350da7bd9fe7a2df454b2275384d4e67e9405931b48bf2d7229a1b711f18a9e0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 18:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe
Size

88KB
MD5

411af4c49c15145ad05b5fd54ad1dae0
SHA1

9355b9bbe2095fe1b831287607197311b178160e
SHA256

350da7bd9fe7a2df454b2275384d4e67e9405931b48bf2d7229a1b711f18a9e0
SHA512

0d8476a98be4f9ab0fa10c5dc51cb3c9ed55e8ef5571e41b61f2ae2ad21cf341afc16e4ff6a3c1f658e9c7eaef8fb5d2a098a87e1474f38fb5ff4bdfe4d2c81f
SSDEEP

1536:DEf8IfKUQ494S1fFYMozPWOVd3TJSfYvDtAvu2fHdWnouy8L:DI5VG3TJSfYrMu2f9moutL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe

Executes dropped EXE 31 IoCs

pid	Process
2696	Ljnnch32.exe
4396	Laefdf32.exe
2872	Lddbqa32.exe
4684	Lknjmkdo.exe
4944	Mjqjih32.exe
2056	Mahbje32.exe
1028	Mciobn32.exe
1920	Mjcgohig.exe
1180	Mnocof32.exe
1176	Mdiklqhm.exe
2196	Mgghhlhq.exe
3220	Mnapdf32.exe
4512	Mdkhapfj.exe
3576	Mgidml32.exe
4088	Maohkd32.exe
3264	Mcpebmkb.exe
640	Mkgmcjld.exe
1260	Maaepd32.exe
2772	Mcbahlip.exe
396	Nnhfee32.exe
3084	Ndbnboqb.exe
2932	Nklfoi32.exe
1864	Nafokcol.exe
2316	Ngcgcjnc.exe
4680	Nnmopdep.exe
1316	Ndghmo32.exe
3732	Ngedij32.exe
2120	Nkqpjidj.exe
4000	Nbkhfc32.exe
5060	Ndidbn32.exe
4264	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2572	4264	WerFault.exe	114

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 2696	3936	411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe	83
PID 3936 wrote to memory of 2696	3936	411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe	83
PID 3936 wrote to memory of 2696	3936	411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe	83
PID 2696 wrote to memory of 4396	2696	Ljnnch32.exe	84
PID 2696 wrote to memory of 4396	2696	Ljnnch32.exe	84
PID 2696 wrote to memory of 4396	2696	Ljnnch32.exe	84
PID 4396 wrote to memory of 2872	4396	Laefdf32.exe	85
PID 4396 wrote to memory of 2872	4396	Laefdf32.exe	85
PID 4396 wrote to memory of 2872	4396	Laefdf32.exe	85
PID 2872 wrote to memory of 4684	2872	Lddbqa32.exe	86
PID 2872 wrote to memory of 4684	2872	Lddbqa32.exe	86
PID 2872 wrote to memory of 4684	2872	Lddbqa32.exe	86
PID 4684 wrote to memory of 4944	4684	Lknjmkdo.exe	87
PID 4684 wrote to memory of 4944	4684	Lknjmkdo.exe	87
PID 4684 wrote to memory of 4944	4684	Lknjmkdo.exe	87
PID 4944 wrote to memory of 2056	4944	Mjqjih32.exe	88
PID 4944 wrote to memory of 2056	4944	Mjqjih32.exe	88
PID 4944 wrote to memory of 2056	4944	Mjqjih32.exe	88
PID 2056 wrote to memory of 1028	2056	Mahbje32.exe	89
PID 2056 wrote to memory of 1028	2056	Mahbje32.exe	89
PID 2056 wrote to memory of 1028	2056	Mahbje32.exe	89
PID 1028 wrote to memory of 1920	1028	Mciobn32.exe	90
PID 1028 wrote to memory of 1920	1028	Mciobn32.exe	90
PID 1028 wrote to memory of 1920	1028	Mciobn32.exe	90
PID 1920 wrote to memory of 1180	1920	Mjcgohig.exe	91
PID 1920 wrote to memory of 1180	1920	Mjcgohig.exe	91
PID 1920 wrote to memory of 1180	1920	Mjcgohig.exe	91
PID 1180 wrote to memory of 1176	1180	Mnocof32.exe	92
PID 1180 wrote to memory of 1176	1180	Mnocof32.exe	92
PID 1180 wrote to memory of 1176	1180	Mnocof32.exe	92
PID 1176 wrote to memory of 2196	1176	Mdiklqhm.exe	93
PID 1176 wrote to memory of 2196	1176	Mdiklqhm.exe	93
PID 1176 wrote to memory of 2196	1176	Mdiklqhm.exe	93
PID 2196 wrote to memory of 3220	2196	Mgghhlhq.exe	94
PID 2196 wrote to memory of 3220	2196	Mgghhlhq.exe	94
PID 2196 wrote to memory of 3220	2196	Mgghhlhq.exe	94
PID 3220 wrote to memory of 4512	3220	Mnapdf32.exe	95
PID 3220 wrote to memory of 4512	3220	Mnapdf32.exe	95
PID 3220 wrote to memory of 4512	3220	Mnapdf32.exe	95
PID 4512 wrote to memory of 3576	4512	Mdkhapfj.exe	96
PID 4512 wrote to memory of 3576	4512	Mdkhapfj.exe	96
PID 4512 wrote to memory of 3576	4512	Mdkhapfj.exe	96
PID 3576 wrote to memory of 4088	3576	Mgidml32.exe	97
PID 3576 wrote to memory of 4088	3576	Mgidml32.exe	97
PID 3576 wrote to memory of 4088	3576	Mgidml32.exe	97
PID 4088 wrote to memory of 3264	4088	Maohkd32.exe	98
PID 4088 wrote to memory of 3264	4088	Maohkd32.exe	98
PID 4088 wrote to memory of 3264	4088	Maohkd32.exe	98
PID 3264 wrote to memory of 640	3264	Mcpebmkb.exe	99
PID 3264 wrote to memory of 640	3264	Mcpebmkb.exe	99
PID 3264 wrote to memory of 640	3264	Mcpebmkb.exe	99
PID 640 wrote to memory of 1260	640	Mkgmcjld.exe	100
PID 640 wrote to memory of 1260	640	Mkgmcjld.exe	100
PID 640 wrote to memory of 1260	640	Mkgmcjld.exe	100
PID 1260 wrote to memory of 2772	1260	Maaepd32.exe	101
PID 1260 wrote to memory of 2772	1260	Maaepd32.exe	101
PID 1260 wrote to memory of 2772	1260	Maaepd32.exe	101
PID 2772 wrote to memory of 396	2772	Mcbahlip.exe	102
PID 2772 wrote to memory of 396	2772	Mcbahlip.exe	102
PID 2772 wrote to memory of 396	2772	Mcbahlip.exe	102
PID 396 wrote to memory of 3084	396	Nnhfee32.exe	103
PID 396 wrote to memory of 3084	396	Nnhfee32.exe	103
PID 396 wrote to memory of 3084	396	Nnhfee32.exe	103
PID 3084 wrote to memory of 2932	3084	Ndbnboqb.exe	104

C:\Users\Admin\AppData\Local\Temp\411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\411af4c49c15145ad05b5fd54ad1dae0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\SysWOW64\Ljnnch32.exe
  C:\Windows\system32\Ljnnch32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Laefdf32.exe
    C:\Windows\system32\Laefdf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\Lddbqa32.exe
      C:\Windows\system32\Lddbqa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
      - C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        32⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 420
        33⤵
        Program crash
        
        PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4264 -ip 4264
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
88KB

MD5
65f9ea97021974b2e3ca16d81bc10d36

SHA1
dbed3646acf264c106c62493717a65af4fcb9f16

SHA256
93644dd438712bc36b421d0e48ffc696cced2c7a503a483dcc416ade9c22b346

SHA512
5377f65a5732a3d91cd71d2f2566d2e63866a2fe2687a6691cbb740cf83007572aaa176516acddbe52612224605523a5bd609401c6ad8f38d925505a7b48f956

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
88KB

MD5
33aec0793e3dec235f261f8fac33bbfc

SHA1
9b3a3732ffc53783f7dfbf1db4c1ca0199811ec4

SHA256
39186895415ec0e72a567ff62a94919303af0e2fdbaa8f8943351327901ae1cb

SHA512
df0fc8d8e8a393663d06a5d26a2d2d15c9c7817b68804f87e7e36362d1311ebda54fb29f9ebc31475eef148b4f82252aa749ef5b2ae5eff41c72220ef69f5a98

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
88KB

MD5
b329a6ad9d9e177118edef0de62d244d

SHA1
624c15f9c21adb4b3919749148cb34c3b81dea8a

SHA256
2ca514583de6771ab673d57d88a5a3540ee928da3e3cd862c19c1c72613eeee0

SHA512
953bc3d25c8aa3de3e08b497a42a7ef8f3c3d31744b47d8e1ab4b8af7a3df4927a96e0f61d4d9417616b5d6f7caec1952fa0e3ed8a87a0ce7c9027a83f5a3775

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
88KB

MD5
1e2b72d0e804d6cfb6a68d626ee2b857

SHA1
8674e47d16d29a6fddd87e5e001eab999c253267

SHA256
3416050d0431dcf384f7056da272b2e2b75eea80676fbfae1ec06026ce1e58fe

SHA512
a56ad6454bf5ae4186f249dc54e54eebc21d4664ffeb3b976e28400d03da2971fe155ee96d53a38df6a44ef8130babdad06e00fa916dc78268175ecf9a9200ef

Download Submit
C:\Windows\SysWOW64\Lppbjjia.dll

Filesize
7KB

MD5
94e597cf5c9905bafda3cab1fe6b04a6

SHA1
2ea8e045ff1f99001df934fed693cc129c25b15d

SHA256
24f39269ce5f88d7e6f88a48eafdf1b24941139ead0f6e5dcb422bdc1e6e1bcd

SHA512
cb9fee7e9b458a23b199c4befc93bd92fe59fe392c08f579fde2f560ddfac1492d167d6c83653bf4b7d4058d6a651a137c1232785a987a06333e76712bb18bb5

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
88KB

MD5
aea2acf183338d9f9281ae450e44c4c1

SHA1
a8cc75ee6e665d979923e317fc5b02aa7e2416b8

SHA256
0203b8f2d27c834802debdb6e38d2693afd19f3333a6f775a397c9a3ff3b1fd4

SHA512
6c81106786c65a0d82641d0ce2bd4e6ddcd16658ab19eedbd6791e3d8d594c45560afe57193122ef38676133fc261208a6321c90b33559499fc158a00f05cfcd

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
88KB

MD5
26a0942f4d0aac8d63b3f673f5391ab3

SHA1
1a3a1ab050f80f06178de79fc7dc3971316fcfbb

SHA256
f39f48f7be5b24f2b9093c23697752ebbb9e1f0cd81288940ec8b0a2924e28c1

SHA512
41fd5a3977b7bf6b52357c7a360c6126b7758398bd99707603a6cb30db75e3e948a34910fdadc8cf30aef45ca37884a2ebf63c8d5926ed0b9ec499bd5e5c453f

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
88KB

MD5
fbcbece3ae39553091936565583ad65d

SHA1
46c8375e6a7ff47a09cdc2f0e94d704f6053165f

SHA256
2ce6c153654afc98d31fffa192d7f4fbfcb4fb3bab11451e92dacbf860136120

SHA512
7d49fc8283dab35fc4b8bcaa46309c21467aab25594cc64206e51504a3b42ab2ee42773b138d0daaede21af0c10523489ea1b928b39a508213d2004762e8fd19

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
88KB

MD5
b4fd5ded8307a19e5271d9e0fadec2d7

SHA1
d05bc2ed80775b5cb656936e8a9ae5b7211c93ca

SHA256
afeb3afb9bda167b6f2dd3bb3232ca55ff03588c8e533859f8cbdc6a4bd08a88

SHA512
29c8d30c9a17b1e0b0e35be4ad2a1af0940eff91644fbbf1d2443be970807b3d7b537dc29c2fe0d762a7e504f4230dcba9eda3f9361743829017dcb2424eae9a

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
88KB

MD5
668a051d80a4f34992ba97df2feb8477

SHA1
85d15c89d39adfa03b88f3c7d553123de82238e8

SHA256
433184314218d3da27d60779ae7320dc36241535c6f2065577f6c5a9943c77fd

SHA512
445eff3a3d3ef8c0336a73ba7bcf4a655efb313c6b36b9461ba956c3e498541ef8f8aa6df83f5a6cba23cb14e126cafdf694aa8911f7adff69528cb3ad317c19

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
88KB

MD5
7087bb38f6f263cf2d5cd96282978981

SHA1
990784e746b5d6884c8f5a04f7c1535b6e54adde

SHA256
4351255112c1cb6148b40741f3d7a1f76f4e30775e48d8e820e4d6a92b6aeba4

SHA512
59f41e694c63d80b9e0a81a98ad3e7e3f727400848c8054ac16f6c9e31cd9e73dc4133eb6c6a70186edd35fd09fd016830d746a0519ba14d98d4674f2fee5bc1

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
88KB

MD5
cee3f004ae019914202a3c4f54f432db

SHA1
dfb3ee4a186c5c5b42c0c7114a8839a2d6270439

SHA256
c93bbfcdac8aa4fa68d3664e964bc4a527c8d4b744ffb22512e64259fcc7036b

SHA512
8679705def32a42ab6e67e8d91a01712dd7ac38eb182d89f2056a69962c64ab8bbad94bb0d47f083d2fac46debde80c9b18ff6ad1c9e102c3219e1eecf78d071

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
88KB

MD5
6942cd19709cd77b18ab554cb9e800ba

SHA1
e99f675f41f02334c5fe49da7a6f9d413791cd98

SHA256
9fd4dc2a0428b9ab1982a99b4f8e661704c68e29cf0c81948e5ff28de671a0b9

SHA512
e7d3b8818085b74bf37152a522edac05f12492d1256792c5aa70fb1bd2db6b254c5ce7091cffeb6a9f0856a4965231191fff13c660ad77efe5f07de58b3bc050

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
88KB

MD5
3bee18b87ebcaccca18e444e9aae939b

SHA1
cec710e7a888757552d90b0a202aa069e94dc244

SHA256
52ca1e140fa619b77bd4c633587ca3bed0b587ff4aa1aa5354e9fa0314981b98

SHA512
14d92116c828684cbfaab8a10325e0fffdec103d0a8447391e7153fcc7474f45652cadc7f41d22937ab6c56af04c5048a1328678b5c896cc62b1154a22af4b0c

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
88KB

MD5
964881d518f79db8cfacfe756047890c

SHA1
b809d5452c72fc934d8c08ee7cc0af5bc76862e8

SHA256
575825f2e3b55e34604dbae92433428a46d40c87666b1d40bd7b5a15221757c7

SHA512
d23154b083ae2c4b55b63c6ef49444d562f2b472f2858a13df41205164c91a0ea69c9b9f09e1a63541ca49b990c7e6cdb0d83a1496a1818121a730d30e2ba56e

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
88KB

MD5
f0f1db5aedadb7b6da878c8053d9941a

SHA1
e94c7b2f649520744fb11aeeae3e854caf8539f4

SHA256
4fedad51ce20a859094a1d7d90c7a33257dedd0a4042ccc06a280e6a82c9ecd7

SHA512
48c2abcdc19d54c8cb0cb4cb7058dbedccdd12fbee892031fb5377b358be8d99d28219a9d51ed960c33e5e68238261d7377da8fdf5ad03888c924bacd95bcf2d

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
88KB

MD5
5163449f0b4808ea25bd74e16c2f6fc2

SHA1
41bf4776f9b50bf28cbc315a34e01e696c20ab68

SHA256
c6fed30be7368bf99d9f622d6fb36f7d233ab6b7c831e26f556250555eed21e6

SHA512
76f632d056496ea0e836f95d6455657ed697b0728ab8b52196a6cb9dc7b6e3f672a6660101d4d77ac48333d27d36dd85f2f6e42c19466d408ebd8a97003691bf

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
88KB

MD5
2c72fe51bbbf80170a54d569e171e37f

SHA1
9aa01465d54abb30aa8e4670794ba02cd2bcdac8

SHA256
f0dc8a45f0c25a19c51c5316ae56f426ab4f343b22211d45b13f799b1dd6cc93

SHA512
daa0caf4dfbdbe24fe07a1c90f4dd225c9a515030d0550624b0ce7020e925996bcaefce7aad0ecc3d34d23d82b6824fbc3e5848a7f637484b43cdf60536bcefe

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
88KB

MD5
e6214b17b2d07d71723d73e6df2c9aa5

SHA1
35e5bf8bf0eea10037671e203c59bd4660837839

SHA256
67950ef50e0bce24760dc33e741e4d4c600d3911d28057bc275d5369a04f125a

SHA512
9a557ab181d256743d9e0ebdbeb0013abffc59381cdd4e901482ac9c6101be0f5b518cfbf197a47e42e4bcf7c88208e9838f06159472fa2f25ef1cc7f397f0dc

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
88KB

MD5
d5b570f3a95222c232090b132792e339

SHA1
5328462716785d998b448621c79e667e1e95074d

SHA256
afabacf0923af3e61304cf8113ef51d112fa9a0cebd6d66f1391f8609440affc

SHA512
89188bb5dfb3536162c09f6242ded9e3d93ed994e91bd5c3455255b5a7525e7f6247a1a0b1c3b89f7e1619a7ecd017d6d9a750e438cee08202718d86bea28bca

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
88KB

MD5
e687819449d73e4ffac25f36010bdc46

SHA1
8dc025fcd26943b9e9f7eb28cfa82e8919ce77fc

SHA256
cf5ffcd9f89873c012794d8e93c2ebd4ae5294d78b6b8eb68a3f0002e9d5d7b5

SHA512
52fc68d62a0a6833aac3598c6230f1e9f9d7df0be76d8c5dc39065858ff53213ff6701166167bfcbaa63972c160935baa7a417565a77c37121c1506dd3e6220d

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
88KB

MD5
8191c876b213af6141f43cdfdafd1cf7

SHA1
1d25213a2b7c70da63e17bb7859f0001ce37715f

SHA256
6991e7b7e8bfde57e6b5d00f4724387927c573333d8c48acdaefb9ee02644acc

SHA512
d2388f52444844cbed1e0490cb1c1e1dd283c2fd77575e8fd917bf7698a9a491525957617445601456594aa2a4ce3f9a9a0db180beb03bc144b3efd5f819867b

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
88KB

MD5
cfac953bb13e017bad085698490c8991

SHA1
be2bf26fe77ff9eb4d1c81d1d3e2c31a8a95115c

SHA256
502f8c824e215cc877cff576b984a83277daeedfc3b7cb4ab0670a19a2e19835

SHA512
7d23064e43a229e201aab1b5f5670163f11ab3d28a3f945c64510de66d4d5b540721d975b5f744f62c37c601cd001a9c97b02e0a30e47628a5ca216431fc33f8

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
88KB

MD5
09b2bbafabf7efa877b2d0cdc8d5aad3

SHA1
de820b1ffb2306c2ba8da072ee5f4884c206deb3

SHA256
daed8c418368a001cf763355e90de77c1fe090ba265dea686ebef5970f191eec

SHA512
45e74ce1e29752a1e185ca070b8cd692b99869b379b043945e75f46465da960b79c4da757fd70a016cbd9ff288020a7f51fadc4c23eb598d8fadf12fcc21a531

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
88KB

MD5
cd0c5130f19fe980009bef555a9dd300

SHA1
50c67b927cedf60cc6822336bac0bda665471977

SHA256
ed53e519a89cc0756e49255a026b430dae4bcdf91e76d1f9266443478c9dae60

SHA512
fe953bbe29943b296cb0243e12740326af8efe703070302a6f58e2a59614cd5d8a1b6a9805c38b3ac52ee348ff24947f0d44dd23fdc368f8fc8c6a076b11feb8

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
88KB

MD5
6041819210833ae8eee7477f94938d80

SHA1
642e8e9797ac0452d78c0a4557a6b6a36bcc63df

SHA256
c612d6052f8ee0d8ccf90e40f3225446c18900af7e3cd0fd686f7b1a46e2fe66

SHA512
746af54fd0e679acaf038c7c018cf94c45acb61e2be3054e6fe479923486e3c17a536561c4c13b3f6c20a6b104c19a8d961242a04aec9bdb3f8f1b517ed36810

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
88KB

MD5
25543cd9f95f4e43daf8161f6d08572f

SHA1
0cb047973c014fb3d73310476c5fda0f9a5dc99c

SHA256
c52ae64424fd7c2aea211b8633d6cab1968b6cd7d8715461e994bca82ba8744c

SHA512
e17af8b553c6219adb713d08b2956b2bab5ccd530258e51c1702fad3d7348e106408ee4ca0bd14f67a2a7d71aaf469ab75010ef51ce311460b857c039478d359

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
88KB

MD5
e95a3752b95f4d8ee32efce7d817f198

SHA1
2d82e9f630a00d5b322a4ccf5559a7932905af74

SHA256
e8fcbf260ca924894c5262443e5d6943688050731440f63e1878effe0e561ee5

SHA512
590a07a580092fd123ce98611d121b09b45e2dd26fafacfefeac284947063b719bd37fcacfd7be10de95a4c740eb49a3891505a9a84cd5d73b9173f86e189898

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
88KB

MD5
3d1f67500d55e6001c973f0eda3dd16e

SHA1
eb00d18bdec567677ae35b45cc2dafe61620ebd9

SHA256
23c24db567e04785f09f2d1115ccd730a24feaba655c7947db602de0636b96fc

SHA512
2f4ff611629ee75978b080c43c91d25bea980ae904fa83c249fd3897cbfdebdf0ea5bce0cb62c19e02143bd635a1f09ee52a2d98cb0fc3847d63e8af86f32616

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
88KB

MD5
579e3a3b2aea8b44f8beb7c1f34da492

SHA1
62190c71d3a612b8b6dd56ab5a307a33cbc4b59f

SHA256
011f44167771c7e95763b7db0d3319c41db46a4fec2b596c802a616d28397b1f

SHA512
43d078fe856f4fe147d24f7007c3db5d13eec098ce0e5897e2c9074730e728e99d07962615109ab58a8b35baff1ea1e369b14ddf0700b4eff85f56c76c0ca4ca

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
88KB

MD5
3737464123ee675c82ef2b58f22df014

SHA1
4e8e38a7c1b262c15e8e232aead061c0abd10316

SHA256
a43942459ab8b98a390fae1dd4cee0384175a2d206f3eea811abd2af7cc203a9

SHA512
cbbc5e7febe959708c27feae1d9c2306193b9ce92f4a512aded8ea9e9d554860d0fcce144da1a117b540167ecc6f2e9daa25b7c33b29ef484eb9c11036a6e14a

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
88KB

MD5
637b35f1815cb9be83ad559383dec09b

SHA1
6ddaa0fd828140b5f52bef8878341adc4ec95a43

SHA256
bce8672b28f3a55ac1f636f96666790f8c1429f865b43d9e89dbc63d8a5909b6

SHA512
708037c5bb8723bf582eda5a8bf9f2d1adb1495a8f374468ddecd3ef38f8dde581f2f0b552cd6b6f03850c531aa1c7d1a5c5535c242d9071be4a26d1994cfa0e

Download Submit
memory/396-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads