4038208a8cef39c77a9e0331275bc3ee936017480a410e38c27890efa15dea37

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
Size

168KB
MD5

b70b8c09d0e6c0b36dc91fac77371ae0
SHA1

668d37b70e26c6fe2b15675b27e785306ff75429
SHA256

4038208a8cef39c77a9e0331275bc3ee936017480a410e38c27890efa15dea37
SHA512

67cb4ba5e66b532367ba7c0a4b397ca42b391593cc4b6c974bafd8e870a28aa3314ee64ccb648c7948f3df56ff5a1344e226d3e958e863cda54a0d976f72ae90
SSDEEP

3072:dYjAzt+ingpFwpDuJ8mF9YNTyr4p9t4W987u1j5FaoJ5pFwr:dtt+cyFwpo8mFCNkq9tr987u1dFVrFwr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe

Executes dropped EXE 35 IoCs

pid	Process
3704	Kkbkamnl.exe
4832	Ldkojb32.exe
1852	Lgikfn32.exe
1404	Liggbi32.exe
3780	Ldmlpbbj.exe
1988	Lkgdml32.exe
1840	Lpcmec32.exe
1480	Ldohebqh.exe
2016	Lkiqbl32.exe
4564	Lpfijcfl.exe
1176	Lcdegnep.exe
1352	Ljnnch32.exe
3264	Laefdf32.exe
4468	Lddbqa32.exe
3772	Lknjmkdo.exe
2304	Mciobn32.exe
976	Mkpgck32.exe
2452	Mpmokb32.exe
4484	Mjeddggd.exe
4908	Mdkhapfj.exe
2468	Mgidml32.exe
4088	Maohkd32.exe
4952	Mkgmcjld.exe
1956	Maaepd32.exe
1668	Mdpalp32.exe
4844	Nnhfee32.exe
4452	Nceonl32.exe
4396	Njogjfoj.exe
2232	Nddkgonp.exe
5056	Nkncdifl.exe
2636	Nbhkac32.exe
3232	Njcpee32.exe
2132	Nbkhfc32.exe
3692	Ncldnkae.exe
1248	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4464	1248	WerFault.exe	123

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3704	2664	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe	84
PID 2664 wrote to memory of 3704	2664	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe	84
PID 2664 wrote to memory of 3704	2664	b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe	84
PID 3704 wrote to memory of 4832	3704	Kkbkamnl.exe	85
PID 3704 wrote to memory of 4832	3704	Kkbkamnl.exe	85
PID 3704 wrote to memory of 4832	3704	Kkbkamnl.exe	85
PID 4832 wrote to memory of 1852	4832	Ldkojb32.exe	86
PID 4832 wrote to memory of 1852	4832	Ldkojb32.exe	86
PID 4832 wrote to memory of 1852	4832	Ldkojb32.exe	86
PID 1852 wrote to memory of 1404	1852	Lgikfn32.exe	87
PID 1852 wrote to memory of 1404	1852	Lgikfn32.exe	87
PID 1852 wrote to memory of 1404	1852	Lgikfn32.exe	87
PID 1404 wrote to memory of 3780	1404	Liggbi32.exe	88
PID 1404 wrote to memory of 3780	1404	Liggbi32.exe	88
PID 1404 wrote to memory of 3780	1404	Liggbi32.exe	88
PID 3780 wrote to memory of 1988	3780	Ldmlpbbj.exe	89
PID 3780 wrote to memory of 1988	3780	Ldmlpbbj.exe	89
PID 3780 wrote to memory of 1988	3780	Ldmlpbbj.exe	89
PID 1988 wrote to memory of 1840	1988	Lkgdml32.exe	90
PID 1988 wrote to memory of 1840	1988	Lkgdml32.exe	90
PID 1988 wrote to memory of 1840	1988	Lkgdml32.exe	90
PID 1840 wrote to memory of 1480	1840	Lpcmec32.exe	92
PID 1840 wrote to memory of 1480	1840	Lpcmec32.exe	92
PID 1840 wrote to memory of 1480	1840	Lpcmec32.exe	92
PID 1480 wrote to memory of 2016	1480	Ldohebqh.exe	93
PID 1480 wrote to memory of 2016	1480	Ldohebqh.exe	93
PID 1480 wrote to memory of 2016	1480	Ldohebqh.exe	93
PID 2016 wrote to memory of 4564	2016	Lkiqbl32.exe	94
PID 2016 wrote to memory of 4564	2016	Lkiqbl32.exe	94
PID 2016 wrote to memory of 4564	2016	Lkiqbl32.exe	94
PID 4564 wrote to memory of 1176	4564	Lpfijcfl.exe	96
PID 4564 wrote to memory of 1176	4564	Lpfijcfl.exe	96
PID 4564 wrote to memory of 1176	4564	Lpfijcfl.exe	96
PID 1176 wrote to memory of 1352	1176	Lcdegnep.exe	97
PID 1176 wrote to memory of 1352	1176	Lcdegnep.exe	97
PID 1176 wrote to memory of 1352	1176	Lcdegnep.exe	97
PID 1352 wrote to memory of 3264	1352	Ljnnch32.exe	98
PID 1352 wrote to memory of 3264	1352	Ljnnch32.exe	98
PID 1352 wrote to memory of 3264	1352	Ljnnch32.exe	98
PID 3264 wrote to memory of 4468	3264	Laefdf32.exe	99
PID 3264 wrote to memory of 4468	3264	Laefdf32.exe	99
PID 3264 wrote to memory of 4468	3264	Laefdf32.exe	99
PID 4468 wrote to memory of 3772	4468	Lddbqa32.exe	100
PID 4468 wrote to memory of 3772	4468	Lddbqa32.exe	100
PID 4468 wrote to memory of 3772	4468	Lddbqa32.exe	100
PID 3772 wrote to memory of 2304	3772	Lknjmkdo.exe	101
PID 3772 wrote to memory of 2304	3772	Lknjmkdo.exe	101
PID 3772 wrote to memory of 2304	3772	Lknjmkdo.exe	101
PID 2304 wrote to memory of 976	2304	Mciobn32.exe	102
PID 2304 wrote to memory of 976	2304	Mciobn32.exe	102
PID 2304 wrote to memory of 976	2304	Mciobn32.exe	102
PID 976 wrote to memory of 2452	976	Mkpgck32.exe	104
PID 976 wrote to memory of 2452	976	Mkpgck32.exe	104
PID 976 wrote to memory of 2452	976	Mkpgck32.exe	104
PID 2452 wrote to memory of 4484	2452	Mpmokb32.exe	105
PID 2452 wrote to memory of 4484	2452	Mpmokb32.exe	105
PID 2452 wrote to memory of 4484	2452	Mpmokb32.exe	105
PID 4484 wrote to memory of 4908	4484	Mjeddggd.exe	106
PID 4484 wrote to memory of 4908	4484	Mjeddggd.exe	106
PID 4484 wrote to memory of 4908	4484	Mjeddggd.exe	106
PID 4908 wrote to memory of 2468	4908	Mdkhapfj.exe	107
PID 4908 wrote to memory of 2468	4908	Mdkhapfj.exe	107
PID 4908 wrote to memory of 2468	4908	Mdkhapfj.exe	107
PID 2468 wrote to memory of 4088	2468	Mgidml32.exe	108

C:\Users\Admin\AppData\Local\Temp\b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b70b8c09d0e6c0b36dc91fac77371ae0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\Ldkojb32.exe
    C:\Windows\system32\Ldkojb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\SysWOW64\Lgikfn32.exe
      C:\Windows\system32\Lgikfn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        36⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 400
        37⤵
        Program crash
        
        PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1248 -ip 1248
1⤵
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
168KB

MD5
d28472b567a18960dbf4eea35a79568b

SHA1
bc19404dcc2b5f97362877bac7675c4a5b130f19

SHA256
4aadc664ed45100eb313d7ba51b01275c84dfd2dc2a5bbbebe1f8378da6ce61b

SHA512
911035f5924b65e0d66e2c56440fb9711ea4677f36bd9d4e35cd75202b26e0b0344f3aa859a6f7489eb7a532950e296a89da657b12362499adb898cb260d0635

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
168KB

MD5
89e2e1d7170cef24897fd92db6c7b290

SHA1
0860529fbbee8136292a6c539f1d788ba796fa01

SHA256
0bb6b2ea84ea2f2f8cae7b2bd9e26f933fa17e68ebe4d34978346c81fbea3e1b

SHA512
747284fd604c04c34863389c8a56f06de4cefac0172822a5b4ed3c651b740af071276ff3e4251c3a530d01ed749c73a3f6b83f69505446fc6924b0ed8a67537e

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
168KB

MD5
0ff46b0ab4d695d091415e6205106ef2

SHA1
c151dd1cf3945c638eda20fe1a6c36a1b9857be0

SHA256
360b3d4d6c3897b0c633695f5ff6da9a19fc84cf7839c10574c637b9cbb724bf

SHA512
e9054178737ab03e5e59510dcc37f2947c48eceb4dd930553fe52ffd4cc24ad98cecdb72c12739321fc3e263580d7149dff0f08bd3ca164ad002d1186922d74b

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
168KB

MD5
833bd73bbba2ce01e76a024b7341f68c

SHA1
1e4345f9baa902ade56c2c1b3103601ea8758a74

SHA256
6c17a656b395cca02c2916ce0feaf5b26fa0e71a445da509f9d6874d8c78234f

SHA512
8b8ad8f56919ae81231291fa3ec7e3a5b00d482786cecd07f21d12850c71c798b1a5a48d0ccff2a214075cd17d134099e170d0834b2589aa8d970d95ba118f6b

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
168KB

MD5
49e2606f86278d1c29fe75ddc0a13d3c

SHA1
7af977e0cd49b704988355a74d4947ee354547c5

SHA256
39086c6773e59ac37d9d2a19d73103ddb1efff5ead9cc54a97736449dd8b07a5

SHA512
83abd16a696040b8305760cf84a5d7b939b062f9edf0ad3d141bcc6c7ef9cafeca8d05d4ab5fd047a35074d05483d065e884399d0372c0dd812e2e093213fca0

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
168KB

MD5
5ede0a584e8f7ca28f457f3f4793fab0

SHA1
a8cd7bf370eff15b23f1226b3b7ac3515547c369

SHA256
cee235804ecf399bde59dacce96f342c0a8d2cb4b701cb7808d7e7f77e65283d

SHA512
0b6d332b091cd591dfcdbb2af171606eb3b84f2f88dec474a31b831a19fd0f0f301eb47ccf29103819d7f682b35523821d5d48569aa8bf98a1d8aebff038c4f3

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
168KB

MD5
2bbf41528e3d898bb3b8aeacd4bb1f2d

SHA1
813f3568495632e630569260bb29fc5383bed2bf

SHA256
3c9517b7df41c69d1ffb23d81ef134b80b9073aea14606183dfba68b177f5dd1

SHA512
e40e35a27b34a0fdca74a18492a602edbc533ae5e7eaf5a7afb89d6448d1a508b5dc1164f29e797fdb4c96d37eef38a453dbd9feed7c8c388b7a8f45455c590a

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
168KB

MD5
15bf2fd39afd98afa33713902b6ca6cc

SHA1
f33bccb0a664108554e53ea86e2a4f3457556b06

SHA256
64c1f58b762953e8c4e96aa987c4d9829f662958ea95d1583f9ae64f41b464cf

SHA512
20a7f8e6cba2e6b022c917b11aec894e5fa8da4bec3310c2c527f24d2e700e563425b01c8b7379556efee8d77826e24bbe4530bd596a2816d9157001e2e04b9d

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
168KB

MD5
2141c402cbfc4d84b44b83899f014b6d

SHA1
7d807d5cd9f5a18e8d4ae1e58b46ab1d157b1b3c

SHA256
fd2abd9b98353ad8d48a44464509a8958eb6ee0610723054da5a9a4bdb27baeb

SHA512
b6f646b4ea1a625d148cb79aa41eb1ed0d99c7629500222f5827377f0d167dc32b64bc23705648f9568b1bad8dc03a96f31e246e742f4285565ae886d7252813

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
168KB

MD5
347bd43ad788f888a734bb03a1a2faac

SHA1
b821d056d9ee26da39e0a5f352ee53f1bbd0bc5a

SHA256
d200a0a3a32eddd48049d34e2f6b51a5f2e2e1aad0e75662dccf3faf8bceaf02

SHA512
2fdc2f99f643c532b29aa357c389f98abe2eaf796c2b39ad323ef2cc51b6c11721bc821c3c475b35efbf2f8f8ddacc46f45fef03038a0d0d3bb585251281e649

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
168KB

MD5
8e299f9422de699b02a830bc5bc5ba44

SHA1
f54ecec09cc06cf37917b1fccc3393527d809124

SHA256
d68a26d097033fe868d8425d978cc7fa004b0c53b88be5b1f20a0f297365c15c

SHA512
fb235d539f4f2aa3eaa23d45e9509f835bf1bea8ae5f6cc1f05edc9b0e34cc359facaac07d663fd3650ac188c386a5b802462315884355d30d24835cd60e8b0e

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
168KB

MD5
f5c540c8ee914433f3cc8614572dbb89

SHA1
11e3c5b309c1fd58cbe7e31432ae5ad6661ea755

SHA256
062663e4c7f1fe6baeb3b12071edb502b50be99650ffc2c33eca69fb66a580dc

SHA512
483381891ced96062be71c262a819059fff191dcbc507a5aeff200c21ffffb271eb6a5289711d9afe501b0f5fee6e7709e64fbc9f7916b1868da630c11f36e8d

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
168KB

MD5
9af01a24840efe4af0211889c0b6ddbe

SHA1
858ad8e9c6f1137a6e3272b2ec0fc7dd1e820b35

SHA256
1035d8383175ab44b23494707ea0555d0633043a95aea0b2f3c73673e6cb2681

SHA512
0b3a050098e40ac19e20d9aa94c90e69087eb5b8e57fef408a6c5ed5ca1b761cc3f31d1761954c2e0205767e81a274ea615689e456eebc160ad94a57af18e2d0

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
168KB

MD5
394124e48b51717ea9e887b759a3ec6c

SHA1
2b2f278863cf4662e658e921b4d0c2c358bcb677

SHA256
ee93a2bf62b36601a770b54aeaa266be9df8666caf7bcf03a6718ddabddb8afc

SHA512
d6768b3391a27fbed2384a10bc5b1aa91b2aff3aa1e180656d693f143cde66312203434e828840901318228dac683870b76db9a663264f20761545eb3a4fe5ba

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
168KB

MD5
609409722a7cd77cd12b0d5b6bf80632

SHA1
6578a1967ab550e20230ed66ad6436a56c93354d

SHA256
89f08b40b4c5c1895db03e181a3321eb46851be92822883bc27260a2d238df19

SHA512
2b63478367871b778f4a9b91220b4fb28c1feaf46d4fc440d1fa450f90b61914a96fee0b913eeb34ba7c5e9c8317f246631910cc7da3597e6d1e2454fd969061

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
168KB

MD5
c30b572b1ece60eb847da72a2eb537f1

SHA1
16fda19b89d3202d1cae9e985949f4ce31430e1a

SHA256
bac89a9bbdfc7b09f45f61dc8fb3e5dff854dc47ece718ef1b7d115fdac6360f

SHA512
f314ddb6004e3785284d17937c240d6431ef80ca53a782673043780da3f27098dd4109a8f276527d4aa630050bc91e06069224a0725c532c64f60f2797851d5e

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
168KB

MD5
364706f28e429dffa072c8c039dc31d4

SHA1
7dd2e7f0bda4b71c254434f5d777fa182a148cd0

SHA256
2085cf510c327a694666b22ffd5a4cd43b812508885f2a7625182f8f60fb650c

SHA512
3d8bbb6a918eac40059039d74b854d49aad663a3e7343d4d32ee9a80eaa82551c8c85a1f9abcd1e5440be6316680df450b0540dbe11f5220e7a86e6e8ae043a6

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
168KB

MD5
16a0eb0232dbfd327247418cd7e16772

SHA1
ad1e3e5e080231d3c33d2383be91830a55df11e0

SHA256
95dcc476a5e74f2221067d72f7ac0f20ba3a0c6650a730dcc93dafdb5f27179b

SHA512
ea7dd95019e87978e4df4802a5de720f209b3f54d0cb115f19aa55304744ec447625f5ee7a358960f1bea29b2301d1867879eebd3262dba1cd384747579086c9

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
168KB

MD5
1b7308cd127dab8b3eb8a567c8a3fee1

SHA1
d4fbb6537ab87936b0f2a11311463de0ccbedbfd

SHA256
f2399cbb2fd083679aa2926e12f147405c227b5dbcef258c297aceb48a544ba2

SHA512
bb19780e076e6b94c704809f1f9e42c1883f72fe3ce8a2cc9b5d1ddca20564a5c97820c036d29199ef94ccabb937f62fb86c6f789c6c4bd098936276533730fe

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
168KB

MD5
ca68b43120be0d8758b2f144e2030e0c

SHA1
1042443183e94f5690c03bbba81873d1ca44ea26

SHA256
5c7e6a82bbbcc862a21cc24c9bda402c1c8f067cf487dbfc43293d7c7bf8811a

SHA512
1021986b44d957bc36e3c319297017edff27fdbe5cb4024042a2f01e373a9ffbdd3f11310632992654367554a69045782e666d3911287d339d028757daa36e17

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
168KB

MD5
bab85169c5024a9797b975a5b0c25fed

SHA1
4a576bdb2e71072d3f302a94b4df68915bafa43b

SHA256
adf4a649028cee2d827c386ae5c6eebdbe1a79646c4a2d6817d0a0e185c22f68

SHA512
ab977e3b4ab600dd76802c19fdf141ade19615e68ecd5a67b731a59534480768082abc32a3aee695be5610aa5b6252158b851078fff68afad19c769a5506b630

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
168KB

MD5
cf27270f1df07f4abaad73ee7e0238f2

SHA1
8e34cce279111a71487e5852fc3c7129375acdd8

SHA256
1a5bc76110733b7281879c028807b39fb9ae8ad8bc5be65e126967a8fddd2dea

SHA512
2e1791a3a385ce43cf3ab6686532912ecc590163576e1af0aada0b0204cbb39f3a7d1a4c2e7662c75de1e3e3e0344bf1a6fd87298dd3472078ff065a3781e99a

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
168KB

MD5
796a04e1f340935fac392c33fddb0a8f

SHA1
3654566f853212130733a76448058d54be511f0f

SHA256
b884581b8825b959b942cef658f1105e6bb6e07f93cb9d3dd3997e48ca4485dc

SHA512
f5815b20d70e96ae5e2ffab9bfe39316468327b6185501cabcf2a636b4021b2569eb99b412f1a6a97f78ec4e56e91fbe9a072d6805871eca44535fc64b280fda

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
168KB

MD5
c93b1a0101c06bbf4f176c13d767d6d9

SHA1
353f0f3c18ea9ba979eea03f787362b45db20692

SHA256
ea33bde3e11434ae9025fc0f7e9ad22032ec7c7a3e0462dc9637bcc394d0c036

SHA512
7df273cc5300651d832af7e1b1133401f3dc50bca60f5e19ecd0e04320f7c736578b6dbffd2a4a7b770d6c214e412eb5ba924a7a9619f4ec8d6d50424f03fb69

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
168KB

MD5
ed41d3a69efe98d520596b562ba3712f

SHA1
2fc20b5a760c8278d91a9193e26e100fd16445fd

SHA256
08297593c15de815866ae17c69c6ba0ff49082a98223e150bdbaa772b09d8687

SHA512
8d70ac46cf210baf56414ba313dc3fe5d245be328375ea619912c3c5743d2aef3227d34d5a3e7d8d7d498dc04910aa951ab5914189046f150b85d95282440409

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
168KB

MD5
97cdab8841e3330658edca5a2ff7db14

SHA1
e106beff774542e60fddad84ce6fb6e39170221e

SHA256
86f1affd2a336e199f592e75e1cfbe1986f290c7c22f94d71c929e85096b405c

SHA512
d55b07f63359b9901545610e334d8998d57f7e944424fbca1e1417246f4e7943bb07dbb8d80e67bda935c01fe67ca4f24533753216f85274717f7ed4223be6f5

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
168KB

MD5
a3f991165e3cf0ee60c4278da2d9b270

SHA1
e7cf7a10c2541739ae02cddb4da890b6e0e03cf8

SHA256
62c923b90ce82c815327782d23fc0c9f8b242c80fae96d5bfce8cdcedbf09c13

SHA512
83cad8c351be15499f7cff168b11e153feda5c3ed3e6119371e7722ad8aa89f42a2275437179a4363138e634b07623759bb87ced66b018b0b722cf992723d7f1

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
168KB

MD5
7f4307780c15cfa5a56395bf5c5c2ecd

SHA1
4996e8ad905b42cd6ad63496e8cef8d0676cce07

SHA256
f68b8c9adcdfe63d77414c8086f40f602a93190d7afb8b77c9e33fecd86cefd8

SHA512
0d4db43e9be167d5e5600f682ad0cbdabfb95fdba2155af730fb929c628e4f455f84d2b51f5d9f302b0af5b99ac29822daaa8cc6bf6c8bf8ba6a04fe4a21ac0d

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
168KB

MD5
19a749ba4faed008b592cfe2bbcd4d40

SHA1
9845b73cf09fb867bae61dce0f5c672a00c00431

SHA256
2db90f49836009bcc894c86215639f8c06aa8ea8b8998831767d79f24a060076

SHA512
8aea4379cba1931e7965cd47ac12b67b1e24242e583d149f48fc3a43171e17e7c6e50a6a3791b9e6801bbebd57abb14ea1d97ce510b49b9bc716f8ee95d5264e

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
168KB

MD5
912f33c133b5f90cae3fc087f9046866

SHA1
928946c968534df447809eb7c07e5bffcdeb3736

SHA256
c334d037f15d72f3b7ccf9285d8fa59eb51db074f6ce05f5e917ed6a6f288add

SHA512
59068ddf61676d967d8f8efb6bf6dc579b0aa19dc4eb84c045633485e5cc593fda0af824453fc90531ffb12d53d0478c0bf5f12bdfa8d9aa6159cb978a2a649f

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
168KB

MD5
3df095a4f7a5168b3221182de9106673

SHA1
4aad673e069847bdcd34dfff2768f3ce06468012

SHA256
3991743fb6d0ba476196a82bc95c025df137e5ebc0748dab2eb0ef2da517c80b

SHA512
2933484e83ef91150f75818ba033336f2696e32d7ce3567f00170c6c50c5ea9546c01c21d17e058b0507799d1a19c109b47cbc9b7d50bd032e97455e1664f045

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
168KB

MD5
58500f3e4cc5581b7899f3b508ba9f81

SHA1
5def24aaef714d838cf4b4f85a3e0cdb5ef83867

SHA256
7c0ebf40fa4b094a7c2aceadb1b6866f25efc5ebcbba28dcc0d24b24983487ff

SHA512
ac4f1474b70f7b2a54702e83a9095d88364fff01b36d7890cef6492b180a9c3b9fbba27e895df23369551e31bc82cdc4f8446506beb88b20bbe7ac062c3c8c61

Download Submit
memory/976-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads