083727d95ea7663414cc41493635e65f6f705affe47f36cb4e041f5deb1e09aa

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe
Size

63KB
MD5

1557ed4d3c41b4844f464690700e23e0
SHA1

8344c0c6b38cf471996396189450ef405b5d1920
SHA256

083727d95ea7663414cc41493635e65f6f705affe47f36cb4e041f5deb1e09aa
SHA512

a83442c85ed0461ec8b24a64b65e8330bac064a3f30b806dab9bb6be389227c960204af574a57d3cfcb080aa3e265af69f56e4fa74d772a352aaeeb25cdcb51b
SSDEEP

1536:f2BtPZeUMyswxyABIuy5OA2vngwV4DX6fl:eHEVyySIcRgwVMK9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe

Executes dropped EXE 46 IoCs

pid	Process
2968	Kcifkp32.exe
1976	Kkpnlm32.exe
1156	Kpmfddnf.exe
2796	Kckbqpnj.exe
624	Kkbkamnl.exe
2720	Lpocjdld.exe
1656	Lcmofolg.exe
4956	Liggbi32.exe
4324	Lpappc32.exe
2180	Lcpllo32.exe
3856	Lkgdml32.exe
2452	Lnepih32.exe
2508	Ldohebqh.exe
4540	Lgneampk.exe
1096	Laciofpa.exe
3508	Ldaeka32.exe
1992	Lklnhlfb.exe
1444	Lnjjdgee.exe
2184	Lphfpbdi.exe
4340	Lgbnmm32.exe
5060	Mnlfigcc.exe
2352	Mdfofakp.exe
4412	Mkpgck32.exe
4500	Mnocof32.exe
1540	Mdiklqhm.exe
4080	Mgghhlhq.exe
4932	Mamleegg.exe
984	Mgidml32.exe
1124	Mpaifalo.exe
4320	Mglack32.exe
2320	Mdpalp32.exe
212	Mgnnhk32.exe
4028	Ndbnboqb.exe
4448	Nklfoi32.exe
4796	Njogjfoj.exe
2868	Nafokcol.exe
2980	Nddkgonp.exe
2940	Nkncdifl.exe
3972	Njacpf32.exe
1140	Nbhkac32.exe
4952	Ncihikcg.exe
2692	Njcpee32.exe
2272	Nbkhfc32.exe
4440	Nqmhbpba.exe
736	Nggqoj32.exe
3748	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4872	3748	WerFault.exe	130

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 2968	4536	1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe	81
PID 4536 wrote to memory of 2968	4536	1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe	81
PID 4536 wrote to memory of 2968	4536	1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe	81
PID 2968 wrote to memory of 1976	2968	Kcifkp32.exe	82
PID 2968 wrote to memory of 1976	2968	Kcifkp32.exe	82
PID 2968 wrote to memory of 1976	2968	Kcifkp32.exe	82
PID 1976 wrote to memory of 1156	1976	Kkpnlm32.exe	83
PID 1976 wrote to memory of 1156	1976	Kkpnlm32.exe	83
PID 1976 wrote to memory of 1156	1976	Kkpnlm32.exe	83
PID 1156 wrote to memory of 2796	1156	Kpmfddnf.exe	84
PID 1156 wrote to memory of 2796	1156	Kpmfddnf.exe	84
PID 1156 wrote to memory of 2796	1156	Kpmfddnf.exe	84
PID 2796 wrote to memory of 624	2796	Kckbqpnj.exe	86
PID 2796 wrote to memory of 624	2796	Kckbqpnj.exe	86
PID 2796 wrote to memory of 624	2796	Kckbqpnj.exe	86
PID 624 wrote to memory of 2720	624	Kkbkamnl.exe	87
PID 624 wrote to memory of 2720	624	Kkbkamnl.exe	87
PID 624 wrote to memory of 2720	624	Kkbkamnl.exe	87
PID 2720 wrote to memory of 1656	2720	Lpocjdld.exe	89
PID 2720 wrote to memory of 1656	2720	Lpocjdld.exe	89
PID 2720 wrote to memory of 1656	2720	Lpocjdld.exe	89
PID 1656 wrote to memory of 4956	1656	Lcmofolg.exe	90
PID 1656 wrote to memory of 4956	1656	Lcmofolg.exe	90
PID 1656 wrote to memory of 4956	1656	Lcmofolg.exe	90
PID 4956 wrote to memory of 4324	4956	Liggbi32.exe	91
PID 4956 wrote to memory of 4324	4956	Liggbi32.exe	91
PID 4956 wrote to memory of 4324	4956	Liggbi32.exe	91
PID 4324 wrote to memory of 2180	4324	Lpappc32.exe	92
PID 4324 wrote to memory of 2180	4324	Lpappc32.exe	92
PID 4324 wrote to memory of 2180	4324	Lpappc32.exe	92
PID 2180 wrote to memory of 3856	2180	Lcpllo32.exe	93
PID 2180 wrote to memory of 3856	2180	Lcpllo32.exe	93
PID 2180 wrote to memory of 3856	2180	Lcpllo32.exe	93
PID 3856 wrote to memory of 2452	3856	Lkgdml32.exe	94
PID 3856 wrote to memory of 2452	3856	Lkgdml32.exe	94
PID 3856 wrote to memory of 2452	3856	Lkgdml32.exe	94
PID 2452 wrote to memory of 2508	2452	Lnepih32.exe	95
PID 2452 wrote to memory of 2508	2452	Lnepih32.exe	95
PID 2452 wrote to memory of 2508	2452	Lnepih32.exe	95
PID 2508 wrote to memory of 4540	2508	Ldohebqh.exe	96
PID 2508 wrote to memory of 4540	2508	Ldohebqh.exe	96
PID 2508 wrote to memory of 4540	2508	Ldohebqh.exe	96
PID 4540 wrote to memory of 1096	4540	Lgneampk.exe	97
PID 4540 wrote to memory of 1096	4540	Lgneampk.exe	97
PID 4540 wrote to memory of 1096	4540	Lgneampk.exe	97
PID 1096 wrote to memory of 3508	1096	Laciofpa.exe	99
PID 1096 wrote to memory of 3508	1096	Laciofpa.exe	99
PID 1096 wrote to memory of 3508	1096	Laciofpa.exe	99
PID 3508 wrote to memory of 1992	3508	Ldaeka32.exe	100
PID 3508 wrote to memory of 1992	3508	Ldaeka32.exe	100
PID 3508 wrote to memory of 1992	3508	Ldaeka32.exe	100
PID 1992 wrote to memory of 1444	1992	Lklnhlfb.exe	101
PID 1992 wrote to memory of 1444	1992	Lklnhlfb.exe	101
PID 1992 wrote to memory of 1444	1992	Lklnhlfb.exe	101
PID 1444 wrote to memory of 2184	1444	Lnjjdgee.exe	102
PID 1444 wrote to memory of 2184	1444	Lnjjdgee.exe	102
PID 1444 wrote to memory of 2184	1444	Lnjjdgee.exe	102
PID 2184 wrote to memory of 4340	2184	Lphfpbdi.exe	103
PID 2184 wrote to memory of 4340	2184	Lphfpbdi.exe	103
PID 2184 wrote to memory of 4340	2184	Lphfpbdi.exe	103
PID 4340 wrote to memory of 5060	4340	Lgbnmm32.exe	104
PID 4340 wrote to memory of 5060	4340	Lgbnmm32.exe	104
PID 4340 wrote to memory of 5060	4340	Lgbnmm32.exe	104
PID 5060 wrote to memory of 2352	5060	Mnlfigcc.exe	105

C:\Users\Admin\AppData\Local\Temp\1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1557ed4d3c41b4844f464690700e23e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\Kcifkp32.exe
  C:\Windows\system32\Kcifkp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\Kkpnlm32.exe
    C:\Windows\system32\Kkpnlm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\Kpmfddnf.exe
      C:\Windows\system32\Kpmfddnf.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        47⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 400
        48⤵
        Program crash
        
        PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3748 -ip 3748
1⤵
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
63KB

MD5
9e439218f4bc99b01be757bd0a79aaf8

SHA1
93cc3b34cef802f0883527f74015098898e4d61a

SHA256
e804f9f40249ba5b86ef3fa5cbab5bed5a2291f5519df921d073c8a4afdd931e

SHA512
6dcde0f99aa207f22cd059e9c5ba1276f12bd0bfeaeeeebf6b36b791a3753ad19de88ee8b44ff44aa9bb275c88307feb48223869d9ab03b46a12a9752887b609

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
63KB

MD5
000ca4846fd025883fe6429efbaa912a

SHA1
10bf99bbed3cdf449556911060d3bffb620ca83f

SHA256
d2cd7cbc30de3126a86480a0b98144841ef6e0455347241365801072f5ef7f85

SHA512
8fa8c33fff1fc3c391d2d974122d10e2454cebf4a11001e55504a2bc8703e8bef7bbcf6187ef3f1d25beaabe29a0c47ad4c2f71aa48a11067caeb43b47e2fd77

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
63KB

MD5
6dae87730e2fc44d0ea2621c409c6d4d

SHA1
7f55f31df91146f5a0f366d55fb78817be4798b1

SHA256
ba3d6cbe203bbafb105de37b577be4fdfa6e079bd53327a6bf10fb364e363593

SHA512
acdd3339b5b9f4864bd59bda5b9e316fed899ab2639d9833762c3c6ec9fa8f566e8a1df1da7fe6bddb3f46720f796651c12d00781f9fa830d4c9ff43b87bbfb1

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
63KB

MD5
dffca1e4ce25a0e63e53c8f6cf38d6f0

SHA1
dbdf6647f9fa7802bbfcfb8d3abf90c93421ce47

SHA256
8fdeebef0bb7c2eb71e462ae1910d45797104940c325e8846d9627d3850bb957

SHA512
927b110565c8ae6a6e9c60d2647b7827ac4d8646a11cfbc029cf218e8ee3556c57431898a5505b8598bbb8ca4e553c50bee8796b995c7e28e7d2329f54fdd567

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
63KB

MD5
722975eb362038f85197d1307fd4ede7

SHA1
b00481df53fbcbc5d698be2a5d7ae61857ece9de

SHA256
7386976168468cf2cedfccb40b276f239bd76f65bcbb655e9cf7590c28134903

SHA512
ea70b7f9d16b16725d58311703df5f51fa36ffa8b68b5c40447f87d60407bde5561edcb2341171c4a390284bd4a6d9ee143253f6f66da15e6baadcc91ab5369e

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
63KB

MD5
ce88e8dff0755cc9fa92c1c51422ffef

SHA1
78939b403744644bd3fe329a770364d621a867b7

SHA256
19ad62c1bf09c01e9dfe83974c6faadbfe5a3beffb8b706c549ba504a8f2c6ba

SHA512
625d3adb399c975679cf1025b4ae8acb78c503ba49bc98ea8cb8d0b8c5575b6da294f07abbf80f714130888abfbabf372ff01e2e86f70629924ee8942b942ee3

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
63KB

MD5
06099e094155e680ac226cc56447199f

SHA1
efb3394de836688c79c08065003eb45b2c0a2d80

SHA256
9c10e5f58ff30decfdfc588281079c0f0f89eab979e79b1e49e343bc4aaf7593

SHA512
111ae42c772bd5b08bcac551d5fba984b2e48c43010de7598db98fd70a779adc6fd475816a2e98c2270767eb442590ae5ef9fd792288c66aa9fcda0412be1231

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
63KB

MD5
bf832b5e8ec833aa3e500b814064b57b

SHA1
a40b8103b3f2f50c9586dbf70e6da89ac0c96dc2

SHA256
4cf25e6a5f91707ca350de1ebcdd88ffb611e3f2be71d005432f869117ea4422

SHA512
98ba95f1b888d3e9b64c8baaf52390bd2fbd6bb8cc6ebcfa9165b5f1c55a4f18f17a4597c9896596db0724e338d98c6ee1ac2f47bb3a259d1fa7164026e85076

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
63KB

MD5
d0deed95cdffd9c775677c969757e215

SHA1
c610f6af64f3c5324d7fff76840b54b0c6d656ff

SHA256
0399e0f4ecc0102c8f264adca769c4bb775a9b4e258b691919dff73217b8e30f

SHA512
d33f0f38a549a8b7636f805964e92920b5c634ad0ec8b9ec2f08bb40cb749f2b883ab8121b01d7e502dce760340bd942059f163c335a1189bf2063c16b755187

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
63KB

MD5
fa60b0d1304a9878eb0f033be3612981

SHA1
19f1be83bae56fc4a2fed38f5cb2e0ac846a9e37

SHA256
f0dbfb29d874780c8052bcb1ba4ad9cbcb656321ff993c2babb859d950284fa5

SHA512
0a36eade77c396fef71a4961e01c3aeb3039063c87e2a24600251959795dba88d83e6ce06d22efb402acc1f6fb168c209c0182ac916f77420863ccdf05f1a6fd

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
63KB

MD5
8c7fd1a66ce595fe84ba40fd160077e5

SHA1
a40650c96881e6576246652d1e708229f82aa528

SHA256
ed6b24b525213ae88b1598146d146f561754b6bdc924c8d7f06bc12cedeaeb95

SHA512
dbd7f91f017d023d841824472ec91a30cd535b7c3550106bb5b559e1fc0047d904bee992012a7552eb2f2b1025a8705bd0bf789f7be93fc45243a0a1be088478

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
63KB

MD5
64c2363149e8696807d31b965f133606

SHA1
dd42a860a4a4889dc7a41255748be69c7c7fa6e7

SHA256
a2f938e862a43e1c8c25394df124300a6785b02d9df89735222bbb01fc79a76f

SHA512
0ffd90727d06eefea6657bb48453d3560a4d32dbada462df65f43b38cbfc7061a1f2cb0046ec36e1bd86e6f0a58d9ec8cc101178a8e6fab0250faee88d56d1b9

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
63KB

MD5
e947491b48aa0dbc1da21ecff0924080

SHA1
e05065af0e9df26f8e1129bb6decd6b21cf7a432

SHA256
b82647c0c603faf7e16c80f615d61e6ce65830cb910ccfe249fb8628d5dcd4e7

SHA512
14598662dbd0d34784ae7d989da69bd1516f9a02bba61639372f563c1bb58967233f86bfc003781e96764baadbc9692152ae9287af89a6f93dba8eae9ed458c9

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
63KB

MD5
9b2a23ea496ef808206b833138011809

SHA1
2838b5ad8f49a92aafd57376edd1d5954a6bf360

SHA256
1a0f87cfc40a873639ccc32525aa264104dc302c0cc7f807bd4efe7c059ec551

SHA512
dcc0d87558a46d6a55c5ae82fbf9918ed3aa054f0b41ae54d9e311528ef515f0641ab4b8208dc761335a97ff6988811f6b8f20226aaad445a023a5c9b9fbed78

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
63KB

MD5
97bf5e3af6bfa2d565d1c72b99f3bfb1

SHA1
efc3b73eae7a64ef87a91d6f89e3232d9ccb57f3

SHA256
6387dc0d69a788bc5c6efacde64a01537d4e02d87e10a9ad80c326c1b4ecf55b

SHA512
d29bfda4f047c1e1f3c17a32beae433d4b2511009711ef1631461b83f3b5a6560f9b7731c3db0305a72bdf4d85c72170216dfab2d63b4d17a0140291159e864f

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
63KB

MD5
4e11c03e0cf4848c1c9fa6337f1c78f1

SHA1
481ff5c4d42c6bd88867a96b83e2ad0e2f3f0126

SHA256
285503a9b5d55116843a8ad025f1aaf374594ac040e6b7daece9f17b5ad94c3e

SHA512
2d44d620c26fc89cf26eca9538f9749b043b741cd9d28885fbabc879736f268bd44ad2e127216d5b3c998cc5d4a5e199e2b67182682ba6a6aa8114d991b42eac

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
63KB

MD5
05f2e8fff8d349be9fe5576c746a2fc6

SHA1
c7f0538ab7f9f6c8762c761924b6ad0183ce4280

SHA256
f8ebf95edd6ac0029117f098847ca3f3dfd91247bb1221cda49278eb7c350928

SHA512
f2a2a6b59aa5b79565a29779a8b9344fe6aec844182f7ee6a763eb6ebeb07a4f7e12910f930cb7e03bfb0a9e790236157f6e518aba3fe157e068ec9bc5e9f151

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
63KB

MD5
0960f2509fd77d8617a819a592abdd16

SHA1
cfded6c07a7970680de1155e9de4beae5ec0f0d4

SHA256
db5f5a593e2c8ec7310c3826577f7702832c2717222f98e318777a801118ae27

SHA512
e462e5cc0ba394508cf8d7a233802eb1b17a77c4f11b474332c056cf186919d136e17c5a753ee21d6ebaf6d866d3da3d42d2024c1a3ef843279e8cf22bbb774e

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
63KB

MD5
97e8036c680753043500393ab208713b

SHA1
061d3a2f32ba2b30a4e3e45e7f20b51b8064ddf4

SHA256
a005f77ba505d366b81f6f357e490396bca2cb8b3237855ca73fd7b0014b8059

SHA512
e6beb9cae3079d7c679bfa76c06dbe7677899ab00a47d840bda791236af1b92ed65fcd53aa50a3629496eeef30b3824a11de43d6655abf203c3123d8a02df5a0

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
63KB

MD5
f79a6142dc3a1af2fd019a0cff3b9995

SHA1
91c5011b524441e872a2605a5c5dfc8d896670d9

SHA256
8bca7e9633230555c6461c62d9d04f6b14554dfdb3100590e5d11474d028185c

SHA512
17d37ffd5add1d7d00efa37265e603ebf84b0949485f36ac25d139b648bce4339a8a724098c763d84ce015ed7930cea81ae933a4f2e7687d9e5ed7d0201c4dca

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
63KB

MD5
24466a4b7263e19aad254bdd330c3556

SHA1
7587b203cc4816785d5616bbdb9df65fe2d9a651

SHA256
9aa18a4693c8cff6e841498f0a8bed0d646e1aee452578c331928894081a2b0b

SHA512
44f76fd4075b2c61dae59190bd3017b3394af4a0280d0de63769b6a21b833e43fa851ec1cb4009dabaa18d7fd04ec43237c1fbcc845663de8d3f3ea31af541dc

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
63KB

MD5
ab0503a819792ab307334b5f889b62ce

SHA1
77ec7fed606e2f038309b35c0d2e25ed0d0853ed

SHA256
75e1653559914352b1b66d5d5309afd0dae1a216012f3261548ae4efa6c47bec

SHA512
c2200453f64c038f97b4e57cce60c3f3b74d501650acfbc4d07bd64c0ff5aa3a62ed4f20fe4804970e7343007a68728be0f8d4d2cbed4bdc3ca2c04ed83c136e

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
63KB

MD5
72d41c44314f70c6b5d11295b0e4e579

SHA1
9810c4890e3454c312b62eaafa8791c270cb61f5

SHA256
c74bb5c3b25648b231766ff785a82ba6dc728fafe808e522138aac3dd9ac3aeb

SHA512
89e4446b5fa98c7d52ace8cb19907ab160669c991e8b555a28f4afea4d698b055a08334ca2ab9b7fb2779f2e2dd53180ad86fb116a1869a355ff7d5408939593

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
63KB

MD5
ff5413aa67e36b91a462c56e4bb5ef2d

SHA1
77411db9b6ba879c50b6351e694708035e482991

SHA256
cf9b5251ac6d6a3ab2a50f6416744aafc5895eed8559dc79b4b4105d53685cab

SHA512
6ffe715c9478855543856cd9c5e43acda58f38b4e1945524c5c1b1fdc5330587a708c2f262d654a5fe9963bb794a31223645c5da1b859bc595efce7606aa2ebf

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
63KB

MD5
d065be877c95909352306736c2e71054

SHA1
e733e9826d3c8c77db79b3d21a7b4a25ef7b091f

SHA256
59bd6807e08212eaac19df314af8952b103fdb61b801c23a7a4c71bf6cae959d

SHA512
854606ba83d14f9c34b54aa586a60d5495ac1eae03b71b7d96ddcda229c3b8990eb0a28e72e218f86c65dbff07957a9eec8a931642019478485441c7ceae5278

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
63KB

MD5
24223429ec5fa773fdf13243d643c722

SHA1
ecea7a77de40ce64bf5c283f7849e9d67d3001a1

SHA256
dcf17585c29eca448d3df796b77f23a0d6de9234248f7fe1f44839e52252e9ab

SHA512
005842764897400da1ec7a8286b2054a1a211676f291c4838168e881a194d972066cb01eabd448671874e629ddcbdaa123ab0e998a2d7fa31d4f974ff2ff025e

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
63KB

MD5
ff5bdd72bedf481a49b24f2c11644951

SHA1
d0569848b8dce2de0001c99795ddfc7140447ccf

SHA256
474ffa6b81797811447ccc88a63d2ee61195896b268b14aef8bc09cd2a3a3aa3

SHA512
d35d8d90b322039366f765540ceb03d1ee22ac38f7aea37365b6648be72c27fce2d7d2fbce554a4d6a2c0e0e08dc83f11694343711de013b9369b026d7e6c3d2

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
63KB

MD5
fd108ef1622f2b1ceafd5ab62d285ce2

SHA1
cf1ba2813964144555969a2f0d51147fe5550e87

SHA256
d10003748ee5a111421dc2018b790cb73ee25412fbfba219447a67165dc77236

SHA512
34ad884c730ff6c4ae617ec53d2ec2353a03a1dca3cf64b5cd543cd10c75799e7dd59b20ba30a8c07ca60178ff67c966a0f6b7b05d042ff8a06228a9ab23e493

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
63KB

MD5
987fc88e7d5f127d083ef8d89d91832e

SHA1
14c7e4926a2cbe3440098e285a6b0b6b0c99afdd

SHA256
c52b53bc39527bcc4929824299cb14439d45e6d7987b75945d8fe9e3dda8e43e

SHA512
7f1c907fcb99ce00a07a6dc284b065e9fbbc81aa669e14ccaafdb3ac132a04d1276e09913ab669e7c65a13bd07cfb2aa2ed1c183fd801ae93c4c131204f50800

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
63KB

MD5
a066c59ed446c3c090cc3188bafe86c8

SHA1
6361ad1291129433c0fd193693f1a2732f22f685

SHA256
b634e3f6688a7b4a7e010884f6e3a591335419622b9c0650251177e041fcd7ae

SHA512
25f1fc3a2fbe02392b5eea7afb5d3b8c7b43aac6d0051d0bbad730a6c5f40a1445f4d0223be3e9ecd0021ae3b96aa924d4989c4670d1c6f64d7ff378ed6b3b89

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
63KB

MD5
57d59cfe4dd1f9d8e16c7e75b8256adf

SHA1
2b9fe488fce230d26db92f1d8afccad3d292bdd3

SHA256
1c4c9d1e7fb29e0079d2117f0b1d8e99a8e958454198429a8d6a7bdaf07faf08

SHA512
d11fb16d74563cb49c318ffcdcb847d591d245e5be165ea893387cc4dadd723d107bd2e8422bb1b741e68d86a1228441ef4143641df166970416ed848ca296cd

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
63KB

MD5
79299ce22a5fc2d939c19bc4b42f732d

SHA1
e269a61d1cecc4e5ddfdbdd92229d583fd2fd974

SHA256
87822520ddf53ac8f3bc9a736b6aabd49e2d3a703e9fd0a3740d5da46dacce28

SHA512
4393982e32b62c1ea5b5efbd9e3a24167b4a383e9743390db36e73edf480417367090a64d078bce124407d5b6145f1ae0df71c22e9f215e3a00ed6605b688329

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
63KB

MD5
4b25359ebe685d170f867dbb68f17bb7

SHA1
ba838328b872090dd3224574ed5ad1bdf720f546

SHA256
9c2493995830aab2909a44df3073cfd8a8dc9117746293aa1a2ea83d93901ff7

SHA512
86984783db33d2e637fac905a9df6b7c40f8d6ea69b5c2d759a27324bfa86f3cf3bc8652f733d899ba49e264d03296dbc44f446b35b6638f1902d8158d2190c6

Download Submit
memory/212-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4540-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads