86b281f030995be5179b1eaa93e193c5312d4e4778f4b87059b997b4cc8d0fc4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe
Size

320KB
MD5

2ce3f2edfe153790203b3bdd61efc210
SHA1

a83b68cb439f4fa2004f9ba7fb7bd19926775fdc
SHA256

86b281f030995be5179b1eaa93e193c5312d4e4778f4b87059b997b4cc8d0fc4
SHA512

26c03134ff95d0a42aee18114ff21adeee31a79c879e995bae551ff803a76f63ae4739ab9bbfbe70e05ab68788fe2597559714389a6c6e66f6dc3cf281923671
SSDEEP

6144:CsbU8/9hPVvl/Y/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:ZthVvcm05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe

Executes dropped EXE 52 IoCs

pid	Process
1980	Liekmj32.exe
3164	Lalcng32.exe
4856	Lpocjdld.exe
3048	Lgikfn32.exe
1788	Lkdggmlj.exe
4336	Lmccchkn.exe
1044	Lnepih32.exe
2680	Laalifad.exe
1760	Ldohebqh.exe
3880	Lgneampk.exe
1480	Lilanioo.exe
4512	Lpfijcfl.exe
5048	Ldaeka32.exe
3484	Lgpagm32.exe
536	Ljnnch32.exe
1756	Lnjjdgee.exe
1372	Lphfpbdi.exe
632	Lcgblncm.exe
2208	Mahbje32.exe
4344	Mciobn32.exe
1880	Mgekbljc.exe
4092	Mnocof32.exe
1920	Mpmokb32.exe
3276	Mdiklqhm.exe
3676	Mkbchk32.exe
4704	Mpolqa32.exe
4020	Mkepnjng.exe
840	Mjhqjg32.exe
3780	Mpaifalo.exe
5104	Mdmegp32.exe
3128	Mglack32.exe
1696	Mpdelajl.exe
4292	Mgnnhk32.exe
4524	Nacbfdao.exe
1448	Nqfbaq32.exe
3012	Ndbnboqb.exe
3408	Ngpjnkpf.exe
4708	Njogjfoj.exe
5084	Nnjbke32.exe
4616	Nqiogp32.exe
3296	Nddkgonp.exe
3424	Ncgkcl32.exe
4716	Nkncdifl.exe
4260	Nnmopdep.exe
4328	Nbhkac32.exe
4760	Ncihikcg.exe
4796	Ngedij32.exe
616	Njcpee32.exe
4548	Nbkhfc32.exe
3140	Ndidbn32.exe
712	Nggqoj32.exe
3576	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4780	3576	WerFault.exe	137

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1980	2064	2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe	84
PID 2064 wrote to memory of 1980	2064	2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe	84
PID 2064 wrote to memory of 1980	2064	2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe	84
PID 1980 wrote to memory of 3164	1980	Liekmj32.exe	85
PID 1980 wrote to memory of 3164	1980	Liekmj32.exe	85
PID 1980 wrote to memory of 3164	1980	Liekmj32.exe	85
PID 3164 wrote to memory of 4856	3164	Lalcng32.exe	86
PID 3164 wrote to memory of 4856	3164	Lalcng32.exe	86
PID 3164 wrote to memory of 4856	3164	Lalcng32.exe	86
PID 4856 wrote to memory of 3048	4856	Lpocjdld.exe	87
PID 4856 wrote to memory of 3048	4856	Lpocjdld.exe	87
PID 4856 wrote to memory of 3048	4856	Lpocjdld.exe	87
PID 3048 wrote to memory of 1788	3048	Lgikfn32.exe	88
PID 3048 wrote to memory of 1788	3048	Lgikfn32.exe	88
PID 3048 wrote to memory of 1788	3048	Lgikfn32.exe	88
PID 1788 wrote to memory of 4336	1788	Lkdggmlj.exe	89
PID 1788 wrote to memory of 4336	1788	Lkdggmlj.exe	89
PID 1788 wrote to memory of 4336	1788	Lkdggmlj.exe	89
PID 4336 wrote to memory of 1044	4336	Lmccchkn.exe	90
PID 4336 wrote to memory of 1044	4336	Lmccchkn.exe	90
PID 4336 wrote to memory of 1044	4336	Lmccchkn.exe	90
PID 1044 wrote to memory of 2680	1044	Lnepih32.exe	91
PID 1044 wrote to memory of 2680	1044	Lnepih32.exe	91
PID 1044 wrote to memory of 2680	1044	Lnepih32.exe	91
PID 2680 wrote to memory of 1760	2680	Laalifad.exe	92
PID 2680 wrote to memory of 1760	2680	Laalifad.exe	92
PID 2680 wrote to memory of 1760	2680	Laalifad.exe	92
PID 1760 wrote to memory of 3880	1760	Ldohebqh.exe	93
PID 1760 wrote to memory of 3880	1760	Ldohebqh.exe	93
PID 1760 wrote to memory of 3880	1760	Ldohebqh.exe	93
PID 3880 wrote to memory of 1480	3880	Lgneampk.exe	94
PID 3880 wrote to memory of 1480	3880	Lgneampk.exe	94
PID 3880 wrote to memory of 1480	3880	Lgneampk.exe	94
PID 1480 wrote to memory of 4512	1480	Lilanioo.exe	95
PID 1480 wrote to memory of 4512	1480	Lilanioo.exe	95
PID 1480 wrote to memory of 4512	1480	Lilanioo.exe	95
PID 4512 wrote to memory of 5048	4512	Lpfijcfl.exe	96
PID 4512 wrote to memory of 5048	4512	Lpfijcfl.exe	96
PID 4512 wrote to memory of 5048	4512	Lpfijcfl.exe	96
PID 5048 wrote to memory of 3484	5048	Ldaeka32.exe	97
PID 5048 wrote to memory of 3484	5048	Ldaeka32.exe	97
PID 5048 wrote to memory of 3484	5048	Ldaeka32.exe	97
PID 3484 wrote to memory of 536	3484	Lgpagm32.exe	99
PID 3484 wrote to memory of 536	3484	Lgpagm32.exe	99
PID 3484 wrote to memory of 536	3484	Lgpagm32.exe	99
PID 536 wrote to memory of 1756	536	Ljnnch32.exe	100
PID 536 wrote to memory of 1756	536	Ljnnch32.exe	100
PID 536 wrote to memory of 1756	536	Ljnnch32.exe	100
PID 1756 wrote to memory of 1372	1756	Lnjjdgee.exe	101
PID 1756 wrote to memory of 1372	1756	Lnjjdgee.exe	101
PID 1756 wrote to memory of 1372	1756	Lnjjdgee.exe	101
PID 1372 wrote to memory of 632	1372	Lphfpbdi.exe	102
PID 1372 wrote to memory of 632	1372	Lphfpbdi.exe	102
PID 1372 wrote to memory of 632	1372	Lphfpbdi.exe	102
PID 632 wrote to memory of 2208	632	Lcgblncm.exe	103
PID 632 wrote to memory of 2208	632	Lcgblncm.exe	103
PID 632 wrote to memory of 2208	632	Lcgblncm.exe	103
PID 2208 wrote to memory of 4344	2208	Mahbje32.exe	105
PID 2208 wrote to memory of 4344	2208	Mahbje32.exe	105
PID 2208 wrote to memory of 4344	2208	Mahbje32.exe	105
PID 4344 wrote to memory of 1880	4344	Mciobn32.exe	106
PID 4344 wrote to memory of 1880	4344	Mciobn32.exe	106
PID 4344 wrote to memory of 1880	4344	Mciobn32.exe	106
PID 1880 wrote to memory of 4092	1880	Mgekbljc.exe	107

C:\Users\Admin\AppData\Local\Temp\2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ce3f2edfe153790203b3bdd61efc210_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\Liekmj32.exe
  C:\Windows\system32\Liekmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Lalcng32.exe
    C:\Windows\system32\Lalcng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\Lpocjdld.exe
      C:\Windows\system32\Lpocjdld.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        25⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        53⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 400
        54⤵
        Program crash
        
        PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3576 -ip 3576
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
320KB

MD5
8bdad2f657e37c1ae4ef552fcdf45937

SHA1
b68e2303367d65be2f6319efcf711d3cf37b2bfa

SHA256
3a5302ce267f27e653937846ed92cadc8dbbf31a6fc608037a2051a4b30a298e

SHA512
1c2bb4aa9388617ef47f8798765197831ef5f13bbba2cdf29ac07a15a3c4bb47877c07b883275a4b3d209c711331dea04edb9592ccc2f82c3f5c3e6e697a31b9

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
320KB

MD5
7be6c4be35fd8f54172804dd51e349a1

SHA1
dfe408a0de282710da918c5fca18462cc0773b0b

SHA256
a14d829a6d2403125d00de4c3dc17fbea704ff9bc13f6d3956229ee3d75181aa

SHA512
55a005e1bc3fb8de556fc2860bc67a52e45bfe3422dfc407096c3953c979a1ff29a90e98b9e856440b91f988077f1812eb29e830d185337ae45f855f635f32b5

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
320KB

MD5
07fa1f1f954628b71243e1660f55267d

SHA1
2eb9c60795466e29e793b0b70c68385d93a5aec8

SHA256
3c6169ab1586b94ba4a283563a519646ed7117753f576deb3b25b6fae5bf333b

SHA512
b2a428e425332ab50d05f127cb41f443878ceeaee0ab5bcc24c813f4257a967c037ce13acc389317a19849e2ea408a6920be3ffd6d66e2a88f79abf36c30dc44

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
320KB

MD5
6aaecef4156c7b529cd4b131e41f2e3f

SHA1
4919cff3cc74776e2f93d7ffdebc96b52b335bb5

SHA256
39b2cb43c4e169aa0c18166c9c8d6a70f9bdb24c3f2207a83248ec307ac2fc6f

SHA512
d4e5611c4f27c529647560961fe74c6831d45df6f35800d794727224f797c1feee6b651f139a79780d207b6614b0c614b17d1e3910742c163f5568afe21052d4

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
320KB

MD5
4f119c12bb058621021cab1cf9cbf2c9

SHA1
43ca56c8350ccdee798a9e29dfbacb3ce7c69ad9

SHA256
b0f9f14f7413e197f5e241f3eee96adecc815c72fe7c52d3ea180f759a5f6f9d

SHA512
932b492ba70992d89ff1df3d5e7dbd66529c3a704c7b32de0953ebc9717636c4194e5655ca961c3bab9fb41ec615626c930146c8149eed1c6ef229a42d68fdd2

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
320KB

MD5
ad132f49358ec32d699a7509921a28db

SHA1
f5a1bdf1004a469feb2a9094e59790644e5d3c99

SHA256
c85aa29340a35c3cd7ede6d65e8f62f36cfc8a0a1c4dd547aba88b6ec8bd130b

SHA512
2bff67837868e198046a8085fcda5bbe36119314f5a088c014062b8a1d90b7b3f50af9181246ceb92cdd1262ab5e630a724a9449b79aa3148523b00ac5d4386a

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
320KB

MD5
85305ff3e69a8306d7dc5082b5b79a5c

SHA1
e9359728bfb7f83fc1efb71845bcd8b7bc25d662

SHA256
fd2ec216d44d97ef284291bd96ffeb5264215732ff041fe34436e3d7c7c965c2

SHA512
1c2028c913323cba565837fb3a279e62966ed56a588fe63c5e712cef9a225f1bb358dd6e29998c0a55c8c6a8e61a7b51f5ac0fc9cd0646a3f306956030e0a4cb

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
320KB

MD5
3b9c785114fa85c62f2ae61e351e492a

SHA1
98738197e26ceeec416891fc9f85b081118f50c0

SHA256
2b2662f1e9691996f0168740c5d2770c7534998920c361644ce83e8ed572a1d6

SHA512
398df7d6bab8e1e3e7987cd3422aca3e12deee4e4a7bea019a68395ad8e39469ab92e0b87601364a7560cb014c21fbd6005c1513d9393442a8ed84265edf2833

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
320KB

MD5
db70737489e7e1d26ff4c7f66aa3c1f5

SHA1
f4875eb20af9823ae8a5610b19a72335dfa8cc40

SHA256
a08434343a2928fd7bf0a33525419fea8bc579ff35016a99f0766426c5aba121

SHA512
b3a9159d082402f166e5324cc255e47db9b6bd3a14b3b6e386d73944d06f4bfe96cb0b5f1081099f73c57b589ffb827b9f71998185b158875d0219e15dd2d096

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
320KB

MD5
73fc3de797bb425b56cfcd21ecb3e6a9

SHA1
8d4b9a24a3a6b57e419e5749181622eaeea6bd03

SHA256
684c8cf18802796ad8fe4f05bbed0275efc2f3a21fbce6c5b5dc214c4d12bda3

SHA512
44a2d0e43bc2fdcb1be1e448d634308e0af1cdd55f38ef7a31fcf2129190d26d5f8e08e2b88d802404754dc25ebea7db7febbac5c8396bd82d2f116a73b5baed

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
320KB

MD5
51dc87fc5bf925e6fbfab0cdfa3a1948

SHA1
1947894b55a0eaf48dbe97a2536bc7873c152832

SHA256
a0e07317842e33650e1017a77584f87734b9d9a86528b2cdbd40b3240dfe235d

SHA512
a3ab8d1b24868a489895948669d5bb5a8c937b609332dee366ca9d10ee8c19acdecb8c2b449e015a116176384466feb0d0f3d8ab8bbd479335f198d7f955a989

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
320KB

MD5
de8dbc6013d19d43e929c10b96fb265f

SHA1
c6bce989838211e9b6fc7ce95fbc72936feffb43

SHA256
c2b4f5ce2dd18ec40f55bbf3b7087d4e14a98eb3a7462259e3d817ea8b88bc76

SHA512
79786d024187c7029a4f7cdb0134224f9c0a18c7329265be0aacedf2ede2254b73a920976a9d44885eaff5d43646c9c165567dbe93cce2a1773b95a48f265b1c

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
320KB

MD5
420adc10d2213bdbd92f1473ba42a32f

SHA1
57e4329bbab656e681e57f1cd604f13cdc70a207

SHA256
83e2e7248c409417741a79c0e16cad8872f8f423c2b4b3ecffa90bb4b252aff5

SHA512
a9eb1c1fc5521e894afbce9a3c7802f76a21a5e0c1b82bed2c9c20e79c5119b6c87bd3f38b312d5278dfc10c42216a3ac650772738fbf97f2b4aa47af376d910

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
320KB

MD5
6333fdb44c92445abf34517762689da4

SHA1
c69cf3f03dad1aa1f9e1f9825aa3888e9bbae5ee

SHA256
1ff172f6baeac22a44fb31ad356978801bb3636dd8c6d165179043fb67a8063d

SHA512
a1e6bc981a17aa212b327392bdb6670ea1a0eb6beff8f4bbee44fcd8bb77f1991fea91c52c6fa0e9c2215266f4162ae1c490e7badd018e7701d772068084cc38

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
320KB

MD5
8dc49a0f80cd9cc99d608865e3918a42

SHA1
c10307ffe1035d20f640556c48b55c7a9de5aad2

SHA256
f8ae2af1f663bc51fc03c6f613c23ef4a8f677197244a228eb2397023afc6c8b

SHA512
6a848c0b7f27c9966b7884c175a5a60109ca13a691c7f0fd7a4a50dc92afd98bb58bca8fe69f49a77cfba9e053ed49cd1d7c4d23f33c9aa0e8f87a6e51c95a86

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
320KB

MD5
f44d53b1408e88df25f1581d91083832

SHA1
cfe82ce4a89b62648c6a20d0b674223d5cf597fe

SHA256
e09d6e48154eaa694c4b74e64044e0a6285539513da5af422391b109aaaf409c

SHA512
dd5cc1819d586a067004e213da8a9ed26283d0e692098e7850fca27fd1fddc297d57521a81bf55de346dfd9836568e50c082027096037082be6ffcfb60d591a4

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
320KB

MD5
9b3614d4546934ca2da729a169bc9806

SHA1
eaa56a858359d657435843d23011a3fc60ce809c

SHA256
0c47a72e8fbd0b605804f20a82c95f01871c1dbb9dbe7ae5e4de129543ae9120

SHA512
594712fa8c5009212504a2fd0e093bb1872a1602da567ec73e60b9a635e2641f2fa18fe8d10f12e2e512c0b1d3ff4c5b18c8114c07c56b650e30d1fc9fc9517f

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
320KB

MD5
44424725fa05b0c5dd221588c2d96d0e

SHA1
4548d63a7345cc3d7ce05d91dfc143d2d4e72a04

SHA256
3be5c2ff9161653d676d8490418ca54d36d5c198b74b8cc0863c3ebbbca4ce91

SHA512
a9d89b5744b3cc2570bf71a02e584e0fccc2cd4e9335d8e9f0cf449e598e30469f2769854c3a271bfb37ffac78035f35aab5501363360be0793d0c46faa33d31

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
320KB

MD5
b42c40a438fef06d5423d793045a941a

SHA1
50751b2d32cdcf20fc1839fd3970d113d1732fa4

SHA256
9d9d5dccb1a3522ba2a67364c2f319455fbd7bb06bc28c79abd9482e65d130d9

SHA512
ba70755ede0fc94bd92ba0482879e9c7dc388f725693db47ee10690181fbb11ec53099217c5f2ff15ad2e55dd5a94ca7b35a1ec38ea09c43c1aa5b7ebba8875d

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
320KB

MD5
773cff66ee1df2cbd5ec2050a9504602

SHA1
97d221aef141003a4c6a227eedc31d4273b10f25

SHA256
4dd5cf7f4cdee3963cac53e421a5b83320bcfc41bb0606393ad09b32ca82cff5

SHA512
85be20e2f62f7d0920dbe0c4592dc7e78a5b525a52a28ab2d3ca0732023eebf6f71db63f0d15103c95d4fd8a271efbbe6a093c8c04cb35e00e198033829989f8

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
320KB

MD5
3fe2575d2f0a4cf188fa16a54e574487

SHA1
ae253d1c034bec80c8ecb7c03f822ac43c2bca68

SHA256
b22ca8a32e75512160e0c12e666c7394ae67acd78cbb851caf2bd77c874aae17

SHA512
ccc106c819d72382fb800bc085ca33b3fe6513947ecfcfa375b65057fd1cb3e8ccb620792cb93185d0cd9bd163d6718c1a14896ae62e1c5913e9dfd2e45875c8

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
320KB

MD5
200b183364fc82e8302b3c7b7bfabb10

SHA1
91976c57ff6f1d2288544ecfd928ce06aebaf88c

SHA256
264670b7bce80b13c0053d59941d288fa3a60b7a270fd05d04b120d24fbdfd1f

SHA512
1e3edd9158f1c0d1a7a2d334e18860fa49961e9dc2517ee2d48d522d942256724cbd3c9f6450a789e4bbd55de5cbd457d9e2e9e0badbebdc801e4a89aba4f4cd

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
320KB

MD5
6f88280d711a76affae42b89dcc16ab8

SHA1
1a2966f394cadbdb2dec96b00ebcbb44d0ae6dfe

SHA256
045d8f0fa779f4c732b8fcaf7feecff4e6114d405321ed991f107306aa6a01b2

SHA512
37cd6cec59387a37ca1af7280c8238a1a847d821c159c8d79ef7dff9fc2337dd512ecd12e4f9b170b3636685815b58b3759d06f0b51e9f238dcaa91c4faeb0b2

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
320KB

MD5
c033be468db260ff71f1109771230a7d

SHA1
e49baf88aec109e18669040f6d1b16c65f02cb40

SHA256
c280547b560dbf46e2c6e9d2b410254bdd008a9dbd3cc0006c1ed2dfffbae275

SHA512
4fac7b11b76d15588c2a4e22240b3a20a6dc8ed46726b645b2ea53b0ae7ab4ef72ebd8eeadc8e21ec04fc9cec12cf032f96d41b884506a019529898e138346e6

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
320KB

MD5
d70b14c4ea16a2b4d4e2224131b43c86

SHA1
6b04771b8ed729524daa2a9242debbbeab14d037

SHA256
4b8f3f24e52d7340062529e14efcab722a1744d49eaf18d06aca6d9134bca529

SHA512
93edfcf6fe646349a0fffd6891506b9ed78dc6e8618aa64069b99f967464709314481d2891c5df38d5c81c911fb74c06d53bb81255efe44a8e2d2862370e22f8

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
320KB

MD5
102d70b31550a599d02d9cfecf356766

SHA1
67472af2155720d7493c1f3962347670bf53c728

SHA256
2c0e451749eb3b3153c314b4c6888456a789c3a8488490a773e2f3cdfefc01fb

SHA512
45e532c146405340049e5e7a42503e4209f14e2fa1a9369d3a4da4cf09806bc7be68877ab4207605c032d77d86893d6eb10ce3ebe6cb32d20c0c94ce56e6db4b

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
320KB

MD5
3f74f525942e49950c350f41c99506ee

SHA1
d824b4ddce5f66695f551b1a31e767efb7cb2d01

SHA256
7763d2647f6795c113d7cbe53407c3412ce3b0519ee9c206e310627b9e69f7ae

SHA512
f9a255f340d429a1d05f284c988cae3e321445f6c0a30b348ef67279328017618a80748b17ef32adba0541eff95d4b44b61d25aea2cb93ac05235fd869efdb93

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
320KB

MD5
396565dde24965987dea895f38e91e3c

SHA1
f37f8c8a2d2aeead80f6007f7066d155fe85ea99

SHA256
56e47005d82c1389d17efba2ef693972f6f6393a45cf1e1ed1f4e3d40df4e1fb

SHA512
584499e91cd03eda6e9155ef48ed85663eb3ea3ed5f05090279678c7c0835d6a8a195f2b28f75cae0c7c1073aad0f7f8d412f542cf2da5720e402f38bcf3fa0c

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
320KB

MD5
e4cae534583e077a17f47caa1b907c41

SHA1
007c0df24b4712a692339cdba59a6ef92770fb35

SHA256
c2bf8f782bb7cca4807b0b5025552047ca9b1953335235588de9e5e2effc0249

SHA512
276d143c3ebe53eb85c3a8aba78c1a9298d841a0ebcacfb08d07dec7662158624b7378b3566e4e70f1c6cb15861dc20d622b0107e3e25b15fa716af60465a005

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
320KB

MD5
1c2ec20f5e55425b775e3cb07143225c

SHA1
501eccb2aa6bdd47fe6b5fa58397e477e5c33210

SHA256
72681a1315dcf10b4027310d2de3cd6ff95d0cdf06f4fbebd02e3f15dad0a117

SHA512
d400f0f6217d5972d9bc0e67866fe7b668f67d3fe105670786f53b88ffdd36805be276e7983f384993bbb49c317a81ff1a7b7931e20e8589a645a8b781f54a85

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
320KB

MD5
f623f5fe96dbe5934c99da0ce7467433

SHA1
63a3b69ec8c20ad458787dd9c0708bb6f164dd00

SHA256
97eecbe127c2fb19bfd931953255e05e7ecc6eca9cc82ee008c162a4774d0c76

SHA512
435557c904b36757c98ab27bfeefbe16475308ec4ccd20e4a5e490874f774bc968f6d71326fc7347a68785a7e9f7a90679e19d75772ac194dcfc92275cb7ae0e

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
320KB

MD5
e8b6eb8d32474946b8071282ce374263

SHA1
c807ed767aa840fc039a9219a6a59ad7f2b3faa3

SHA256
4d227bba76c7b2d35eb002a4acfec78d656a91ff92e4a803cf89dbb161a7979b

SHA512
67d657020ca777da12ea66e5f01371587f2df3bcb1ab4e34f99e612d25c2170dc50b7429910c9fb785bfbed1a22904e018be969107d09949baa20aa306e9bfa4

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
320KB

MD5
d6918466593595d18103b7f0a064994d

SHA1
814e99226509447644cdc84fc209ecf14ac724b9

SHA256
f6c89b7a1d636b1e9299ec5bf145a5bf7fbf3ee9dc390a559266cf1830b38ddb

SHA512
53a1d68580650eaf5a05aa61fb03af01eca34c8c5649eeccf9a41c132e330fa13b55199bb6e959128d2be4439e432543c5b100fa0bc0383a4a11e0b4b54ecec9

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
320KB

MD5
2db23e516c0c911b460e372fbaa16c6d

SHA1
389ac93ee38ddd2b60a5a55ab9a5338f0bc788c2

SHA256
30b4aa55bbed9410223550ff688fb0549f6769c05907fbb2c0a11919372c3a1b

SHA512
ba1fbeb082e52e5d50534d79592c7900617c91efd7c4e3f83dab23d5d265c09ee4ed192f88f2c3630f99ad5d2c3b02fbbabc9cb0bac05ecde2f35a0855dc0ba1

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
320KB

MD5
124497b43a618ebf609450d2abd2838b

SHA1
ff333a0cc43484316fed34dfa0a768924c38d6ad

SHA256
010968f3c6d5003a24cd520aee2fc055c0680084cf0d4f9982f657e551b12526

SHA512
d2b003ce170b857e58a880b064a4a568ad7f614237a2493afbf1ec450edbce91cf47fb7105f62d3019d32c340e17dbcf2fb2de2389a2ae1bfed836619ace936b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
320KB

MD5
c3a0b8f2ff7276cc42704239e08a8987

SHA1
8ddb41dd3b7afc91af31d40e8382c0d4006aac3f

SHA256
5b6873d6eb1ef3eb28627eb48c37234d8ac6481a285bdd2497fd8f9ffc7231af

SHA512
2277a1bb2ffcebc6f84bba7b7c284d16461a0829bd94e8bd577fc44977391c7addd470e43a2c257d93b2016cc72c795c65a8719f92a2580343ae2275907c5677

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
320KB

MD5
aab0690f33ca2956cd67730fe66b3d17

SHA1
8f3f304cad0545faeff3869fb5cfa493d31bb866

SHA256
7b272563404dcd393a85cf9d9eab82d9cc06532a18b1e097abd31331713cf7b4

SHA512
083f7bb82ff68b47068bcbcd019956486cc7b02fca5638d20ea5ce8048a724f74da8f169c5bbdac9c5589432005ed1434df99971515ef7ae96164aa741f6e3ab

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
320KB

MD5
8eb886e399fd23f91d3bb7206459f518

SHA1
a3049844d71f66e867293482dbc489d7ba2dc482

SHA256
072d032f2066d722548bd3471a54562f9553d1267edf26ec62fe5cefbb82dafc

SHA512
125b2cef943d50ae1b02cf095ebb1b9abcb07d7d7b24f9a74768b2480a553645e81caa4f8bc504ae0db898785bfae8c919c6994d10dbc42732cc7d7c9116dfdd

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
320KB

MD5
40e3418579cc4f27cfcbf4fce51fff90

SHA1
a41ffcc46d6b105face6b88494aec28cdaa33361

SHA256
b9c56351689490a8f1238e02c8d24cf8b6109cc178b4037ef19b161e3de23a13

SHA512
85664e2afa9f4797f6728a84b8bb2b80f28fc532d3d5c103fe00bb36c4ba18015827993163dfd27cc6344976bd29220f05b425ed4c2b1edda44055a595899fcf

Download Submit
memory/536-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/616-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/616-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/712-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/712-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1044-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1044-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3128-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3128-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-379-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3296-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3676-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3676-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4020-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4344-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4548-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4616-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4616-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4704-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4704-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5084-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads