0666d857e2332b2b7dccada51282eebc24eec79969efeb12110a16dc5877b232

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe
Size

108KB
MD5

196dcdf40e2b3b5c9a22ca2a86af9320
SHA1

2179bada9ab861700071d7696b3f1e66cf240a01
SHA256

0666d857e2332b2b7dccada51282eebc24eec79969efeb12110a16dc5877b232
SHA512

1183fe42be5b02275297b8bd4524408619decd7a7613f828bce674943acf2f284e36fe1f566da97b4cbe2eabb375fd8d3519afde8733da0ce2ee613301c1072e
SSDEEP

3072:dN1BwE+Vsibs1/tUKSEK45XFcFmKcUsvKwF:dUVRgGK5K45LUs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe

Executes dropped EXE 38 IoCs

pid	Process
4932	Lnhmng32.exe
3852	Lpfijcfl.exe
1240	Lcdegnep.exe
1680	Lklnhlfb.exe
4500	Lnjjdgee.exe
3024	Laefdf32.exe
736	Lcgblncm.exe
592	Lknjmkdo.exe
4308	Mjqjih32.exe
5108	Mpkbebbf.exe
2236	Mciobn32.exe
5032	Mkpgck32.exe
3152	Majopeii.exe
4456	Mdiklqhm.exe
4312	Mnapdf32.exe
1428	Mpolqa32.exe
4832	Mcnhmm32.exe
4080	Mkepnjng.exe
1792	Mncmjfmk.exe
3300	Mcpebmkb.exe
1444	Mkgmcjld.exe
4872	Mnfipekh.exe
636	Mdpalp32.exe
4028	Mgnnhk32.exe
4912	Nnhfee32.exe
3800	Ndbnboqb.exe
3616	Njogjfoj.exe
3708	Nafokcol.exe
3516	Ncgkcl32.exe
3244	Njacpf32.exe
4372	Nbhkac32.exe
4348	Ncihikcg.exe
4896	Nkqpjidj.exe
448	Njcpee32.exe
780	Nbkhfc32.exe
4992	Ndidbn32.exe
536	Ncldnkae.exe
3840	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	3840	WerFault.exe	123

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4932	3260	196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe	83
PID 3260 wrote to memory of 4932	3260	196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe	83
PID 3260 wrote to memory of 4932	3260	196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe	83
PID 4932 wrote to memory of 3852	4932	Lnhmng32.exe	84
PID 4932 wrote to memory of 3852	4932	Lnhmng32.exe	84
PID 4932 wrote to memory of 3852	4932	Lnhmng32.exe	84
PID 3852 wrote to memory of 1240	3852	Lpfijcfl.exe	85
PID 3852 wrote to memory of 1240	3852	Lpfijcfl.exe	85
PID 3852 wrote to memory of 1240	3852	Lpfijcfl.exe	85
PID 1240 wrote to memory of 1680	1240	Lcdegnep.exe	86
PID 1240 wrote to memory of 1680	1240	Lcdegnep.exe	86
PID 1240 wrote to memory of 1680	1240	Lcdegnep.exe	86
PID 1680 wrote to memory of 4500	1680	Lklnhlfb.exe	87
PID 1680 wrote to memory of 4500	1680	Lklnhlfb.exe	87
PID 1680 wrote to memory of 4500	1680	Lklnhlfb.exe	87
PID 4500 wrote to memory of 3024	4500	Lnjjdgee.exe	88
PID 4500 wrote to memory of 3024	4500	Lnjjdgee.exe	88
PID 4500 wrote to memory of 3024	4500	Lnjjdgee.exe	88
PID 3024 wrote to memory of 736	3024	Laefdf32.exe	89
PID 3024 wrote to memory of 736	3024	Laefdf32.exe	89
PID 3024 wrote to memory of 736	3024	Laefdf32.exe	89
PID 736 wrote to memory of 592	736	Lcgblncm.exe	90
PID 736 wrote to memory of 592	736	Lcgblncm.exe	90
PID 736 wrote to memory of 592	736	Lcgblncm.exe	90
PID 592 wrote to memory of 4308	592	Lknjmkdo.exe	91
PID 592 wrote to memory of 4308	592	Lknjmkdo.exe	91
PID 592 wrote to memory of 4308	592	Lknjmkdo.exe	91
PID 4308 wrote to memory of 5108	4308	Mjqjih32.exe	92
PID 4308 wrote to memory of 5108	4308	Mjqjih32.exe	92
PID 4308 wrote to memory of 5108	4308	Mjqjih32.exe	92
PID 5108 wrote to memory of 2236	5108	Mpkbebbf.exe	94
PID 5108 wrote to memory of 2236	5108	Mpkbebbf.exe	94
PID 5108 wrote to memory of 2236	5108	Mpkbebbf.exe	94
PID 2236 wrote to memory of 5032	2236	Mciobn32.exe	95
PID 2236 wrote to memory of 5032	2236	Mciobn32.exe	95
PID 2236 wrote to memory of 5032	2236	Mciobn32.exe	95
PID 5032 wrote to memory of 3152	5032	Mkpgck32.exe	96
PID 5032 wrote to memory of 3152	5032	Mkpgck32.exe	96
PID 5032 wrote to memory of 3152	5032	Mkpgck32.exe	96
PID 3152 wrote to memory of 4456	3152	Majopeii.exe	97
PID 3152 wrote to memory of 4456	3152	Majopeii.exe	97
PID 3152 wrote to memory of 4456	3152	Majopeii.exe	97
PID 4456 wrote to memory of 4312	4456	Mdiklqhm.exe	99
PID 4456 wrote to memory of 4312	4456	Mdiklqhm.exe	99
PID 4456 wrote to memory of 4312	4456	Mdiklqhm.exe	99
PID 4312 wrote to memory of 1428	4312	Mnapdf32.exe	100
PID 4312 wrote to memory of 1428	4312	Mnapdf32.exe	100
PID 4312 wrote to memory of 1428	4312	Mnapdf32.exe	100
PID 1428 wrote to memory of 4832	1428	Mpolqa32.exe	101
PID 1428 wrote to memory of 4832	1428	Mpolqa32.exe	101
PID 1428 wrote to memory of 4832	1428	Mpolqa32.exe	101
PID 4832 wrote to memory of 4080	4832	Mcnhmm32.exe	102
PID 4832 wrote to memory of 4080	4832	Mcnhmm32.exe	102
PID 4832 wrote to memory of 4080	4832	Mcnhmm32.exe	102
PID 4080 wrote to memory of 1792	4080	Mkepnjng.exe	103
PID 4080 wrote to memory of 1792	4080	Mkepnjng.exe	103
PID 4080 wrote to memory of 1792	4080	Mkepnjng.exe	103
PID 1792 wrote to memory of 3300	1792	Mncmjfmk.exe	105
PID 1792 wrote to memory of 3300	1792	Mncmjfmk.exe	105
PID 1792 wrote to memory of 3300	1792	Mncmjfmk.exe	105
PID 3300 wrote to memory of 1444	3300	Mcpebmkb.exe	106
PID 3300 wrote to memory of 1444	3300	Mcpebmkb.exe	106
PID 3300 wrote to memory of 1444	3300	Mcpebmkb.exe	106
PID 1444 wrote to memory of 4872	1444	Mkgmcjld.exe	107

C:\Users\Admin\AppData\Local\Temp\196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\196dcdf40e2b3b5c9a22ca2a86af9320_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\SysWOW64\Lnhmng32.exe
  C:\Windows\system32\Lnhmng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\Lpfijcfl.exe
    C:\Windows\system32\Lpfijcfl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\SysWOW64\Lcdegnep.exe
      C:\Windows\system32\Lcdegnep.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 412
        40⤵
        Program crash
        
        PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 3840
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fldggfbc.dll

Filesize
7KB

MD5
b07f0804d79e32c06842a7ae201fa331

SHA1
1b805c8051b7c4636c8a1645378857a7ee8114cd

SHA256
144f951a3a956d321a3445234ed008b66497b123550c8e30cfdad9aca145265f

SHA512
7d0f4c088edd910af3a89ba22f44f5afddb7cc13ee398ced28edd07d75de389eb5d0dbe7a941c189cd430c15fa543b51125513d09f9753e434a9517a954a2e86

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
108KB

MD5
a0a7453713978cb7f67b3b4721175781

SHA1
c78d7db27cc272a83489b06150367879e34403d0

SHA256
eae8e1bf22dee300bf62526f461352962906519fbb68f58ca6d3a11037c0d27d

SHA512
01466a02649f8a8e91ff19e58c02fbe01c67bcefb9143444982c93fe011fb627d2193e1a731e694575685449e28001dfcea6df2276687f40c427658a0ccdd7ca

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
108KB

MD5
a7b2a9c75d4276ae5ce010d5c32c44a0

SHA1
b1865c4faeb2806e73269b0bd51102e559e4e3fa

SHA256
aa1195c4050cf5e40c7635829d640435c4631b8e206dbab0d64d2c269910e076

SHA512
b8f127b7826ba9fefecec9a0838511bef9121029626e78c93629539ef5b0ac978c114c503ae8d4293f03f04fa4ef483485f9f36b6ad4e999409328dc44a3aef6

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
108KB

MD5
32d1f632ae60de8905cd587d329e8e30

SHA1
9a4afc16f57b0ee86562d6cf7ed6fe8bd9e872be

SHA256
eff556b4e70f3b8e93684d9361474859524b1e49a79fa236d68b9f05c99f4d3b

SHA512
589ab33d95796e299aa125c9186a53f3fe2d7a09422d6287cf805aeb6a8d435240bc2af5c32afe8bd3669e9144f85f5cf407ca182de1a6e15142a633a02d8720

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
108KB

MD5
6482d46d978bf59771dfb0ef1ab7318f

SHA1
0fe022c163d477360b9f9dc7e7def747d62fe7d1

SHA256
ae6e897bb0e020617ace3c51075b78baf9dd5050d27868fc24b08f12a954cc03

SHA512
d78d98e23645872371d7d2343781f560b27332614accd7056ab1f0d6b639c3678541e5ec3a1382006dec9f69c1153ec992434f2fced39b165170688c9704cda0

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
108KB

MD5
d3b5807b60a717d21e3d1d99df82c05b

SHA1
aca0ed84d12f7e34768884675f7ed9cc2cab1dc6

SHA256
ff98317e80588193d4dd3e3ed0e65d2407e37d1bb4516801130ceae03588b257

SHA512
34275851406c400082e45c87a3ce031061ea3ca96cb6d4b2a9487508b059eaac7b7c7420c920367c0ad70103eeecd95d0139d376ea322ec6aad78f1885309cef

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
108KB

MD5
53b7f42cd3b179230c725b07e4b65a08

SHA1
828535d945bc7da891e1efc280a59ba8a17d13bd

SHA256
485fa7e310dae8fc03973d5b2c39e088165fd7aa53fe862094356e5613d708f7

SHA512
b831dfac28b13b3d52f9a1f3677efdd878afa16d1388b17e3bc8fd219edf869ac3bb40c099b943f2b22598fc660316649580efed71fc65a7425149c3a4a4e025

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
108KB

MD5
611d59a654474c87262c93176d487644

SHA1
eb2b76906c8bff8ddbfde441765536d57289b3de

SHA256
1a49718e3075139af46cdafe2a296e0403ee9934ae8e857536005692ecfcdfce

SHA512
d1dbacb1aab3a61df6f1d150abd655a4e7e0e3303647cdd3fecc54a7447d42fcfa85bb8b3485db8656dcaafb3aa651ee337bff4c478f7c4e71ca8b361941809e

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
108KB

MD5
5f9a0350b981fc85576dd5c37f60bbbe

SHA1
fe66a5050258f00a2fb9cf8715e9187fa8342a77

SHA256
8dabedd77d196d2cfdb060ecf02a7c56c709bd02b0ab30639193ed170db49e9e

SHA512
c1102010a82c938e927a76ac3c8a474839a3c50b26f443c1799883007ec3ff547741ea693775146659ced157ac0c6e24ef8f86bc264f7c8d350d7e87e5ef4c8a

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
108KB

MD5
be18660a318d9dba16617d30589ded84

SHA1
0a36bb3c3d3e38b238473efb169c4041d9dec88f

SHA256
2604e9a4f6cf3e3aba3d9ca58e2f6f91ad768f5ef9a5a1be91a7255a6c9f8fc1

SHA512
8eee4dd30924e60ed286c7ff071df564a674fe2818d8c806a831aee6cc4a291500768661121ec698ea0a5900be27f8bea9ca85792dbb9ac31c5a06ceba5a2847

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
108KB

MD5
586eaa75cef9359bf677493a69688337

SHA1
1216fac6991ff2660bed61fb5a2fd350d0a0e12a

SHA256
bc86e0c32382050317e39978f97df18e86440f009f63e81010db283121778b4e

SHA512
50de3ad039be0f35aefd2f3167fa6851f95ee4eccadb0dd1074155bc2f153134c9dc2ab97e00461bdb2e56af93382caf7f7a5195a33a30cf214475d195cd9f74

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
108KB

MD5
ede87c738cbe47d0053847ef90a2c9fc

SHA1
eb41c7df967a8f5f9c3ac304580d842bbb005f5a

SHA256
35c2b7b9566bdfa1d325718c3f079ec60d8ba23eaae4457babf906b9a32b7438

SHA512
dce4cdd3f8e3a6ccea854de99aa548256c64059f2ef4254d54ab67fceda03f145d0462aabd86b01a19f683da5b2faf93a2963fd2869305a9250b82be73b49e9b

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
108KB

MD5
97c96dc07a3ba0c49e857abdb9b5ed8e

SHA1
1289c70945d664453f8819e795551da63a874d06

SHA256
fa64090946b13f070a28caeb83f0f201b8067eec286ba89f457cd636758c23f2

SHA512
32c4f100755db1ab513394a30728bbdd4069354dcacd0957279db990d5123cfa44deda318e041c042a2fa6cdddebcf730d5c21a13b6c8a993825b1a8b9d812f2

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
108KB

MD5
6cef2d0d86a6beef2a7ddbf90537b94f

SHA1
3ee9ef59ff0a95c813542567c14d28f7a1485355

SHA256
d5601fee0c714de93581fd6937c8f4c5117cecf3f18d3b4c43a1ed2e66441fd9

SHA512
12f2017e1132049d254e44385c493326c83830d029e85ac0b3b75ef5637ada319b079924485c1ade0ede1f86a50b24f57a6fd5eb73069123ac280b031af961fe

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
108KB

MD5
c3933bef4b58ed80b0d314be268cf95d

SHA1
1cafa5ef124f1fbab5c8149e3b6facae44893529

SHA256
7afa5d7c54c7ca329db30ca6b22144417f17d0d9ea15f2290be0ca1961540955

SHA512
b784019d93bd08f444a5f5f075e54c96548feb38b6b6f299b7780554f4d493c9cf114da74f89162184eae78539ae3b6fc5190e6a4afa9fce350e6d571deb244a

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
108KB

MD5
5684c52b79c29537d6545c3bb12bff3f

SHA1
9e638518759d06b7fe4312670a10ad8dfc71d632

SHA256
07a8d651eabcfb33c8c8471eb541491807ff5503fc3ad21a21669a8102b78488

SHA512
e029ed4c580efdb04ecdb56ef9cf1cd182eabde01e679858b819fd85256eb318fb5ae65b894341a9ff85a57ada6cb2cd8aebf3e5997cc203be31728fc9c111e2

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
108KB

MD5
500ae53b6fa5f19fb7f3bd2c81a7d4dd

SHA1
03fb028cac5eef30e1bd6e495500903d26175db4

SHA256
3b4b1aeaad6554d896e9e9a7e47c8279696773b9182f3ac190c8f7a232b1b2ff

SHA512
17347ad8f953a804b0c7bfb6c597e8a145e2236e859502855900497a89d3816a08a466e9c5aa45a90b23aa88fbff9c1b1d2a7119087429daec8021372c17165e

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
108KB

MD5
dc705baf0d84c4caf217175e1e703e99

SHA1
583ac59bbe3202839128ddb0e66170f20ec0aa92

SHA256
3c584fd950909b39a4f0e75b45c32b5480d81d120c4c24d12b807599750c9f24

SHA512
5cbfe022ea2c1adb20953136611981bfa5e32264dbc7565f56f58b302f6b9cd1a10f1e8b548aa5c00c9c39edbc705b02423815469cc873fdfcfbb412b187a38d

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
108KB

MD5
46a927cf70c50fb959dac1f54afad2f1

SHA1
5f35ab2e07770410038b47dfadebf75bf88e0a48

SHA256
b75b7867147af41b314cb0dd021a09f8618685946bae587ec47030a79bd8c8da

SHA512
663abb8e80ba2687b01bbe8505d916ce80b5d97d395210a4feb854f1cd4799e0fc3ee5cc4effb1d0bc6ead27c36fb69b64e4507dbaca35d17cbb28fcc522e729

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
108KB

MD5
9802a9639ff3b1868d07b99490afa21b

SHA1
cd982cb7b56aafc07cfd96b3dd24d3a0e617464c

SHA256
85faa8e438666e2d5f0eeab875e9f5a269af27bad2bfa45840ce41cbef0d7628

SHA512
594589d9c981128d5de5dcb90e18fd7b27a8638eae3d7fe2eedad71b5db463317eebf9a95ded9951ec042ca664a2a363926872c379d6035af984fb43fbfb1b63

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
108KB

MD5
c552516dc2188617a71742d7aa738b18

SHA1
569330d0f11173d95de7f261c16cd33f37855e61

SHA256
8d043637ddc408b482f1d6e5dfa121c1ce1f1757fc6b293b8dbad6a1d189217d

SHA512
485d2738a9ab8e961e33f26a0e6ff180f7238fc8e0751c29a94d7b05c939cdd276f7c670dcb21efb130f9a6bf55130a41a3141ed08bbac22c68ddf88644854ea

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
108KB

MD5
0e22b9590fd99e25684c6590dbc650f2

SHA1
e770ef9c787eabc5bef8f8fd3ec343781b3691d0

SHA256
de7791c08fa7182a5a876b3f634eb9b824811b132543b83597234327c7261f63

SHA512
7167d1f9a32b9e65ab9325b41579529fd0b55dc68bb115353874dd962569ba9cad2756844ae333d4c30c3a87d173ba242aaa1a426f880c001ba8bad376ec2b35

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
108KB

MD5
d36b9d83f55a84d9501c665106579b9e

SHA1
04590c448139a064bb7a1270ed33372779afda10

SHA256
44ec6256bd7c06a4366b27281decae5fa458910700235db3098acb7290b4efe7

SHA512
303cbe23236b5c3c16310223db55d52e2f8fd7a85284e11ad6d3c0c81d2b466d73ea7a8ca419b95dbeb9c7928bf03b58d2201c2a2831b5ab0d30e092e3e9b858

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
108KB

MD5
aac1cf3b507cc00623dd207342a4ad1a

SHA1
f4acfbcdb00a80c1657fdeaf4c0fa603fb1c077e

SHA256
27e76e73d1a67a305d7439c784088c7013676946dd58ee996bad322e5f10a35d

SHA512
88875ab2a589fea2d2cc896d36adf748171ee20034d88b9523f88e382fffd92ec0e76854e81353ddfbab70ab245a2722f5d729f1b010ec389b6c81fd248498bd

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
108KB

MD5
785111a308f423c10c9a23640f34cf01

SHA1
937b7c713593f426bbe4706eab6c0964d6a0ba17

SHA256
657f1048f7587aa19be6f9b71ec2dfa7f050b2474748a6c90464847cbe57e16b

SHA512
124e9b24a0f54c4e338e1ad618fe6914f393af535a58ea55c933a93c78495044de42042b1e1ec009965da61aa21504059a363083fdc18b6bbad178f02fc3c6ea

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
108KB

MD5
5b7c7d7663c737747c5d02cbe8ff8f5a

SHA1
adeac6cbc8170a16ff94797f98961a2761e3adb5

SHA256
060587f243b9dcc774054eff5420605afaee6279f10f7065ef45ce864dc82e21

SHA512
6ecfd764d38b977c3fad1935c8fb5d6a010d834de395cf21d772d79a3942691e39c163bd8b02400310de5eb5e603966a96b5c40c33d1311213ef9aa71294f277

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
108KB

MD5
03200b960f20b8408064e5c35834a83a

SHA1
126957cadf310c3d2bc2e925cbece6a9297c7475

SHA256
2a328036a8abaef007d189de2874406cf2e38b4ca21acb78a752ec7ade022c2a

SHA512
29bdbb3de959677ce6494018fb125e226bf1718b54a4e5541eea3b7c7af88f6ccf4eab9a9ef1a7cd163877fa846fbe83e60efd993795c6e0f81a814822ddd4bb

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
108KB

MD5
83aa64841a85e6de42f1502737861522

SHA1
f99595f2d7f961e7587932a87d35d334209a113b

SHA256
28612d4e1a8ae12c652db760f3b73354565ded75fa132d61cf33a9dca1b47e3a

SHA512
1b3c7ef3ae48e625327064f4099ef3e3bf1d4944e1fb302f32bc6c097b77f9f1f3bbdf4957281f452a0f61506164fe0435cbd4b60af680f9666dcc5e3ac4210c

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
108KB

MD5
3452420c31de418ea2a74a69c23bc158

SHA1
91a5ce90776d8515419e60cee72509774df611ee

SHA256
26b8f95dafbaeb84123a4da47ece38eabc450dfeddfce5e9665bca77a6ea1ee3

SHA512
cd098449712c5d3cd520b01e44bd7101bebbedd3b3661ea149a44c4b14b4be2581a8301a57ca224a0ebeca97908edbc96b2dfb20e513a1561a52ad62e5e937bc

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
108KB

MD5
26a4376976118160bc8402a59cfa0a80

SHA1
782ccd7add12dc41cfc9cccd89869e5bed3d9c17

SHA256
8bc642643cf2bff527ec58b815ff305adab8e460be634fc31e82d5eb2b76e919

SHA512
04ddd990e0bc9c3f154ce24876d876c9f8452d3cbf735ede629c5ef4b0d430f134c107da2066efb0e4aa90244bbbfdbd242e84c66119001be85848fdd01400c0

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
108KB

MD5
aac7f3831bedb56a1b35b3c83eee4a3b

SHA1
09241a7d12f76552b531a6defa939dc0b3e8ad78

SHA256
3ecc9f52447d1aacc6b17057dedb7824b4a193d845f439de3d1b1975e7f32658

SHA512
3910afacb7b2f1c68f0ff2aeeb75167def6306a6c45fadc2b2335883b7cf3c1b261b991b7c9e9d51c782dc156a099f2fd546c8dc4647493e50e3e768acd7c4f3

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
108KB

MD5
60049764c9870f72ced4bb77bc0458d4

SHA1
4bd63a8987018f6d57654426fc06a9e976449179

SHA256
127d42831f06e53a857e19a3e6c2d5d152fcf5d923ea9fe7449179df34a75b3d

SHA512
dc87a20a2e401e748dcbabd7e50f84ec2e4956d04607b4df5729642e395611d04f2039703cc1185416da754c71f4bf78f3d173346c1402aa2232db6b27a33118

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
108KB

MD5
fe823869c8d5f555ce7c38dd868e8ba3

SHA1
a71d3ae9f9b95c0454603c5ff5e6115d7d35dca4

SHA256
7fe99b0f81d6555305d4f33b350150d6346002408a08ffa9541315812a54b501

SHA512
6cefde22cfe61d23b57d61b48fdbf00edd7aac298eda923237fc933779b328efa5a7e69de5f8156fc70ff36a2a511e2643e1de99cb8053b296e7ebc32f41808e

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
108KB

MD5
97c94d8e74abb3adba544109e319b2ab

SHA1
01db84ff3a120bda6e98aee923a2dfdd8b719bfb

SHA256
d65fc3f7b2d89d8185749033e4ca800a4da9fcdcde6b488b17216f9be3b29c6d

SHA512
2dd491d7354103800f8e63f8d97095f21ad407e00b9240baf483ff8515a5041096ee62af1911f823bab6bd044b08e4220731772755bf2b9375aff6a5379fe1f6

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
108KB

MD5
e506542819604cc0f8a8b4b7db30bc6e

SHA1
f8a1b241ec343069c5d9a081ec7183a69674e175

SHA256
cddff92e30ce91ea27b84961cb6ad4e01f910cefe141306da6ff00945ca3d239

SHA512
ef8eb68e01a5e9486df7f5ccd504b22d535a0efd1b1a9f0cfc7ad4013d29da367cff27a769651f88bd27cdc03a183a2f6c375a64b1a06b95177394dc04c89712

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
108KB

MD5
203e510010d3c34258d4e86c11abec2f

SHA1
4cae2134ad9b326c45c0891b53f5d6644ecb0d55

SHA256
c055ea6f2a01e4f1001ffdca5a2b9d9f9ae02bf967dc9835f33b5a61ddec5c35

SHA512
1bd5deeaba14de40c633e8f9ec7e26e6e21822c0047bfa17970a9dd044032f5818d5759f60aee3a5c189c6e17c185018c86424555e6be557ed73d2097340dab7

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
108KB

MD5
2f487b75bc3e52e18422576f6f2d4b16

SHA1
69b270a66d4babec59873729bf3c38da6eb3a07c

SHA256
93321c326cb8263a2aac5b52a674bb59c6553acb7ee8100cad034d4c25936068

SHA512
9437af4d7b2e9df4829b321dd8ce1a380f16144fa070e77ffb98db514520e6047367794e5b23f7a295e45a558d21a7e4c454612cb341b0685f18fcbdeca42eed

Download Submit
memory/448-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/448-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/536-289-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/536-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/592-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/592-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/636-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/636-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/736-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/736-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/780-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/780-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1240-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1240-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1428-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1428-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1444-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1444-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3024-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3024-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3152-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3152-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3616-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3616-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3708-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3708-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3800-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3800-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3840-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3840-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3852-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3852-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4080-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4080-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4308-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4308-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4348-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4348-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-307-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4456-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4456-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-336-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4872-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4872-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4932-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4932-367-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5108-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5108-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads