8c2b1639390ec07b09693c341b09ed6946be136e54851c3982d3c7bce365768f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
Size

174KB
MD5

38d1b5bcdf998b6ea7238a16a965b1b0
SHA1

6614ae587686d73efbc8bd0c00f28f756e800624
SHA256

8c2b1639390ec07b09693c341b09ed6946be136e54851c3982d3c7bce365768f
SHA512

6094a0c00848da3246cda02e539446d5d2083f2fa56ab5e6130f0be6615adc6d953626202c0a2e6477810c425708cb44b699fc73a86e6302f3528df9223bbb46
SSDEEP

3072:iuvwY1rUrZSx485Bt4wnrzeA07DxSvITW/cbFGS92TlTTtttSneicdq:B11A4JawnraAYhCw92TlTTttt5D

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe

Executes dropped EXE 34 IoCs

pid	Process
1956	Lcmofolg.exe
3008	Liggbi32.exe
1200	Lpappc32.exe
3748	Lgkhlnbn.exe
1400	Laalifad.exe
960	Lcbiao32.exe
4520	Lilanioo.exe
2208	Lgpagm32.exe
2168	Ljnnch32.exe
2872	Lddbqa32.exe
4912	Lknjmkdo.exe
2848	Mpkbebbf.exe
3200	Mkpgck32.exe
1540	Majopeii.exe
756	Mdiklqhm.exe
1040	Mkbchk32.exe
1004	Mpolqa32.exe
432	Mcnhmm32.exe
3124	Mncmjfmk.exe
4148	Mdmegp32.exe
2560	Mglack32.exe
3148	Mnfipekh.exe
1580	Mdpalp32.exe
1744	Nkjjij32.exe
728	Nqfbaq32.exe
800	Ngpjnkpf.exe
2772	Nafokcol.exe
3880	Ncgkcl32.exe
4564	Njacpf32.exe
1084	Nqklmpdd.exe
4432	Ngedij32.exe
4560	Nnolfdcn.exe
640	Nqmhbpba.exe
3000	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lilanioo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
436	3000	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1956	1256	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe	82
PID 1256 wrote to memory of 1956	1256	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe	82
PID 1256 wrote to memory of 1956	1256	38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe	82
PID 1956 wrote to memory of 3008	1956	Lcmofolg.exe	83
PID 1956 wrote to memory of 3008	1956	Lcmofolg.exe	83
PID 1956 wrote to memory of 3008	1956	Lcmofolg.exe	83
PID 3008 wrote to memory of 1200	3008	Liggbi32.exe	84
PID 3008 wrote to memory of 1200	3008	Liggbi32.exe	84
PID 3008 wrote to memory of 1200	3008	Liggbi32.exe	84
PID 1200 wrote to memory of 3748	1200	Lpappc32.exe	85
PID 1200 wrote to memory of 3748	1200	Lpappc32.exe	85
PID 1200 wrote to memory of 3748	1200	Lpappc32.exe	85
PID 3748 wrote to memory of 1400	3748	Lgkhlnbn.exe	86
PID 3748 wrote to memory of 1400	3748	Lgkhlnbn.exe	86
PID 3748 wrote to memory of 1400	3748	Lgkhlnbn.exe	86
PID 1400 wrote to memory of 960	1400	Laalifad.exe	87
PID 1400 wrote to memory of 960	1400	Laalifad.exe	87
PID 1400 wrote to memory of 960	1400	Laalifad.exe	87
PID 960 wrote to memory of 4520	960	Lcbiao32.exe	88
PID 960 wrote to memory of 4520	960	Lcbiao32.exe	88
PID 960 wrote to memory of 4520	960	Lcbiao32.exe	88
PID 4520 wrote to memory of 2208	4520	Lilanioo.exe	89
PID 4520 wrote to memory of 2208	4520	Lilanioo.exe	89
PID 4520 wrote to memory of 2208	4520	Lilanioo.exe	89
PID 2208 wrote to memory of 2168	2208	Lgpagm32.exe	91
PID 2208 wrote to memory of 2168	2208	Lgpagm32.exe	91
PID 2208 wrote to memory of 2168	2208	Lgpagm32.exe	91
PID 2168 wrote to memory of 2872	2168	Ljnnch32.exe	92
PID 2168 wrote to memory of 2872	2168	Ljnnch32.exe	92
PID 2168 wrote to memory of 2872	2168	Ljnnch32.exe	92
PID 2872 wrote to memory of 4912	2872	Lddbqa32.exe	93
PID 2872 wrote to memory of 4912	2872	Lddbqa32.exe	93
PID 2872 wrote to memory of 4912	2872	Lddbqa32.exe	93
PID 4912 wrote to memory of 2848	4912	Lknjmkdo.exe	94
PID 4912 wrote to memory of 2848	4912	Lknjmkdo.exe	94
PID 4912 wrote to memory of 2848	4912	Lknjmkdo.exe	94
PID 2848 wrote to memory of 3200	2848	Mpkbebbf.exe	96
PID 2848 wrote to memory of 3200	2848	Mpkbebbf.exe	96
PID 2848 wrote to memory of 3200	2848	Mpkbebbf.exe	96
PID 3200 wrote to memory of 1540	3200	Mkpgck32.exe	97
PID 3200 wrote to memory of 1540	3200	Mkpgck32.exe	97
PID 3200 wrote to memory of 1540	3200	Mkpgck32.exe	97
PID 1540 wrote to memory of 756	1540	Majopeii.exe	98
PID 1540 wrote to memory of 756	1540	Majopeii.exe	98
PID 1540 wrote to memory of 756	1540	Majopeii.exe	98
PID 756 wrote to memory of 1040	756	Mdiklqhm.exe	99
PID 756 wrote to memory of 1040	756	Mdiklqhm.exe	99
PID 756 wrote to memory of 1040	756	Mdiklqhm.exe	99
PID 1040 wrote to memory of 1004	1040	Mkbchk32.exe	100
PID 1040 wrote to memory of 1004	1040	Mkbchk32.exe	100
PID 1040 wrote to memory of 1004	1040	Mkbchk32.exe	100
PID 1004 wrote to memory of 432	1004	Mpolqa32.exe	102
PID 1004 wrote to memory of 432	1004	Mpolqa32.exe	102
PID 1004 wrote to memory of 432	1004	Mpolqa32.exe	102
PID 432 wrote to memory of 3124	432	Mcnhmm32.exe	103
PID 432 wrote to memory of 3124	432	Mcnhmm32.exe	103
PID 432 wrote to memory of 3124	432	Mcnhmm32.exe	103
PID 3124 wrote to memory of 4148	3124	Mncmjfmk.exe	104
PID 3124 wrote to memory of 4148	3124	Mncmjfmk.exe	104
PID 3124 wrote to memory of 4148	3124	Mncmjfmk.exe	104
PID 4148 wrote to memory of 2560	4148	Mdmegp32.exe	105
PID 4148 wrote to memory of 2560	4148	Mdmegp32.exe	105
PID 4148 wrote to memory of 2560	4148	Mdmegp32.exe	105
PID 2560 wrote to memory of 3148	2560	Mglack32.exe	106

C:\Users\Admin\AppData\Local\Temp\38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38d1b5bcdf998b6ea7238a16a965b1b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\Lcmofolg.exe
  C:\Windows\system32\Lcmofolg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\Liggbi32.exe
    C:\Windows\system32\Liggbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\Lpappc32.exe
      C:\Windows\system32\Lpappc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        35⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 420
        36⤵
        Program crash
        
        PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3000 -ip 3000
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
174KB

MD5
0638c9be1c6676177137aa524367e56a

SHA1
a875e34d1b1a2264395583971bc0fa6c4d7a4caf

SHA256
45126444f49e6ceb547fe9d530567edd7139d7280d38feaa7e43126a3dba4ab7

SHA512
04bb2b04ede45e7ab6286f20d8e44f2a1b05498f17c1cefb42d23fc6523932b3666e8d6e70fdbbd7470f94a7eabd6bf4cfec1be3feaceec0cf6d89c0a72bf644

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
174KB

MD5
b67d688d1d4d048facbfeaa17419a43d

SHA1
eab82639a42be7fccf10f02952004ebd518c6c41

SHA256
d26a1133f7f4356885991de803823d20408ed9c06133f7c64af8a64adb0ace84

SHA512
36e0b85dce396985102a1f3c55aff6e1188ce60875bfe82f19c88d475e37a5fb75d966fc7cc6e17397e908fe63a2af3f20aba151e627c853ef83bf3e0100c059

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
174KB

MD5
f62d4bd77adc92c8c2980146f9285345

SHA1
8004f019b98ee7cf5a5a5e7e536373a7822374a3

SHA256
2b2195e9490fdb3f3d40a711846be0acd1684ccfc8641e565c75f8824021747f

SHA512
adf10a8cfc5afeba13d6858837e0a26065329cf5c23a8c1d1698dbaea3da7e8632e7fddfc206a34f7a75b5707247f80328d62d08d4e7ee566639265d0c8dc4ae

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
174KB

MD5
eb38297b18c196b03f4ebdb19719c350

SHA1
c86b9c5c49b4ee685bbd550e5e67940c5aa78fbb

SHA256
a2cd40f2831b5940ca6e6c5c5d7fb73904fb01fbe352ded801f7ba6edcd9a7a5

SHA512
5d71410bcbe5c0d2d86b8e65848e787b4e5fa8c555cbf8a3e7a483da709faf83e22881fbde26a88de7ff5472709ffa85ec148c6c0bc57822a217820e42b97751

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
174KB

MD5
ddf5e6589cff85fac5d259f4c85d1046

SHA1
dcab7b4b827f73fcdd54c76e5336ecd8fce71032

SHA256
711d999adf2792904868ba8586a8319891c74dc39bf187cdf20d532f04650208

SHA512
3ab16ace7e2329826befa0f18f227c42fbdd847145640338103c138c522e23a0cf6e99f0633e70fdcb22a00ef2c7f44e342c9059abb72b07285428543efdc2bf

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
174KB

MD5
9aa7af20b80fadbfa05497931c58f92b

SHA1
15178a5e2d2d338f47930d6e9057def1717a0f0c

SHA256
603a4f70460e91c11677ce9e524d0540f30bdfa0b411cb71a4b0e9290b4dc5b8

SHA512
59f090d97026da8da29e916fe5e9fc359f216751ebb8a459897a21ec9958a744fa3e78588499a830259aaa55c7d8a18a4997daa27a79af0ef6a62dbe7d578208

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
174KB

MD5
ccf06b07ab06799bface155a46310b42

SHA1
c1dd232e36da2f581df66efc9cb7fc6f8bb5fad4

SHA256
673bf91089e0994362fcf3b1ca23873fdf66dce491a9de2c8a3d39bbd1136a31

SHA512
bc39c9dbe185bff463ea1e7a3e9564a071a077f304f3ab215302a6413ac24dd406b156c56203dbba80f2a008209c53a03179b076e32fc429715e2a9b1e506184

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
174KB

MD5
aa0dd6ea737dcfb435864e89ea9830b9

SHA1
6b43dcd97f88d83c769b3e3fca48f1396250a6bf

SHA256
ef618b269c4d65be5922d7518aa68d68586c08d7564e4d6644118460c5d9cb8f

SHA512
16bb5c914e608356ce120de251c4e779f6e5565eb4de02accd0b0bca8d5e9944827853551995cd4f70150eb22767b61cc69282879f63f8b9a9eb069e54545aa5

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
174KB

MD5
0e24592c098c5dd623cbce26ab5f2e1d

SHA1
b8eb49d7c77269ddf21c3efc041b94343be709a4

SHA256
1ec3cb20e5f3bb2d8baecf213ce4ca08347da703e8aa4246484c7ebcc6c164ef

SHA512
bd01e19020bbdc116ada785a1b54384176c5188aa62cd0388ab910dfbc0675bab7d20aa576f92b4174c0636e8678c21339a0e62e21d6362d1ce79855be73a720

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
174KB

MD5
989e81949dc5d11b59760e1ed89860e2

SHA1
5e7092a155746be848bf1f4ad2d8242ea32b86c1

SHA256
ff6cfe991c2749ad6b1b5b82ef695ad5de4e95b2199289f85c3050cf0e8b2d9e

SHA512
6542c98f738baa53ac82201dc48a0ce7ab416752edf983731cd3afd3c976c3c6242c5c654398d4660e0d1dc8b53b1c8862be0d3beb945ae5d971a0804605fd9b

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
174KB

MD5
17d7f5f780b2682b326074e01588ae8f

SHA1
1ecd76ca5d7b489aaaadc8bc3efaf529e734b619

SHA256
b5e3365b8e277b1e6f7527feb9468e94ede10261f6f252cd2b2bbbe1a5f29129

SHA512
691a63a8d4a3c18cb48d7525fa76617433aacee85eaa44278f35dcc3fa01101c087511a51dd91f6252ff4cc985b12d1611721ce2f44de0f4474e99a078aa39d4

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
174KB

MD5
6a4c04d23c49ae6b64ca1c87315873d5

SHA1
0524da1c40db47aa8018243ac6b328e257d62eb6

SHA256
1c2177d3099edc7875a444b6fbef1a9122c8aa4e2f0ba1d56760ce9d957cf7d9

SHA512
54344808fbd0a1dd0370e9cca217c9614a05e5aaf1d22f2d675e358ae48ae8a16043ee62ad745bcf7357d0ea63e11b3040cbbb5a0ae142c301a4320322f93015

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
174KB

MD5
954c58f494e5b1db943cbb8184a6411c

SHA1
bbab4481c79ea1fbfba36e79e84be4b7b2cc7027

SHA256
f195fb4a8854ad0ebf07acc9b5ea62fa3c10521c58586bc74a06a6b829c12d01

SHA512
aff9ad43a9297fb3c77f188f06069f3b2a860cb1e9b751bdbbba2a57f538d9f68b7f30420078d9c8c7a8ada344d740c46a559ccaf56a44506a3579be3650ffd9

Download Submit
C:\Windows\SysWOW64\Mdemcacc.dll

Filesize
7KB

MD5
cec82ece345fa198501e981731bf19f6

SHA1
3e45ea54b9d05b7760ac89a8a447bdc7ce897480

SHA256
0bb3b0debac9b849ac769d808e6b48f2320c9220510a76c880042dc405071181

SHA512
5392fcfd04d23942958888fb36312cfdfbad4a72589e6d4e6c8da14245ecb30fd027888794e69795230c15ecc8a5341164a4b0c0a0091386ddc696fb603b4b80

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
174KB

MD5
adfd1f3b3647cd9fac328a2196c67a1a

SHA1
11b0ebcac444f491a54f6df36e67dcdf26c1b153

SHA256
7690db38d60360c8d25a1572e6e20f92c1289e1d98e7f66ed1caf1e967b6b296

SHA512
7210b60bbc69d7145c189e7dd257d734cf7e752f5e4b6f55cf043cf26dcddc79f21b776c19e2365b3aa3ae0858de385e3bef9a6bbb133b86d169f01256241ce5

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
174KB

MD5
22a2fdca66bbe7c14c812443c98eb1fa

SHA1
1cc0257e143f1ecf14274707d09e7989f3ed2a8e

SHA256
6391dec7fed3bca3bffa73bf7346695b4e05ff27e5fac61f2eec17f00c6e78fb

SHA512
cf525c14fc1be9bf6849c9042732214b65ca007d9070185c70662f6a3ee2f03db708fe90485e801232346d215522b0207db8076e986722326f8dab9e28f10504

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
174KB

MD5
2802689379ce2acc59e015f9f2baca78

SHA1
1904fc831f410a2352dc3a94a56e93d54fd79038

SHA256
abd0ca0875c1134ca8a9d893192aae4211ead3dc95cef545c7f052524b93dd35

SHA512
6a2e616ee95beb3249d9a8fb53ade8769957967b8df507faea3b3aec25399171fbc784c5be444d0c99987bba392826cb760d7d3bd5c6a1ad7953fa1423d6b0e8

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
174KB

MD5
0e80a61b5583f853655d93dafe8a0ce7

SHA1
ec8bb005d0fbf8c95016605fcba010d2884f533b

SHA256
f9e955c103a4ffc8dae2186c3d1541de9e801e749074d06191cc77372e424f08

SHA512
78fca90a7cffa1e00053485b40406b0b0aeb248e0f59f3cd86fd2054ae0c5c472c3182bb4991fcb703809358c98be28806b5d4c264bde25d370f8a03501757ad

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
174KB

MD5
46bbbe76ce84d11e8b5130eb24412a63

SHA1
5d38233b4be69fb1dfe99512ea7ab890568611f1

SHA256
3604fed84c08671d28fa11abcc4e7e9670dc60e6207cb43bf68babaca2112980

SHA512
0c6b757cc57f9d835df1da448f7b66cb90b7904de5fe004ba3003e6915df84ae2e58b3c32fcc7a8b16e2c21fda787efc833349b3236735fcd1e97d378180a6e1

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
174KB

MD5
315aa313473ddab5d238b53f2a807ee8

SHA1
84a11ffcf4d6387e17f774eeded40ca306090b00

SHA256
d8d8e08727ef9f42d20e829a68fa68ea05df736ae1650ba398a0c0ab37b4b348

SHA512
8f9b421ada0c3ee3f61f022856308ab52497764dd5f2ce3ece0a7602e8941735169028a29e2646a90af6a0b778645f58d94b1c1390c73a1f0efff1fa4dae5e5b

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
174KB

MD5
4df244f663ceb1f5c3bf17b2122f991a

SHA1
0669e6cc4c99680d5673fbe0adaaeb7fc8ee5eed

SHA256
6ff788af1a0471b2e49e62266ba41e0d6bc88e32c9effe8903a8e1bcbd1058ce

SHA512
28548067c8dd8421639bd068cc7d54d81ff576741b5d252415b0c0f8ef2a032682a792fe87e2d04aaeeb3d7164b0b2789f8b1e2738cd4c0d2826d1a6a16a6862

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
174KB

MD5
98e6192215f7591db8ebfb8b29f07061

SHA1
ca6cbf4de44eb6332e237c327dd6c20f93cfdeeb

SHA256
cb2e5b0cf5bcf9b66e16d3480fe2fd831069003109a8e6a5e94e50426bbdb614

SHA512
9037b3500827d06a9253d5d7e6d4b14501d4102b5880570f5dd753ed204712277fb29fbff30e3ccd8edeaded1b833b6d8693293b019675cb4e686dbd3d34e061

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
174KB

MD5
ebfdcc4a54683e8c67247262c82657b9

SHA1
123f71fe27c896b633759ba042c34f9423539264

SHA256
abbb724972f1cce67d69b3d3e99a2e367cf44d6ba1fe86dcc7a0f258f8680d1e

SHA512
4e2036aea0d95fb4169cfdb42fc1c40c8d66839fda02d23fbf7ba1922276699e22b1891b390b30546e493804609b0df428a8a33fb096f74fec79392a217d8d8f

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
174KB

MD5
21b7688057b5dd428f63eee9645a82eb

SHA1
f245d9458213e078ffedab3e5f25462931477401

SHA256
1745297e4edcfc29ab688bce919d87d0396251473cd77341ae68680f313fd312

SHA512
d99000cfddcc5f3ccaaa2d7b83e31ad24e8794db89cb8770df60387515c3f546f93d69563c4be4c028bc9cb5bcea1362ca925fcbe4c82010ed36bdeae760e07f

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
174KB

MD5
05c3c9f53977938f9982f7b3430f283d

SHA1
6e3cd909c7850dfb79e5f433914cba4df141d98d

SHA256
05c99b469c4c0ad0c222ae5a58877014803f2ee11eeb974997438324577c0e43

SHA512
982d6ad98c3445e7a31257909c366ad7db0bd6e124e999b313cdfefee51d373534d20b08ed4fb2f9ae0e65bb1941069ef09c52b43fa5cf72dbde283e7642e052

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
174KB

MD5
2bd21d46c40c90c41de664af7922a580

SHA1
91d54b063821edd4ac39255c5cf45d71b9d695d5

SHA256
ed4fa936cd8ae687de43fa29c54011aa8c5177785560c9491c298155446c9a18

SHA512
30538d0ebae86d87076a9babc3de7ac82a6c53d882ffdc02fd3e5cc6965e414996d8b40ecb010cc1ef735f85a531a7db51be2fbf25fdd83c2c2472bfd5982c89

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
174KB

MD5
81599079e5f6085d6f4cba7593a2a842

SHA1
d16711f4d62f9cf15162e3011723957b903aba57

SHA256
d374792d02925a43062c88559c90af5fa26263bcdfd88bce041652046bbba175

SHA512
31cc6480d1bf2d709ba8d34bdcf5019a301c632e083cad331acaf0b579ce71e444616d9c64a45ea74669125ca3251255f6827162ef36cea9015a0fba2788d850

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
174KB

MD5
f857e196fef59af91bfd54c3d732d2c5

SHA1
8c4cec5cd32cedd4770e148ba0f374e1d8f6e62a

SHA256
d480b2048795a5a9eb57d13c3f497f37a15e1149c69cb702755e04a0dddb03f7

SHA512
2c83a3bd8302ebc4c713929c52f0962cb3637fe8ed668ada8444a719923cfc5f217bbb50c9a54afa09f15d5debd01b8ded81984d23e90a48b8aa30eee9347a51

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
174KB

MD5
dd2a041babaa3077f08f9a3bb7d1bcc9

SHA1
abf885f5001929d0709356e916471e86ea630b17

SHA256
73c7e15600a84ab13713551aafb0d5193721c8685c602c77587c4d4eb5e84000

SHA512
6564cd05a81bc2a10caef4c330c5c114d6c6d36ee095526a2c9f2b0fd7890fafcd4d084520430325e5457165d717271205ac1fa09167080e87c15f1aaa7b63db

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
174KB

MD5
864d3c70b3e0db1b6c219665bd6adb87

SHA1
b84ad6dcfac28cab81b63e40dc967befb083f690

SHA256
ad6005a3a9f7c285ed23209a14bd5c42b24e9de238128422951611670731e533

SHA512
1a235999b3120ac7eded0286fde122e901babd7dcb8123547ebff95e95e26df23768b9c89120d2a9a500abf372ed0239540ecc266c9fd88e2146a3b01ccb3c38

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
174KB

MD5
42dd018f782348e3ee3893d337ed60f0

SHA1
39b40b81f3a13da503bd9f869197e62cb36a5a06

SHA256
7be044f160aea55d157539e2790c60f997a8a078a78a7fd49d1143a887c8c40c

SHA512
31c6434fb68336efb29e79cc95e08cecd70973ff2b710ea0011f6c2bdd16bc86dad55ca19cbb26c578b43ecdf72b7d11d5f03dc2ca8281b19e152d471bde0688

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
174KB

MD5
8e017922976597dfb658bf3d73af22dd

SHA1
0b3687b5f40c8a2e33ed66748f68908ccf5cca2d

SHA256
d2b804b7afb97a777caf766431c72ec2077f8b2ee9a7a4cb77c7857676ee5f15

SHA512
fecb093b11bbf8592b82788fab7072fb42da67a9cd02db5f00f3d08347139a27210fc8bd294db5a495299a60548f7d898782d3aa9ad45f598b0c8f2df2db1a69

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
174KB

MD5
5cc06ff8bc6a2e4d14d7eb67ffdb0f63

SHA1
b97b29b7c9f44df7c1f2a069bcf07f158cf455b8

SHA256
018dd376739facbd79662578959e02b1076ca9bfa17d2f70228ad23979a3b3ea

SHA512
dc725a45c477f212cdcfb8aca85421c68d32a449adf4d8bc9cbbb24c1acb035ff165f9a17050a708fa6502350f07fcb6507f60eeb1138f2b038e35632fba1e73

Download Submit
memory/432-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/432-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/728-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/728-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/756-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/756-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/800-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/800-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1004-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1004-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1084-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1084-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1200-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1200-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1400-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1400-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2772-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2772-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2872-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2872-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3000-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3000-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3124-156-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3124-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3148-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3148-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3200-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3200-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3748-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3748-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4148-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4148-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4560-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4560-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads