4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7

Analysis

max time kernel
137s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 11:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe
Size

56KB
MD5

02f030213a903ac0f9c90f41a10c5240
SHA1

a455b59d8d37ec9dc150044cb563775abacb172d
SHA256

4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7
SHA512

3048c86b85e00f1e437403498e910a14ab6a0e29d526f0bae5f578cc90cde10b21c628f63a36758e05a9c91695a60d187b709bc72162232d4033a6c8ac48e6d4
SSDEEP

768:+snyFVD+BJyoJYydoiso7gE1Q9bbo4iYy84yT7IfK/1H5FXdnh:+syj6BJRr7LQVEaUQN

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe

Executes dropped EXE 38 IoCs

pid	Process
3444	Lgneampk.exe
324	Lnhmng32.exe
1428	Laciofpa.exe
4264	Lcdegnep.exe
2616	Lgpagm32.exe
3336	Lklnhlfb.exe
4872	Lphfpbdi.exe
2028	Lcgblncm.exe
2908	Mjqjih32.exe
4432	Mpkbebbf.exe
1732	Mgekbljc.exe
4416	Mkpgck32.exe
1468	Mpmokb32.exe
4604	Mgghhlhq.exe
2232	Mkbchk32.exe
1312	Mamleegg.exe
2976	Mdkhapfj.exe
1000	Mjhqjg32.exe
4272	Maohkd32.exe
4900	Mdmegp32.exe
4916	Mjjmog32.exe
4676	Maaepd32.exe
644	Mcbahlip.exe
2484	Nkjjij32.exe
3536	Nnhfee32.exe
2844	Nqfbaq32.exe
2964	Nceonl32.exe
4620	Nklfoi32.exe
4364	Nqiogp32.exe
1980	Ncgkcl32.exe
3328	Nkncdifl.exe
3480	Njacpf32.exe
4284	Ndghmo32.exe
768	Nkqpjidj.exe
3920	Njcpee32.exe
4456	Nqmhbpba.exe
2524	Ndidbn32.exe
3884	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3384	3884	WerFault.exe	124

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 3444	4488	4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe	84
PID 4488 wrote to memory of 3444	4488	4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe	84
PID 4488 wrote to memory of 3444	4488	4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe	84
PID 3444 wrote to memory of 324	3444	Lgneampk.exe	85
PID 3444 wrote to memory of 324	3444	Lgneampk.exe	85
PID 3444 wrote to memory of 324	3444	Lgneampk.exe	85
PID 324 wrote to memory of 1428	324	Lnhmng32.exe	86
PID 324 wrote to memory of 1428	324	Lnhmng32.exe	86
PID 324 wrote to memory of 1428	324	Lnhmng32.exe	86
PID 1428 wrote to memory of 4264	1428	Laciofpa.exe	87
PID 1428 wrote to memory of 4264	1428	Laciofpa.exe	87
PID 1428 wrote to memory of 4264	1428	Laciofpa.exe	87
PID 4264 wrote to memory of 2616	4264	Lcdegnep.exe	88
PID 4264 wrote to memory of 2616	4264	Lcdegnep.exe	88
PID 4264 wrote to memory of 2616	4264	Lcdegnep.exe	88
PID 2616 wrote to memory of 3336	2616	Lgpagm32.exe	89
PID 2616 wrote to memory of 3336	2616	Lgpagm32.exe	89
PID 2616 wrote to memory of 3336	2616	Lgpagm32.exe	89
PID 3336 wrote to memory of 4872	3336	Lklnhlfb.exe	90
PID 3336 wrote to memory of 4872	3336	Lklnhlfb.exe	90
PID 3336 wrote to memory of 4872	3336	Lklnhlfb.exe	90
PID 4872 wrote to memory of 2028	4872	Lphfpbdi.exe	91
PID 4872 wrote to memory of 2028	4872	Lphfpbdi.exe	91
PID 4872 wrote to memory of 2028	4872	Lphfpbdi.exe	91
PID 2028 wrote to memory of 2908	2028	Lcgblncm.exe	92
PID 2028 wrote to memory of 2908	2028	Lcgblncm.exe	92
PID 2028 wrote to memory of 2908	2028	Lcgblncm.exe	92
PID 2908 wrote to memory of 4432	2908	Mjqjih32.exe	93
PID 2908 wrote to memory of 4432	2908	Mjqjih32.exe	93
PID 2908 wrote to memory of 4432	2908	Mjqjih32.exe	93
PID 4432 wrote to memory of 1732	4432	Mpkbebbf.exe	94
PID 4432 wrote to memory of 1732	4432	Mpkbebbf.exe	94
PID 4432 wrote to memory of 1732	4432	Mpkbebbf.exe	94
PID 1732 wrote to memory of 4416	1732	Mgekbljc.exe	95
PID 1732 wrote to memory of 4416	1732	Mgekbljc.exe	95
PID 1732 wrote to memory of 4416	1732	Mgekbljc.exe	95
PID 4416 wrote to memory of 1468	4416	Mkpgck32.exe	96
PID 4416 wrote to memory of 1468	4416	Mkpgck32.exe	96
PID 4416 wrote to memory of 1468	4416	Mkpgck32.exe	96
PID 1468 wrote to memory of 4604	1468	Mpmokb32.exe	97
PID 1468 wrote to memory of 4604	1468	Mpmokb32.exe	97
PID 1468 wrote to memory of 4604	1468	Mpmokb32.exe	97
PID 4604 wrote to memory of 2232	4604	Mgghhlhq.exe	98
PID 4604 wrote to memory of 2232	4604	Mgghhlhq.exe	98
PID 4604 wrote to memory of 2232	4604	Mgghhlhq.exe	98
PID 2232 wrote to memory of 1312	2232	Mkbchk32.exe	99
PID 2232 wrote to memory of 1312	2232	Mkbchk32.exe	99
PID 2232 wrote to memory of 1312	2232	Mkbchk32.exe	99
PID 1312 wrote to memory of 2976	1312	Mamleegg.exe	100
PID 1312 wrote to memory of 2976	1312	Mamleegg.exe	100
PID 1312 wrote to memory of 2976	1312	Mamleegg.exe	100
PID 2976 wrote to memory of 1000	2976	Mdkhapfj.exe	101
PID 2976 wrote to memory of 1000	2976	Mdkhapfj.exe	101
PID 2976 wrote to memory of 1000	2976	Mdkhapfj.exe	101
PID 1000 wrote to memory of 4272	1000	Mjhqjg32.exe	102
PID 1000 wrote to memory of 4272	1000	Mjhqjg32.exe	102
PID 1000 wrote to memory of 4272	1000	Mjhqjg32.exe	102
PID 4272 wrote to memory of 4900	4272	Maohkd32.exe	103
PID 4272 wrote to memory of 4900	4272	Maohkd32.exe	103
PID 4272 wrote to memory of 4900	4272	Maohkd32.exe	103
PID 4900 wrote to memory of 4916	4900	Mdmegp32.exe	105
PID 4900 wrote to memory of 4916	4900	Mdmegp32.exe	105
PID 4900 wrote to memory of 4916	4900	Mdmegp32.exe	105
PID 4916 wrote to memory of 4676	4916	Mjjmog32.exe	106

C:\Users\Admin\AppData\Local\Temp\4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4518820c175a213bc8d8dbf40559e60c74dad4fa0af4dc4070411d20d3daafc7_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\SysWOW64\Lgneampk.exe
  C:\Windows\system32\Lgneampk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\SysWOW64\Lnhmng32.exe
    C:\Windows\system32\Lnhmng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\SysWOW64\Laciofpa.exe
      C:\Windows\system32\Laciofpa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
      - C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 400
        40⤵
        Program crash
        
        PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3884 -ip 3884
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
56KB

MD5
b670add7e482bbc4ddedebfd1dc717e6

SHA1
57cbd3e3953721d799942a4d0ab9f3dc3bc86342

SHA256
defe592f34f0350f4bd6fb6f16fc78a5bbb74fb89c2a1356ca5e48e777ecae30

SHA512
bcb5eb16763eae8ea93810e7b86bcc41515f2f144dde7470225191f01c2761bc551d4e748f3fcea0b859b9f933189afbe9417d27142f7396340ec0067289627d

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
56KB

MD5
008507d83870d4439417baec434b5660

SHA1
0d62377ddd81ea4a1e5f32ba2f1027830c9aab73

SHA256
6b490c5b33551221b24046df8230d421b64fba2ab7906577078d4f13a74d6eeb

SHA512
2229344a7c2a810b0d89ce1c06b9ddcee18ba129c0d073066b372176de196be64f1a0a7b6b5780d9f0d50faf2777cfc7ff5d8294f1b78456d3d4a18e7a4f2189

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
56KB

MD5
7faeb02c383e8efb5f6aac99ab1efdc6

SHA1
c7a97cf67a2bfb417248711db5924be4847f3832

SHA256
0f6a75f0fddc296b924b62492ce4d4aba6a63be8363d210034b26c8bf1b03df4

SHA512
35672a4553e7d6d5c113122d845ecd694700c55891c6769bff7608b8174be28929d28acfe1b96dbcaf003339c39fa7109ed4205a57c49da70c0a3ae0658efa2f

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
56KB

MD5
df89dc8716273ff119b2961c7c9e735b

SHA1
00300732f6e1dcdb0b324b353fcf1e1683b18617

SHA256
f6bb0c4ae71bd913f92dd2c5732360d234de241172b4d938a8e0354f91aeef24

SHA512
fe38b34fc5f104afe0e9531b0d6f1d85aa2d2214d7278db4c09056c7c25ede88dbe42e492a3bb8a7a8df68b703a20a176883d6dbcad8a7f9c6b5340e736a6e3d

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
56KB

MD5
03f8f5ab9f0987f87f98f91692df64d7

SHA1
d97bcbacd007a15c6592832311df6b5e80c23fce

SHA256
5f8f1aba8d3215f096ee778230ca65646fd721ea48ae0468233fe90ed9f4db21

SHA512
3c74d0f1c75a636951b25c010207b038924f063370aecd24cf90325e7d36f934f9d8ff4c84f4a92b215d834218b51bac7158ddd5715465759ef1e4c044a255ad

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
56KB

MD5
c6009ad9d0d25316b00040f16f3012a4

SHA1
d68462df7e6dfdf49b4eb4d5689ec540c1849043

SHA256
85455c2f048051a68cdbf5adb8ab9099a12dea21ea5e8aad281f1ca45572278a

SHA512
b2a1550de4c06fca3acd5ef549396659cd8e2a6bf6c2fe77570df7b84add85b16b4fc399f2f3a798f870c9633a806d16cda2aff4d8403376995f914859614e87

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
56KB

MD5
f8f6272a11eb715517d322d76ccc2062

SHA1
b42b3a99cb218e783170700db23602befd1775e9

SHA256
a8df812c5c78cb2facc6c9ac47418b6ef6573ff1d5fb7980d896d70049beef60

SHA512
f03c1731efa04079d5ded05836da9538fab6438f49807a21456e1351e7c9ff62dcea9277f923949bf483f923f7a868c8eb69a5797f1f0746b961459a3049f469

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
56KB

MD5
7b557944bd4961a55b0a54f75fbefcdc

SHA1
f8f26c6341784f7e2cb002eb871cf57a780c2df8

SHA256
b7e6f7533a31ec3fac4e3f9c2d9f72583ce933a4a50bb0d514dfa932092c79f4

SHA512
3c65f015096bb7f1171b77ae0b56a3183b3e771788a44ec341f556274e7c1767d108d64a35090160cc633f822da2f20bc5fdcea69f63d9f03eaa2a4d049331c0

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
56KB

MD5
4526ae647a0afc42c34d7428b163d3a6

SHA1
bb41ee4dd915a1c99ea4e909f33d51facb243ed2

SHA256
7d63442fee06dc5c00bab22de0f2e4d33314cc27a0ac5dc0196af690aa0987b0

SHA512
3d268df8871fcd552e11d2c83514bdea84ffb852c5a27edaace0f5879f3fc15d34934f7d36e60a93e50228e862e60d2949f8125c64046100290b99e43c994277

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
56KB

MD5
c32afcceb3175a477bea688d1da39495

SHA1
b384b285db8851913e6c187fa4e51f31019e04a4

SHA256
d16f1263c0f9143f59316160e46e75e254bb4e265593bda06086508989a25beb

SHA512
dbbeac6d64038b6a0b17c7ed58ff45d1d71e11ebe0e4fb55c9c4e592cad52c889ed8d0af85319f8ed7d2dd9bb0698680fec28cdd881609c65d6cf663a9929baa

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
56KB

MD5
e7a95770fa97cb06e284e62f4c79b040

SHA1
8907acde5d21c7dd808dcbd6826283eda8c3d9bb

SHA256
b1be620856b6c3609a518c2ee426a7133116fc7b170874362a127b9c288297c1

SHA512
e812b102fb064e92a7d009f719c7fd0d9805b14275ccf2bbcf082510ac27d5a397718a174cc3aefce8c794429a85edb3c9912595d3b57f90546194ffd27a0993

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
56KB

MD5
9b6cd548cd51af6003088dfbb50ffde5

SHA1
a515fc877ca52ba49ef607519ccbe29b64cf22d8

SHA256
b6c3224dc740ee8f1009bf8c5e339cafad05ce658b795818e66fbc4c30dfdf04

SHA512
e192698c56c526ffcde16d3677f6d99e80e2959809097725857e20ef0c908e53666d34a7fc4619203d870a17db5b5102ddde2bcb0257175f41a1909152801143

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
56KB

MD5
fb25929cd23b3ed58d138c9e4ce3fb33

SHA1
b9fc8ff67351feff0b2264efa8298271f33a78ff

SHA256
6539506c827b5cb31d906b799e3cedb7ed61ae3f4d938171609d113087e3aba3

SHA512
3094b0fbcab43791938a43a296dfbeb20740baee19da36edea73c893f3dddd85e7d138d78737f8658f60bce4a44613557c75764b5f1979a82b0f97e7bfc29651

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
56KB

MD5
257227f6afbe8a941e966e0e8fe3dbe6

SHA1
ad19dd7e572d207a698246980df06146659b664d

SHA256
b608c7b08bcba06ad38d9085a14e1db59bb7309e7e688c97daed19647adbcb2b

SHA512
436121c82b7f35e17c4a421f5f8f1c9ab467ee24924bf07ff419d72bbee8b6b316c566f427b8c6e0b44eb5f944c379bc7bfae00a977bc27a566bab1ff71dce24

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
56KB

MD5
7643d977e029e8976bd6e760c910cf42

SHA1
d88b73228f33a17febca9f9bdff109be34a356fe

SHA256
42d78be594c0d838c4868eede082eb1a427f43030e8bfebb7a9834b51cc5a10d

SHA512
6faf8f65c20d85543f9b4930bbbabe1b970d5fdc971a363b2cbd0c30d99395bca1115be0d0cd487097045add61eef53bb0a9c8dbd9074b21d4a80533fe9a3c15

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
56KB

MD5
bee4f0b5e597865f33120abf96d75451

SHA1
d309bb7edafe1e8fb84e0a758628ca3848742148

SHA256
248eeac78a9ff7d8cf1df85b07ac77065768e6166e0615cf863ca41de71f9039

SHA512
04c2633245168d73aab1064d9146d757145f241a8949601a2556b1a0d8f78e6ae83ec5ad48ac4876f5d153e86bf6c25ea3777a89a854bfcf509cfa802b941342

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
56KB

MD5
acdb670a04836f0002ac003d39ededd8

SHA1
e106e28d678bffaad78c5e6b08e1b5a735596bd6

SHA256
51d81babe17b6e81c3126d633aed7c356b374d19e6cbc567c3657969e277edde

SHA512
9376514dcc9dee43101682cc80166ca7d7384eab3ac82340d64fddbc9ff70e5bfd4ff89550454155771a866b5fb8ebd7a6e50a16813bb98df5f2ccd41cc3c5e8

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
56KB

MD5
020d2db083e9eeefffb00e586d8f69e8

SHA1
17088b75b0ced71c5198c528f8961171f27dad93

SHA256
5f8b7684706268e6adb455e86d09c947ff194a30e4740efabfb4adcb1ed87032

SHA512
95d5c7c720f6e6a28a9c3ba738b60596723cdceeb0d32f9c4ff93a90c76d5812a65f5b72864347b8cd4d31ea571cc455b69e93b9956fbe372186281db8874dd6

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
56KB

MD5
260042637fa46472169ab061a9196cfd

SHA1
6b0ae3e72d901092bef7af5bba0c2b6437061020

SHA256
bfb357f60161038b7c26a59a9a6df52ca8a8d8a81ca50ae5b25cccb0f59a8601

SHA512
533db65d9d03b68f021ad7c6f5614606eaf7c7412f2bae5be14b87c9971c8ba4d2265eacf2bf53fc99b8f0b22bbcfbd0956f187bdf881b0c63bf95b15fda6863

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
56KB

MD5
9d3c54ac9a045e5b6d23967209f31ee4

SHA1
0f317a0186231ce03cbb9bc59f5e2fccd8705722

SHA256
58c57c5e600a8f0f2ecceb4af08db245a591ed3ed699eb7665ad504962f2fcea

SHA512
e7176c381427b2d28da945aa2d048ec44d66d33a8ee714d05637a326389e9b0a1fc4335b3253969a6b3c932990b6851e01bf944d156ee5a290f604645358d60f

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
56KB

MD5
0ffb023de739a0fe7527430f876a7174

SHA1
7d24abb6b41226a43e53aaa8e8363d9be979c295

SHA256
bc741a43edeb161395c2b9d2d349fca32283e3b0e5add7de86d9f1e531fd6c63

SHA512
1bfd71fa8cf21b9730c537d1342d3d66dcc8d1d705ee5249efa9c7a38ba197bfe0f2b98f1b6bfdb6519150ab8fd328cabfc41caf067b0ae2e97a995d81d19631

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
56KB

MD5
6c4395b46cba8ae6ff9cdff5f425d7af

SHA1
29613542b3dad765a7da7458fdbe73a422bededf

SHA256
19ebf5b287bc88b6b8cd0536ec4118bde7c2621e3ef71ee77544e68b1fe224cd

SHA512
ad91e6f8fa0f5a67f5156d447de1ab78f888b9b42884d6472d25887f9bc33fbdc511186d93562ccc3861a68c952c91f87270deceb2e65d3d419939a0d86c6f46

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
56KB

MD5
383193aaaef9dee63826b81af24e474f

SHA1
250d507000fb6aa48d773bbf9815d1f48ef567f8

SHA256
aa3e7879bf4fb23a6f6a786d9ad3080745edc6efc22279db2b2be602a21bf682

SHA512
9c2e2995b99a27483975a9ad3d1b5c0b2d395201c56091b7ed1cbfef9f8c31fbeeec7a3d40e4e6620ef92ce088728217329beab3b68826043c2ac4bd9e1df170

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
56KB

MD5
75626ffe8eff98ced088482a5c1d141a

SHA1
f7d5aa63aef4ec5a177b4c0d919e46d39b928b74

SHA256
9f115079698e646d64401ea8e5c1b61286b2fa5f053b5a287c388ca2fa48efc8

SHA512
e6c38bdb183032f48c51d240de8fceb59826db5d8899e421465cbb626a21838d337c99d3bc5c24ccf8bfa23ba6529f59b6572b7908ed15e23bcc9d0a137543c9

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
56KB

MD5
f3ae648c3a66aa3e5e03b810a7d0cf93

SHA1
679d68d758b04c3dc587d0b9d5e40fdca5966c40

SHA256
3536eb6b6351248a26900e56331d7af6bf605c6a782c7d731e62cf8549c6f6e1

SHA512
dc22b87c4463844749af22f923efb79aa6642f43a777233b4c0e34c2bcb1a38a3ea8243a30cf9115ab1fe38c56a80a8a9d867fb1924ebac4e782eb7ca46233f3

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
56KB

MD5
c23f287173da3f54917ff6da59c3652b

SHA1
cb8dfdc558cbe10a543b1b6cdb0fb7b2f0508626

SHA256
533bc9a6e8553382998ee3cbe7fdf17fca29111dbec9a2962ab361a9a91f645e

SHA512
ce9d6deef1b4d0618f376b12a79dd7aebd00dc18c976a8354c97fbd5c92c07ebdd10b0796b4063b8ac33883e6eedc9c1337cb7b97caad42004658b2e22ba3fc9

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
56KB

MD5
d4c1a3f0956915c4056e7f49bfc71366

SHA1
d4f47eab842007e9d2575d52f637cf18913c64d5

SHA256
e3de807beb35c9c3eaf3d871b887c4ec85973ccf184b43b9cc0d94f6c97a0875

SHA512
e1bf80a211512ab3a102eede6d7df12edcac1ae07f1e9cd61e9e63f43c6d33e7a43f6482159f3fc57b6e5c115596715df1f3ec7f81baa56645c83857457d49ac

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
56KB

MD5
ecb1c9b9a74f989be1ba34d7687c4562

SHA1
774b8cf93a94768bd72ffa0f4ac242e9e402dace

SHA256
376d40d0bc5d2a0340853573ca2fc09121cf1d94cd6afdb053aebddb2a3eb359

SHA512
f4dfae93ce0f16333ff3c9a93ac9a3fa23c756eee75d4fda0434f558392015b816358fa9383b2dca2e9bd8bf6ec8dfbc44eafbaa1f723a98ffa8587c87f062e5

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
56KB

MD5
49c19b7457c68860046a687305966d58

SHA1
e16211d937728e67063d168b2324769a9c6cbd11

SHA256
a4ac46e1ebd4b7a118dd7b9e1dbabbff9c222c4305594d239708b921fff1a9d0

SHA512
92053b3374dddac21f7925b543a69d745fc38adb5cc91c11783845c1d6425371245a809115d693f746fe81a4bb8fc14565c70e0b01fe0f9e49ad6c3034dcbf71

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
56KB

MD5
6af6fb631ab788fa6f30175ccac72564

SHA1
418c52889e410bc2d989123a0446fa7749982ec3

SHA256
29211269b2d6709a5ac96301d4aff9fba29574f7ac0364c6328b218cbfa30305

SHA512
be6818bf4b43da06934fcc91c28938d5a4a1038161230d421738267bc4d3f0a1b9edf72cd51f6fb69c7ba22d4bc1cfec2ae034ae9864c7472004831b8211c1a4

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
56KB

MD5
df7db24e4f0d973102f5f729cd702d37

SHA1
37ec222f895cae15c185a9950570fa3f55b91187

SHA256
8e7e2dd52f30d6ab147b3b72e5f8e15da547ba5ad2976622d02b717d408f4670

SHA512
aee42a3d3abd044b46c3bc6c135086256bab3d50ef6ba955d016bfb008f7b9f5ffa44aa11f03d1be31d9fe44716f27334642c049f4d44088a679b7126a0257b7

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
56KB

MD5
e6e916b3d45d62e5bb6c115d36431cda

SHA1
aef3181e120179241e69531b78a948c3ecca2dc9

SHA256
27ea0123782092fd489085197952060f6c14af14e29a5dfe855ec54ab0ed6161

SHA512
eeb6db410f1f41558ba2a3457623292d8efc085a4338ce04d61e55d1c69365a0125401100a1766a303b73af640b92a14a257721d59f6bf91cb73d1f096ef93dd

Download Submit
memory/324-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/324-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1312-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3444-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4604-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads