18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980

Analysis

max time kernel
0s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Size

55KB
MD5

b44cef6ea11944dd26c8e21d837a6f60
SHA1

f548419924427ed444856c30d239164761e77cfb
SHA256

18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980
SHA512

88cd48776ceb23d90d2f312ea5ab4016e6a4d4ac0af8ead4d6766314d2e2f36d9a303073651880764b84ca602a51820cdc1218af3755b025bec3061678f0f479
SSDEEP

768:ijbJnsl0ABpXZw/g/3uWBfR2JA54/48UAv6gJ2jpcrG53hY7qGGGG234yxxDRt0n:ijtsl0ABpXZ8HW2DX32SrGZGLxbjRs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe

Executes dropped EXE 14 IoCs

pid	Process
1272	Lijdhiaa.exe
3120	Ldohebqh.exe
4220	Lgneampk.exe
2404	Lilanioo.exe
3508	Lpfijcfl.exe
2064	Lcdegnep.exe
3944	Lklnhlfb.exe
4388	Laefdf32.exe
1580	Lcgblncm.exe
5036	Mjqjih32.exe
3820	Mpkbebbf.exe
4216	Mgekbljc.exe
2564	Mjcgohig.exe
3244	Majopeii.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3236	736	WerFault.exe	116

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1272	3412	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe	80
PID 3412 wrote to memory of 1272	3412	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe	80
PID 3412 wrote to memory of 1272	3412	18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe	80
PID 1272 wrote to memory of 3120	1272	Lijdhiaa.exe	81
PID 1272 wrote to memory of 3120	1272	Lijdhiaa.exe	81
PID 1272 wrote to memory of 3120	1272	Lijdhiaa.exe	81
PID 3120 wrote to memory of 4220	3120	Ldohebqh.exe	82
PID 3120 wrote to memory of 4220	3120	Ldohebqh.exe	82
PID 3120 wrote to memory of 4220	3120	Ldohebqh.exe	82
PID 4220 wrote to memory of 2404	4220	Lgneampk.exe	83
PID 4220 wrote to memory of 2404	4220	Lgneampk.exe	83
PID 4220 wrote to memory of 2404	4220	Lgneampk.exe	83
PID 2404 wrote to memory of 3508	2404	Lilanioo.exe	84
PID 2404 wrote to memory of 3508	2404	Lilanioo.exe	84
PID 2404 wrote to memory of 3508	2404	Lilanioo.exe	84
PID 3508 wrote to memory of 2064	3508	Lpfijcfl.exe	85
PID 3508 wrote to memory of 2064	3508	Lpfijcfl.exe	85
PID 3508 wrote to memory of 2064	3508	Lpfijcfl.exe	85
PID 2064 wrote to memory of 3944	2064	Lcdegnep.exe	86
PID 2064 wrote to memory of 3944	2064	Lcdegnep.exe	86
PID 2064 wrote to memory of 3944	2064	Lcdegnep.exe	86
PID 3944 wrote to memory of 4388	3944	Lklnhlfb.exe	87
PID 3944 wrote to memory of 4388	3944	Lklnhlfb.exe	87
PID 3944 wrote to memory of 4388	3944	Lklnhlfb.exe	87
PID 4388 wrote to memory of 1580	4388	Laefdf32.exe	88
PID 4388 wrote to memory of 1580	4388	Laefdf32.exe	88
PID 4388 wrote to memory of 1580	4388	Laefdf32.exe	88
PID 1580 wrote to memory of 5036	1580	Lcgblncm.exe	89
PID 1580 wrote to memory of 5036	1580	Lcgblncm.exe	89
PID 1580 wrote to memory of 5036	1580	Lcgblncm.exe	89
PID 5036 wrote to memory of 3820	5036	Mjqjih32.exe	90
PID 5036 wrote to memory of 3820	5036	Mjqjih32.exe	90
PID 5036 wrote to memory of 3820	5036	Mjqjih32.exe	90
PID 3820 wrote to memory of 4216	3820	Mpkbebbf.exe	91
PID 3820 wrote to memory of 4216	3820	Mpkbebbf.exe	91
PID 3820 wrote to memory of 4216	3820	Mpkbebbf.exe	91
PID 4216 wrote to memory of 2564	4216	Mgekbljc.exe	92
PID 4216 wrote to memory of 2564	4216	Mgekbljc.exe	92
PID 4216 wrote to memory of 2564	4216	Mgekbljc.exe	92
PID 2564 wrote to memory of 3244	2564	Mjcgohig.exe	93
PID 2564 wrote to memory of 3244	2564	Mjcgohig.exe	93
PID 2564 wrote to memory of 3244	2564	Mjcgohig.exe	93

C:\Users\Admin\AppData\Local\Temp\18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\SysWOW64\Lijdhiaa.exe
  C:\Windows\system32\Lijdhiaa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\Ldohebqh.exe
    C:\Windows\system32\Ldohebqh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\SysWOW64\Lgneampk.exe
      C:\Windows\system32\Lgneampk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        15⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        16⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        17⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        18⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        19⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        20⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        21⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        22⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        23⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        24⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        25⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        26⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        27⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        28⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        29⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        30⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        31⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        32⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        33⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        34⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        35⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        36⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        37⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        
        PID:736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 400
        39⤵
        Program crash
        
        PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 736 -ip 736
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
55KB

MD5
4eb5729ded3dc0c4f77fede9267398f3

SHA1
e3fbc89fa84031dd2e9f650e24f65f051d2f1c65

SHA256
15179ee397adf4817433f5d5d15581b7a9beba4c5a2c6e63546bf8d0ecd261ff

SHA512
796fce6925dc25d7273a227607d8dccfaf6fcf11cfa02bd8bbcd38891c62af03d11f6adf9111c78eb7c9c22b0df0874da7d1eebe35e72f922c4149c4df3f7840

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
55KB

MD5
392ee34c459528cd3ccd744784fd8507

SHA1
be5de1848f8c4ab5c25bacc5b2ab970ad591c1e8

SHA256
cae9557a634cb437f5f1b2c7fd34afa2d80894b9d27e676ec85a6b2edeb99efc

SHA512
f79c0f67aad70990d8148c9432d42fb2bffa3ab676e4af0f638fd80ea71c1cfa3ddb7d6ab32699477d2253c63ed6b9324db831f32b0764ef34a4a386a88a4d67

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
55KB

MD5
50d628ef4db22f96b95d18c04e0995c7

SHA1
050b6f1dfdfe0f89742bb2eae2d9e2b4f8d62e8c

SHA256
39eebffb23dd139bcf1731619d5a91cf51de6a76738d293761da581076b9fe3c

SHA512
0f7c989b5e3820170b8748e8318bc5559b37901d53ef453ea169614749ff3269dc21803ff2660aeb0c813be2c3ed6e0fb7b1882338bb9ee431af4626293f0f45

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
55KB

MD5
3599c9a26d6f3e9922ca163370dda230

SHA1
d4475a86f721768933830abde5b82bf3b293c218

SHA256
449b9f524402d9b1eba2c7865dcf595b739b442cf33afd2e065f7ff9bd3daeaf

SHA512
1264dc45474fbba76349cdf5a6f0954dec6703f7e3acc611afaea224f6bab509eba679dd2e90dc13dfd5914e31a5100d7eba13469c7bb22037076f3b4a691329

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
55KB

MD5
d78a6c682834dc002bffa02a4002acf5

SHA1
d866354ffbcab950aa8600cba830f7a059ab9402

SHA256
02ef3e72307099a623da6301db5f2ece3648885761cd47727bbb8f06d4b022b2

SHA512
a0c2255fb263bd866ba839c38f4981c088cbe3de17a12adbe7a66a294b2e0cf23a0fc7a25aef3b09b0a706ff67c26ad146b44212e8759615c622e93f3cd966a6

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
55KB

MD5
bace6ea9332536905e1e46a11284495b

SHA1
f4a46f08fff4158f82c674dacb402520d8494ef1

SHA256
9c176d9e968146b063a18550466f9fd819443b090a74ce2704b62102222a8871

SHA512
5c79bc460de1c3187dac60d2d9b08a996881f0d1d9d9490e42b99b9d7c590b25f23af0858fb77104d5b9c091f04e09c19840cde2cff7619e765659398dcdb3e4

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
55KB

MD5
a81d38226ddb607a35625f0ab82bff6a

SHA1
27a3ad0b4f6e197d15dd2775a18d616442d503f1

SHA256
dfe25859a18785bb12d680347be74044574bd11e915d3146df5d145f4839dac2

SHA512
13236073e2d401ad846502dc7368e0c3084fa29edb4ab042545d1a9150893a21d4755e8d88e363e6974c570bdab3e2f56cdffea4dea86a0510b9f31587c77fcb

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
55KB

MD5
72e4ceb00223b88bf4e218972455de3d

SHA1
1b588dc36ffa442193f8de3591da755587fa6ba7

SHA256
2de9eca9fdbe72fef970e38af8e96321bc60a3508d0242aae1bb23588aa46518

SHA512
d48e5be42e203f0726bc9ae83253adf3ecb806faa494b4f070f4b86c0791c234ee791fc3f49e75f958354a41c1c3df983ceb625afdd307d2533c9049c278f313

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
55KB

MD5
08a3240ba8a1422d0fc581a28ab30fea

SHA1
6ad51e2271b8b76058bb3f81045e33e42743d3f5

SHA256
8063c93fb2800ff93b07606d536bced6c25ddf8c7650e5a60fd57073a01d431f

SHA512
c07c8a65f51ef6524245a11482540b8e3243c4481f1e6e3e464e8422b2d61736ff007eedd147041ed4078618a57067e4723045370a82fac51d3054d6d6119e57

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
55KB

MD5
822617b99c575f48d20d6fea3562a200

SHA1
f4c24e5d9bee225c39866b54c3a4d252508735bb

SHA256
deea0f49a2bf18e558ae2515a81b19fd4030a399319ef82d8b27bc091a51c2cc

SHA512
4f37950f6c5d248e07c16cd27645d5c858594f4e7ac7c5f8726f46956c52d18c3e301c28d1e75b376c3f1fe0d089fec7557ea292132b7cd325ca414b2781b6ec

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
55KB

MD5
11e286e54e710d79fc58d5e6adcd4d25

SHA1
e6efdc780f17324719cb25d7a27a14dce85e53a2

SHA256
be528be9c5e5fb9b9caf98725a0b68482cfabb5e8413c2a98ce0dc4d5446f384

SHA512
87432631ec2c4ba60e009b98f21f11d773c81b39de2c056b33d768abbb2da6c116aac2290f20d0c95e2150c172080d6d8217a6f26feee8e01774ed5fba755ddd

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
55KB

MD5
6a51b52b863470b9d6a6d8d65c5679ce

SHA1
43e10096ee6a0f8f007e3796045a44f54e554013

SHA256
2365849cddbc0e2ae55e67a29ad3c7387d89d06ef2c152a66aad2d18fae3f741

SHA512
6228f99ba30e91ec6d6139bf5177ce15feb976e491e2f9407403ad0b34d7315d47d475e4ae77d1f33b2069e392f6a29e1cdf6a9f1ef11ea48fc95098932e085a

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
55KB

MD5
d17517c02649dd78c06c452ed9879afc

SHA1
8c2a09c5dff86d6d6fe38367ae64a39cf5967278

SHA256
3bccc1b5aa2c6ec847dad9983c3050fcb31e4715f6d6e4722492b32e2e796a0c

SHA512
e699fdb2a470ab9b4543968cdc3563c1f3e0dadccdbd4dfb7dc1e1489305a5fae31fb9f7b4601ae8e26266ee16002f54ed68f791625b0dd2b5b1ebd3bb7c5a5f

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
55KB

MD5
a8f3ee306ce9a397bd4d2ad44ada6361

SHA1
364710c02aee32368e9fc52b889ab61a62ef99bf

SHA256
071fc37a81708c3336eefcffe444729d5ea2cc0d9168db08d962c53b38a2993d

SHA512
6308d4f2a38eced3f78a86ea9658d9009422a07ab9fb4fc733dd00485900f362454dfea735ab20a0716470cb94a54bee4c45bb5b1f82e6ad5d44145d55cdf725

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
55KB

MD5
ce7740129c1c10a2ee4f726de50c471c

SHA1
d1ceb30989e0594b1d97462c0cbdaef9a78c489a

SHA256
134d15f4dd5ee02676db52e59486a33b8ae04b127fd1a10c8ffdab0ae1c338da

SHA512
b591bd6c8e3235b9d9cfb080ce4a266af7a956eec9e6a1ab85b1872eb306f5b002a089ced3d23515252c995498ad7847d08f16501fd510cac65c6bba1014e0a6

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
55KB

MD5
d068e25aba803a8b8989af43c6a56893

SHA1
4b140ff40e6fddda53d4a925ae57b7dbccc8a98d

SHA256
dda41608ecdcc8011729529b485d98ef589f18479cb2549284e42d67a1980160

SHA512
2df0d138b8b30b7a5356d6c5714b369b8259e3c17fdf13e092b7a3d51cf554c24d9006db55be61dcd6be2f70c1d28aefaaec084012948ed1bd702d867d8cd528

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
55KB

MD5
e82e6b1b0e4f6d1508c7be106be54c23

SHA1
ba5ab60bd8e15285b88a1c18de25a22039825c87

SHA256
9295323b390c04d595d234285a17871ee5339e8971c8b8f8eabe4506cbf3cfd8

SHA512
0b639e58ba8f46ac894777fa16032e648c1c0c600ec0c9e98941995d531fcd746ef727dba0b3bbf605397a49b6b8fe0e3294d6705b17242d3ff34334f26c1a87

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
55KB

MD5
09e6a8da2849ed036f62cb8c2fd06b33

SHA1
7a09f505c106016134a52f48e0b37561a7a3a321

SHA256
90f2aca49a46f0d8ddb51bebe3e2357fd5eb455ed35ef9ccbad76e91a35b2ee7

SHA512
433c8651cf2848296a55abcd5f6af3df792ef49fe88bd2ef0400632705d97e8d8572ad26d6af55eef77e626cc7fc9ebb4ad57037b64e6fab69e948ce8eacca05

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
55KB

MD5
5c2c19185ea084ec0cc3f1b043bcc416

SHA1
6d5c020274042f59500211c6bf4b0c07e376e21a

SHA256
85c945fb9f0cf5bcd57cc784933edd5b82bd4e6bdd95937636ae0a775cc7eda5

SHA512
1c79dd998865b73954cd3ece103b2aca186c18f9e3aa419063cfca08e7a4d9fb563bf674ddb3cab43398a1d1ab495529c17546445c25d915a8ee12e2ac3d7ca9

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
55KB

MD5
6c057ac82d7a56ca08d876c1e1eba6f9

SHA1
7ff4da340caf6063b4b8530748c93d2c4258c5e4

SHA256
b7ff1b6fb68162e59cfef274f6c1de464eb4e8ccc789efbfb2f00a7c1dfcef35

SHA512
bbe43daa36c360339bd339a7d538f0aee23357c00ba71ac14dcc96d796f2af3540a5d3f05a53076177a2c8279b951edfe6168c7cccee89daf66d288c9cbe6332

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
55KB

MD5
195c61a6f769ba8fb03d9b468a1ff213

SHA1
c4b82e999e2d826c5a9af58e595e63699752f4e2

SHA256
27b99c087c991e3b5dc5dfc756bafe0bb3984640d3c0e32c1e11f7ba47298423

SHA512
a40a88a2423ea790ac9ade3016224db5644503d4b5dfc1bc97589899769ff6de67c1fb764425c70871918e593b66e7f7b73b092ddb03d22618533e7210dabe4e

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
55KB

MD5
07815a7be726d4334f135f853f65487e

SHA1
14c21dfcbd701075c636eaaab1b3afb0e922125e

SHA256
a46b25c22ac2bfac86afa2e2cec0c4aad12fe8c83b1ae768730b3457b6b9d579

SHA512
3b2d2f186673a9ef5aa844bdab980d7bf0bd40da38c1cbf716be2b29aff4eda25b3e3e8810b82f54476aa7de8886be92be307f446de34afc17fe7f3e8e6a4aa2

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
55KB

MD5
33c7ce29baf6f3d4663184daa7f62381

SHA1
18906ca27a1538f8d8981769207dac17342c874e

SHA256
54068238f6b94c8e1ad50442d6480952f98f2e79ab180821af75ef6679d1dfca

SHA512
2278fe8dc1d6048b5b593b3b84d6555d87355cc9488f823e7edd1a134b1c560be0ee7d5734f5a275f4dc3ba78fd4e7d4eca7cfe202a372c33c8f6141221b335d

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
55KB

MD5
571de474746144f9e0a254da332a93a5

SHA1
681379b1194d64a99f025a4329eee59552853ac3

SHA256
9f0b5da15b5e7539b9873a6e0968c42df8765c66affe32fd5f7b5c80742de153

SHA512
98f8822ecadf61d9878ec9034d8d81f7c4915f0f929f2c886b601ffd73d07542122ad0fa9af40fa0c989a6967018922dac0deca9a73e448b2fe80161a407ad61

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
55KB

MD5
4e53ebeb500835f92e5215e29af542cc

SHA1
753a940568b88c909bd9699e00afd58f74d39963

SHA256
73143e185759989a840d05ea2e6f2ed8575ced6287ed1a75aa1f7957ede5fdec

SHA512
8b4220803980581b353b3532c46663318a3214849fc599a5116f3a3821fab940d22f562a93f57221c211890530bf8b223b411e1102770b518765e42b973a26fd

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
55KB

MD5
02a3afc79a9ac4aaf1c4052995173b8b

SHA1
96ca5c61b3bb7ef93d83427e5ffcd20035f1010c

SHA256
e82ce02d31c342ec019a2dac61cd5f182e2c6fb54431d8e619585706c2f5009c

SHA512
5ede838aeb78daf0bd45df84cd65a6af3f8c6bfd218441791a3d4e7c68de8daae3e073c027bad88b5a7677b112edb43895200c3a5efb20107eb50190907b3780

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
55KB

MD5
e888376df2999ff0601b543a72409a88

SHA1
8347a98212d881027518a9253d063e61cd43f4b4

SHA256
159ff294a7b22d0bf10c2856b4b2c6fa8b9cf6788e7f3ce09087578ac3c1b597

SHA512
005e9a9bf91ab9fbc4ed1f23caa2c4e3abdfcca7a85b611c4e80cf5cde900c7178c993cb6e5083454082fb2216e3c2b61b2bf22719a46383fb01e8ba41d792f3

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
55KB

MD5
013ee822ab1125ffd0724349ff7e462d

SHA1
c2d1ca0afe72ee0bb57e06d69b021562e33019df

SHA256
7e8b860353b273f094a161ebaa14ac3c8dc0396bf9c8e2e8d6a350d26b8dfd17

SHA512
50e93a7dbe4b5b7a7d864d5e2dd1c2e69502e07436428728b2e65337fd377b1954b76f69018fd67b998667c395e7ffd2cbf47ed9faf29b012d2c3a7883f0d6c0

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
55KB

MD5
7da43134cc5def99ade6213c214c4c0b

SHA1
1abfad7b630ed05b46ec5519327ccd274ffc8721

SHA256
d19d39d50f159625c1e7220494be929c5ba4af276af4a743dffaa01bd78d7fb2

SHA512
d28ce3eebc778bc6d3c62adc98b16bd66822d743903703265c6ddc4412bbb75c12b2fa5bb8e3d48a6dad04403ffd043b670595f0a5d2b6e5679fc9fc6450b308

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
55KB

MD5
eb802e6cc3fc75b652c553a3bb38da5b

SHA1
3528dd50c9827c15e109b7984b26a5b2201537f8

SHA256
9b0600b314328b4c63c495e1e83cb957f10e65c59ee4a5b7cfcce2b993cc6222

SHA512
8e584ad29b285a11bcce459ef03f661a13889b64e79584ae1949f2436ab31e8b82337d1b203216674537aa69a2d37771b629d06f80f7c61b40563dbfba96aff1

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
55KB

MD5
d55603bbdc9fbe91463e6ccfa75cd45a

SHA1
63fd669d146fc09492b761854b16c6f7b0586c04

SHA256
27be68defb328fa4d7573886dc8f167ef56840d62af40bbf0b71a6b91cc4fc07

SHA512
51c6763b036429ff700ba61178332c9c774039e4b4e26a1c5d82b5374171e8c00b977551d9335cf5ce3b6c8c67dde056c3305866829e49c85a8e288f4d93cf5e

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
55KB

MD5
802559f59d49729165ef082bd809e661

SHA1
8e859c9376ce26c01b5206236515a4079f794640

SHA256
1d633587106c39262660512c8cfe9b4608f723033736cd5e324c2aa9872cc909

SHA512
62e376b6c6c483e0d4c0e5e547f3a56c6c9665ccc60492b558fe490e5a849dd1ac9c0ffdba7903f17d89282329beb70829ed9f04c8933ef71d24e5c03ee48ebb

Download Submit
memory/736-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3412-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads