5dd18e8ba6213102f1c154b52a0f72c7f0241a6784ce75e753d68d54ab21361a

Analysis

max time kernel
93s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
Size

432KB
MD5

06886bc8b3a3b06b129c4dbd1c647b80
SHA1

27721f77d506604c752eb5be69da277c76aa9eb6
SHA256

5dd18e8ba6213102f1c154b52a0f72c7f0241a6784ce75e753d68d54ab21361a
SHA512

93e27c6b0585238bce694a57a5b2c2f1c22415b80e1970d26f97fae8aa8272a079143520f310385cce494672e0ebe4113028b1770e79c3acec030e38f9ae535a
SSDEEP

12288:rUP7yO5t6NSN6G5tsLc5t6NSN6G5tgA1F:YP7yhc6TTc6tA1F

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe

Executes dropped EXE 17 IoCs

pid	Process
2644	Lcbiao32.exe
740	Laciofpa.exe
3124	Laefdf32.exe
4552	Lphfpbdi.exe
3248	Mgekbljc.exe
2784	Mdiklqhm.exe
4532	Mamleegg.exe
2664	Mncmjfmk.exe
4624	Mglack32.exe
2352	Mnfipekh.exe
4228	Njljefql.exe
3264	Ngpjnkpf.exe
4640	Nddkgonp.exe
4280	Nnmopdep.exe
4652	Ngedij32.exe
4736	Nqmhbpba.exe
2656	Nkcmohbg.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Lphfpbdi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3304	2656	WerFault.exe	99

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 2644	820	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe	81
PID 820 wrote to memory of 2644	820	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe	81
PID 820 wrote to memory of 2644	820	06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe	81
PID 2644 wrote to memory of 740	2644	Lcbiao32.exe	83
PID 2644 wrote to memory of 740	2644	Lcbiao32.exe	83
PID 2644 wrote to memory of 740	2644	Lcbiao32.exe	83
PID 740 wrote to memory of 3124	740	Laciofpa.exe	85
PID 740 wrote to memory of 3124	740	Laciofpa.exe	85
PID 740 wrote to memory of 3124	740	Laciofpa.exe	85
PID 3124 wrote to memory of 4552	3124	Laefdf32.exe	86
PID 3124 wrote to memory of 4552	3124	Laefdf32.exe	86
PID 3124 wrote to memory of 4552	3124	Laefdf32.exe	86
PID 4552 wrote to memory of 3248	4552	Lphfpbdi.exe	87
PID 4552 wrote to memory of 3248	4552	Lphfpbdi.exe	87
PID 4552 wrote to memory of 3248	4552	Lphfpbdi.exe	87
PID 3248 wrote to memory of 2784	3248	Mgekbljc.exe	88
PID 3248 wrote to memory of 2784	3248	Mgekbljc.exe	88
PID 3248 wrote to memory of 2784	3248	Mgekbljc.exe	88
PID 2784 wrote to memory of 4532	2784	Mdiklqhm.exe	89
PID 2784 wrote to memory of 4532	2784	Mdiklqhm.exe	89
PID 2784 wrote to memory of 4532	2784	Mdiklqhm.exe	89
PID 4532 wrote to memory of 2664	4532	Mamleegg.exe	90
PID 4532 wrote to memory of 2664	4532	Mamleegg.exe	90
PID 4532 wrote to memory of 2664	4532	Mamleegg.exe	90
PID 2664 wrote to memory of 4624	2664	Mncmjfmk.exe	91
PID 2664 wrote to memory of 4624	2664	Mncmjfmk.exe	91
PID 2664 wrote to memory of 4624	2664	Mncmjfmk.exe	91
PID 4624 wrote to memory of 2352	4624	Mglack32.exe	92
PID 4624 wrote to memory of 2352	4624	Mglack32.exe	92
PID 4624 wrote to memory of 2352	4624	Mglack32.exe	92
PID 2352 wrote to memory of 4228	2352	Mnfipekh.exe	93
PID 2352 wrote to memory of 4228	2352	Mnfipekh.exe	93
PID 2352 wrote to memory of 4228	2352	Mnfipekh.exe	93
PID 4228 wrote to memory of 3264	4228	Njljefql.exe	94
PID 4228 wrote to memory of 3264	4228	Njljefql.exe	94
PID 4228 wrote to memory of 3264	4228	Njljefql.exe	94
PID 3264 wrote to memory of 4640	3264	Ngpjnkpf.exe	95
PID 3264 wrote to memory of 4640	3264	Ngpjnkpf.exe	95
PID 3264 wrote to memory of 4640	3264	Ngpjnkpf.exe	95
PID 4640 wrote to memory of 4280	4640	Nddkgonp.exe	96
PID 4640 wrote to memory of 4280	4640	Nddkgonp.exe	96
PID 4640 wrote to memory of 4280	4640	Nddkgonp.exe	96
PID 4280 wrote to memory of 4652	4280	Nnmopdep.exe	97
PID 4280 wrote to memory of 4652	4280	Nnmopdep.exe	97
PID 4280 wrote to memory of 4652	4280	Nnmopdep.exe	97
PID 4652 wrote to memory of 4736	4652	Ngedij32.exe	98
PID 4652 wrote to memory of 4736	4652	Ngedij32.exe	98
PID 4652 wrote to memory of 4736	4652	Ngedij32.exe	98
PID 4736 wrote to memory of 2656	4736	Nqmhbpba.exe	99
PID 4736 wrote to memory of 2656	4736	Nqmhbpba.exe	99
PID 4736 wrote to memory of 2656	4736	Nqmhbpba.exe	99

C:\Users\Admin\AppData\Local\Temp\06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\06886bc8b3a3b06b129c4dbd1c647b80_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\SysWOW64\Lcbiao32.exe
  C:\Windows\system32\Lcbiao32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\Laciofpa.exe
    C:\Windows\system32\Laciofpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\Laefdf32.exe
      C:\Windows\system32\Laefdf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        18⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 400
        19⤵
        Program crash
        
        PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 2656 -ip 2656
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
432KB

MD5
2dec6bccdfa7f9ecf1bba52ea68df5fd

SHA1
bc4354c4fbd59e2f77feddf575d0444bc7343e53

SHA256
eb23d13b79cdefe5118fe1524f079deb6a01efaec0830896115bfb789abcb143

SHA512
f72e6d252021f8b776d7b7c51b724c0d6019f61eb08956260540908fa7ae40d68e8273d149c69312318e2c71885beebeee4707a9eb58df47a061f5f17f7bc42e

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
432KB

MD5
a7eddd1ab859239e3dde23875173f291

SHA1
52ce78a96d39629132d045346ff07256aa4d5acc

SHA256
b60e360b3e3d27a1f464db3b82afe12f3b366d354aa906c278db5382373206fe

SHA512
cc77524f1c7126abf12ea6f97c7acd19e6eaf069e63e69d5b9363dae71d0e41b01466609945aab926f30737ab0657b184c7468ebc3e8a346ddae216fbb2dbb41

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
432KB

MD5
ece9afe884a8262c4878c11ce467b08d

SHA1
5fccf40964f5327f3de5efd4832b9a95ed92f821

SHA256
988e53d2faae53bdc1f9474da3dbfe05d6af0b43bc03a3626d433a359a97e1f9

SHA512
ff14f1fad5bf433c7595e00d5ccb6ef4ee055638d238c491a05ae480e479a05902b34bd3736cb06ac9088052c2d6e648beb1c164666dbf8bc7bd550f1b024e1c

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
432KB

MD5
fbc7c97416739817a71940d156e39682

SHA1
cb7d58068172b378dc9f931700641adf65de07d3

SHA256
a5d4bcbba6d330c580ebffa45b954e8654636c002686406fcb85ee0930629596

SHA512
1dbe2e23cc2b5347304bb9a28b2e819f1a73c8cf630aecd087f80be917661c2e8a3036150d4398f7ddcfd3fe6fdc1a2bf434ad82421d2ff9b04be0de7edc3cfd

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
432KB

MD5
70fd92fa6fd4a5cf260cd95f08e2c8f9

SHA1
5ffd133d57cb5011a5afc8fd86fb85661a279caa

SHA256
a3147e4a72e624bb251a6c6c219139348ec80188bddbd0050676086eac813312

SHA512
4477e10890f41833e131a49a6bb8493af7202a5cef6e947b6bd0e498799149cf7a724d2adb0079b9b2a6779dcc0f4859615caa9cfcb1e5d05584a615ce05e140

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
432KB

MD5
ba9a036d9e4736557bcbec47019f7fe9

SHA1
cf59c31d760be79289bbb35e38b32a91dc83cc23

SHA256
ba5ed1276b342971f29d5d4c4bfa7722b1ba620ce75ebecda36f3b5446785524

SHA512
cca428c17601f2c41331c44b470d152ace14ca4993ddd49225dadb55251126f56dfed456aa4a9b2df80811bb12bdfe4e0828541aaf6d302368852057a4a7da0c

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
432KB

MD5
d91d0098d126bddec8aa8571f5bcd633

SHA1
6abb143b9eeb2081570f1e1ae800f4b703c44f61

SHA256
0c681be6aeb457553fe099a0c6ddaf864726352ef0778dab44dfad7436e45dde

SHA512
b113686aab1cf0653315adb91df1765aca567cbaec361cd3e6ecd0c8fa24ed9c280bc81c3df934b740917acac8c2df02517e45d02dde3c1f6044634a87843290

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
432KB

MD5
82a439d381c3e692592913dd06e5c149

SHA1
1d16ae5a5e0979a74190ac95c6d12de13d61f984

SHA256
0498f07dec9d16f1671408fa3fb822fa0aa8681d22a0499030566e6837437d87

SHA512
d426c3918beafe363ea0196fbc7051d84b60e2d2c2f558836b4aa530fd19a806ed9834b2adea54d705010bd50b0934f91ed211b69f9e0a77763a71519a8b48ba

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
432KB

MD5
ffb0e3ca9b594f847496d7ffbe2284d6

SHA1
cda9146f09914bb662b9eeb607af6abbd016c777

SHA256
c432eaf0b480122e78e7d28b772a1d94ce7a206705cc31a47bf8fe6bd69ae10c

SHA512
6e6b453679f91186dfd712d990ca3aed1f1e42f0280ac5abe3a1b4ecdf621e5c1e31467cbbc079a2ea38e29ca17212df350c668bf0ad4c3282e31cbbffa1e76c

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
432KB

MD5
7bdcd8c6a8ed60ccee83b0e2d9736045

SHA1
f899553b9c35a5f9faf36344099bb6f14073999c

SHA256
c26f0001093dbb8800c9803b7f8ebe0c63a6f465b03b52b83510ed7256eba414

SHA512
d4196747e32fec7038ccd9a2b040ee7196d477e89069e880c1768f39fa2786f565e6ba6b1d8ee9a7a6c555cd4a6d7fdefe003623da5e19880061a1157bcd0f17

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
432KB

MD5
f82b7204862fd98c4c90b6abf32a37a1

SHA1
682e62c6cead7f22fbbf0ba8280e03d98694ab8d

SHA256
49bb48fece0a43b2ea6ddc8e2a866b923aeee8b4740df28b62a27a1048669a03

SHA512
42caf28e27da679ecacfbf1408aa717276b8db10be209a14a77f82dad26c754f901b721af63099b97e6d346c5ccf43ce9c6a181e4b2afab0491616072d5dd1bf

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
432KB

MD5
f751813e8bed6eaec24c793af3a91d6f

SHA1
a1d9fb861bd37ac64fc4d67dcf9c1c17c1705389

SHA256
34c90d2fa3f78e071ce63a94c96a25c9f9a4c5a788af2431e284327cf6b7118b

SHA512
383a7cebaaed69d3868edb9d0225a5f0fdcfee2b522a750e270b28e9dca22a45660fb01ec95af732d049b73792f97e1214dabe1dde3eba51d8f963352fb9e620

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
432KB

MD5
b33e59500c6463eee40aff3eb0c96e6d

SHA1
efa6fcd59583cea0db7cb0793e56abcb2ec04e4a

SHA256
59d3a9dccb6f7f104652c39e8755ad8b4232e7a6a63b46bf14da51f03f2234d8

SHA512
349ed4cf1e9dfe2df81f286f460c208c384610e548dd80072ed4abad71deeeaf2c70ec67ed66800859c923ae87a4e09d9b9502c9f18d6023ce35c3b478eb5312

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
432KB

MD5
46502047e27cac8ff909b361ebc457aa

SHA1
5781e2e9c5c0ba19e1e81bd970fb775564ee58b3

SHA256
1d15690299b3cf88ac9472434af2f889fb3c27c691688af40c53c6be337f7e04

SHA512
efa6b25f810d20f2c6ecb47989f930f439ad06c2329c532cd2396a2f0ca29684f351c9435804c537340c53a7a75c4b9e36c07555b309da00b2bc6f14cacf02f8

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
432KB

MD5
cfa49c6468121a004669ddf32f5114e7

SHA1
f6406b5277616ea69982fa85a7cd0892bc23ae7f

SHA256
7dad3574a3b343d87f4d693c1c768f4a1c2db9b27a13f862c3205cd403eb9817

SHA512
f6865af3fe0b82f7eed1c5c8aa2d3b9ace794d79f9594b291b2a2fe44a5c8b3efdc886e414c45828352f658a5f8f8b0776c75b032788a1b15a019220dc4805dc

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
432KB

MD5
0186a04fc4e9c3afb14683cb2898d2e2

SHA1
7dc88d765592c13c8962b8c2ecea959efadf5982

SHA256
78d1b9cecaed2d8e9bb378473c18e78da6e8b23d02d55b3ec4408a0cf6e46cd4

SHA512
da343dd1dcff2fe7504e8900adfb7d8080c156938ae1846dde83e951824ca28cac5ee9f2dd919bf5245bdc82c2b466bd9f00048252d9bd1aed10f0b638e42011

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
432KB

MD5
8647ba40c4d23328aa6c6a62a31a4948

SHA1
3e70bf0f5579777433d394f1f2ed84e8caaece88

SHA256
dd49f167085719b41114696054aa85c3142c9d349eec6c3acf78bb13d9e3d032

SHA512
d81468d46ae3ec300e90d21de7b5b0e7bdb5e0a5cabab264fa87deeb3c01fe21e9a31180392186972c4d152c999a20c04d90450c9f68cce3b8f028cfc783b60e

Download Submit
memory/740-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/740-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/820-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/820-153-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2352-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2352-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2644-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2644-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2656-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2656-137-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-145-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2784-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2784-147-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3124-150-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3124-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3248-148-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3248-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3264-141-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3264-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4228-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4228-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4280-142-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4280-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4532-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4532-146-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4552-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4552-149-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4624-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4624-154-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4640-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4640-140-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4652-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4652-138-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4736-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4736-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads