da5fc845527e0f8f59236fa29580ed60df1ae8dcfc920f8f84b4238575c05b9b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
Size

80KB
MD5

b518d6b86832ab43b78f2ed2c8215710
SHA1

d4c83c02a9d81b95171256213c9f5999c6224019
SHA256

da5fc845527e0f8f59236fa29580ed60df1ae8dcfc920f8f84b4238575c05b9b
SHA512

1c5369c9dcec24cb9124277cc62d514fc28c16ccbd1242cc9f73a48cb1113017a55b353e4b068f242b1ecf8f0d12bc6368576737b1ca460fe2e5b2e5ead9de43
SSDEEP

1536:Ng+L1w/y8/uF4AcaO2LbS5DUHRbPa9b6i+sIk:NhyG3caTbS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe

Executes dropped EXE 42 IoCs

pid	Process
1988	Lalcng32.exe
4524	Ldkojb32.exe
756	Lkdggmlj.exe
1600	Laopdgcg.exe
1156	Ldmlpbbj.exe
316	Lcpllo32.exe
1696	Lijdhiaa.exe
4892	Ldohebqh.exe
5052	Lkiqbl32.exe
1764	Lnhmng32.exe
1076	Lpfijcfl.exe
5024	Lgpagm32.exe
2924	Laefdf32.exe
4708	Lcgblncm.exe
968	Lknjmkdo.exe
1548	Mnlfigcc.exe
3228	Mahbje32.exe
2564	Mciobn32.exe
4928	Mkpgck32.exe
3744	Majopeii.exe
2504	Mdiklqhm.exe
2376	Mkbchk32.exe
1924	Mnapdf32.exe
1540	Mpolqa32.exe
4488	Mgidml32.exe
2680	Mncmjfmk.exe
4784	Maohkd32.exe
2720	Mjjmog32.exe
4108	Mpdelajl.exe
4532	Mcbahlip.exe
972	Nkjjij32.exe
3760	Nacbfdao.exe
1904	Nceonl32.exe
4392	Nnjbke32.exe
4180	Nqiogp32.exe
1644	Njacpf32.exe
4508	Nqklmpdd.exe
1204	Ngedij32.exe
4716	Nnolfdcn.exe
4384	Nqmhbpba.exe
4040	Ncldnkae.exe
1584	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	1584	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1988	3516	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe	82
PID 3516 wrote to memory of 1988	3516	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe	82
PID 3516 wrote to memory of 1988	3516	b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe	82
PID 1988 wrote to memory of 4524	1988	Lalcng32.exe	83
PID 1988 wrote to memory of 4524	1988	Lalcng32.exe	83
PID 1988 wrote to memory of 4524	1988	Lalcng32.exe	83
PID 4524 wrote to memory of 756	4524	Ldkojb32.exe	84
PID 4524 wrote to memory of 756	4524	Ldkojb32.exe	84
PID 4524 wrote to memory of 756	4524	Ldkojb32.exe	84
PID 756 wrote to memory of 1600	756	Lkdggmlj.exe	85
PID 756 wrote to memory of 1600	756	Lkdggmlj.exe	85
PID 756 wrote to memory of 1600	756	Lkdggmlj.exe	85
PID 1600 wrote to memory of 1156	1600	Laopdgcg.exe	86
PID 1600 wrote to memory of 1156	1600	Laopdgcg.exe	86
PID 1600 wrote to memory of 1156	1600	Laopdgcg.exe	86
PID 1156 wrote to memory of 316	1156	Ldmlpbbj.exe	88
PID 1156 wrote to memory of 316	1156	Ldmlpbbj.exe	88
PID 1156 wrote to memory of 316	1156	Ldmlpbbj.exe	88
PID 316 wrote to memory of 1696	316	Lcpllo32.exe	89
PID 316 wrote to memory of 1696	316	Lcpllo32.exe	89
PID 316 wrote to memory of 1696	316	Lcpllo32.exe	89
PID 1696 wrote to memory of 4892	1696	Lijdhiaa.exe	91
PID 1696 wrote to memory of 4892	1696	Lijdhiaa.exe	91
PID 1696 wrote to memory of 4892	1696	Lijdhiaa.exe	91
PID 4892 wrote to memory of 5052	4892	Ldohebqh.exe	92
PID 4892 wrote to memory of 5052	4892	Ldohebqh.exe	92
PID 4892 wrote to memory of 5052	4892	Ldohebqh.exe	92
PID 5052 wrote to memory of 1764	5052	Lkiqbl32.exe	93
PID 5052 wrote to memory of 1764	5052	Lkiqbl32.exe	93
PID 5052 wrote to memory of 1764	5052	Lkiqbl32.exe	93
PID 1764 wrote to memory of 1076	1764	Lnhmng32.exe	94
PID 1764 wrote to memory of 1076	1764	Lnhmng32.exe	94
PID 1764 wrote to memory of 1076	1764	Lnhmng32.exe	94
PID 1076 wrote to memory of 5024	1076	Lpfijcfl.exe	95
PID 1076 wrote to memory of 5024	1076	Lpfijcfl.exe	95
PID 1076 wrote to memory of 5024	1076	Lpfijcfl.exe	95
PID 5024 wrote to memory of 2924	5024	Lgpagm32.exe	97
PID 5024 wrote to memory of 2924	5024	Lgpagm32.exe	97
PID 5024 wrote to memory of 2924	5024	Lgpagm32.exe	97
PID 2924 wrote to memory of 4708	2924	Laefdf32.exe	98
PID 2924 wrote to memory of 4708	2924	Laefdf32.exe	98
PID 2924 wrote to memory of 4708	2924	Laefdf32.exe	98
PID 4708 wrote to memory of 968	4708	Lcgblncm.exe	99
PID 4708 wrote to memory of 968	4708	Lcgblncm.exe	99
PID 4708 wrote to memory of 968	4708	Lcgblncm.exe	99
PID 968 wrote to memory of 1548	968	Lknjmkdo.exe	100
PID 968 wrote to memory of 1548	968	Lknjmkdo.exe	100
PID 968 wrote to memory of 1548	968	Lknjmkdo.exe	100
PID 1548 wrote to memory of 3228	1548	Mnlfigcc.exe	101
PID 1548 wrote to memory of 3228	1548	Mnlfigcc.exe	101
PID 1548 wrote to memory of 3228	1548	Mnlfigcc.exe	101
PID 3228 wrote to memory of 2564	3228	Mahbje32.exe	102
PID 3228 wrote to memory of 2564	3228	Mahbje32.exe	102
PID 3228 wrote to memory of 2564	3228	Mahbje32.exe	102
PID 2564 wrote to memory of 4928	2564	Mciobn32.exe	103
PID 2564 wrote to memory of 4928	2564	Mciobn32.exe	103
PID 2564 wrote to memory of 4928	2564	Mciobn32.exe	103
PID 4928 wrote to memory of 3744	4928	Mkpgck32.exe	104
PID 4928 wrote to memory of 3744	4928	Mkpgck32.exe	104
PID 4928 wrote to memory of 3744	4928	Mkpgck32.exe	104
PID 3744 wrote to memory of 2504	3744	Majopeii.exe	105
PID 3744 wrote to memory of 2504	3744	Majopeii.exe	105
PID 3744 wrote to memory of 2504	3744	Majopeii.exe	105
PID 2504 wrote to memory of 2376	2504	Mdiklqhm.exe	106

C:\Users\Admin\AppData\Local\Temp\b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b518d6b86832ab43b78f2ed2c8215710_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\Lalcng32.exe
  C:\Windows\system32\Lalcng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\Ldkojb32.exe
    C:\Windows\system32\Ldkojb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\Lkdggmlj.exe
      C:\Windows\system32\Lkdggmlj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 400
        44⤵
        Program crash
        
        PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1584 -ip 1584
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
80KB

MD5
6dd253578031f7d2ed9569d4a0321845

SHA1
065b3b9a5dbd690ccb00d5f736695d899fb2e1ba

SHA256
fa66f90db607bdd2f8c2c57832ed977a8a0b9dbc979b5287ca12b57cb984d219

SHA512
2f7a0b7c50666d686d5e68f9c1e0b226cbf13925b47164e8cf56dcf49a148c6183bb0ff430789967ffff5dfaefeeddbc52dd7077e9ffbcdb00a15d65b8fe888a

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
80KB

MD5
57f08a10d6cb3f4d473b027083311986

SHA1
23db5a3122e9984e1fe1637e1f1a4d003077e3f7

SHA256
1e2087d0459802e2582119fb5a3aceb5297bda67e230f918e6d14d025d8a6613

SHA512
b48eff3103443273c4be13eb10fbf7ec43c0beea001a1df44fe133b1349b5e36273d2dd49bce3da88c311f3c2f0715f77243c1ba52df0d285c136bce8cbc8760

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
80KB

MD5
7adbeb9335dab961aae9e2a4d450ae23

SHA1
8356422fab7349bc905cf5f0912e06023167db27

SHA256
6c17284219d2ce1fd47fc7990a4c53d604c0bf729cf7dacedea1939a3b59ac81

SHA512
eafdd40bf94fabe3c83452f7f2761a4e14051fc0ac1c3e3c91c0c3b44f41ff3320dee4b43feb13cd9812fce5ab672b56e06bcd575da90cf3bd608603cad5bd37

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
80KB

MD5
1a55781b21ddcb1f678d4929e6bc7267

SHA1
9eb3964c1e058ab1eb6b5f0a0924c80a4cebedf2

SHA256
ac68a0e5d8a93884bffadf8c9494ac64be0a0bad972188b4412c910cb14b7cec

SHA512
5b0a8f05f4356ad0600a1f4f18d4e3833c670f3ddc7eb0c1be72017a49abedf3273a292ac73e84b5495139f188024ebdcf635a4dab1bb73815a07dc96e170cb6

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
80KB

MD5
49d5977fba2face73e96eaf4b6cfe434

SHA1
5db49096018823702ebea9478293fd0e77a81b78

SHA256
de150ab590419def1c2c17cf4f31dd58a644bd7ecbcd06670e2046ccfcffe277

SHA512
4c5462e34e24fd8a9566badae355ead28ea51825cc1c720079645159949ffacecdf7d0da3cd67c4a3a1d3c5f7521481080ac47736b3fc626a1c13670736f602a

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
80KB

MD5
28ab6dad61014fca722f5b40257eddf1

SHA1
9e0a7cb535a1f6b3e96e74fc6a784b15b1f33417

SHA256
f2caab34d718b5400ebee138b082d70315dcf247d5ad9c1a75c9d93724d43fcf

SHA512
d026fec7aff26ab42cb6489e0eb3d857299380e10f2abf5363e7097a480602efc5cf57d1cc9dcb26b863d744d8d0738f169a57b0d30158e5c3aaa6a57795681f

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
80KB

MD5
789a75d8a8af7a333615b4feed614909

SHA1
9821def642af6685dd6d271f3be6a2356df20dd7

SHA256
42e93ab8e4cc37a974a31383a71fcb2cbf24d6d79efdb63e76d5a515c4ef77dd

SHA512
2bd334a0c527df086d6223092b0bc55a397d36219992b9e07910155b7873572184922bca278611e6fa27f615d2171ca02330cd9106af9298bc515c01c3b6da77

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
80KB

MD5
da60139004bb553f8730bb4310c74f6b

SHA1
fdc58454a513e7a956c7afc7b8c3d0e2e4f414cd

SHA256
0826cfc220e4e695c8c2d4b532e9cd5f8f9185f0fe2c2ddfdc545634f893e1c8

SHA512
67974b57b128ca68042bdc6630e580cf104a377cf04d850bdcee9d3fb1ff9bea5a97c0b95c7e0781b7d26b238ca622dcf0891523f718e3c1202a65af5689806d

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
546a855409f2de4669c59c9c6cd5dc75

SHA1
f460eb66a4a6cdd71a3ab4d66e5a644f877e7f09

SHA256
532f2d067bf0f77abed0a581c9d13f9e45a38dd9155590097aff03c5deecd088

SHA512
34268bdb08a8d0b6d5ba1dbe62e9cbfb60d45cfc95c55bc6279eae652e43c078430fad4970dcf406f69d7c387a84edcf7e9390f52a5a6fad63f65daefbc58498

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
80KB

MD5
dce67832e9fa9a299716a865abea7a8b

SHA1
1945d75fe62e6fba90015aff73f2648307040cb9

SHA256
e74d00bd0ca497996c38df654159d55d0643f001d5d84ecd927f181a473b19a7

SHA512
2632818d1d67b2fb9197dd3c654e677e36a6ab57cc79a0a6b78a4806fdb8d65f55dfdf7c956b0bf643155fea9cf8b8110f005080eb095871b12b4cd95cf53179

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
80KB

MD5
49839080c99a14caeddb1444cbf6e162

SHA1
28cfb5db271ca72ad543fbac1509c3dab735829f

SHA256
fda14e5db21d434f96a616348f631c4804e5ce5e2f5a859e3e2fa78e892b5a6f

SHA512
6d1e96d16499aeb93188e8e74c8c28c1a1388e1b46e06bcf9e2ec82bae67b38d19b2621d33adc2eff7b8f835a3ae545e79856eeab740bd4a3334e7b62a108262

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
80KB

MD5
f4143149b20ab1c3ee7892b08b1403ff

SHA1
be7874699046c20af133b41c73089555021bd9d9

SHA256
84de4135bcbabd9c1127c818921fd829119bc63ab8fbfeb402863c764d1ad3cb

SHA512
f855fdde2e628f55895b4458dc342f0b3539696ed7e34acc423399d6f1e12a235d909d8f84b8ecdba0442a0a8fdadb62459c8e361530502eead1ac25d225b96d

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
80KB

MD5
f8f4199dfed4b8b5a9b188af352dd7bb

SHA1
b791281afb4d6b832f982f56e62e63972492bc0d

SHA256
fecf9180f1bb9817258d40527d02866665f363116ce736cf4f08c92c7f3d0f91

SHA512
3b365a8b318642e60410c1a99c2998df931e53e68e547b88dce33cd2f4b166d58ea62aa3627bdacec60dfcda3e323b6f4a9619b98739376324d7e720c2e62c43

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
80KB

MD5
8b3115cfffdfa8eb1bf6ff529253f776

SHA1
ad100582bcadc7cb3a2ede7ed3d241fb19bbd0fd

SHA256
bd674cacca813d016950b5136d3525407134284231c892b292ddc49362bb2072

SHA512
4f2cf5d76b1af74615000d81cd8e88de573b6d5fda0c548a57f567a8f2f2321ca54f4c27d2b45265104ba0ba7b9e0f80c06fdfefe165d7c14493581e0b9b4ae8

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
80KB

MD5
3a3eac91ec016019ddbd2289736c6aed

SHA1
069147a2a2d6835d806c0f37689057b0a463ba58

SHA256
4e8f8c16ef379649ea27c52988c325b0fa89a7fcbf5b56d02dca76a181e99f29

SHA512
512cff9f18d35a2877f7bc87c298376253118b7405ec914dcd8ff0f60e19edc3ba4b45987465da42c4b02dbca0817f1b3d378db62f9903f02e2dc834055bcf30

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
80KB

MD5
d20d46815a5f99a06f6fb9db19fa9c9b

SHA1
ca078da8860f97cee78ee69653221eb036e49972

SHA256
83289a0819586d9601c14e9e697ac1145d2c82c4bec83c5ae6c3fb50823bfe57

SHA512
47a202a64660a647df33513954016a9ec16f852d5daf43aff65a2d697ce4c3b1dec5b0ac8565ad4648ccc28f62dfb35b903c2b6de72a9dd30dc78c73466d28af

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
80KB

MD5
90e257267d4a79156f67e44bbbdd2e53

SHA1
08741a22a8f43723bfd243e396625f1f5831b192

SHA256
c3c5bb1d5d4ad0daa51e44cd549092d3ada2ed26914b833892bc4186975bdbc9

SHA512
7c3e0e63e909a46f163d0024d44a72264eee7c2321009accbf1148411cec2d6be754a16f501f24c8e2f893422f6ff573475c2e34c1bb9dd9f79945dc4e92a9ef

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
80KB

MD5
2f7a1ed3a3a2e715d1f519813e1aa8cd

SHA1
9079553b2ec02fa0336339b1d37645ac2750324e

SHA256
06bf9ccd23441e0bf4709cd40c2fd49859f5124b21fca5cd8263aeea9eb7da9a

SHA512
0533d3c7c0941c44600d4dfe1623ee98752bb1ceee05ff458d214c10b7003ca81b682613bff8e99170bc5c533e27e3ffc19a82fed50bbdb79de3cd5d4cf8e6b1

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
80KB

MD5
1265c7cbf38c2ad7aa76a673d55b56af

SHA1
70c7c271b85427332be67ed9af259c6de7d1f137

SHA256
5f8b39ecf9cc8dd4b9551a25b2d93ce2f56dc22c7a046bca3ed7d54e266ca3eb

SHA512
3292c4b259a2b9d4358e17f333e78227cc441f94855f96cbdd65ceafb9daaac48ce5631801a572b98fe78f1f293ee059b6e48ebeefa6de9431cc5e818440eb0c

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
80KB

MD5
d2f6777f46a0aafb2bcdb1a4c1df4dbf

SHA1
4dd8aeff48d57687d88a9be9d9d3f09df8da1cec

SHA256
a640cd2003307d8f1d7964c698a1541e9570ec20d678cbecdbe773030f0cb362

SHA512
67a6e9bd8ab1bd4510d5f00b2437196fa1babbfd362e7c4c581e0d2e8987986fee9e0b301060b4f93b838daf8f38bc83c2ca8a598965bbd75a591064a31fba1b

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
80KB

MD5
25f9d25a7488f0560b7483800128c8c3

SHA1
8323bd22c63d32bbe0768ed6339d5cebe2106b9b

SHA256
c936fe1ae9a4dcb556b0667c318a2c73d48bf2dc23a008938b5eba9e75304065

SHA512
061aa25a210996699bd0de915718d7ff81dcecffec41409868b0632c84cca861cafa662ee692c700842e1a4d86fd22f136c88fec950f621e729cd9446bb7c7b2

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
80KB

MD5
08b3b910bf6a6bca132378c67cefc5f1

SHA1
105a6886addcab70262d0373e24ad0400d327956

SHA256
d505f25a86342af03955d2b5393ad63bc4a44bf7ebd9ddf2a972dd4b96140a16

SHA512
70ec6fbc331626d2117007159a7e10aa009d7c0356314db1f910970ded7600fc850939c42cef242da156134ec7f28246dc79ae1bfe5424d162fac873b87a0b62

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
80KB

MD5
1ca0c19c57d36131c102ba3e416f4513

SHA1
2684347a92af4aae1bd67a470d64f193e9fcb8ee

SHA256
6a90d6f5dc0612e36dcf74d129e63f3fe462708ee1b43fceccaa302a2b1a9164

SHA512
0957c2b7c918882f291d5e98d4a48d47237c7e4d622d6cabc3ce69686a5b2a14b1529ea9d1273c47f7ec72d4519e79d7c2ca8f6d4d57f76a0285a62fbe8bdd2a

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
80KB

MD5
9fffa13295b6ef003bd6b5da3d2e6c26

SHA1
f411df81477e749e84c5c6636d58de953539ee31

SHA256
23496cc596dbf373ba0b669518679cec9802379b3257c33b92276d90d377ce2f

SHA512
7381d719c7a4983b1b68064471fe5305508149f3c206dbdfa73d9b3b948d38065b9018362923c6c915d53b45eba8c2567d0c463f9f82bcc72abc11ed038162dd

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
80KB

MD5
a1fa3899b2ddffcbe36567aa7289a33e

SHA1
113001a972cdf93a9de4e0ab4dc89f7ec7eb25da

SHA256
c1540568f1de2e75efa4ac682b7ac039bff781efbaca186b6a48e6ff3998ed06

SHA512
583fe8c5169de53533d4a420067c47b2aca34ca087d0eae29c9d58b33e96cf0634ffb9338c830e6dbfcab04d493c71383e5c1d5e0338471c4bf5c82697f0823f

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
80KB

MD5
ac6c84fb6bb7695326ea3c7707410be8

SHA1
1ff28100d900af30b423994469144cbe3ddce1f6

SHA256
401d6a1ec505d879f3f9dbd9270d12dbc7aa4fcf06b4a5de3a1781ed2c5601b2

SHA512
268d6eb83aa0746f755928290ac2143c6b54e54935eba52fbbdaae8dca0a886f684900603f5658121ed419a886125904fbf8d290a161b9c3e6a57c8b2c2b9074

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
80KB

MD5
11c4e2b4fd8e66a764f4159fe42e476b

SHA1
b14bd1fab2d499e80d98990931b74d4980690878

SHA256
e32e32be92267d95b7a8de7fd9fe037513126548f8ee31f03dc44f301d96ebd1

SHA512
c529e7955e3033f11c59d8d5c452884cbe0be3c20bfb9703ff0535c10f4dac95d50439005fb836680bc4cc3ac1d2eadb1330d0eb7cc7269a3901e7be46f502bc

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
80KB

MD5
044401d86269f430caa8b24a6e5013e1

SHA1
ef0783bcbf8291a26ade542d27efc355abb18aa8

SHA256
30682ffc9d63d03b7ebc9eda575b4b72bd637f225bd97973c250b75b26d1ea8f

SHA512
2009666551779d3c4ceb26690e75af17f3f1a17c9d222d44f6c9f520f62b4fe56a73a278fc381926e75d30026a5c1181eeb2327929b2b75a024335524aecdc30

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
80KB

MD5
2b27cd815094a54e99382eff4ddd0c71

SHA1
8fe8e86edbda4f9b20da7248826d431dfbdda157

SHA256
f2a36c5d170680c0f728a39ef35e36a7b53fb372b40fb4c815f64b8136ef47e5

SHA512
9dfdf1ec3b6eba389f1f0499601f734317f422a303a20f6090c40cff781f3593e46f287e89cda8a86ca142bc6b9424e4ae676997f83c0180666740e2c4a9716f

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
80KB

MD5
06cebb4f9731425f8d321ef4bf9f9f71

SHA1
0322649c4ca43adf20cc12a805b8748a9a71c9b0

SHA256
b3731eb6e867295499e20a94dc44fcfcdaade493b7fd8f447a5f8d2413913ab4

SHA512
667fcb334ac880a7896e2dfa32d0c541695535c044ecacd16e4db40a968a6e4540faf4891acafe5d000586add3ea7f91a71ebb06a459c55365b718bc26dc10f9

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
80KB

MD5
f483737b5afb33dd69a4388864fc1321

SHA1
333d5871b9d2131c165ad09ce9844a2e8825d543

SHA256
0e0527acd273fa7d8f482dd5011f1fba084cbfb08e426a3391f01c7473828e29

SHA512
c728dc41772faa85b29f60f658b4175ca8f602c26fe30e61899aae9ee0a9be1ed7cea375e767e8b7539423640833c3db5600fdf5a4da622ad9c37c89b9d73c08

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
80KB

MD5
a258db9489d7f0e9752987ce8f2e9f42

SHA1
e152dddfd2ba6756d1cd73f56aefa754fbd08be5

SHA256
e7d95c0d88561650b3568cd76b687c900f78401750d34fdcf236bd360d007a5a

SHA512
1e15756f85759f821019d4020daeb681555d875a249e7c5dd3c9e676c65d60d0a56381cfabbf074c59f29f5469f7936d3c7f36d2254b8e27d79990826700dafb

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
80KB

MD5
0e910e61b1af982435d741fda42fbca8

SHA1
af81f81dc04ff642374d555958be1dfd50eb2e29

SHA256
7c38725c2007bd5e0d4328d96d30f25170f382af017c2ae49b796823af10f9e4

SHA512
b9a1f3bdc99314554e5da7ca86805f698675e484f93bd165a91af687bc0730722966fe13ff478406bccba5a62a194090d678c5eccc98ef99730b562a75ba11c5

Download Submit
memory/316-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/316-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/972-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/972-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1156-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1204-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1204-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1600-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2376-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2376-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2680-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3228-141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3516-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3760-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3760-326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4708-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4708-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads