f3318c7b5f204d62df163bcf96d94dd7b1d772457961ebfbf654fdc3439503b4

Analysis

max time kernel
135s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 18:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe
Size

144KB
MD5

433376960d2dcf5d3729e9b5d1736920
SHA1

8b97837c478cabb9b050ea8ec78199f675dbe05d
SHA256

f3318c7b5f204d62df163bcf96d94dd7b1d772457961ebfbf654fdc3439503b4
SHA512

fbae8b6a5dfdf9cd1d796aa535e9f7eab04ed3b570eb88689297dd24f5108d20ec26f45b10acbbdfd634a68dd39232658322db01fd4735393ad642b57c3e00d4
SSDEEP

3072:9DldvIUIL9xTBCcvzLa7WWu4JSxIzzGYJpD9r8XxrYnQg4sI+:9ZZULDTBCcvzLa7WWuXGGyZ6Yu+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe

Executes dropped EXE 42 IoCs

pid	Process
3432	Lpcmec32.exe
2236	Lcbiao32.exe
920	Lgneampk.exe
3676	Lnhmng32.exe
1396	Lpfijcfl.exe
3852	Lcdegnep.exe
4888	Ljnnch32.exe
4944	Laefdf32.exe
5088	Lddbqa32.exe
2368	Lgbnmm32.exe
2228	Mjqjih32.exe
3516	Mpkbebbf.exe
4936	Mciobn32.exe
4552	Mjcgohig.exe
808	Majopeii.exe
1652	Mdiklqhm.exe
1932	Mgghhlhq.exe
4600	Mjeddggd.exe
3664	Mpolqa32.exe
1964	Mcnhmm32.exe
3696	Mkepnjng.exe
916	Maohkd32.exe
4896	Mdmegp32.exe
3972	Mglack32.exe
3640	Mkgmcjld.exe
2232	Maaepd32.exe
1360	Mdpalp32.exe
1204	Njljefql.exe
4456	Nqfbaq32.exe
3136	Ngpjnkpf.exe
3720	Nnjbke32.exe
1188	Nddkgonp.exe
3864	Ngcgcjnc.exe
4964	Njacpf32.exe
1740	Nnmopdep.exe
4280	Nqklmpdd.exe
4380	Ncihikcg.exe
2120	Nkqpjidj.exe
4712	Nnolfdcn.exe
3948	Nqmhbpba.exe
1124	Ncldnkae.exe
564	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4720	564	WerFault.exe	127

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 3432	236	433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe	83
PID 236 wrote to memory of 3432	236	433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe	83
PID 236 wrote to memory of 3432	236	433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe	83
PID 3432 wrote to memory of 2236	3432	Lpcmec32.exe	84
PID 3432 wrote to memory of 2236	3432	Lpcmec32.exe	84
PID 3432 wrote to memory of 2236	3432	Lpcmec32.exe	84
PID 2236 wrote to memory of 920	2236	Lcbiao32.exe	85
PID 2236 wrote to memory of 920	2236	Lcbiao32.exe	85
PID 2236 wrote to memory of 920	2236	Lcbiao32.exe	85
PID 920 wrote to memory of 3676	920	Lgneampk.exe	86
PID 920 wrote to memory of 3676	920	Lgneampk.exe	86
PID 920 wrote to memory of 3676	920	Lgneampk.exe	86
PID 3676 wrote to memory of 1396	3676	Lnhmng32.exe	87
PID 3676 wrote to memory of 1396	3676	Lnhmng32.exe	87
PID 3676 wrote to memory of 1396	3676	Lnhmng32.exe	87
PID 1396 wrote to memory of 3852	1396	Lpfijcfl.exe	88
PID 1396 wrote to memory of 3852	1396	Lpfijcfl.exe	88
PID 1396 wrote to memory of 3852	1396	Lpfijcfl.exe	88
PID 3852 wrote to memory of 4888	3852	Lcdegnep.exe	89
PID 3852 wrote to memory of 4888	3852	Lcdegnep.exe	89
PID 3852 wrote to memory of 4888	3852	Lcdegnep.exe	89
PID 4888 wrote to memory of 4944	4888	Ljnnch32.exe	90
PID 4888 wrote to memory of 4944	4888	Ljnnch32.exe	90
PID 4888 wrote to memory of 4944	4888	Ljnnch32.exe	90
PID 4944 wrote to memory of 5088	4944	Laefdf32.exe	91
PID 4944 wrote to memory of 5088	4944	Laefdf32.exe	91
PID 4944 wrote to memory of 5088	4944	Laefdf32.exe	91
PID 5088 wrote to memory of 2368	5088	Lddbqa32.exe	92
PID 5088 wrote to memory of 2368	5088	Lddbqa32.exe	92
PID 5088 wrote to memory of 2368	5088	Lddbqa32.exe	92
PID 2368 wrote to memory of 2228	2368	Lgbnmm32.exe	94
PID 2368 wrote to memory of 2228	2368	Lgbnmm32.exe	94
PID 2368 wrote to memory of 2228	2368	Lgbnmm32.exe	94
PID 2228 wrote to memory of 3516	2228	Mjqjih32.exe	95
PID 2228 wrote to memory of 3516	2228	Mjqjih32.exe	95
PID 2228 wrote to memory of 3516	2228	Mjqjih32.exe	95
PID 3516 wrote to memory of 4936	3516	Mpkbebbf.exe	96
PID 3516 wrote to memory of 4936	3516	Mpkbebbf.exe	96
PID 3516 wrote to memory of 4936	3516	Mpkbebbf.exe	96
PID 4936 wrote to memory of 4552	4936	Mciobn32.exe	97
PID 4936 wrote to memory of 4552	4936	Mciobn32.exe	97
PID 4936 wrote to memory of 4552	4936	Mciobn32.exe	97
PID 4552 wrote to memory of 808	4552	Mjcgohig.exe	99
PID 4552 wrote to memory of 808	4552	Mjcgohig.exe	99
PID 4552 wrote to memory of 808	4552	Mjcgohig.exe	99
PID 808 wrote to memory of 1652	808	Majopeii.exe	100
PID 808 wrote to memory of 1652	808	Majopeii.exe	100
PID 808 wrote to memory of 1652	808	Majopeii.exe	100
PID 1652 wrote to memory of 1932	1652	Mdiklqhm.exe	101
PID 1652 wrote to memory of 1932	1652	Mdiklqhm.exe	101
PID 1652 wrote to memory of 1932	1652	Mdiklqhm.exe	101
PID 1932 wrote to memory of 4600	1932	Mgghhlhq.exe	102
PID 1932 wrote to memory of 4600	1932	Mgghhlhq.exe	102
PID 1932 wrote to memory of 4600	1932	Mgghhlhq.exe	102
PID 4600 wrote to memory of 3664	4600	Mjeddggd.exe	103
PID 4600 wrote to memory of 3664	4600	Mjeddggd.exe	103
PID 4600 wrote to memory of 3664	4600	Mjeddggd.exe	103
PID 3664 wrote to memory of 1964	3664	Mpolqa32.exe	105
PID 3664 wrote to memory of 1964	3664	Mpolqa32.exe	105
PID 3664 wrote to memory of 1964	3664	Mpolqa32.exe	105
PID 1964 wrote to memory of 3696	1964	Mcnhmm32.exe	106
PID 1964 wrote to memory of 3696	1964	Mcnhmm32.exe	106
PID 1964 wrote to memory of 3696	1964	Mcnhmm32.exe	106
PID 3696 wrote to memory of 916	3696	Mkepnjng.exe	107

C:\Users\Admin\AppData\Local\Temp\433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\433376960d2dcf5d3729e9b5d1736920_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\SysWOW64\Lpcmec32.exe
  C:\Windows\system32\Lpcmec32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\Lcbiao32.exe
    C:\Windows\system32\Lcbiao32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Lgneampk.exe
      C:\Windows\system32\Lgneampk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 420
        44⤵
        Program crash
        
        PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 564 -ip 564
1⤵
PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
144KB

MD5
a87009e160adf133470e475799d9e744

SHA1
1c48db77bd90e6eb498a51c3ecd626e4943efc72

SHA256
41582fcab803b47cf7221e96608592917ca6f1d2a75163e5f2705d221bc5ea24

SHA512
f9f0636ba03a598db97730c608c5a7fb665474581a176b7a535b7b20b2d740bd3507313b21be250f767063a89a7647ab78a4080f347b1316bcea83009e052a07

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
144KB

MD5
a94a6550205c1f2f3215ee4b8576ad3f

SHA1
a6a3a118dd9202bc48ff0a290a0ac5926240c580

SHA256
319c98f0ef94d50211873ed1a601d942af56c163eee10198bb427072ec6aca29

SHA512
0e3c5d5ac77336f88ce3998d8065da5951c423b7df9fa985547bfbfc76a1116f0a1c98deb61771d23b54fb25fb69041d3b0e963e23e44461882b413252913f4a

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
144KB

MD5
c4256507f6407eb394fc738907a0c15b

SHA1
1a4d364361d94ebe4ee63a8c3fcc4247bb0a569c

SHA256
d9d36516586d0ad1e20d419472ce4cbbcd8f343e727599650cde309011cbb685

SHA512
c91c2070fb06be7c4ab612ae4de61ffd60eed8de223228fed940182fad846e1770922257387a813cbd012530b54782035b37dd2487d6ed96bf9679f4ddb23eac

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
144KB

MD5
a93262412e231ae28e0c42b63d647476

SHA1
6a8f3ce4bd165c0057996190db5c83a88c211493

SHA256
5b774ef057a3a4394dcf25c4ae110c38c53bb43f82b7b90acf7094e38581ca8d

SHA512
437c331411f6f37d88aa55807accbffdb5f11e8bf6e24563708baf294941aef9ac75c5ef0ed555977049ea5390c7cff874790cce0e320b1d740db00b548bb983

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
144KB

MD5
03747d9b83d2e1e9004ce3af33501646

SHA1
5b2255aa74dc45c4d66a3cdff21683acd0c5fc79

SHA256
f7099760c28f5acf36a1a7d12b5defd865d9ef0583a6a8463559d9b5fb2a1441

SHA512
af33f5c5b228c352fd9e41384d3c54af2aa78e86147209dfc5e6f289dd4bd27e5b562ca5b7f2b2d80376d9674ff4c9472e0fab88d494bdc02dc678c2433e6790

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
144KB

MD5
513ab062cca804cea8339f889f7319f6

SHA1
e5ed5caf4058e928a180bc99eaa9e3080077aa3b

SHA256
6ecaa8b594849632d9fc2d1e2d7b706981dd0dfe517944930d1c25caaffd9a53

SHA512
b4ddd36b7a5c5f64b6572909c4ed53f1332680f38d656e9e119d97f36941bbe1461c012d6f1a3735ac429e8936c2b2483b591abfc75c46c7a11a95177f11e140

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
144KB

MD5
3d70f646188773d835cd0e4b64a758ad

SHA1
d4f93f6f51b929bf16cbcb833a624d5334725cc1

SHA256
42c244ac5e8b06e198b7b9b61f3488aef92c94baded12c311eefeed9f2c63a4f

SHA512
554b148327a6a0ccdad549d51451cc57d36fe354ce9782d55054f9f07213cd5dd70fdb8f5ce63a132efbb18ce80a50e64df79b21c82da9e61cd44387fc48b1c5

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
144KB

MD5
14968c956a0032c52f7c3eba23e71db7

SHA1
c5ee231a33dd3e5e8a2aeef097b85ca17af8d82a

SHA256
af235de9d0e7db6de34b98e4c9ce7154bf3cc978ee983c02cf7d602f32694e59

SHA512
b89cdfa175aadfc60a6e96500dc498daa23a4956f081bb463cdfeaf712f2502264797ca0d5e272dbda0b1ce2420998a7d6674e895f95c370743ff1b3893d39cf

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
144KB

MD5
6dcd09c4df3986465e493ba089d9c53c

SHA1
daea54eee33cde8bf85e1842d0afb0e36f1603e6

SHA256
11a2b65c0f2cdc3edd8b947552cc7ae32ae905836dea323848d506ba55aefa52

SHA512
180febaf6fb8511e246ae09e700792038fb97f82271cc4eba8ed2188d3799def946024a0e076d8b9d125f647ff161720114a4bf936793e9e071ae5a583848f66

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
144KB

MD5
3142698b704249c01228d82d46a4fbe5

SHA1
c67443a93e132c612131b2704d2885ac5150941e

SHA256
9168de5a13dde5edc206ae28db63661d4c9655b8ba85f6ec977a8e5ca4443e45

SHA512
d8400ae3dd4a287983c52f1fb2a79985086a118e6afb9e10036b5d24d131266daaaa3faa3f0fffeacb13f8bb3d9b2a0650605d0c053bbac8e42ff5a60299f695

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
144KB

MD5
7efb6a327ae8583809cd2e562e325692

SHA1
98693078d54f589e63f70c446f9cf4ca6a685ebb

SHA256
c8c647aff472beea8c9bde806a65abe457ab98ca683f490f1ad5477d36795bb0

SHA512
64d9063b9403c615f1579ab5565d653d698b558f1e607b9317dfa237998c2ccbbfb00924e7e201624925d0e403fb6f000cddcc466d25e6bb65d9af8029724eea

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
144KB

MD5
2ddfffa309ad4cacc50d247e7f5d29ea

SHA1
3410ceb6bfea08117b3b075075a8222cfea9ae3e

SHA256
7d61c844e54a95cc672a28b48505110f845316612431a0a3cce174aaefe7295c

SHA512
f3852165502cee4f6c6221d2a08d1dbee6b932253b9819d3c5ca7d6490cdfda2aba5cb5938dcf55c45450ef7b90f79dd2d617c4c18acc93960560c55fa19a1f7

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
144KB

MD5
3206580eab4b0b91a445b2ea68e31c57

SHA1
e101f278414a0521cd3412c10e3bad72c6997fec

SHA256
88a67b1e982e6253eb9c0e0f8fbe6505f086164c0397bdbd9423515c8c6f7ab2

SHA512
d0346e40bcd61c637fa04d730c5567a36ad9d880ac33efdf7a3112edd8e404aecc5ad31a7725abdcef85813c35067f725bd415269de4d741caf7e6fff308a787

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
144KB

MD5
fd22d5cda49bb87308bc9bb6718aeb8e

SHA1
5a567edad60c416c2967463dec5582e05e9c3ec6

SHA256
08f105d4606fdcce24a60390bbcddfd7fd86a463411c48cbf4f573fe0c14d552

SHA512
e9b5d14ecbca38c83f320b522eec39a13b7dfbba8f8e3ad8398f9ccbc7a562f41fe00317a7d9e91fb5d4e0a724e8c23faadc8bfaae05ce832733341a87f9e845

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
144KB

MD5
3068cb02213b4cdf1247a7d1ca153177

SHA1
c38ad06823500f93ec29b99e2dc2403cbb80f1dc

SHA256
81db2ecb84c41be6554ec369a5bcdc95af6367a0b9500f71e6ffd6e707d3ac9c

SHA512
c6323658512c2abe8382cb1cc7c007877acff0add897c97a0ff1d6c369549109158cec165649bd8aba102a013d0291b882cdb1192772462d3a3af6434c513d33

Download Submit
C:\Windows\SysWOW64\Mbaohn32.dll

Filesize
7KB

MD5
f6ea2076a130ac4aa23beebfe2a0f336

SHA1
fac329266ad22506d57f6294376767c558ada143

SHA256
bd4fd9c754bb11298718ad9cb1ef6716bebace19332d299ba34c5e1086b5c116

SHA512
603e4768eed0bf255ad496cc0e90011b457616ec764ecaa67885c1ada9fdca41da8be01df12b5ab815a5179eb5ddca98829e4854de2525e09b9f2cec1d3522db

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
144KB

MD5
4f99d5187cdc7cf4118fb8b77710122e

SHA1
fb3f198842c9a60005da58353c0b2cadf6ce7a55

SHA256
eb224ca2902002ea7104429c015d004514f310a4c30f93c1b5eac52cb2fca293

SHA512
78d094b4c26cccd5c3587e8db9af5bc55502a9ee54700eb113e4c8a4fc5025ce07aeb6465012b38f7d410b807ab9c8cc98fa70189bab2ac222b22aa06116d756

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
144KB

MD5
39d24051f5dc49d4921dec19938189df

SHA1
7dbe388c22bb3a8608cc893b286efe9bf338e988

SHA256
fb3df82b036e704ae38c42ff5adc837ae6402569a92bee5a94e091a25c036434

SHA512
983586aa38c28263f1136930878312a40a7245303b7a2cff955324d9db4f691b96b392c0a7612a15c6ac46fa51c60d5db771d874e13aaf3db82964426b65a262

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
144KB

MD5
747d8f8b9abd64631e463f12c64e495c

SHA1
fd41e2ce09a8191998d8228289d97d2311f4bc5b

SHA256
1c548697b5e3ea3d6283a27c1b8968d6560c01b501414aa0f0d4d5a51e3651ff

SHA512
311fd1fb9869a6bfaec445746f4cd023e652e2597238c350c8138671ad1251deb041ce037741dd26fb702cf186f61e3df69a518b5cc45b7df6b66d10a17b1356

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
144KB

MD5
da6e5fc5af5c16135befd025c6b565ab

SHA1
d63307542edba0e510cc1090fdc58b11bb76aad3

SHA256
3917cef3d552574bc676d6887403e9ee3ac4f367b77e857d062aa36a8afb45cf

SHA512
5962ab0abfc3a50d331546d2aaa64dc6a945908c2adc651ef7f9e5f3809764a779d4ae108c4e0dee917eb2d5fb39d9c59f5c0628f3f46fc0f5c6b3a0963e5979

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
144KB

MD5
ecf75592ae62e32e56e66c4ccbb115f2

SHA1
666c9bf98cf54663598b69c973a0f145b4469c4d

SHA256
0c5f5284a4eed6d33431b907fa68c498a60d97f5666650f92d7a29dbf3241acd

SHA512
00f23e2d7ca1677db1532caa39552206353e26074f8d030dff7004b75e738569fcc068e4de81774646a4fc1e74dba42bf37232915f249697aee4a66ad1da9f5f

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
144KB

MD5
f4ef588ea977a93859035ee58147ec7a

SHA1
bee148bbc362d0b82333b15e52a06e8703972802

SHA256
a8477afe12ac1ecf1c4f256e5e7a33e58edfa57e1b70bfd1e6ee012c1551b4d0

SHA512
d8326cac698eeaae6f6ac7380e4eb0f5149f5bf9ea107852651771e98da5a3ff3a7819367d0406da65df8c17e93b2f5bfe03e9722a292c388fc8b0964cbd7185

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
144KB

MD5
d3caf9b80e93cac37170139f6a9bad8e

SHA1
63da1a7fdb83cbea95707a69279354bec4ff9ba5

SHA256
12403c816334b5e5187de11d83cb8b1d4e25403acd0e80b4cf62d08b35cb9bcd

SHA512
f780f1c855bc9b412454ac04e02c037f1368e90b30b678d525b8b535b4b6a7aab7e4a5bb977c0f5a50a7471f7cc382da1c9201f7ba33c347ffd5a6fcc48d5175

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
144KB

MD5
f5baa131cfb3941122c153b8c4b5e222

SHA1
d8938987cfe5b4731c5938fb17b19ae475d8fc19

SHA256
252a7ffa8e6423ee3d76c213f093da10641da67ac6b43533ba2137d11ef10324

SHA512
2bf1f6a725b758904e3c41ca60e6aa93a3fca6ce9c824950e75113f32f93f75d06b54e5bbe9b42d49d88dde9f9c3adae91fac1b5cfeff7c08f2b793cd07616d0

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
144KB

MD5
934514da19fc497acdea09c2e7222b54

SHA1
5d08cb25be560b511c3e7742d0d4fe5ee347a49d

SHA256
c86a467034e0553b9e2f689b91470bfd43d151f8a0c4983ec9176375d4f00782

SHA512
bae9f48b1ef21da32e4d206ceb45be23c4a4fdbd4bf0c88201317bddc97129d6f727e1d9b9f5409339a83c35b86b3829b2fb0b1bc0e169b2412913d3627b6d57

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
144KB

MD5
95cbff244ffc78edaead908031823f94

SHA1
be58f7ac52a1b83a3e073aa4ccc8199cdff6e8e5

SHA256
2a1c8bf8de0ea490140e93dba3891b195c4a1b4ba83d63f24b8dec5edd60f741

SHA512
558f95cb4044bec19e739c8e01561b6560652efbf68edd3f314c2a5eaaebb1884dd38aa1bc14ce5d80c97a174ff6fd638b685b5df6ee71601facc52308674f35

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
144KB

MD5
bac47eb6341c03f6bf1e1bffcd121f4e

SHA1
2cd8f71bcd919ad218267d1226c7a1400839835f

SHA256
24a9526352698e05bfb5a6f2892fc590a97e9e2f2e027a328a9677ded06f9885

SHA512
9c433285ae96f2de7ac4791a07f889221d77869400e44af8b346b8c6a4d38156d34a76b1664d13e5830856f889f046dd621740c4acdb1c71a2dfac018b0521cc

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
144KB

MD5
a15acdcd039bad0eda3b7ec16dc67dc4

SHA1
1d345d32fce6abb369c331a82279b99a3775b58b

SHA256
635963a745147c2e8577f0faa9b5c85ca06607b786f5f84e673de63cb1ffda2e

SHA512
fd65062c388ed32a05fd7da2d122ead8c438b2022cd4f5ebb8d52a2a321257fc92d1bef5b022622df5f947ec994fa2526659c1c3a984eca0370d88188598eadf

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
144KB

MD5
4d16456e83b71aff58785039362cd5dc

SHA1
6b407408ecaaa564034210efe91446c6d13837de

SHA256
268cc0ba9b722dba55f52a610a92b023f591e82bff513dbaacf9940964e8d2e4

SHA512
37003fda923ca3c0ede9f2904bcac50e2a55aa09f5336fe9397192f88adff80bc673c711820d18e18835daa7ace487a0ad03d59dbd1fce120bd224d74ec73102

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
144KB

MD5
2919399f1c26e7d974c40912a43f3f3b

SHA1
eaf787e9196b26a79c54a0a2714a9de57669ae59

SHA256
a327a7b644b0ce6e7f42a10112b421784b4b0b9e22279884f16b04b417055710

SHA512
2ab4af83ab8c658ac1d357b22342ada1bcaadb61ba022c652d0f9dd3a72c9d8f5b33ab1a6497ad5415b4ee07970f15151276b2990d4cfa023af1b46dbe6618c5

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
144KB

MD5
1ebbad95ef4814903eddf987c15a5a2b

SHA1
817c85868ed1a404f91519eca93effc33ce2656a

SHA256
b3f25f7506c30f7474888ccb9dd65afc62a5c9e8e847caa6303d7a9ecb042cca

SHA512
13a3cfb51a24672cd117fe52316b1a6e839a93ff80e13faf544554e55ccbea73854342ade1a25936df85c1009fc8889252c721a03862acd2d57f9a82d3d46511

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
144KB

MD5
3b020ab990b1fc023aab9d4f2bd7a607

SHA1
65b6c519b233c305dabf60f83ecb2447ce1041be

SHA256
4209bd9aa5a23c14f9329d9c052f425ac9ba867bb5620f712a58a995fe9c30b2

SHA512
ec872c41c0d737664a0dd487c0bd6f00812e61f4a2962c8cd4b049c8c55e7f3860946c5d03d2f4c56e82c57d6884e0dd2ff550fe8bd29f11e7e51d2e6a693454

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
144KB

MD5
0e43744c0b345764a9f8333caa3b0d54

SHA1
9269956e61a948c2267eef62d9a7fbf98e70e03f

SHA256
4dba3bdd942531f160872dd68e05786dc80fc89d969ff968f14ee20601de8844

SHA512
bef699ccb839263c242a98503718a2b088e61625137bff9ccb949a4c100e727fcad4999c68bca7b63e7674b3d19e9c8b1c562322eb7b1621244d4b5e99c44dd0

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
144KB

MD5
2f1a79cedc3569fe4cec553b78f44f5a

SHA1
363db860c0aee35398ef34d52194dcb0001b54eb

SHA256
73facb968cf4a87164bfdc1b0ed4eb202a674b763d2440bf57802e682ce5f3e0

SHA512
272e31d9a3b51af187d61418c0f10b6e2e1b8d02f3b5bf6290e3adca92b7aba7e7b3a58035610a971a65d0fe6d17f479c9ee3db712ca65d15d50d58bf92418d6

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
144KB

MD5
af954ce722000374887c92c311a75653

SHA1
fd415ad910854fc56bf636d19f9241a78a3974c3

SHA256
6bde813924aa24c78e0a8a376249cd7f2203477d6d333b307536412c4f58c36a

SHA512
97e255379c40ef892b4545d930fe4089ed54db8dd6986e14c6268e81bab66a3d139a1a2212e505daf33e9bf97909ee8451018a46d8d8b204f43b820892c9a6b2

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
144KB

MD5
14a474e986e1fa78f382893c15d35b06

SHA1
5dbdd85aaa7415b79c34d94b202c6ff0ee3acf20

SHA256
00835f44c28b86f02c2f51819f0d5705869928b393d20e680402034577866555

SHA512
6f569946ac0e4e40548ca61d0d5719b67b812050a27ccd641ed08e7789f0717336acef9340b018cb0fba17fb84df9aab74bc12f159edcfe014b4110a5335650b

Download Submit
memory/236-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/236-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/808-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/808-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3852-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3852-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads