feddd66a4dfed04c733f50055e1ea5c6fb27dd8d5ec60e7bd34fd00b2df4f0d7

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
Size

144KB
MD5

7ee6710a263362f8d169b5b61d03f120
SHA1

6bd9f34f30c30aae71f63fe2c3850285e9cb949a
SHA256

feddd66a4dfed04c733f50055e1ea5c6fb27dd8d5ec60e7bd34fd00b2df4f0d7
SHA512

094790b8aedf9e956fd36fe8f5ed2861cd8e27a61162b57862cc1c6090eacb838c49d3ab50eba04fe5fd314f88f0f2d82d367260544d2b484c4b89898511d74d
SSDEEP

3072:4C0DnK1ojVj6v/5ezGYJpD9r8XxrYnQg4sI+:TWK6VI8GyZ6Yu+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe

Executes dropped EXE 38 IoCs

pid	Process
1412	Lmqgnhmp.exe
4028	Lpocjdld.exe
1664	Lcmofolg.exe
1156	Lmccchkn.exe
4408	Ldmlpbbj.exe
3700	Lgkhlnbn.exe
2904	Lijdhiaa.exe
1260	Laalifad.exe
2568	Ldohebqh.exe
5000	Laciofpa.exe
4468	Lpfijcfl.exe
1804	Ljnnch32.exe
3816	Lphfpbdi.exe
4336	Lcgblncm.exe
1548	Mnlfigcc.exe
1748	Mdfofakp.exe
1268	Mkpgck32.exe
2768	Mpmokb32.exe
1084	Mcklgm32.exe
1428	Mkbchk32.exe
3376	Mnapdf32.exe
4480	Mdkhapfj.exe
1044	Mjhqjg32.exe
4492	Maohkd32.exe
3440	Mcpebmkb.exe
4988	Mnfipekh.exe
3908	Mdpalp32.exe
4112	Njljefql.exe
1772	Nqfbaq32.exe
972	Nklfoi32.exe
3860	Nnjbke32.exe
400	Ncgkcl32.exe
4528	Nbhkac32.exe
956	Ndghmo32.exe
4924	Ncihikcg.exe
1612	Njcpee32.exe
508	Ncldnkae.exe
3332	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Njcpee32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3936	3332	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1412	740	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe	82
PID 740 wrote to memory of 1412	740	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe	82
PID 740 wrote to memory of 1412	740	7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe	82
PID 1412 wrote to memory of 4028	1412	Lmqgnhmp.exe	83
PID 1412 wrote to memory of 4028	1412	Lmqgnhmp.exe	83
PID 1412 wrote to memory of 4028	1412	Lmqgnhmp.exe	83
PID 4028 wrote to memory of 1664	4028	Lpocjdld.exe	84
PID 4028 wrote to memory of 1664	4028	Lpocjdld.exe	84
PID 4028 wrote to memory of 1664	4028	Lpocjdld.exe	84
PID 1664 wrote to memory of 1156	1664	Lcmofolg.exe	85
PID 1664 wrote to memory of 1156	1664	Lcmofolg.exe	85
PID 1664 wrote to memory of 1156	1664	Lcmofolg.exe	85
PID 1156 wrote to memory of 4408	1156	Lmccchkn.exe	86
PID 1156 wrote to memory of 4408	1156	Lmccchkn.exe	86
PID 1156 wrote to memory of 4408	1156	Lmccchkn.exe	86
PID 4408 wrote to memory of 3700	4408	Ldmlpbbj.exe	87
PID 4408 wrote to memory of 3700	4408	Ldmlpbbj.exe	87
PID 4408 wrote to memory of 3700	4408	Ldmlpbbj.exe	87
PID 3700 wrote to memory of 2904	3700	Lgkhlnbn.exe	88
PID 3700 wrote to memory of 2904	3700	Lgkhlnbn.exe	88
PID 3700 wrote to memory of 2904	3700	Lgkhlnbn.exe	88
PID 2904 wrote to memory of 1260	2904	Lijdhiaa.exe	89
PID 2904 wrote to memory of 1260	2904	Lijdhiaa.exe	89
PID 2904 wrote to memory of 1260	2904	Lijdhiaa.exe	89
PID 1260 wrote to memory of 2568	1260	Laalifad.exe	90
PID 1260 wrote to memory of 2568	1260	Laalifad.exe	90
PID 1260 wrote to memory of 2568	1260	Laalifad.exe	90
PID 2568 wrote to memory of 5000	2568	Ldohebqh.exe	93
PID 2568 wrote to memory of 5000	2568	Ldohebqh.exe	93
PID 2568 wrote to memory of 5000	2568	Ldohebqh.exe	93
PID 5000 wrote to memory of 4468	5000	Laciofpa.exe	94
PID 5000 wrote to memory of 4468	5000	Laciofpa.exe	94
PID 5000 wrote to memory of 4468	5000	Laciofpa.exe	94
PID 4468 wrote to memory of 1804	4468	Lpfijcfl.exe	95
PID 4468 wrote to memory of 1804	4468	Lpfijcfl.exe	95
PID 4468 wrote to memory of 1804	4468	Lpfijcfl.exe	95
PID 1804 wrote to memory of 3816	1804	Ljnnch32.exe	97
PID 1804 wrote to memory of 3816	1804	Ljnnch32.exe	97
PID 1804 wrote to memory of 3816	1804	Ljnnch32.exe	97
PID 3816 wrote to memory of 4336	3816	Lphfpbdi.exe	98
PID 3816 wrote to memory of 4336	3816	Lphfpbdi.exe	98
PID 3816 wrote to memory of 4336	3816	Lphfpbdi.exe	98
PID 4336 wrote to memory of 1548	4336	Lcgblncm.exe	99
PID 4336 wrote to memory of 1548	4336	Lcgblncm.exe	99
PID 4336 wrote to memory of 1548	4336	Lcgblncm.exe	99
PID 1548 wrote to memory of 1748	1548	Mnlfigcc.exe	100
PID 1548 wrote to memory of 1748	1548	Mnlfigcc.exe	100
PID 1548 wrote to memory of 1748	1548	Mnlfigcc.exe	100
PID 1748 wrote to memory of 1268	1748	Mdfofakp.exe	101
PID 1748 wrote to memory of 1268	1748	Mdfofakp.exe	101
PID 1748 wrote to memory of 1268	1748	Mdfofakp.exe	101
PID 1268 wrote to memory of 2768	1268	Mkpgck32.exe	102
PID 1268 wrote to memory of 2768	1268	Mkpgck32.exe	102
PID 1268 wrote to memory of 2768	1268	Mkpgck32.exe	102
PID 2768 wrote to memory of 1084	2768	Mpmokb32.exe	103
PID 2768 wrote to memory of 1084	2768	Mpmokb32.exe	103
PID 2768 wrote to memory of 1084	2768	Mpmokb32.exe	103
PID 1084 wrote to memory of 1428	1084	Mcklgm32.exe	104
PID 1084 wrote to memory of 1428	1084	Mcklgm32.exe	104
PID 1084 wrote to memory of 1428	1084	Mcklgm32.exe	104
PID 1428 wrote to memory of 3376	1428	Mkbchk32.exe	105
PID 1428 wrote to memory of 3376	1428	Mkbchk32.exe	105
PID 1428 wrote to memory of 3376	1428	Mkbchk32.exe	105
PID 3376 wrote to memory of 4480	3376	Mnapdf32.exe	106

C:\Users\Admin\AppData\Local\Temp\7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7ee6710a263362f8d169b5b61d03f120_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\Lmqgnhmp.exe
  C:\Windows\system32\Lmqgnhmp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\Lpocjdld.exe
    C:\Windows\system32\Lpocjdld.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\SysWOW64\Lcmofolg.exe
      C:\Windows\system32\Lcmofolg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 420
        40⤵
        Program crash
        
        PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3332 -ip 3332
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eqbmje32.dll

Filesize
7KB

MD5
5f5b200e98787f96e4d560feb2b19bf5

SHA1
5141f3816d00423eb620861d1036028048c2f781

SHA256
487290f0741fc40962fb5cc91cf31ca12050f127a37aa55c20222bd708c67c75

SHA512
c74a2cddd4237508791fa6a7bf33c7c2b73faaecf2cb4b5cb9906ebc9f1eccfafedd648192c94e01bdd696247a0922a99e7cb9865f132855d34a24734ab4a122

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
144KB

MD5
028e0fe10888b4f2a1d3784681a6b668

SHA1
d66ee52d5aa22d29b8bd379e17c70c83a5d6a5b2

SHA256
7625cf3c133ae467a72ab26bc221cf9d0c3f64f0a7be1479acd0038dccdc82e8

SHA512
8c0640c083ffd6c94dfa3466787f19d1c9099dd6964bb3637e7553cf8102273d86ed4a65e03f2f2b7581f902387becae9a688c7b8a7f62496d941ce5bc9b8c85

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
144KB

MD5
0cd1b735eb7b9359d3189d3ef0a0c3c9

SHA1
96fdf300916a7b89ae9c79779739bb1699c730f2

SHA256
0c2cd147cdd310fe68ae89d718f948719544134720444e60e5843521f9828398

SHA512
e38516aa8963cdca5ec28956cd48e3bf755d7e6b938531653fc8361b0dbb29214180d3399953302310ba27bd982984b982b7c6e8b657fa2e7dc0310e1b2ba3b5

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
144KB

MD5
237e823bc03525e19c69bb2b9e6453d1

SHA1
1f1a4759a1a7142423116bf4db84a4a83d3abb43

SHA256
c0b8d673a6458d142676f8147c100ee1f109a26027fe4c45babbdebefb3a8726

SHA512
e49a90d39993cb346683a6d62e8f762d24bc12f8900ecfaccb2853896dad06f5e5bf35175a14cb549498290bdf4a0c745fdda209fab67b5b545a82950f392fd4

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
144KB

MD5
c42a028cfe9ccc2e16ed483b886a8463

SHA1
8c694c19a448edff1e32db1583209754607e8a0d

SHA256
10be770bbb493efaf30857b0adf121d25b72c1ae4a6ba1e3cd176fc3f20cec73

SHA512
feffc3d09f169e67904c83caba5e39ccba780a637169a15e7778dd467c0da6c3e80ab07f4ce7dee2df414be2371d0da668034a5ddbe4e93a4cdc3044315884b3

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
144KB

MD5
98ee788e09a17239272f9875091ae500

SHA1
3c2b5a2d7850998f0c83d5f723f62e7284e500d0

SHA256
6a5e5703d17cea7219352a68d9f5e909769076c0af29e8e56dbdfaadded01e14

SHA512
b23386646fa345d2673b152b29b2610c531653a4f40c950ce180656e87a1ca504f1aaf33228174635dfda1b64bd3a8cb35412e0529f3cf3de76a5683f85abbce

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
144KB

MD5
4d91163e11ba76da5fc489dd3a59047a

SHA1
da1ea713951a8647e0ff0a298dc0087e4bce193a

SHA256
b6f00d31a9a829772af07ec5c838e307f8fc84ac41ad62bd0ee83f654b9c64fb

SHA512
67bdee914a82578233c4cf71b3d5c7d9764b4de5a6b969b3c567f99ae30d5e1ae3e4e5a6213cf8a8e1c54b478c4aa151a3153f50bcb212baf726b44b042931c8

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
144KB

MD5
c7ea4c93fc4667831066805933484861

SHA1
cc4e73f608347376d79cd9e309cb5ad54a4b71c2

SHA256
36ea1797424fa28a5e6fd2a0358b6d192300b18361ef159a7aea6c28052310b0

SHA512
72c6aee5ee7de0431994efde141258baa6be88f76081af7a19e760605bacf5c89954b7966274ec3fb981409706c5aa947d7384ef576f79aece0f13345deeab42

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
144KB

MD5
5fb95aac624a029fc676bb036d606c51

SHA1
64544e132372875bb3c0ef2c5d9e090925fb2d18

SHA256
cc137aaa8ea4c6ffdd08eb55fc0033559d0feb4e49ab71409b1335e32b7c415e

SHA512
58199f22a38049df44e41054766f97e5cde4f9d052a85fbf2dcb337bff92603613844b4a5143aa67831cfbee12ef14383222986c9fd3697c0fbbf03729b745f9

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
144KB

MD5
6dcd09c4df3986465e493ba089d9c53c

SHA1
daea54eee33cde8bf85e1842d0afb0e36f1603e6

SHA256
11a2b65c0f2cdc3edd8b947552cc7ae32ae905836dea323848d506ba55aefa52

SHA512
180febaf6fb8511e246ae09e700792038fb97f82271cc4eba8ed2188d3799def946024a0e076d8b9d125f647ff161720114a4bf936793e9e071ae5a583848f66

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
144KB

MD5
a2295eefdc796a841618b1502806927a

SHA1
1dc612e02353ccad9a499185ba934fe364d16ccd

SHA256
266a98f3e8ec45c81b11127fd3ecc33fd3015c720bca11cd7ead5dd87e22ad7d

SHA512
16f1295c2b78323f8f3ec3d2d69be889e3804aa5469ecdd44f77bdd0c5a523e52656913be241234542c7f9a644a090650afdee4040af013a8db643e6ed441583

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
144KB

MD5
c2371ca92bfcb0dcf8d6c8b11452c632

SHA1
e11e5dc4a1db7310f6ac486cc739cb9f3c7d9942

SHA256
ea458f54f6d5bd3b92251e26adaf35d76a46c2b66fed62881be263345644415f

SHA512
34c61ae29421ba9801d4236e69d52834f81f5afb42bbf49ae7ceb6de8d107105979d3954f369afdd1708778de5bf97ab292e6733d98633fd2c76416802c0c263

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
144KB

MD5
57fa08e4eed981432183427f7c0114ba

SHA1
6a572702b10887fb58ea3d97496b68987e2a2c35

SHA256
ca2d6f9b2d8af4a6df4f735a927fc83f6df1c62d7af23271dd4f01e17619e967

SHA512
4d8fb7917cfb0ea446ba8f821e5c851e53db3c266504b21bb1f9060f29dd98d8684001b7532b27aeec9af50e1c4cf5d8055beace82a60c72cce92a53264afcad

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
144KB

MD5
f0490dee3443f1f92cd398ddd869d5f3

SHA1
f97c86de2f6010fc5e087f2f3cc48be67d39ee01

SHA256
5ffa741f40ed1b0c2ba429b3ebd6d716244fe3982655c25e9a09b67bc7ea6771

SHA512
336caf94c76a40d28425af3ba0d566b7eca1b078a2d1c3cc567e64a8464c967db8cbb420288bb7c7a51861bcac4ea9818cd24b3e35cd73c8428749bc4228f486

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
144KB

MD5
577ec6751803c65d510a689bcfd5084f

SHA1
962ecfce602b34eb96c13333ebf4a64be0e00b5f

SHA256
290b981440e34581883db77e084ad4cb06031091d0eceb4597a0e8fa466716ce

SHA512
078f84b25408d3742c47fe3fd4f4a77073d873740a93a090068cb4eff1e7c9c00cb92070a462196656e96bfd3312b4c70536d6babbb6b9abab9274f0b193d716

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
144KB

MD5
466858a9019eb3205d7e869c5fb45df5

SHA1
48c229c0bef57afbd7a8dfd72e973cc6f9fb9f4b

SHA256
baa841d56fa50e510855c21f2a4a5f64de708747564b141d79f07c27019d6388

SHA512
89b9033e0b1cd30018eaa5d14032462f1f271b95b157878b864bed45fb3be79d85a8f70b41b6c6866513f75f6c0d64115d7753e9bbf65cb1dde43d08d3d9f706

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
144KB

MD5
74bf69ac758b6a907cd82edc642861e7

SHA1
53ca265697777f444129b495550ac6f49df2c37b

SHA256
27abdecae2cb70157ace3b3d854a091b28f401a8a119ee8c1de913dbeb807121

SHA512
a43d7f113fc855b600778c58d76014607424185f755e7cf6ed4c3318368fc867cba58f664f28c5ce490af9e302737423074870e4c1b73ba63697b55efee7594f

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
144KB

MD5
7528b88d3fe2bb78a6ec0e59cdec9b1f

SHA1
1bee4d468aa645c43b94f5ead38d03beb656f209

SHA256
d9a5cad576ed6c9ae4ea215425d8047941456547832b60c2480fb6e0c3f5bc85

SHA512
456e6f21972403a82307d3eab47eb024d2a2c249fcf39dd24aeca550d8ba938254f7e57727aa0b2fefaee2267ff4105e682cfb75e1a5eaf25313df63987e45b2

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
144KB

MD5
e21e0ce2d646154100b53ebee2f9e4c3

SHA1
07667806587a375129ec9c0be97db4504905cc02

SHA256
a0efbc96acedc929cd77806ae08ef998f47a47acc72cef361a192fc355cca0e4

SHA512
116c761d5471625d6c42d4260368783f7d02e8140d18c464e073cbe9763f47122ba338d9005d1570d3504d01233a2eadf87a7817b4998aae844a27d014e6c446

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
144KB

MD5
f315d9f0a468fd73c3b61d13f950833e

SHA1
58bf55a80d7aed4c76d2ee52dbda3774bd5e1dce

SHA256
82f49b8ae8cb3f2762224428c5f4ac0b144fde14d6dbf54d92d359d71d0b3043

SHA512
3904a777f913b2be224607da71261a220a4c72153a336cc32ed8c634455309b635989fd172b4bbd32c83b105f0b4279712a00628d6c661bd3d37efd888f5c0a8

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
144KB

MD5
ecf75592ae62e32e56e66c4ccbb115f2

SHA1
666c9bf98cf54663598b69c973a0f145b4469c4d

SHA256
0c5f5284a4eed6d33431b907fa68c498a60d97f5666650f92d7a29dbf3241acd

SHA512
00f23e2d7ca1677db1532caa39552206353e26074f8d030dff7004b75e738569fcc068e4de81774646a4fc1e74dba42bf37232915f249697aee4a66ad1da9f5f

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
144KB

MD5
a57a9594c6d39f5011ec64a37c232404

SHA1
a58eaa0286283b862dc39cfd6eb81a708f8b2763

SHA256
0a9033f63025f9927c67a1bf1cf0c70001e5b91084293fdcf077eca42386ceac

SHA512
2b3fd343228b53f26bd1f479fcfa27060eb77329d7506b96eac934c3b0ac8d718c40103ea4546cbcd316b81c2793ab5dae6ada0a9aa79ccfe4d2b5ec5c9a06c2

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
144KB

MD5
85b072e2785024ac6f66242b334678de

SHA1
b44fb6dd22ce75ab3b8dc7927e0ef912b4424b8c

SHA256
61803a0d488bc737c4fb815114a42e9f4b44b8febb62d861b43b7208b70bf14f

SHA512
731e7abcbb04ff6960d286d157c6882b31ddb15f2c880924eea0979de57e0e796ec039732aa0dcc19bec07c9814e4af98b6eade3a1e80396d67befd0d6b69613

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
144KB

MD5
1a25efb8d81fb1832bc659f262549df3

SHA1
7b72d2b5eb3c050375b018871493168d88e9ffeb

SHA256
bcd30795569dcd7711ce24c5717d2970473cbdbdf74ee55df0bbef21f3585f62

SHA512
7d57dc99513988106a2ae90f645a4ae26103314018d6b3a89222fe0d45c4bfaa2ac012cd5ff487017d9e9934430dc93d8fcd7d377700277ae8c31dd3d710952e

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
144KB

MD5
68ac51e78dfc53e881fc374f1bf110a3

SHA1
df6aff1467de79504ec48e61703fdb9ef98cc554

SHA256
c6335a113abbc3c904832f9ff3792ba4b3307382fd1f467940e951ee05c1c378

SHA512
0d7a007451d86796856f8a555512aed0ff10ca29d61849605616ffb7832405be727346ccfb656e239f31cb81b877f76137517dce8684175d8c5a5fdc38b396b1

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
144KB

MD5
6346ec3ae5e42da89ee573e3f6f031d0

SHA1
a483864f7e702da8ec2eeed26c7effcbbb6e09eb

SHA256
a9efdfb9e1e5b7bd6873383473fc1bfbf944868c65d090c830f680705913ed2b

SHA512
3508916603622a83deb979415d5a66813750296f92bcec08c2e81fdcb164982e3300d480988370c5010a691d0da99b87b394c7601bce17bbb7dabc4dfed2893a

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
144KB

MD5
d0f3e452905b72bc57833ce9b0a89faf

SHA1
13048e669461870da9225b59b001f3d096987388

SHA256
bc9aaf98305582926cd7438c715f7c30ddbcc23f1dc1e50157026563d2d32b2b

SHA512
704bbf20ca27c864dec67427162711f334cc4b533f2e057ef59399e9605950ee592dc7cdc2ac3ad6487e213391f47fd45fc82b54654caa138330e4f64ac3dee5

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
144KB

MD5
44bd1b1fc4408c4677c0e71b291c06b5

SHA1
1c687e5fa0a81f8077c6d87e1989ad179cf102ae

SHA256
de3fa73cc364fa1c8fb3343c47111ffa5c4a2476e04784206e08a337668d3347

SHA512
1331a03862d2779320206e21f5db03d8159c81ffdf2039a90700965155fb1a14e1849e06ae6a142f737150f010ce1b9f4a58961d3f38418adea5edeef56c34c9

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
144KB

MD5
3b5025520a3be177e05cac5dc963bf06

SHA1
65af9878d8743c377928a37c7c73ec9c9ffeadf2

SHA256
2f902d16d214fee162c8a27d47c25237185ad282590a2aa709ad0292e2fa1663

SHA512
d2b6b09098b00a70a291bf73e8aab28176143bb37958067c809bc6c134f7a6576c728d447ace24219ccadf4f6cba22ab91d215cd80ce6fc3b1f7aa42fa48f8a4

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
144KB

MD5
2f1a79cedc3569fe4cec553b78f44f5a

SHA1
363db860c0aee35398ef34d52194dcb0001b54eb

SHA256
73facb968cf4a87164bfdc1b0ed4eb202a674b763d2440bf57802e682ce5f3e0

SHA512
272e31d9a3b51af187d61418c0f10b6e2e1b8d02f3b5bf6290e3adca92b7aba7e7b3a58035610a971a65d0fe6d17f479c9ee3db712ca65d15d50d58bf92418d6

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
144KB

MD5
02b1fac44069b645b5d1dfa500d6727c

SHA1
5a350fe612e58bc64b4f69a41bec0594b4bf3106

SHA256
6f0ef84c82bb918f90250688aec2c79629c866ca2ef1242e5cc63a36449e2e58

SHA512
6ab6b15fa98eda9f043350f96b1d2d1583198c19a14e68f823259d3ab655bf6087e89c055deaf2fd3aaa077ee04aa800a6a89ff8be380032fa09ae4a1a03755a

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
144KB

MD5
af954ce722000374887c92c311a75653

SHA1
fd415ad910854fc56bf636d19f9241a78a3974c3

SHA256
6bde813924aa24c78e0a8a376249cd7f2203477d6d333b307536412c4f58c36a

SHA512
97e255379c40ef892b4545d930fe4089ed54db8dd6986e14c6268e81bab66a3d139a1a2212e505daf33e9bf97909ee8451018a46d8d8b204f43b820892c9a6b2

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
144KB

MD5
14a474e986e1fa78f382893c15d35b06

SHA1
5dbdd85aaa7415b79c34d94b202c6ff0ee3acf20

SHA256
00835f44c28b86f02c2f51819f0d5705869928b393d20e680402034577866555

SHA512
6f569946ac0e4e40548ca61d0d5719b67b812050a27ccd641ed08e7789f0717336acef9340b018cb0fba17fb84df9aab74bc12f159edcfe014b4110a5335650b

Download Submit
memory/400-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/508-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/508-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads