610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe
Size

236KB
MD5

1723c14bf29ec1febbaf1478afa19560
SHA1

37b2be5a5e72fdc6f60de9ae2e82720e6a8d8715
SHA256

610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde
SHA512

8c07790aaec3e154ec40c6ed5d132bcc565cc9ab2ea0008fcec788eb13b8e628e871cc9b6d24e1038ac9784a5e9b602531f79fe1a4ae6e59e0790a8956353687
SSDEEP

3072:lKoZGvNG3BhI0S4pTJ9IDlRxyhTbhgu+tAcrbFAJc+RsUi1aVDkOvhJjvJUp:lpZUv0S4BsDshsrtMsQB4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe

Executes dropped EXE 38 IoCs

pid	Process
1000	Lpappc32.exe
1560	Lgkhlnbn.exe
4028	Lijdhiaa.exe
4792	Lnepih32.exe
2440	Lgneampk.exe
2312	Lnhmng32.exe
4696	Ldaeka32.exe
2520	Lklnhlfb.exe
548	Laefdf32.exe
4484	Lcgblncm.exe
1688	Lgbnmm32.exe
2408	Mpkbebbf.exe
2324	Mciobn32.exe
1608	Mkpgck32.exe
4924	Majopeii.exe
4868	Mdiklqhm.exe
3452	Mjeddggd.exe
2288	Mpolqa32.exe
3124	Mkepnjng.exe
2160	Mncmjfmk.exe
1860	Mdmegp32.exe
3316	Mglack32.exe
1160	Mnfipekh.exe
2364	Mdpalp32.exe
440	Mgnnhk32.exe
2228	Nacbfdao.exe
3668	Ndbnboqb.exe
408	Ngpjnkpf.exe
2680	Njogjfoj.exe
4492	Nddkgonp.exe
4268	Njacpf32.exe
4408	Nqklmpdd.exe
3864	Ngedij32.exe
1080	Nkqpjidj.exe
5112	Nbkhfc32.exe
4900	Nqmhbpba.exe
4520	Ncldnkae.exe
4424	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1260	4424	WerFault.exe	123

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1000	1096	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe	83
PID 1096 wrote to memory of 1000	1096	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe	83
PID 1096 wrote to memory of 1000	1096	610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe	83
PID 1000 wrote to memory of 1560	1000	Lpappc32.exe	84
PID 1000 wrote to memory of 1560	1000	Lpappc32.exe	84
PID 1000 wrote to memory of 1560	1000	Lpappc32.exe	84
PID 1560 wrote to memory of 4028	1560	Lgkhlnbn.exe	85
PID 1560 wrote to memory of 4028	1560	Lgkhlnbn.exe	85
PID 1560 wrote to memory of 4028	1560	Lgkhlnbn.exe	85
PID 4028 wrote to memory of 4792	4028	Lijdhiaa.exe	86
PID 4028 wrote to memory of 4792	4028	Lijdhiaa.exe	86
PID 4028 wrote to memory of 4792	4028	Lijdhiaa.exe	86
PID 4792 wrote to memory of 2440	4792	Lnepih32.exe	87
PID 4792 wrote to memory of 2440	4792	Lnepih32.exe	87
PID 4792 wrote to memory of 2440	4792	Lnepih32.exe	87
PID 2440 wrote to memory of 2312	2440	Lgneampk.exe	88
PID 2440 wrote to memory of 2312	2440	Lgneampk.exe	88
PID 2440 wrote to memory of 2312	2440	Lgneampk.exe	88
PID 2312 wrote to memory of 4696	2312	Lnhmng32.exe	89
PID 2312 wrote to memory of 4696	2312	Lnhmng32.exe	89
PID 2312 wrote to memory of 4696	2312	Lnhmng32.exe	89
PID 4696 wrote to memory of 2520	4696	Ldaeka32.exe	90
PID 4696 wrote to memory of 2520	4696	Ldaeka32.exe	90
PID 4696 wrote to memory of 2520	4696	Ldaeka32.exe	90
PID 2520 wrote to memory of 548	2520	Lklnhlfb.exe	91
PID 2520 wrote to memory of 548	2520	Lklnhlfb.exe	91
PID 2520 wrote to memory of 548	2520	Lklnhlfb.exe	91
PID 548 wrote to memory of 4484	548	Laefdf32.exe	92
PID 548 wrote to memory of 4484	548	Laefdf32.exe	92
PID 548 wrote to memory of 4484	548	Laefdf32.exe	92
PID 4484 wrote to memory of 1688	4484	Lcgblncm.exe	93
PID 4484 wrote to memory of 1688	4484	Lcgblncm.exe	93
PID 4484 wrote to memory of 1688	4484	Lcgblncm.exe	93
PID 1688 wrote to memory of 2408	1688	Lgbnmm32.exe	94
PID 1688 wrote to memory of 2408	1688	Lgbnmm32.exe	94
PID 1688 wrote to memory of 2408	1688	Lgbnmm32.exe	94
PID 2408 wrote to memory of 2324	2408	Mpkbebbf.exe	96
PID 2408 wrote to memory of 2324	2408	Mpkbebbf.exe	96
PID 2408 wrote to memory of 2324	2408	Mpkbebbf.exe	96
PID 2324 wrote to memory of 1608	2324	Mciobn32.exe	97
PID 2324 wrote to memory of 1608	2324	Mciobn32.exe	97
PID 2324 wrote to memory of 1608	2324	Mciobn32.exe	97
PID 1608 wrote to memory of 4924	1608	Mkpgck32.exe	98
PID 1608 wrote to memory of 4924	1608	Mkpgck32.exe	98
PID 1608 wrote to memory of 4924	1608	Mkpgck32.exe	98
PID 4924 wrote to memory of 4868	4924	Majopeii.exe	99
PID 4924 wrote to memory of 4868	4924	Majopeii.exe	99
PID 4924 wrote to memory of 4868	4924	Majopeii.exe	99
PID 4868 wrote to memory of 3452	4868	Mdiklqhm.exe	100
PID 4868 wrote to memory of 3452	4868	Mdiklqhm.exe	100
PID 4868 wrote to memory of 3452	4868	Mdiklqhm.exe	100
PID 3452 wrote to memory of 2288	3452	Mjeddggd.exe	101
PID 3452 wrote to memory of 2288	3452	Mjeddggd.exe	101
PID 3452 wrote to memory of 2288	3452	Mjeddggd.exe	101
PID 2288 wrote to memory of 3124	2288	Mpolqa32.exe	103
PID 2288 wrote to memory of 3124	2288	Mpolqa32.exe	103
PID 2288 wrote to memory of 3124	2288	Mpolqa32.exe	103
PID 3124 wrote to memory of 2160	3124	Mkepnjng.exe	104
PID 3124 wrote to memory of 2160	3124	Mkepnjng.exe	104
PID 3124 wrote to memory of 2160	3124	Mkepnjng.exe	104
PID 2160 wrote to memory of 1860	2160	Mncmjfmk.exe	105
PID 2160 wrote to memory of 1860	2160	Mncmjfmk.exe	105
PID 2160 wrote to memory of 1860	2160	Mncmjfmk.exe	105
PID 1860 wrote to memory of 3316	1860	Mdmegp32.exe	106

C:\Users\Admin\AppData\Local\Temp\610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\610436f2fdb0f462dd949862c65bad6587dc49ff0b7e61afd3e1894d298dadde_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\Lpappc32.exe
  C:\Windows\system32\Lpappc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\Lgkhlnbn.exe
    C:\Windows\system32\Lgkhlnbn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\Lijdhiaa.exe
      C:\Windows\system32\Lijdhiaa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 400
        40⤵
        Program crash
        
        PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4424 -ip 4424
1⤵
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
236KB

MD5
2fe0955386f409e6ef30dc1064e103b8

SHA1
11aac0d173e8087d8b86d2a00480133b439ac6d8

SHA256
7fc3866c401b357956d1181d6acf15e1f9ff69e610218f9eb011f6ed503932bb

SHA512
59427a4c745f9e5d6059d80622f27abd0dcf0c31b1a1c154b9a9093eaa77cc730c6d07960145c96ba45dd8298ab8825c1300dabd291ce263e614522b9af0b191

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
236KB

MD5
445109228acaac7ed9b289b2cf917b73

SHA1
acfd8c15776d0b1fdb212fdc81d719854a151fbe

SHA256
5a35371c4b5611ad9c5abf3f1405e125fd3611b2268a0a16e3b1b705ec1cde7b

SHA512
aa7cae232b25cff68bd62668bf0a041c430362f595a7efadc161b7c4b3afc1b1ae575073f5b8bdb790452dbf83366fa06bf1ae227e8f2d14bec784af95e07971

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
236KB

MD5
08924b8ec10c239726ba0961db0aaf36

SHA1
a0772baa78a44e637ebf875b828ce09aee9b3453

SHA256
77cc3361c848f75420a5157ea73e9085e9d61c65e541eeb4519a934654c46611

SHA512
620c635988cde43c26d1917e226de2f54a0f0ff59430793fa8523c1b1a399f535271599c5676c11cd271e35be5e0ce8934aa52c30a2d305c886ce28d8908277b

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
236KB

MD5
2fe1b4fb7091da6c49a6a20217c66c9e

SHA1
1e9f1d958431ceb46d3e288eed22a2ab43ff95e2

SHA256
73465a3edb3ccad697c53e75233fd180bdd9aa629578a56836594352c829ba75

SHA512
65b08e33be88af531b9e04cecec2e0c3838f9a492159be2eafcd742e331868e2717e33c8a5718bfa5f52f0659a5dfe6a2f80abf54e7103637e7122d362d70767

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
236KB

MD5
7857a07040eeff5584f9fe7f471a6afe

SHA1
0234712594ea2a32a2217a8866360827d08b0b97

SHA256
abbfebe2fa23aaa816f6ec8ad241e234146b3ad195d9b65bffb179f42142123a

SHA512
fd2873b3b66cbe8112b4c66482146cbe95c96966eb5a1650ee5fb55fc085f5e23469f6769a48f595fffcfb24f3841ccc9ae80c2956ac0ac0d152ce924489b556

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
236KB

MD5
9cc22c5fc0f8b20120f8aff58790b200

SHA1
1d6e6aa28ceaa874d09dedf3415c89439880aeb1

SHA256
8b1d4d4f6188b5c48fc741562b7bb830733e2681981da5094704663902acf9fd

SHA512
5edb0a629bef6e455783258ae7dc013179f438bf70f673648a51edc55952a25010a11b7ad6bf391da1d529a90946f580614032ddc8ecee27beac65ab1388e046

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
236KB

MD5
7acc9b748824225aab7d27e69cc8121a

SHA1
3ac2b2c809da1413541f657e33175163b2ba6fca

SHA256
51572638b703122c1d0d01d9be07ac4e52ed9f68a2cd49727d403e6e3689440e

SHA512
87dca2555bc4afeaf600ac344a34d8e773a22b8f0a164309658ee5d5fc28808588d15c0affdd9df405a171787c350d161b8ec2da30f09c995c5f5b5548066967

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
236KB

MD5
46ddcddfec2aba77a5126fa8f66576f4

SHA1
d2d53d53d32f8f0936515947337169b23426fff9

SHA256
64c8593cdb2e67f372024d4388253c188aa48a3e8110de8a57866dd56ae397f1

SHA512
3c60f8a03712b231555af6cafe8d082372cc89e6b67995f230054eb0535a859299ba8be38e5af98fbd3ae4948e55c5c4b47982e7e082f14727c42b06821bfa69

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
236KB

MD5
ef7b150d0197887257227202c491a0b6

SHA1
a3675510a964f4978b9bb310638c70a995acd35c

SHA256
3cadd7bcaec985b76eedb3fe2f857bdbb566f755b48768882a7b12dafe4b0b99

SHA512
a81ab686fe422e6a214d7204b7a30ba56ff1b35bf1b40f60b67b1d0adb6536111ec49d9e2055112dd10af7ffc9ca3c526cad1dff68d684e6cd23df1d1d606fe5

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
236KB

MD5
ff9b9e896c0c9a5ea031835e701e1cfc

SHA1
031161a5ac24786db784fddff6b43261b1c5d1c1

SHA256
6590f9ee0a84bace3826ce197008ee58c2139d7962d3898348547b4aa1c08097

SHA512
41810cdf4678ceef8e75eb85f33810ada4b01e5c3c03695aa42294d9927e2d4d330de2642f63902c6b0cb04813033d7d38b7f4dacabd7fa13569d5b3cd1d1525

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
236KB

MD5
d8baa68eb2da19ec11886d3b3ba17128

SHA1
bddbae6b689b0712fea7f96fb92a71903df3c056

SHA256
bfec25ad1a6aa9f6b3f9b064b545acdbb2352d4dbf0628a4de2e86ad7e474781

SHA512
0c7069a0a2bd401224680c96f6fbc10603dcb4c8ff60805b1a57b6e9995c806d4e0cc61a8be917cc3e6d90c5ed6eefc4b010e2b7357de5a301dd1cae3fdbdda1

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
236KB

MD5
99711e7281575be4196287d1dd759ced

SHA1
f2ae74c7ac6ad763943181ed33e708c2ba5587c2

SHA256
fb21b1082f1751e29dba8db5a0bf05a43f7c11ffe19a1507e7fd5614e2b049a1

SHA512
8563345faf774a8dc640796b46085fafbf2889bdf716be40cdc4ea0d94d2a0578ce4a58e4511ae16c52d2169e1f3fdbf0a754ab94f65e61b20448d1c1b71fc68

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
236KB

MD5
a7b3c2fcb1583ba96fcc3e9ab6bf92f0

SHA1
96ff9c760387db440dd1d1ae59a2f2932ce8be46

SHA256
7e1b8301db29855e2452efe14a68ce4e095e4097a64a113386b8f2eb16c42e68

SHA512
74adb7d1a050085f1aca8404f1498c488fd3c83083ca351bfa6b29d155e1d558767ed7bff00c0554961c3f308650d6895536de88011d816d36cfe99d82d8e773

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
236KB

MD5
d35e9fb6c49a6e1dedd4142e8863c1cc

SHA1
1dedfb097daa74884e253a74fce493f7648e1f43

SHA256
6fa3e708afe4e2f87860b5de677775f40df9f66c8aacb7243a052aaed48cd73e

SHA512
bb95f431183096e51db4da810e2c504a2c8c269612530f719a9c80002696d03c5df58da0ba5b3c440abe7226c26e28dc5b8202bfb6791b5a2dadf00811b7ef25

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
236KB

MD5
11deb8c46d4cb9b638be45bb6a8b9042

SHA1
78ac6e087c474735b3975ce82402ab1da1447318

SHA256
7d8154edfdfba332733d5a441325d119c479000e86bacdaf91ea683343a0060c

SHA512
55b13efb3754151567247c3f3beac906a61265627382d272a898574dbcdcabbb6bfbb02e79823f0d86b8920d626ec2943fd75e02dc40273adbc500f61678bd34

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
236KB

MD5
51c16e4fa2146cfb59331a51d24d3d2e

SHA1
95343c7daf7a27e9c377b91f3d70f8470b8236b2

SHA256
2d38513bdb3a22522a631ad9442098d467d872625161a3ee1222f0456a2c084f

SHA512
cd990a81d29ea0d9af63e0b599d4a0c8b1435ada8193e81e5569386a335b44da228538726f14e80d9d82dde16aad9e11b4bbd8494f4181dc1bc30bee9a38c551

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
236KB

MD5
552eee9d6f653b1a445e0b3786bc71cd

SHA1
174b485c97f76fc0bbac664cfce71697a24ed529

SHA256
4aa7f3ce41d87fe50021dde91d5df2f31917b3b568939752f4328455936f8cf6

SHA512
5a81773c662f58b7a22b4f9ba14936f494d482bda92d0123a79a746c8e2eef132c5986749f9254bd68495f68eacb7180d8455c7c42e4cedf33f9d54c6f35a777

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
236KB

MD5
b6d960c0d408078411fcf05585be4b0f

SHA1
9d91ddce4760238f85a3e3e169ef541dd8a39294

SHA256
92f44a8402f8ab0dc9e78ab59725c4afb414ba75d399a562c9f65e41c138ca20

SHA512
93f26863dbcf7721538fa6ec3cf627eb009cb68ab2f69c67c94041041f557c13913579effd97954f792a1a63c59460a8a38ed8aee3de9643c24a7a00279230d0

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
236KB

MD5
cff39678daae9dd04adf49813b938082

SHA1
050756367e3b47c7dce454b810997056372296f0

SHA256
504e7c4d88b5492633e623cdf6132fb7464f859f7281af53ab70e017ad73d757

SHA512
85473835ec5e28f348f13db30123e3f724d7c5ad91149a244d8532daf2be9233d003fd0cd7bf78a00cb62b6837702df42dcbea641c2ee7fe6c28fe38333fed27

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
236KB

MD5
51fcb38e124748788084b7559fb0da61

SHA1
a7644784ae8f2cf31eb4437061f2c99f30e19b5b

SHA256
541e48a53a9e3f6cd5eabccaf78f1eb5b887b3474632a68b596053d842d0ff8a

SHA512
38b4856983e12d89aa4daa403de2372a619a61840b0939f521a7b2956a6afb7a34298531fed6faf003a0a8c098ec56c5799496fad128d1d13ce71159bbfa8457

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
236KB

MD5
b7e9f20fc034c4a988c16eabd7612f37

SHA1
803c0ca31d5a03688fe2de85d8b0c05b13241cab

SHA256
014bc9b4e6f2f7d4c017a186ae5e84038505bddd1c1956618bf89242cbe05eba

SHA512
8643bf05e087480252d9f20e0995d1370ad25073d15873f1500576016e056abfbf3e42dda632d3bb0f92a257f93a88f7cb03a2c2e534fb85bed2e32189aebcb7

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
236KB

MD5
803c277a13bd310157e0474f5d2caf39

SHA1
7ae447fcd0bac884f7d37d2029455716a87a084d

SHA256
1eea2a5448b3a9c97cba30b888e3e5d2da80718379272b067c6c03835949c651

SHA512
df425be3424b8a71fdd5d0083c890440edcde5644c42d954064e50de32a3688f2e8c14f3e81be2ce654cfb42a55db337276ba77a529d1735714e8d2601d01930

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
236KB

MD5
740917c88890a84ea30652e9148581c9

SHA1
e9b173cd108525d206f5f896994bf9b57e4f9d45

SHA256
c103a7a92250ff1cd87b4e08ef583b228ae671d1b78b2aa321a555d589668c33

SHA512
3c8ba378cb7319e5f7dcd7ae48aa242771434ffa74bf4b2130486d48db83affbd3846a99d0c3078dc26edffda1f57facac990802b606b997482128ec54f850ee

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
236KB

MD5
990cc73fe8210dcfd48674d3522d448f

SHA1
18c4971c0356bde3ffad3e1236c0129615efa553

SHA256
dea559b60990a0f05e5a703bf0a52c94dba3dd826f7810d5a21d5a8a01288183

SHA512
2587f632956d53f24fd9ab05aed9bf907ec1a85b8e4302dda9508f8b221e9ffa6f47b5746ead884762a6e04ef393bdbb3f648973e8af79bac8bc078d638512bc

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
236KB

MD5
65da42fcc82cd0752aff445fc98feafb

SHA1
679440adea8b876067500c7b049846d4f0d165aa

SHA256
14fce89c7df667bf21e73c8061a371194e76d29b40e73f447bb4ac0dbe2b88c8

SHA512
e787d9281fd296944dcb99aec774d7683a82bf97126d3b7ff166548b598d45e8ecf79bafaddbbef5a15e78c84c1b3f42614218f53c5bc195f566291dbb480b05

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
236KB

MD5
0d3e11d20e298045f90bc55b828b58b2

SHA1
9229b43130d3182701b265fbcdf37602968584d3

SHA256
4c5f1970ac22137aafde6290f7676e03140e499731fd8a884c2ef885a363246b

SHA512
ef8317ced323f90acc7e3e53afcc183f235cf88e0d41ca8186c1af47fa0f927b8b91d2937baf46303da97781ea4d9b7b9752e578e8f3ee8226bd9b88fe2319ab

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
236KB

MD5
69efc4d3450fa7275119d86d1713a3ad

SHA1
a8141418bee06bbd34251ca929ceeb5b33e42dd6

SHA256
f0651d3ed620386767e467ddb8ddd9d2d9d936a9e0d92540a69c2b100384fd78

SHA512
c058796176fccc94e0dc661790f82e4d1f48cdc37a3f4b633d98849c7e6fc20fc801c28e4dcaaee9f5d843e15353594549dd8cc23684d911d05f6ac64bd89291

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
236KB

MD5
64c376f472e4f79034826b655665079f

SHA1
ebd321a541c9d3e9979bf9b45b2fcc931477fe19

SHA256
ab5f63fddaf9bca3b1dffcb279dea82e1dc4f1085c09bcaac7dd7f4145f0417d

SHA512
75056fdb0fac034ee0e66eb179f345f073f7d1cd764986ead46b6128e47af335bf8fb38923719089edf88575aa971cb09ac8dcdc74d41ced0f484a2f1b6db973

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
236KB

MD5
a3d7d247a59eead0a7e1ca38afb689ff

SHA1
71f33d087a6a7a290f43c08e5c8c0ed42f73613d

SHA256
b67b621aa5f7059d44a8a0288fdd7cf3ba39b6c4bc96ae18347b5559b2c605ea

SHA512
b181f91f5a491409170891958c877055f16038f9d2269732400035e353c20219692c3103ad1140f3f843ccd65b759406de055ae5e639a1fd997d7efa72d1f168

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
236KB

MD5
529db1bdb5b2680d7e271eebfd2e607d

SHA1
3a52295e82d0f5dadf3ec42c67a95e844c2ec803

SHA256
99da1132fcf5174ba2bfa996f1796253761779600bca2d0213594f0fa7653ad8

SHA512
2b269a39117b7b1f14630a002db6b7a0d16e6d80a7d32817af0251f676634915b88926e02d3c66f68fbad52362731e67d37011a439a25308e63060d849e89213

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
236KB

MD5
89d38bdaf68c283a134df2e8a3108a69

SHA1
6031510eb7314ffe876e6437cb043f283d69425b

SHA256
34086b5160416b1961c434270d70fcc92b424413222c9ce8e4dba8987f0a744c

SHA512
e865e5cd3c8f4abe425c2539bfe0dadff3e08f90827d4550da754c4b82abf04b99ca6148a778a917779d697428fc8575817c5138ab29ee95d96c937191a6e15b

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
236KB

MD5
19e1eb812602a310a5b37eb04df7f35b

SHA1
5a8cc99797149e0f3537e130512cd4b2d4b9ac60

SHA256
b4cf486b7d030c2efe85f604dc53ebdb3c0768a9aa172e4d90d7c7990c7a7668

SHA512
e2e89ff175f875992e21ce64083d8d963a72fe5b140060c544ce6fd47366185f9fa8f214fcfe40509c665213bfc9cd6f95007df13dca0baa7d8602edd4d38609

Download Submit
memory/408-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1160-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1160-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads