5624282b1115d1f2b94a992732610a7bbdb52c0df3540c16619ff5edb051c7c2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe
Size

80KB
MD5

c1f0708f08d54adb5a1c54777b87d690
SHA1

87632aff0b721c462cba9b0582205f4e014c0bb3
SHA256

5624282b1115d1f2b94a992732610a7bbdb52c0df3540c16619ff5edb051c7c2
SHA512

24f1d47151d1f5d3f7eaf3a2442eaa864efaa0003189b70b5fa74fb3580d302eadaf101abb4ccb3eb3aff7e4a35d05362850dc6a0e8f8aa89c8446fb23df5e1b
SSDEEP

1536:d8WDDsbWlSxhzBBr1lQbdovkinE0EB6NB32rWcf9o4s2LDaIZTJ+7LhkiB0:L3sbPQbdovkin46CrWi9oaDaMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe

Executes dropped EXE 38 IoCs

pid	Process
3004	Lcmofolg.exe
1956	Liggbi32.exe
3008	Lmccchkn.exe
3900	Ldmlpbbj.exe
1968	Lgkhlnbn.exe
2232	Lkgdml32.exe
4484	Lnepih32.exe
2820	Laalifad.exe
1412	Lcbiao32.exe
3868	Lkiqbl32.exe
2316	Lnhmng32.exe
4924	Ldaeka32.exe
2804	Lgpagm32.exe
3656	Laefdf32.exe
3200	Lddbqa32.exe
4948	Lknjmkdo.exe
5068	Mjqjih32.exe
1556	Mgekbljc.exe
1836	Mjcgohig.exe
4296	Mdiklqhm.exe
708	Mjeddggd.exe
4832	Mpolqa32.exe
852	Mcnhmm32.exe
1840	Mncmjfmk.exe
4016	Mpaifalo.exe
2004	Mglack32.exe
680	Maaepd32.exe
3732	Mcbahlip.exe
3396	Nnhfee32.exe
1596	Nqfbaq32.exe
1164	Nceonl32.exe
4604	Nnjbke32.exe
3856	Ngcgcjnc.exe
5076	Nnmopdep.exe
3748	Ncihikcg.exe
3908	Njcpee32.exe
4972	Nbkhfc32.exe
2932	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	2932	WerFault.exe	121

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 3004	1196	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe	81
PID 1196 wrote to memory of 3004	1196	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe	81
PID 1196 wrote to memory of 3004	1196	c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe	81
PID 3004 wrote to memory of 1956	3004	Lcmofolg.exe	82
PID 3004 wrote to memory of 1956	3004	Lcmofolg.exe	82
PID 3004 wrote to memory of 1956	3004	Lcmofolg.exe	82
PID 1956 wrote to memory of 3008	1956	Liggbi32.exe	83
PID 1956 wrote to memory of 3008	1956	Liggbi32.exe	83
PID 1956 wrote to memory of 3008	1956	Liggbi32.exe	83
PID 3008 wrote to memory of 3900	3008	Lmccchkn.exe	84
PID 3008 wrote to memory of 3900	3008	Lmccchkn.exe	84
PID 3008 wrote to memory of 3900	3008	Lmccchkn.exe	84
PID 3900 wrote to memory of 1968	3900	Ldmlpbbj.exe	85
PID 3900 wrote to memory of 1968	3900	Ldmlpbbj.exe	85
PID 3900 wrote to memory of 1968	3900	Ldmlpbbj.exe	85
PID 1968 wrote to memory of 2232	1968	Lgkhlnbn.exe	86
PID 1968 wrote to memory of 2232	1968	Lgkhlnbn.exe	86
PID 1968 wrote to memory of 2232	1968	Lgkhlnbn.exe	86
PID 2232 wrote to memory of 4484	2232	Lkgdml32.exe	87
PID 2232 wrote to memory of 4484	2232	Lkgdml32.exe	87
PID 2232 wrote to memory of 4484	2232	Lkgdml32.exe	87
PID 4484 wrote to memory of 2820	4484	Lnepih32.exe	88
PID 4484 wrote to memory of 2820	4484	Lnepih32.exe	88
PID 4484 wrote to memory of 2820	4484	Lnepih32.exe	88
PID 2820 wrote to memory of 1412	2820	Laalifad.exe	89
PID 2820 wrote to memory of 1412	2820	Laalifad.exe	89
PID 2820 wrote to memory of 1412	2820	Laalifad.exe	89
PID 1412 wrote to memory of 3868	1412	Lcbiao32.exe	90
PID 1412 wrote to memory of 3868	1412	Lcbiao32.exe	90
PID 1412 wrote to memory of 3868	1412	Lcbiao32.exe	90
PID 3868 wrote to memory of 2316	3868	Lkiqbl32.exe	92
PID 3868 wrote to memory of 2316	3868	Lkiqbl32.exe	92
PID 3868 wrote to memory of 2316	3868	Lkiqbl32.exe	92
PID 2316 wrote to memory of 4924	2316	Lnhmng32.exe	93
PID 2316 wrote to memory of 4924	2316	Lnhmng32.exe	93
PID 2316 wrote to memory of 4924	2316	Lnhmng32.exe	93
PID 4924 wrote to memory of 2804	4924	Ldaeka32.exe	94
PID 4924 wrote to memory of 2804	4924	Ldaeka32.exe	94
PID 4924 wrote to memory of 2804	4924	Ldaeka32.exe	94
PID 2804 wrote to memory of 3656	2804	Lgpagm32.exe	95
PID 2804 wrote to memory of 3656	2804	Lgpagm32.exe	95
PID 2804 wrote to memory of 3656	2804	Lgpagm32.exe	95
PID 3656 wrote to memory of 3200	3656	Laefdf32.exe	96
PID 3656 wrote to memory of 3200	3656	Laefdf32.exe	96
PID 3656 wrote to memory of 3200	3656	Laefdf32.exe	96
PID 3200 wrote to memory of 4948	3200	Lddbqa32.exe	97
PID 3200 wrote to memory of 4948	3200	Lddbqa32.exe	97
PID 3200 wrote to memory of 4948	3200	Lddbqa32.exe	97
PID 4948 wrote to memory of 5068	4948	Lknjmkdo.exe	98
PID 4948 wrote to memory of 5068	4948	Lknjmkdo.exe	98
PID 4948 wrote to memory of 5068	4948	Lknjmkdo.exe	98
PID 5068 wrote to memory of 1556	5068	Mjqjih32.exe	100
PID 5068 wrote to memory of 1556	5068	Mjqjih32.exe	100
PID 5068 wrote to memory of 1556	5068	Mjqjih32.exe	100
PID 1556 wrote to memory of 1836	1556	Mgekbljc.exe	102
PID 1556 wrote to memory of 1836	1556	Mgekbljc.exe	102
PID 1556 wrote to memory of 1836	1556	Mgekbljc.exe	102
PID 1836 wrote to memory of 4296	1836	Mjcgohig.exe	103
PID 1836 wrote to memory of 4296	1836	Mjcgohig.exe	103
PID 1836 wrote to memory of 4296	1836	Mjcgohig.exe	103
PID 4296 wrote to memory of 708	4296	Mdiklqhm.exe	104
PID 4296 wrote to memory of 708	4296	Mdiklqhm.exe	104
PID 4296 wrote to memory of 708	4296	Mdiklqhm.exe	104
PID 708 wrote to memory of 4832	708	Mjeddggd.exe	105

C:\Users\Admin\AppData\Local\Temp\c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c1f0708f08d54adb5a1c54777b87d690_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\Lcmofolg.exe
  C:\Windows\system32\Lcmofolg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\Liggbi32.exe
    C:\Windows\system32\Liggbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\Lmccchkn.exe
      C:\Windows\system32\Lmccchkn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
      - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 408
        40⤵
        Program crash
        
        PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2932 -ip 2932
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
80KB

MD5
f62bd1b74ab2d1db1ecf917a9fb732c7

SHA1
eebf6e1bdb1cfa488f1ea795a0c1bd47213e87f9

SHA256
b98c524084105c1208061b8dbfc7f991e68daacac10d7a49381dcaf7e537b72d

SHA512
ee2b2d4655b862c138a830abe0f54619f3a9a3bc91ab376078f048d118a0e9d4943bedff6d5edf9f5a14ba90e2728a4b7d25fb8e55c5e7dd6c8dbe1557466151

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
80KB

MD5
bb03520b39775aa6a5578094d4088bcd

SHA1
a191b3755cae2d5decb8b3f39fe1b3d5f6cf7602

SHA256
58be54166271940d8a35ef4073acc1d1563428a27edf01ced737f13b4016bb61

SHA512
1eb4523a667f27b2b4107954b34b64172b5abbec157128b98556cc7874327e3f1709b0a47ded0846167a31c374ff56900efa8d75ab961f48fad515e3452451df

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
80KB

MD5
82c8deeefec546009ffe3076966bc9e1

SHA1
81c9416333e1f37996b1471575294b524c307bd1

SHA256
348506e7f22f7420fe136e4d774ddfc448f6ba75165027793d8a5751fc00be69

SHA512
61a1a828661c38dae7d5ae2571a5a5a4c7f9c1f2c1cfad7493ea3095c53da73e8eae763622160b8a4fa119b20157f39aa0737cfa2fc894f54bf3ed732532dacd

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
80KB

MD5
c3ed92c4d2fe15e65a8e4f178de2632a

SHA1
6ec8c613b529b59db5c077f94d93ce29a80a7b4f

SHA256
aa3eb5b148e9175c0aa23fd600bab8b7488f7c7e44e2e3d30168f27b21fc8a00

SHA512
ccd028b199d1bf3e19f2ad3acd07af5daebad7a894d11b5acccf3b620a176fd2f5a166a060c3f39374f17141da0a7f449221333ce6824f0a5ac7c161884905b1

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
80KB

MD5
7c936487849c53ec4c8ae0fb0c1c6e4c

SHA1
a0c5792fbee4c65eb238bc69ecb44ab80ea54c8f

SHA256
ad4fd5b8ae67e28f83284e05cf5995e1dec7bf1caec3d2ee80b197e7769d9ee0

SHA512
be773bea31db70c724b4dab11a53ec7a782a2461e0429eb87325ca86a82696162dade59c5e207492199e1f689448e9e9691ac1547419554c8c275762e12eba80

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
80KB

MD5
7edf94f14a4590a528b6dce7538901aa

SHA1
b151c533d4fd86b03b8fc790e2f1365d039ee987

SHA256
8c85e6fe8ec3258e6b59f29df53385e2cd0cf4eb341809a06b2c968d2357a754

SHA512
c6642fa0d3cc180009a33715042b90faaf7e8fc7ed21caa34e0647e4ded67f38bd6371db6408ecbf2cb9649516f1f54c50417d1e481a4191679c78045cb46295

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
80KB

MD5
314b39226fc258f9465fd4f5db2c3d2f

SHA1
60a327f4f4f05d1b3a3726ecd342e7b9b143bf6e

SHA256
0904b2f98f8cb66f51c57e838146c64d018caf1d78665efb525f3cfad66b7675

SHA512
354891e80609900cd1cae35c3664d04b8c38fe00bac7ad7aeed5ce6be3d2d1b7e259cff51f796f1f40316938a0c4d531138891c7e516c3e81586c0297acbf720

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
80KB

MD5
78beacbc49b13f2fe2c731edaf395eb7

SHA1
84d57246b3d0495667eab391d1a79e8b09460bef

SHA256
cdf02fcc98e750ea6ec081455e7134c02a278521a7a15d4db4de612e359001c8

SHA512
223560b92fbdc7308ad7ba3653ebe8e55cd51e50d82f0ef31601d77c19f56b652108e4805e13a23e69395c8b6dd77c06963a35807929e6387f991c3ee81e4d04

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
c02bc76718520f655e3287fa6a8bd102

SHA1
aa7f9de6bf11ec34ee4e08b00d104a0e801bdfcc

SHA256
40faf32646dabd1f67e31bc1bc9bab0445661815f6397ed3e9489c41186bb025

SHA512
bfe76fdefee81e313e7dbe99a3394805848ede01d4d897a3158c83f82cf7ab2606c68544832b98807522a2e5dd2c2bbd45474fa09063e9ade3deff8a29c05215

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
80KB

MD5
c4cfbb5fd3b3a2b3917ae1ec6f4b59c7

SHA1
4fb3287d015f4427f1f8787557317bc1a7b9e97d

SHA256
f517daacbc5822622c2dec8fc435132a63b8cfb28366c070d8c24ac0000589ce

SHA512
415a3604e108a37116e5ba3178b00d88f38f0d946b57c4f71fbcaf3bcc00ca1bb8c50d550e907de5b9875e9b70b58758a9adac330e3c9419527cf5158fde7dc7

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
80KB

MD5
1f16de8c7628c724a6f169c4c2886cfa

SHA1
78fd5b29d306839b753db9e3a0a2cc26cee09c36

SHA256
28c8fccde9d1a4fada752a238efbf03a6c07b76067811349a489c0f6f02e8dfc

SHA512
40085e860173a0ba15d31ff8efce1abdaa59888c9a754aebf9cd3795799ede6df7c03a3b86fb84479fdb585ab66bad70a5a55e05d5ff32ebf81c2c15e4952a52

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
80KB

MD5
6550e77908e99fcda6840aff875b035e

SHA1
107ec103ac33de15039aa13b093a6ade7a860aae

SHA256
128fb7ecf831009012a153f5115dcc0df71fa5b90a1242e066008383f65c65e8

SHA512
188840b14ab9c6662ed6fe422812daac281602db8c27ab50deb9daf63fa3e6bd1cd0ac70d643c8567cfe097f98a65ce2c039391ef3d55f06c66fdaf67c14524b

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
80KB

MD5
71ba74a370f1f40802273c6614cb9e3a

SHA1
eb385b017e162d01af60b0ecb8832df60aeec6cc

SHA256
9153e0fe4d80c096c702c9471578c972cc130effe7cfbd81c6d6ca0138a71cf2

SHA512
bb57b6e2189cc303baa600c5428fcffc24194b7d8e70268ac594e1257f333b98e197af4a3730c2be99781699c00ff1b2a897c84638be0931ba546347b2ad0af6

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
80KB

MD5
846a9eaa58e75d70453be3c61fc42ab3

SHA1
430c65e099b9557c75757807ad105d98633d003b

SHA256
016534df800d5d5161ca0751faddbce4243673110fb8bc97a99b77165031319e

SHA512
ad2d5241fcee7ab3693152eb52c7a2af6d77c911540723a615a3d74d921bc4effc40c98b406782c2d761b72ab9ed1bc33f4277fd53e209d295e20c94ae6b8b15

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
80KB

MD5
b94681ba7671c3892d3fd684de70f65c

SHA1
c14b6675cc9d91583891846a0229153c2077b06e

SHA256
48a2c7231468a82e75b41c5cc8085d1a91666125bd70adad9949f4b9f5c086d9

SHA512
c5c81519d919ea68b25da2547e602f335ed5ba081017574c3191fbcadf3fe3f525851e7262309743bd287578a59981ad5c548846667f695aca30d35f2c2b55ab

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
80KB

MD5
ffec60c2a138c5bbc61428dcbdc1ecca

SHA1
836c68df1d949b55da82b3ab16657f27bcbc3098

SHA256
b16567b3f303d4a7a3d9dd2e9f0393adcfc362b7c754c948bb46c204b25e3104

SHA512
7aa073da63fc26d0f11ebc64ae61738e3a0cf527bb18ae43590d1649e3b998e1c0dd7aa046ab6459e7c8b1c61a754006353735a10d630f3420dbc5592c74bde8

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
80KB

MD5
756fc6c8b208122c19cc61191360a504

SHA1
d43d5753603dd2958889ed7307e7809d58c94117

SHA256
e477394c50a34f0dc8b989953a1e4022b127ffccbdf4537467c2f53ade090f0c

SHA512
f623725c34618c177196c48270e8b6fafd471f56b38e927bfa8874373cf0d11ff0e77221df36f134a2d1fa8ec8c195562beccd4b2d103daf5e21d53e1b16f2e5

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
80KB

MD5
f8364427973b61acd9517547530ba789

SHA1
ce600afb0237490e0b6616d733c18edeaa351331

SHA256
fc27ce5bcd017027b1a724adda4bb22e24886fb897a039cf4f8656957a007b85

SHA512
2b5117e23afd4e87bf5ae864fb690afb0bc2422cddeb3a00f0f2164993b19b74bfa333f61d1ce04da2ddf60093b4ae3baf54284ea480870823db873adca9d799

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
80KB

MD5
0dfbdc88e363f3916ab7e8856e4cb1bb

SHA1
9395c6b7834106bbe662dce17bce82d6c39634ba

SHA256
e0a0473ee2284d5d4a02dd9d502366500f5d9997cad5f800b5f2f352eb90f091

SHA512
649883eeda24208edb70922d11dbf02c3abfcbee524f62b1f9d5b8327f96c5aef1a420f3cb9c8d79eaf74245ee822ea0a0545007aff69e96878725975c435a60

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
80KB

MD5
ee13dcc9867e5b97c705f13e7c41aba1

SHA1
d72f98b8034c0cf9b2b1a65da216aae5ef3f5065

SHA256
d711ad3a1ddd867fffde01ae94a7b5faec95c8a661c0014784952fd1b2a371f5

SHA512
636f3259ee3ae74c7abeb3c57799afb6fb7f31197963e63391fa1397e1e6b0b00e972a0f82fb7036ac62dded5dea0f85b9b69e1185f88c0461dee736c079b294

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
80KB

MD5
6b3b55e286cd628afac0b7b8f133dcfb

SHA1
07b4a48244c5c4912032782b623cf0c360a266bb

SHA256
a877c479c1a712369e7a5c948c20a6b45f0fa6a129a84d4ce073d0623c3d54e9

SHA512
8b56e55d62a96cd5e29c7bb9dc0abe040b88a5d7be1f62b8590b3cee9193f1cd4efdc1fa41b5b6f30cbc1d0de5f9d1575848403ce1b3d94da72833cfd6fd9e45

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
80KB

MD5
9e3240b19b653dbc7e57f451234bd3e6

SHA1
e62d3aa2d943bccc53684078e4576ad71373f51f

SHA256
c8438d8a78055a76451ab5da40b9a3f41c2d0ff13776e0487f84535c4a53983a

SHA512
0dec41ee2f229c7cb1b9484ecbe1cb7cfc6a1ad31832736c42e667eed10247cc9cba495b986df03e66fb8bdde782a161d2b1153715595680d37e38cb0b77376f

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
80KB

MD5
ff5b2e269bb8a59d901bec36b25f3893

SHA1
f419227a26e67cb5d848a0ed84f24d3a0d3aadf6

SHA256
9efd6cfd1ac76aa90b210d2f8ac37ecbd240df02f00aa7dae0cc14959bd37e67

SHA512
2101da1e9718ad5cc85cab0612f9623156d748256c3c8b13740ca1310905920f853deaefe7b6a5d2370b3a0cdff1310dbfb5de286c347a90d4291f6cf022356c

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
80KB

MD5
2c15f5ddc8611382b743a1dd4116e7ef

SHA1
4fba5be1290acd51e2c57f511c3f055ea669db57

SHA256
407669a5dd73a4a712f9188f3f34fdbb4a6c2343f860c968f4afb247fff40072

SHA512
dc89ef9c73460e3a08f245f9e51ed7abbbb832fd4ccf26c1a1ac793e1c12255f1961b87940286e6da64297d55df44bcb25bd58e23316c50f697cd70c825dd11b

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
80KB

MD5
4f92d2a904c2bf98b8d7ae53020fcb1c

SHA1
b2181f11442407fd5c7ff2d9fce239312506ec06

SHA256
fad83a0fcfe1224573a3bbf0b6da76e09871a586bdf6f11c65654d92c97e980a

SHA512
438ac22cddaa6fa9546dd065644875b3abc871f1dffeb71c1da29abac09f3777f775104e7d4930e23097712642bc135cbe8e1154c4e8bc83fbb9f6d16350108d

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
80KB

MD5
093e14553c376db2669ee4dcd40f7989

SHA1
6f91c83cfcab88104515ed551ae7d2e3fd55a08c

SHA256
a7cc0a04334f9535070700763d2e020d11f9ad34e429ad1a8c70093aea2f97ca

SHA512
2ce2b461d891accf65d070a5f32e95c50bc069f3939eb60c1dfa8f0cc31c2c18ab91030df4ac276e5fb042b1ec930f5bc73c917ea1330b814d294ad2d9af938e

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
80KB

MD5
b51d9958e469928691f8eaf1a420cf0f

SHA1
6e2dde1fd27cebc6fdb2002e761c6031a501f47e

SHA256
3a2ad6d9117e6f1889bb46f9699d784c0a035209d353253e3eae2fbfc7169bb5

SHA512
c0a3eec666633607181c296125a7d1d0a86e7a68c074a02cd0c81d75b818b7868d8d13a517884aa1f54599ca77f7825b56c773b17b8274723d594fa4b04985ba

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
80KB

MD5
d66b42108d660837abcdba0bc74e5539

SHA1
842b8b4736cc280b6f0aa4f782c1e968daf9d062

SHA256
8917fb29f3771f418222923ba8a6333c07fd1a15f93ba7a8ac33b535615deae4

SHA512
3f04add031bbcc425e76058cae1d7166630445577b988b880c45f6bd6bf64dd648cb4518f4a0ad98bd6bc5e568d86f80e1e2ecd25b7907db8574d21542dd924f

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
80KB

MD5
b7149e79e8f6e154a399c5005c098eb1

SHA1
6850dfe9b2a40b0716b62128d2c5725c04b06774

SHA256
88171a762fea1a889aad2cbd7403ab00b2249ccf71c7083c446239906c71b0f2

SHA512
b8d4ebfdab5d66aefa30fb616ed04aac49105988128f0b0fc9f7477c5c123843737636e37bd525d58d6983ccd6b5b32b7fc92d36aa6e3e418b2d6a04582837ee

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
80KB

MD5
9e8b74f0d1fe03aff0b8151290ee13ba

SHA1
0636c5fb096ff512b6a5b448776a57596dbbe603

SHA256
78275f0e3a326719db0156d90c035e7ede5e0e5795e1e6989d7d54c67cc2b831

SHA512
8ccbbcc2e489de77ac081759b0cd0e9615ffe472ff5a87292ef9a330c93121a3562953b2a51cdf92a4b816f81a841da43bb3f51809b8237d89eadc43307841c6

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
80KB

MD5
cef0d7923f488d0296f504f62be2c00c

SHA1
d5480a73ed1458f9a94bdb535f665119bb8a9e02

SHA256
f5f3d80c5964bdbaebb3d58f0726d8607ff079ad4a042bf531f1ebd3045cc3b9

SHA512
edf62d5937dc8ad8acc495b33dfc1f8ec313cdd352c1be4922fca198109b47cdecafebe4b11c6b25b4d92f2ec7609dabbe4717b8f8cfb5b54f141ff8fcb8b401

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
80KB

MD5
48ce7856057d6174626fe34526b9aaf4

SHA1
abe718742c6429f732b03777d555c5c9cb6b3305

SHA256
72c5a77efe5f1f46acf241f1832aa192a05f7b272204444aa57cf395f7082119

SHA512
0c24d0f769d719f03cecfcbdaf7d415597c0d0e6c5d7a4ab505726be7ad370e8d2bbdbfd3994055264d3fad1010c14a4bf554fa4ff2b27583616a3c0612886c4

Download Submit
memory/680-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/680-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/708-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/708-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1164-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1164-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1196-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1196-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1196-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1412-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1836-166-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-210-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-53-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2820-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2820-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3004-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3004-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3200-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3396-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3656-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3656-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3732-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3732-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3748-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3748-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3856-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3856-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3868-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3868-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3908-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3908-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4016-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4296-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4296-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4484-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4484-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4972-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4972-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads