40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe
Size

94KB
MD5

18458866fe33fa5973bb90247d92b910
SHA1

a0de3240a7560f0195fb46cc25acc330b697d4d5
SHA256

40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7
SHA512

e3b95c3f37b5685c82fbe50cc5865bfeb03e715cf99b7e67b7d585a703246187dfeaec65ba4a744e7eedbe482bb8b88e953eee337f1af7ec4caed1a851cf7915
SSDEEP

1536:BQCmcXrklH+tDMTwWi+blCRyO8ja2LAaIZTJ+7LhkiB0MPiKeEAgv:BklH8MTTi+blUMnAaMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe

Executes dropped EXE 41 IoCs

pid	Process
4468	Lcmofolg.exe
4316	Lkdggmlj.exe
3008	Lmccchkn.exe
3900	Lcpllo32.exe
1968	Lkgdml32.exe
3052	Laalifad.exe
2112	Ldohebqh.exe
2932	Lgneampk.exe
4608	Lnhmng32.exe
3116	Lpfijcfl.exe
2168	Lgpagm32.exe
2872	Ljnnch32.exe
3948	Lphfpbdi.exe
1148	Lcgblncm.exe
4168	Mjqjih32.exe
2860	Mdfofakp.exe
2956	Mgekbljc.exe
1672	Majopeii.exe
848	Mdiklqhm.exe
332	Mkbchk32.exe
1132	Mnapdf32.exe
4220	Mdkhapfj.exe
3148	Mncmjfmk.exe
4848	Maohkd32.exe
4032	Mglack32.exe
3624	Mnfipekh.exe
2340	Mcbahlip.exe
3904	Nnhfee32.exe
4824	Ndbnboqb.exe
4328	Nklfoi32.exe
3700	Nnjbke32.exe
2996	Nddkgonp.exe
3436	Nkncdifl.exe
5084	Njacpf32.exe
1752	Nqklmpdd.exe
428	Ndghmo32.exe
1680	Ngedij32.exe
2892	Nbkhfc32.exe
4004	Nqmhbpba.exe
1988	Nggqoj32.exe
972	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1028	972	WerFault.exe	124

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4468	5100	40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe	81
PID 5100 wrote to memory of 4468	5100	40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe	81
PID 5100 wrote to memory of 4468	5100	40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe	81
PID 4468 wrote to memory of 4316	4468	Lcmofolg.exe	82
PID 4468 wrote to memory of 4316	4468	Lcmofolg.exe	82
PID 4468 wrote to memory of 4316	4468	Lcmofolg.exe	82
PID 4316 wrote to memory of 3008	4316	Lkdggmlj.exe	83
PID 4316 wrote to memory of 3008	4316	Lkdggmlj.exe	83
PID 4316 wrote to memory of 3008	4316	Lkdggmlj.exe	83
PID 3008 wrote to memory of 3900	3008	Lmccchkn.exe	84
PID 3008 wrote to memory of 3900	3008	Lmccchkn.exe	84
PID 3008 wrote to memory of 3900	3008	Lmccchkn.exe	84
PID 3900 wrote to memory of 1968	3900	Lcpllo32.exe	85
PID 3900 wrote to memory of 1968	3900	Lcpllo32.exe	85
PID 3900 wrote to memory of 1968	3900	Lcpllo32.exe	85
PID 1968 wrote to memory of 3052	1968	Lkgdml32.exe	86
PID 1968 wrote to memory of 3052	1968	Lkgdml32.exe	86
PID 1968 wrote to memory of 3052	1968	Lkgdml32.exe	86
PID 3052 wrote to memory of 2112	3052	Laalifad.exe	87
PID 3052 wrote to memory of 2112	3052	Laalifad.exe	87
PID 3052 wrote to memory of 2112	3052	Laalifad.exe	87
PID 2112 wrote to memory of 2932	2112	Ldohebqh.exe	88
PID 2112 wrote to memory of 2932	2112	Ldohebqh.exe	88
PID 2112 wrote to memory of 2932	2112	Ldohebqh.exe	88
PID 2932 wrote to memory of 4608	2932	Lgneampk.exe	89
PID 2932 wrote to memory of 4608	2932	Lgneampk.exe	89
PID 2932 wrote to memory of 4608	2932	Lgneampk.exe	89
PID 4608 wrote to memory of 3116	4608	Lnhmng32.exe	90
PID 4608 wrote to memory of 3116	4608	Lnhmng32.exe	90
PID 4608 wrote to memory of 3116	4608	Lnhmng32.exe	90
PID 3116 wrote to memory of 2168	3116	Lpfijcfl.exe	91
PID 3116 wrote to memory of 2168	3116	Lpfijcfl.exe	91
PID 3116 wrote to memory of 2168	3116	Lpfijcfl.exe	91
PID 2168 wrote to memory of 2872	2168	Lgpagm32.exe	93
PID 2168 wrote to memory of 2872	2168	Lgpagm32.exe	93
PID 2168 wrote to memory of 2872	2168	Lgpagm32.exe	93
PID 2872 wrote to memory of 3948	2872	Ljnnch32.exe	94
PID 2872 wrote to memory of 3948	2872	Ljnnch32.exe	94
PID 2872 wrote to memory of 3948	2872	Ljnnch32.exe	94
PID 3948 wrote to memory of 1148	3948	Lphfpbdi.exe	95
PID 3948 wrote to memory of 1148	3948	Lphfpbdi.exe	95
PID 3948 wrote to memory of 1148	3948	Lphfpbdi.exe	95
PID 1148 wrote to memory of 4168	1148	Lcgblncm.exe	96
PID 1148 wrote to memory of 4168	1148	Lcgblncm.exe	96
PID 1148 wrote to memory of 4168	1148	Lcgblncm.exe	96
PID 4168 wrote to memory of 2860	4168	Mjqjih32.exe	98
PID 4168 wrote to memory of 2860	4168	Mjqjih32.exe	98
PID 4168 wrote to memory of 2860	4168	Mjqjih32.exe	98
PID 2860 wrote to memory of 2956	2860	Mdfofakp.exe	99
PID 2860 wrote to memory of 2956	2860	Mdfofakp.exe	99
PID 2860 wrote to memory of 2956	2860	Mdfofakp.exe	99
PID 2956 wrote to memory of 1672	2956	Mgekbljc.exe	100
PID 2956 wrote to memory of 1672	2956	Mgekbljc.exe	100
PID 2956 wrote to memory of 1672	2956	Mgekbljc.exe	100
PID 1672 wrote to memory of 848	1672	Majopeii.exe	101
PID 1672 wrote to memory of 848	1672	Majopeii.exe	101
PID 1672 wrote to memory of 848	1672	Majopeii.exe	101
PID 848 wrote to memory of 332	848	Mdiklqhm.exe	103
PID 848 wrote to memory of 332	848	Mdiklqhm.exe	103
PID 848 wrote to memory of 332	848	Mdiklqhm.exe	103
PID 332 wrote to memory of 1132	332	Mkbchk32.exe	104
PID 332 wrote to memory of 1132	332	Mkbchk32.exe	104
PID 332 wrote to memory of 1132	332	Mkbchk32.exe	104
PID 1132 wrote to memory of 4220	1132	Mnapdf32.exe	105

C:\Users\Admin\AppData\Local\Temp\40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\40c90fc046babfaf0bab54dcfd6cf80b9fefabbb481d88c1272b6e30941ec8a7_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\Lcmofolg.exe
  C:\Windows\system32\Lcmofolg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\Lkdggmlj.exe
    C:\Windows\system32\Lkdggmlj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\Lmccchkn.exe
      C:\Windows\system32\Lmccchkn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
      - C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        42⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 400
        43⤵
        Program crash
        
        PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 972 -ip 972
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
94KB

MD5
478a2aeb24434ff055d26fdccc35613d

SHA1
9fbafb1d9cbde81d2c45b374008ad51b55caa7ff

SHA256
8e7bf845cab66bf26c35723456ba26586f68b7fb9293d337be161c18604806e9

SHA512
acf4d62bc5607c481d3867f9661accbf6b6170d5a4fe0328739525b81e2510a3fa0d487e4d9fa9f6056bbe92e29b360e48ade4457c1617631df514fc259fd42f

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
94KB

MD5
c875d7f8812b4b4f59f3a155e41f1084

SHA1
f77c6f6f5433dc3a8572a102de4aff757fd2536a

SHA256
170e17b812aed7a2dc26bbd59ab9a74fbe795c683ff6b59056c3a088a3df59ca

SHA512
5baeb9e59e904e3c7cf5899a5c923af0896d801f50051541a85463eb6c1261500792a9e3aecde411f881d2c62cb53648accc59b7fc20a9c39a824897bcf2f73b

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
94KB

MD5
2ad20519d84dded868cad5bebe5ed7d9

SHA1
976f6c3ce6f40c0458476b34e8a476997a28172d

SHA256
443a7cadeefbeac38ffacbf7c71adffb6f9d62e73af0c4337e69f012f17bccea

SHA512
5bcd721c28b9ec864a3b07ef39cfd07a7b4ac58a3755527ceebb86e1c08d354a3d914b2317197ec08525af3cad036efd0050d53513496f08a59f3fd1daf95ea9

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
94KB

MD5
7096de16f17ea79b01f16cb18b3b2d0f

SHA1
9e4d0d237aad7a7e0c93b8ea4a51c6a2c7c878ca

SHA256
ee66c514103970bb76be11754a7c9c70facd6b7e0d43d4e972532e5c4d5e6e80

SHA512
0b000f35604bc7022247e6b66e48b23f2e81f29d12ee5dcc5e71eb635141b31694436f77ad5a72fc6956bb84b34f804282e4a37da93d3388fb1a2f02471fa0fe

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
94KB

MD5
daa7c745433fa96e082ddd976873ad32

SHA1
ab55e09b903ebbdcba4136b2566e911ae38bb5b7

SHA256
eaf096e4af7e1be46098da319d0e40a3f86689d4fb746edf35fbdf7a968d0baa

SHA512
bfc88e4896dad5a0beef1ec9d5f76db94b22889cf000b431a90500a1d6122c221d3c7cceebd2b906751552b8ea358a67b4aefc55dc57d1d9be8430b454d3b408

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
94KB

MD5
a344154ed9af4bf1e52f1bd7a1261b7c

SHA1
e1ecec61161c2dda2647296267ca587f896e7085

SHA256
33b75ea0854c70027520e5ea30344203169724ca9f9ac58b8c24cf85b83ba507

SHA512
254e2e00644aa977a44c5661bc80d6bb2aeddfa89cc57595c50bc9b762a1f042911e9314088e6d6dd4a20fca5f357fcc9d59834d4e5997d1f2b83d8f2c808d2c

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
94KB

MD5
9fbb0f08fa6e36087c068b45e531db23

SHA1
8bf089370188b390c6785f5fcf89070663bf2d2a

SHA256
da5a04bf104929793e5d5706616fb1ffdb717e9f7003de1e25e2cd9c79a197b4

SHA512
91776c940a4e1cab96af402908aa7be3e6b82838449200412453f95460e7037a3f4ff30e5148de15a8d57b20ebd72ee3f5b85446452d266d0c7843181016c50a

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
94KB

MD5
d5f2743a7856e5e863c019caaddd4a76

SHA1
dfb558b7377df3d7f3c59973dee99b05061ee39b

SHA256
c0b767be3cb37bf69c4d6e64bce82ad0544f0c219831c1d0bcc3e198cdda7fa1

SHA512
7b19bde26fbb83a01017747f78ac371e2666ae0023aa8c6e7a1a3a0dc861ba443b10627f6ace9e14993f9d1d66ba3647ee83b5f7fa68767dbef0ef05dc547146

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
94KB

MD5
ba20e5db518c874b23ea2040b7df835b

SHA1
085d0031bdb1d829142e49e578a997926e9a0393

SHA256
1d07cb8f14237e0a9f3ffc4baddca7973cfcf5e15cbcc429972ec28ce4bcd170

SHA512
4d840c522120162375ad91ad037a06d494b8dc10f1a558fd86242670c5613dc45f0a372021336e4b0dc05089efc48f64d19b539eecc086449b4bcdea5d2fe976

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
94KB

MD5
0440e6072e5e40556e6de222f16bf74a

SHA1
3656beb6c340305196e7557569506da481431262

SHA256
f943b200d96d4c71ad64a3ea0877df4d334f4fd7d5bbd7a58261fb61442bbbc2

SHA512
e5077e27a9c2143feca9b7bcbe1bd4e7c7b32a6e30fa6256a7f000afdbd2d2a1fd8cfa8a04bbcc21a03ef802c1080037d99fbb452b376630e8cf8430e1d8bf47

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
94KB

MD5
be665648aae5e07a7855bc5b9c671774

SHA1
37ad13cb41b605636a7ba7d56b598ba8b991f4d0

SHA256
6dd43a7decbaf7f8acd91ae4e98e0862fc81841b6c7347d26df489ec20569efa

SHA512
be8a98b72cd2366f97ac695f6df425866e23f46f4514dc57d8709b268113dca5002d7c96ac9a521f946bce4914a801a9058de390f74374633efa8586dd038400

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
94KB

MD5
30e5df6b0726d4695fda82fd9b69d5bd

SHA1
3dbc3aa0aeaef5e7d36eb97026a26420e29e1cf0

SHA256
a6c1115e25dbbcc08d7fb2da740d350eabd01946a2fa5391362e0d971f675dc2

SHA512
c1bef8bbd733f88d325be50701d10a845bfbc136d6896c3d9a389044b22a7ff0ac2da8e0a1099c5587b2dfdb3f754bd4f515637dc20599bc4744c066a50a00fb

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
94KB

MD5
31ff570de390683282fd3b923fd0ed37

SHA1
e4a0d9df8458d1f8fb85cad4b5cac95a09b8526c

SHA256
c3190c074f5b085a30006848716cd29197b56aaad51585e58b47ee0f3cc7344d

SHA512
681addb90080f2aab3853a09eafd3366920e0f8653531ba8d12c2ac5264424e07ad6ce52351a0b4b302f1c592b1bb966f7b0eeee5a89af8ae802cb0211c1c23e

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
94KB

MD5
24856412e710ef16ac10cce04d814f23

SHA1
39c36dd866a7951eda5b2e04fd3c2e984a39c11e

SHA256
8e52e4d9691c243648e1f13b9dc44c941351412ddb9fc9acebde1c6022cc4bc1

SHA512
2085ebc3417c01e1ed6ea6d0b018966a865375b47fa89e4d02a9d208a2933ad9d11d1c4b0cc58d7f55c45a8245cdabe3ac09ea6481a7d32973bfe2d021ef0d28

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
94KB

MD5
5a830c1b6d786d8a364092749c411b76

SHA1
d91dfee381a79861c90884395dee632cd65418c9

SHA256
6a28411810b5533a39ec601e5f21e3a8d35ebfb7acfec3f37843b13da713485e

SHA512
684bb6843e96a43c282ae21025c48f393fb0ec0c133be0e245cdd56b1a9ec0cf902209500930acad1c324af46a01c89ea4338d87646e11b45328d2846352dc41

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
94KB

MD5
6baa8a37a967133aa331f129f1ca9694

SHA1
7322d28f350491564b713d70dff199631b546b09

SHA256
3e2179747b8234001ed2764a595f9c77a59ba0fccf337fea25fc48c506c473fe

SHA512
fd86773e313cfdb469317f4bf710ddbecf33eb888d7470004f3fa899f42a527153284c1c410f9af6bf7ee9a05de003f775ce1a031d757fb8080538211375934e

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
94KB

MD5
1d8b070fdd8b9e3d0b4592b8cacd7153

SHA1
a7c43c8ca00b63722dbe25c1541f1d909fbce9c6

SHA256
3e470a345cddb177ee8418eaed6be7c6473ac49e1e5a8a6fe378d298437d1d3b

SHA512
aca5de7332b1885e287228e39a674c7a45ad980fa0e635baff93caf1947793d7426a8948a0220700a646338bada337490d78e6afd95adcf4c1f55e8c8fa64583

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
94KB

MD5
6ff3e85cd51ea71bf57e48910e12ef7b

SHA1
a6eeb63f3a9cc732ebc3bf3a4ff0becc683cd36e

SHA256
8fabafdfcd0463535fb5d95ecdcbd49c38949aaa7b4c216366e9604020ced082

SHA512
0ea9944d9b519fe626f6b294c84fc3d59e55e498821adfb081ec92521b126d76cb193ecb8321748440170b3cb38bd016c8f493b8d58054cd1321d454aa9bd14b

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
94KB

MD5
c9b2b31a61769c752fdac1c53a3a2be3

SHA1
0de04956fe1b33cd698fca6915ce0502cc7d3d0a

SHA256
0dc7ed9281b08037f26646aca6acb94737c023972ea6bfa9b979a9216d907089

SHA512
7267073aac38da2835075f28a55c185af1b99f4dcf034fc5a625a16f152fbdacb795cc185f50e6474dcc21e674bd0f3c5a577b728dedfe53066e19b86c06ee07

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
94KB

MD5
7133152b37d01874bad0dccbb3f54d16

SHA1
194558da06485ed6214c544f5518a5aeb9249796

SHA256
5ee0c46f6f0ff72dd1fa60ef5a17e66d28294b5f59c1d65872a24a2a06ac9981

SHA512
f1e1026aa23b7c7e5e892d2bb7204da62904023834f9f640708f86cddcfc0af87307b57eeb5dd08fb4fb5b521cc220cf8df27b6c32124cbcee568169b486ca82

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
94KB

MD5
ca09769e381cb4c0f50a462973f38acd

SHA1
1d944355a6c65a0dfb316963c2c747603677b325

SHA256
95b516f9a5704604d4f144c744a417a5b887ade0dfa1c79338c1c4b22cfb9c61

SHA512
b5bce60bbb4a15c19416e0353d303fd8869e511c579d6196c68781f18266e0f1c16f07f363a482ccb85822bdf94f2f478d7c4cf98917c10e5fd17e70e705b42f

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
94KB

MD5
5aa0fe618b125c4bbc0dcb4ae3a00b78

SHA1
db33b40e3a946011a31d8fb8cb62daea03783376

SHA256
66f922c202880f32eb19cd205f8be5bf1408d2dcb49aebf1ed66cfae254cacb8

SHA512
438f73e4bfe09f14f798d922da58e8529696dd33da9c3f03d7101267ae52c38943122a427cfc38f113a010d92adc301272476aedc8f7bab34d99e910a654d1ef

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
94KB

MD5
1ed517f8b4b3e0dc779f85393a081e29

SHA1
de76bef6bc5336f01f86ca2e8c2195d2aefbd8e1

SHA256
db38b6a857e5909bc8378a177d9b9edce1e1b4a68c6da0da572ee708b5d25b60

SHA512
b5e9d22af2083a490da1f4b2be2e0126a45289716a2113d92b6642426a11611c9af0cf4a71e000f8885976075c51ea10a255069d6ad9df96b32f1e926ed365c0

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
94KB

MD5
84b9637d23fb77986ad40bf3e523c8b3

SHA1
421974609240ed52f8f3001ee80088c7fada13b0

SHA256
2ca11a3d0299f0d1fc59bfb9a22a496adc55c290a0465f145543181e472547cd

SHA512
330798da0ca4465685e2b96f74058c177c2cb2704747cac239041ec2f7cdab5a4e400cf21d4b0537a938c32feeba4d26754ef06b0b9b348cb7552714453eb15f

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
94KB

MD5
8756a111f4c135b6d150bac583c7cbbe

SHA1
2867346eb4812d5a183760d0a5f27c531d77753e

SHA256
3ca2de0e87aa999a3f7a0f75dacfd651504b329ea0af90ee2bd7e30bed8a5f2e

SHA512
d6abc5054fcbcd2f3d79c8a16c23d1f4bbab9332e9c393ba4543ed6640f25457971a8e2c7ba9c1828ca8f53e6e4093c9ddd9c852053a1ec49fa540e39f19ae39

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
94KB

MD5
fdcdc3e96ccca164fe253c9acf76e517

SHA1
01cca7c9415b8a09d923b6423c82449a93749cd0

SHA256
9b9eef5db2d10eaf74aee922b83c5f0bcc1053f7c0f9fed8b0a0ee5af5a6ba3c

SHA512
649b4fb21ad532ebb779a975cddf1718661bb849cb74ea2e9c19529fb8a06b00ae9c6ea9b90c967ccb177de0688cd623d0da0778ddb1075e9fe678f9cdeaaac1

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
94KB

MD5
c9c2a2f35690c6e5a9cb97448f37cd12

SHA1
52f6d3ca54ada2530f57f4c851bb6182551d6bb0

SHA256
9c5652b513257970e54c95f7974ae872ed4ac77906357d6b57189f7704d65a9e

SHA512
7e7d57161518d2da606e83c860f15b25b7f958e19725ec8548e6e6eed3da0dfb06cee4ce3dbbfd0341dbd418d6ec21b7cbd4cef780a5c3117e889fd278d70832

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
94KB

MD5
508954a5ffd99c7fec1e4c5f3df0e3b7

SHA1
9ce1364a87326611bc7d92e1583eb7558cef75b0

SHA256
23cbcf57283580cd3ea5583c49c27cb79a9e365338f5df18b3e567a5e9b52033

SHA512
ea7beabb7923569b75c24bf27695a8cd0c787851b70ca6b2d7533219e61b286f0d46df26ef263a33e1ec9b60538ab311e356b95ad56ff47f5582624560c99421

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
94KB

MD5
584c8ccd4f83d99d9c8fbfd70d845ce3

SHA1
f03b26100ee3035474f996b13f2fa3fa5918e031

SHA256
ec4fd13cc5c297442f33f0ec1d6610980abdb0ff8fb15fc32a8676754aef095c

SHA512
ff5ac488b3524c16af221aeb0a931c129ad279f7b4228067926a4cd91eeffa3e6d3cadbc8f62a3e62e75844e35427755d3ed4ea2f2b8ff18ce3d9fd6113b086f

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
94KB

MD5
2115941148d30d52a9ed1080db194927

SHA1
8e90ecceafde5e5080ebca89ac7798a0ffe758f1

SHA256
fa5c40afe58b07f0057ca490a33324d3eb36e07e2422e70e800ea27c305c690f

SHA512
2638b16a431d0f0cf8e117193b8babceda6f174df4d34429696da04fbd52110f95a59be38d79d0c6fcc2b8dbc408eb4f5bfcae3926279c502ef96a01bfc6fe0b

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
94KB

MD5
66b172cf445b6c2a63487c5402915ce8

SHA1
67a8b7ba236b584330fac8d989c09c067bd6d44d

SHA256
c0b6d038420e90560ac52ffc6fb9ee6909d2caf8b37287b7c6d17a3e59418383

SHA512
f770d7adcd708dd98539e085bd8d8e68a32d9fa1084eb03e6a38ce3c6b7df1f580d8a1e3d759d7d81db6598a99f748ea444c9ca64a1f2d0b5381ba95598044f4

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
94KB

MD5
155432308199d2c454e2bbf4b5c93532

SHA1
c1fdaa7a652dd1a5194081e83eb59e8df6b39205

SHA256
38bf21a58a3f0cd981e673c11bf8ec9caf3e6a326b583e4d978a97f0759d773c

SHA512
7c3075a8eba395f0cc712eec7d2a3d4b9bbc44f947c9d8ba021cd35d78ae74a6ab55bb9f7e0b56e996bf6749510adcb584fbdd2cc3bffd74ca851596f28650a5

Download Submit
memory/332-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/332-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/428-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/848-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/848-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/972-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/972-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-185-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1148-210-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1148-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2872-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2872-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3052-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3116-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3116-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3148-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3148-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3436-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3436-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3624-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3624-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3700-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3700-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3904-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3904-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3948-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3948-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4004-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4004-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4032-221-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4168-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4168-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4220-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4220-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5100-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5100-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5100-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads