57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe
Size

89KB
MD5

f402f3bf2d138eb41aba1e011d5fdda0
SHA1

26a6dafb91ecc121b48fa66a9e6b26d06300ace2
SHA256

57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42
SHA512

260261ddc87b57f6b47131dbb9ba7459831b4f07b022a7d02fca7c9255f730558a63e8e835ddfa26e96be526be0a211619185766c5989d9b9f76a3ad4b125945
SSDEEP

1536:tr/p7o//Vk3rJ1+JnIf6FDUN4Q56WvvqEGJ52oc3blExkg8F:voXVIFqno6rFUqEGJMocrlakgw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe

Executes dropped EXE 45 IoCs

pid	Process
3224	Lddbqa32.exe
2424	Lgbnmm32.exe
3824	Mjqjih32.exe
2896	Mahbje32.exe
5032	Mdfofakp.exe
3536	Mciobn32.exe
3000	Mnocof32.exe
2928	Majopeii.exe
3600	Mdiklqhm.exe
3540	Mcklgm32.exe
2852	Mnapdf32.exe
3368	Mamleegg.exe
2444	Mpolqa32.exe
1016	Mgidml32.exe
2988	Mjhqjg32.exe
4112	Maohkd32.exe
2332	Mpaifalo.exe
3284	Mcpebmkb.exe
3096	Mjjmog32.exe
388	Mnfipekh.exe
2280	Maaepd32.exe
1140	Mdpalp32.exe
1004	Mgnnhk32.exe
3948	Njljefql.exe
4116	Nacbfdao.exe
4720	Nqfbaq32.exe
4736	Nceonl32.exe
1952	Ngpjnkpf.exe
232	Nklfoi32.exe
5072	Nnjbke32.exe
4552	Nqiogp32.exe
2388	Ncgkcl32.exe
4504	Nkncdifl.exe
4224	Nnmopdep.exe
4520	Nbhkac32.exe
1364	Ndghmo32.exe
4008	Ndghmo32.exe
4660	Ncihikcg.exe
2528	Nkqpjidj.exe
648	Njcpee32.exe
4344	Nnolfdcn.exe
520	Nqmhbpba.exe
3468	Ndidbn32.exe
3552	Nggqoj32.exe
1620	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Bdknoa32.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4672	1620	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 3224	4524	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe	81
PID 4524 wrote to memory of 3224	4524	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe	81
PID 4524 wrote to memory of 3224	4524	57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe	81
PID 3224 wrote to memory of 2424	3224	Lddbqa32.exe	82
PID 3224 wrote to memory of 2424	3224	Lddbqa32.exe	82
PID 3224 wrote to memory of 2424	3224	Lddbqa32.exe	82
PID 2424 wrote to memory of 3824	2424	Lgbnmm32.exe	83
PID 2424 wrote to memory of 3824	2424	Lgbnmm32.exe	83
PID 2424 wrote to memory of 3824	2424	Lgbnmm32.exe	83
PID 3824 wrote to memory of 2896	3824	Mjqjih32.exe	84
PID 3824 wrote to memory of 2896	3824	Mjqjih32.exe	84
PID 3824 wrote to memory of 2896	3824	Mjqjih32.exe	84
PID 2896 wrote to memory of 5032	2896	Mahbje32.exe	85
PID 2896 wrote to memory of 5032	2896	Mahbje32.exe	85
PID 2896 wrote to memory of 5032	2896	Mahbje32.exe	85
PID 5032 wrote to memory of 3536	5032	Mdfofakp.exe	86
PID 5032 wrote to memory of 3536	5032	Mdfofakp.exe	86
PID 5032 wrote to memory of 3536	5032	Mdfofakp.exe	86
PID 3536 wrote to memory of 3000	3536	Mciobn32.exe	87
PID 3536 wrote to memory of 3000	3536	Mciobn32.exe	87
PID 3536 wrote to memory of 3000	3536	Mciobn32.exe	87
PID 3000 wrote to memory of 2928	3000	Mnocof32.exe	88
PID 3000 wrote to memory of 2928	3000	Mnocof32.exe	88
PID 3000 wrote to memory of 2928	3000	Mnocof32.exe	88
PID 2928 wrote to memory of 3600	2928	Majopeii.exe	89
PID 2928 wrote to memory of 3600	2928	Majopeii.exe	89
PID 2928 wrote to memory of 3600	2928	Majopeii.exe	89
PID 3600 wrote to memory of 3540	3600	Mdiklqhm.exe	90
PID 3600 wrote to memory of 3540	3600	Mdiklqhm.exe	90
PID 3600 wrote to memory of 3540	3600	Mdiklqhm.exe	90
PID 3540 wrote to memory of 2852	3540	Mcklgm32.exe	91
PID 3540 wrote to memory of 2852	3540	Mcklgm32.exe	91
PID 3540 wrote to memory of 2852	3540	Mcklgm32.exe	91
PID 2852 wrote to memory of 3368	2852	Mnapdf32.exe	92
PID 2852 wrote to memory of 3368	2852	Mnapdf32.exe	92
PID 2852 wrote to memory of 3368	2852	Mnapdf32.exe	92
PID 3368 wrote to memory of 2444	3368	Mamleegg.exe	93
PID 3368 wrote to memory of 2444	3368	Mamleegg.exe	93
PID 3368 wrote to memory of 2444	3368	Mamleegg.exe	93
PID 2444 wrote to memory of 1016	2444	Mpolqa32.exe	94
PID 2444 wrote to memory of 1016	2444	Mpolqa32.exe	94
PID 2444 wrote to memory of 1016	2444	Mpolqa32.exe	94
PID 1016 wrote to memory of 2988	1016	Mgidml32.exe	95
PID 1016 wrote to memory of 2988	1016	Mgidml32.exe	95
PID 1016 wrote to memory of 2988	1016	Mgidml32.exe	95
PID 2988 wrote to memory of 4112	2988	Mjhqjg32.exe	96
PID 2988 wrote to memory of 4112	2988	Mjhqjg32.exe	96
PID 2988 wrote to memory of 4112	2988	Mjhqjg32.exe	96
PID 4112 wrote to memory of 2332	4112	Maohkd32.exe	97
PID 4112 wrote to memory of 2332	4112	Maohkd32.exe	97
PID 4112 wrote to memory of 2332	4112	Maohkd32.exe	97
PID 2332 wrote to memory of 3284	2332	Mpaifalo.exe	98
PID 2332 wrote to memory of 3284	2332	Mpaifalo.exe	98
PID 2332 wrote to memory of 3284	2332	Mpaifalo.exe	98
PID 3284 wrote to memory of 3096	3284	Mcpebmkb.exe	99
PID 3284 wrote to memory of 3096	3284	Mcpebmkb.exe	99
PID 3284 wrote to memory of 3096	3284	Mcpebmkb.exe	99
PID 3096 wrote to memory of 388	3096	Mjjmog32.exe	100
PID 3096 wrote to memory of 388	3096	Mjjmog32.exe	100
PID 3096 wrote to memory of 388	3096	Mjjmog32.exe	100
PID 388 wrote to memory of 2280	388	Mnfipekh.exe	101
PID 388 wrote to memory of 2280	388	Mnfipekh.exe	101
PID 388 wrote to memory of 2280	388	Mnfipekh.exe	101
PID 2280 wrote to memory of 1140	2280	Maaepd32.exe	102

C:\Users\Admin\AppData\Local\Temp\57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57c1a9cc3e8d2d5a48065bbee66f4af794e69f28c914b15fa75c65cbcbfd7e42_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\SysWOW64\Lddbqa32.exe
  C:\Windows\system32\Lddbqa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\SysWOW64\Lgbnmm32.exe
    C:\Windows\system32\Lgbnmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\Mjqjih32.exe
      C:\Windows\system32\Mjqjih32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:520
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 412
        47⤵
        Program crash
        
        PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1620 -ip 1620
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Flfmin32.dll

Filesize
7KB

MD5
eba5df3066404b0219c7625ef932874f

SHA1
78f942ddf0397607fba2a71593701c920ccbdcf9

SHA256
a4baec2c3ad5fa70473266054338719251f61e2614d3f7705ce851a442140749

SHA512
59dc80906f3f28bc22068485a3c791ddb43df98a02e9ea26b87d40e72af3efa81693c260e371eca534506871ffcf384c883369c3536fbf8f71f370109b1e96d7

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
89KB

MD5
e8db6fcf74142cebe7d5bc04df472304

SHA1
c2891e997d3a872ea2143f84be35081882ca27de

SHA256
2e204b3c8f831060437ee081d086650d4cebf6080bd12718282d50d392e660ed

SHA512
d33fae77035fe754cc395f6b159af84aab7f91b5acc4b85c0fad1014cb797822955ad8e192aaa3b9999befd58ba2f3f2c01a0dfbe0a760603f5475b3c9e7a84d

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
89KB

MD5
1a8a9ec49d4df5d84322990ce4661ee0

SHA1
fd9b3b272e5f020a12b3bfc9023db2cfe2eb64f7

SHA256
e2b5279176f0bf0e94a90222131be67bab57f638f54f60ec2fe616160c22a4c2

SHA512
aff5e8bba1bc660940480c16f648a3d2ffd02d9460726943fd703ea8f06416452ba8478cd22d2bc558c9fd7386d47b4ba13075b497d87c1a5b3e71c5d5b44e65

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
89KB

MD5
bf3f9cdc6ef1739aa878399b27374dba

SHA1
a9aed92359d13eb4bec81190934173ec6bc42c1b

SHA256
b2d223246ea1f498c03009329de49a9a9a683f46435b98ee69d4abec64e88b9e

SHA512
3fd250afe457555224f20ac9f74f5e28c0647308e08c485cdd30de607b08849c2755f64bb45aae0a0d4d57857a481085b3b94ffa2869615bbb43ba45dd59f59e

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
89KB

MD5
659a71b0d98f9741db1442a97dc6770e

SHA1
f9161e03c357a7cf5ce90c61730cd7bfc5eb7d15

SHA256
6927189b49213a6d26179602945d803778ee63bfc58ea2603df064f50d7a7ed4

SHA512
0a7ba36858344f5653d5a5e96618a64fa4ab60f3604a5a1604f16f630ed9f2781584b63d4fda862ff28d3dc734f68aae3a4beb49f38ebdb5e5c6d00031f37a92

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
89KB

MD5
692ceaf1125c8b0c391ac86b7a08b68d

SHA1
1d8eaaa2d0b679018e264b558e43a2604969d22d

SHA256
c68547dd988e843f3caec5d09b90397ff9ab3e83ea0eda4c93d4b24b5dd8e495

SHA512
dd6f8a43830583ee28397c5034e66f3a5dce3d968d89bdfe1676aa5e19f367c456d684cffe6cd475b1fca786324e7cc4412459a9adce18a8f690b6c31ea8fd4d

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
89KB

MD5
332c7dda03230a8d4395546e9381f16b

SHA1
cd5f082eac4416e07ebc43da5340d7b130d6e99b

SHA256
5eaed2b5ecf60f1186f62489b03e9297f3999e79ddf3ceb9be87c7c240307cea

SHA512
4dfff2a82625c3c216d2d3e861e0406de76d980c3d8b4f6202fb7692948d16bcff826f0f5e6d7d6f903f4dc30e32b5d5ee9e9062bccb2c37120bb3f035fe31e5

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
89KB

MD5
c92ae6d644743f47ee7e32a9b8318a23

SHA1
18838b967cd9e29df9ce89769892a16d45b005e9

SHA256
8cf5eeb24445e045b653babbd4ad6ecef721017bee9ecc1150cd0a13a0623045

SHA512
470128a91c6998e2eb1fc1a6981d37d4cb85f4c34b360f2eef456ca1937758e89d823440197504c7252faa793d9f2daf642084f22d7b7f424dbd399b532ae599

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
89KB

MD5
863a7828a5b2a0e08ec7d8c84546102a

SHA1
8983dbba6194bd45e8a21517a5bb3fc20da94998

SHA256
89bc1039861232ebed82a584dd7b6b707197ba650da091da32d445273bc180dd

SHA512
9a4a6b38456918937be3c54a23aae9d31f5a3619bda793ac1e705b0d9ba70ef4627bd27597d3051b8cfe2515439bf385b1f2fc7b4e26498eec7c2f79f49e570b

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
89KB

MD5
05863947c61109dfb92ec8111608559e

SHA1
265cd7b42aa9f43ea862c1b91e8dd485ccb7c66d

SHA256
e0be0939a42c71485a03d2e02a3eba7a1caed6e66e7cd261cadbe47a5477852d

SHA512
22f1aad63729178f65d77f47d1569fc6d0cf5022ef7ba0d320c76e7086378e1461061093efc4c4572274540b4ed45a39290555b4497eab8c71441e21a00ca468

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
89KB

MD5
024ceb92cd065f39150cffad5e8b7c80

SHA1
8e62dbedacb2cec92f3ee81bddd81f9cc9dc26e2

SHA256
547f27dd733ea2c713f9e85bbfb7579e7ca69945123c48f4340757e4d419b425

SHA512
a5269f417d6c4e9c278dd52a43df536471e05a682f80f31d1fb91d40047848a7715674933ddfb1d9338f9062154058960627eec79296c99818689d684f03b757

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
89KB

MD5
4b9e4e4880dbc3c00e487cc4baeb35e9

SHA1
29c9e20e0e5ccad0c0754e1ac07e24d297f7ab73

SHA256
0499cd6bd624a1c883387f2fe42d48692924481935978c2077f19dd95d2d0fbe

SHA512
53ab0b338db4cbac54e838fa2c1b00c287a96fb8936204f68861dc75c3f1557ec858116fb70524e27e1e8924ca2583f53cbff2ecb17a7edfd537a57c69199191

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
89KB

MD5
64dfca58428cfda929ab62add06b61d0

SHA1
548d0a28de143ea217d051eddbc509187ef9ccdf

SHA256
93a148c32826f2542948083dce9db78e6a8e18618447cd811ef10bea70e0c13d

SHA512
5fb47470ec3132001b61622bf34f6354e18c9c53423f087ce2491fe9b56593a69c595c2a94871299703f7550e43341a965ef61d71d4dbae26fd349ba0ac85da5

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
89KB

MD5
a4a38aab93d0f3e468a75f9307d22afb

SHA1
40d6195cfe6610318fbbbe4c17b9e4e511e76103

SHA256
2f4f613d676225044d5585b4a0a7361009afbdccae47c5d3d2c2dd777a86c6f4

SHA512
0930bb558e9be4aaf3267b17d178afac466b0722828b815ff77ac79efc1e142f33132cfbb8a9a2d9ca37b8bcf634f29812955847c6e556b43106d957826c9035

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
89KB

MD5
dd74a25339d8245d4e86842688af5e9a

SHA1
ac65260029692daf32d091ada005f51b2e0bf249

SHA256
45e2943f4462a5853481f8c1e3268539c72771e67a2730a004478d9ff902e7bb

SHA512
a4fda180464e9c8d9d1cf256e245e2d5a9a4bdfc40ea9b496a35fb35a0341fa4cdce762d7331742c0c114c89f0143f48073d34c32e0d255e95247a61c131d18a

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
89KB

MD5
4ba04fd7e0d19c60189ae5f839db53ea

SHA1
fabd5563c15510f92a83f4f39bd6157c992af24f

SHA256
7cf5cd68b81e45c9e4be689bbe3ebc87b8d22748786f3edaf8bda98cf638d0af

SHA512
6b726305a2f99792acbcbd2031c6b1d8160e1c3f3e5519b6a62f2aeb695be76968135a1db09d35d357758bfc1030071f71dfa59c6dd2fcb1803b8f2bb61266c0

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
89KB

MD5
78752cb1b56da082646f26204f396400

SHA1
bc13bc7ce4eff949e4300ea702cd3d3d2b04998a

SHA256
b58d28d12596f3e923952b65743a7ebf8d58092ddbe986e71365bacb37913d17

SHA512
dda2a79c3701339e0f8bd0deed8ba5c07a3fbe8c9df65a31823d0cb4cabb8e6d4acacab8e348044e1ef85e0aa7f1b5d068462ae2ad3bd92f4b5e69bf8e285ba4

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
89KB

MD5
5deaec74eebf199b8ca64c4388684d52

SHA1
783ef236930229b73dd22ef56ffd61eeb31ffc59

SHA256
5f5874d6bc816b9e7ac83e4db9ba297d8276fe9cab1dfc18e264b5210de6cd39

SHA512
8afa59a96502c349bf72388d7eeabac4792ffb56db341a7a23beabb33e98ab5825863b2c24f0f8a78844fb4f7015c0b8e7863b58702186a327728c2321f49b61

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
89KB

MD5
ee7646e49eb0306664d0476f10c65fb4

SHA1
8c55c35739bbba0431ceba4827402f893bbee11e

SHA256
b4ff05b23ef9d9579a335fd7bc7d2bd0fe65ea944a28e410f696d1b2c809b8ac

SHA512
508a7ee8865e087908598cca941e2c02ceca0f30269d3c2b8b12a57bbf119f9ec1e0ac3c359dcda13dd487df4f719a7a08d77ce1c19187dc2c5026383e63f3df

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
89KB

MD5
5144808b85f69dbdb649380ec32f26c8

SHA1
b8474faa95236ade6c57624ab026e1d2a73112f0

SHA256
8381068170b12a6a2b63a6afa2e078bf48d25a1be83c050cbc6103d829c7b566

SHA512
bef0b445d445305b425fec607b079604e435c73bebfe7e3cd4a91ae9116c7e22e6cca7bb4fc44ccc0be45a790eb49999bff558080ffedeeedd48596461ab3359

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
89KB

MD5
920bf7395161ae074900bf06338ae269

SHA1
855f7663b3c68273fac591a5d2d7a7f95abde1e4

SHA256
6630abbe4ade7c26fbde30626b9db18cf465e81bb4bbb1ede8cb5bc1a14eeb77

SHA512
83d68213797b225e257a0203bc708c41dda1208d115f5925948ea9a36bb9342d16c5bb2b57d5c282146fd082e97a0bb610150da50797016f332e98332749e72c

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
89KB

MD5
062b814075844699a89ca5999bb11a6b

SHA1
0eefa939d48a13871708f9c602dffe94c6f3ccd7

SHA256
3469c8917bfe57b744ae651dd0669667a61eadab5b34dfb87b5087c81dfd1a8a

SHA512
d3fdc17dfc1aa4fec8031f8d95a15c0b3ea02a06af2cbe188ff420a724d810703325bfed12648be2d69aab6f7ffd3727241bf02743424a6a9cbe34ba4dae4a20

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
89KB

MD5
0eba34bf8df04a56c540fe3ed81f3587

SHA1
28f8e11c984bce8787e71247f4cd69cafd7addb0

SHA256
9d8a1a3718f7cf60cab4f0285f035a3a128214cb664880606c6db278af3a2f49

SHA512
e2413d76e294039d0091f84b38b642e7139e2664437133be6c88e06b5c909b3fc21f8f51e621328eaadead1ed73b9e09e0f80a24e4091e6c151a015e83b739b3

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
89KB

MD5
47f83d6bafcc0995d3a2a849636b8ddd

SHA1
e25199664b66bafa02191a87e1029a875ae875b6

SHA256
5fa606267a8115cee564b180295a2a31f9708f0a0c12bd025aa6b31dcf9b4210

SHA512
2d8e48c319e56b4622c68f70b0f0963247d155cc48288b3f10afe086ae56036875acf411e1e9e74bec868003f52b8063d71d9757fccfb79a9eef8cc9bfcffa91

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
89KB

MD5
a9a0b48b55b947badcdba00248108662

SHA1
8ab93ea61d984993e2ef28b1eec6b92f166f159e

SHA256
12223d8e1326d6a430efb84f6d891a1cd7a5ae7abdf3da2167bbd14d0ed9440c

SHA512
fff81be6fddfcce35a7efd867460d777f5e4625a9c10b95a80062c2871a6d79b14d3ed077a7161fe6e7a36e22eafdb86e6e78dfbb9ec7232f1fb80707c5d9497

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
89KB

MD5
4da973a54cdb5c54e448a7643c7f921c

SHA1
dd0e88abd18a57634801f93a7027178f167bb3e5

SHA256
58da53f3e19f429f6e366878afdbd4841f9b1222d9fb993eefc28a15dd8409cd

SHA512
5008f389761fe7a55236a1a21b30dafd3172be6e6389f15be653414468628639d51f4299a33cb03d722f3adf882fe29dcf9d475e8c022a55f7ea29d2f891fc04

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
89KB

MD5
b03e5fdde0da3cedb33bbb5abab28e58

SHA1
109b751008b35e07876db5fbf007318cf36d8d6c

SHA256
e32f309632efe924bfb902ea9a18933ed94944011edce175eb9bf71515a67cb6

SHA512
5ebb558a35c5f0f4cdc19c43bca015049257d4c9c452f08871e6478ed0786c65bb8ac0ba9bcb311c5ce20b2f59f6bc92a4ebe17182590f357ed7dc40a6b96f4a

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
89KB

MD5
93fa79e8ef3acd8ad157979a0889d3e1

SHA1
4bb48f21fa067a1d9b8dfbbc488ee59951e2fcb0

SHA256
ba1e43a430bdbebf1e2f37f7f6fec6d2c74ea0986bb482e1d45d99324447b256

SHA512
d945e6a1b6b3850bfd3a8145108df96e73a5159f5721a8b69d43bffafcacdec62a4b461c70decf9229143be991337fdaf42f9b5de9e33f956d1935816074a5c7

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
89KB

MD5
90ed2d8544175b3bbdad8d2ea56cb760

SHA1
38012b1a63641c55736817caec68e0e3b1e65f78

SHA256
64f2233e570de1825ac5a59e8a83e1d3c13f6324929c0c51fe053a1ae669315d

SHA512
909a709a9cbaecc56dd5f73cccaf40f38dde054e92336e4cb98eb3d5e0cf95b7b5c89835d5f68af0b52b4ab4499ef870d50172f94014ff4ab21ec701b3051368

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
89KB

MD5
92eaaa8b7e6ebfeae236caead025d039

SHA1
a3607ad2b48f31853d7a0d860b28cdac650ca1dc

SHA256
2fc81d705b015dc8fac51a9c703951d7d110e4c0fce02eb90456feea7a057dd0

SHA512
6b4c38bac18ec1fc2e87a7e4158e827343c069007b000a3b492ef847ed3e678ffbaf6f2a2c527c63ec66a877b6d5f82a0ef0e59c960054dead88b10fe21f5ef7

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
89KB

MD5
e207f5180b75488c971f43de1e63341f

SHA1
d4502bb2cc7ecc44bce716f3e3242e71f7091cea

SHA256
c3eb542e536932a38849a273e8d9902d30a63689900052d5c1c2936dc1c9071e

SHA512
2b1b9c50d5c5efab3cb75a8fbb4be3346c72d11616376da32c1f2e291e79e857c84f9c0aa1952283bcbf9bb27c22a28f85026331cac000469b12be13b9c1c1dc

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
89KB

MD5
02a4e80d25286032255a2370d9630089

SHA1
02be2f6aaff718bbf5ab43cab2bc759bebdf01ec

SHA256
19bdf3e84f88d3790fbb4a20f985f02cccf6b5297247bfcd59f2928fc6e25168

SHA512
679d2b6b652e48c1808c81925ca33ecb1f3cece4f12a04d5ea3892129e5f3b0513bfeba287eaa107e6289a3c3521d979c4bf43987b9545b2e791a44b1741e7e9

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
89KB

MD5
aeacb714bd1cd5da53cc462c5bee0ab2

SHA1
efe4453a29c649de799edfa859050b97670a86d2

SHA256
d88c79c30cddc07924f380803431dbdd1abcec5e8f05d0ab84dc77e01d45bcc9

SHA512
a5286c6e83639b8a5b2c3cab98362c6159f7a304d4f86b6197a7bc283dcfb02d51e0f878586816d5dcbea798086bfefa90eb41892be4797515b7a7cee2705529

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
89KB

MD5
f4c3c170e23022a22eb4cf10278eee5f

SHA1
28cb701beeb39d8914e2e11d7ea661e6a760c334

SHA256
217f31edf50d5d29d9300b112d9cd626d5b11b3261fe422ac37d55fdb1c7429d

SHA512
14f2f9e46141965c4c3920ec9d484874645ca76de9cecad279529b311e51959cc35982dc0f32a486a9064ba9739ff3a9eda4844f801885fd5c781bac150986b7

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
89KB

MD5
94fb86da0a187ca1aa8132aefe710779

SHA1
4cf4f7fb59370238bff73c4d14b2b74b8bd77b74

SHA256
76caffa245011306740950eff58cbece0ea747b6e658f4a21b91cf442ff92c97

SHA512
cd83a1c881525340b767e662881f2ce400b2fe51c95d67df5ed94f05ff23802e0f6739bae73cbf02579b4a60eaeca64e2321a73ba7416997faea6402b0890469

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
89KB

MD5
797dc19e077eda40ddc916210b3a12ad

SHA1
7182df5db098824a34ef0b5ca5a50d0b83b4ed3e

SHA256
f81f9fae30555967375a466747ef58e92c4a28596bfa39daf5e01183209fb555

SHA512
995a2c1d6532094196c18b237b667ee54797ebcd3de96e755a933764208967102aa7ab73220751357b16cb5c7fd2534dfd95cc1d294bb3442b9e7db3c7011902

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
89KB

MD5
5201180cd3b32867ed7765d42bcf4a2a

SHA1
a15b72a7ec91acfa30208273da9ce2999b7a4ac0

SHA256
3becc06c3afa7008a9538564627c2ee4e3ea29a3f40a623bb9fedd139e93c961

SHA512
5de025878b37a17067ee925c9f23399fa24f872a3ac7fdb273811d5e42211641fdd53cd3b8df96bee919812d7ba004aca23b7fc9634582b372f50e08f0fdbed9

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
89KB

MD5
8c2bf52104aa7d74277673d08dff62ad

SHA1
d658301cf531cc2c21d1f2417587b3eafc3497e5

SHA256
1a3176b0548b3c0904b35e9aa610c3248d2d69e93ac4d4f8755609174d6b04a0

SHA512
7b2a4c69efa22e5ef201047a0d7055e0e1bdd72491e31cf09d20b2bf5136dae27056728f5993e1cb4a7f3fbe0b1c321183fd4c348ef25df2c9d6a5b5bb69f508

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
89KB

MD5
247ed80dc22d623734a18e43e0126732

SHA1
b8a356fe862fce278ea8e37cd07c338d775a36d1

SHA256
fa4903d18c455f05bacc35810d79ecce22744fbac3fc24e0534aece58667c944

SHA512
ce3c4d4b14ab1c1a39a4bb343af47f416ee1dcda3c38077072c1ecae48cfd3311186363c1cf2b872bc5902d6518fb0f290b5f48510f6f2f9fffe0cab1d2f5248

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
89KB

MD5
41e91f0fac904b424cf00d81617bfebc

SHA1
7a2156f932e2be2aa1e49ef3f47f2396ee51af2d

SHA256
84c3533f30de870de805ce9b16614ac8dd37265086ed264ada5890743379d4c1

SHA512
e8e2f324234ea4e8b065d92df76585bb8d3bfd59e38f5a83c7da73fdcc9960d50cf03bdecf43213464feda2df33d37aa4519250bb60fb58fc3108d5c8dc76ade

Download Submit
memory/232-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/232-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/388-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/388-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/520-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/520-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/648-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1364-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2332-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2332-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3096-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3096-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3468-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3468-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3824-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3824-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads