e7a2a34c7a49c3942cef4cca69bba767ae25ebaf990d36a78677bb5f902eada3

Analysis

max time kernel
136s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 11:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe
Size

81KB
MD5

04420d52cb1b10fae0abf06cdaa78740
SHA1

f63aa87222cb7663a22f610703788fb5de8b89b2
SHA256

e7a2a34c7a49c3942cef4cca69bba767ae25ebaf990d36a78677bb5f902eada3
SHA512

bb70b8a616c353f59e1ba0bedab0db4694346f5ad65aaf539c502c5bcbc46915c190991320e5db005c66236d156bd07d11a57d27cdbb206d779431b6c3d12469
SSDEEP

1536:B5qxZYOreJJbIiFTJAiB7lgpZAPX7m4LO++/+1m6KadhYxU33HX0L:Y/OJbIiFvDgXAPX/LrCimBaH8UH30L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe

Executes dropped EXE 62 IoCs

pid	Process
3192	Lnepih32.exe
2236	Lpcmec32.exe
920	Lcbiao32.exe
1576	Lgneampk.exe
1396	Lilanioo.exe
884	Lpfijcfl.exe
4888	Lgpagm32.exe
556	Ljnnch32.exe
2036	Laefdf32.exe
1708	Lphfpbdi.exe
2228	Lcgblncm.exe
1516	Lgbnmm32.exe
5052	Mjqjih32.exe
4552	Mnlfigcc.exe
4716	Mpkbebbf.exe
1652	Mdfofakp.exe
3048	Mgekbljc.exe
2388	Mjcgohig.exe
4868	Mnocof32.exe
240	Mpmokb32.exe
224	Mdiklqhm.exe
3004	Mgghhlhq.exe
4616	Mkbchk32.exe
1856	Mnapdf32.exe
3944	Mamleegg.exe
2684	Mdkhapfj.exe
1092	Mcnhmm32.exe
1792	Mgidml32.exe
1704	Mjhqjg32.exe
1636	Mncmjfmk.exe
3888	Mpaifalo.exe
4428	Mdmegp32.exe
2676	Mglack32.exe
2196	Mkgmcjld.exe
3116	Mnfipekh.exe
5088	Maaepd32.exe
116	Mpdelajl.exe
3584	Mgnnhk32.exe
3800	Nkjjij32.exe
2012	Njljefql.exe
4980	Nacbfdao.exe
4508	Nqfbaq32.exe
1760	Ndbnboqb.exe
2240	Nklfoi32.exe
4144	Nklfoi32.exe
1960	Njogjfoj.exe
548	Nafokcol.exe
4932	Nqiogp32.exe
1476	Nddkgonp.exe
3132	Ncgkcl32.exe
3576	Nkncdifl.exe
3032	Njacpf32.exe
4512	Nnmopdep.exe
948	Nqklmpdd.exe
3640	Ndghmo32.exe
3744	Ngedij32.exe
4496	Nkqpjidj.exe
3864	Nbkhfc32.exe
1124	Nqmhbpba.exe
1536	Ncldnkae.exe
1048	Nggqoj32.exe
2432	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3704	2432	WerFault.exe	147

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 3192	2480	04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe	83
PID 2480 wrote to memory of 3192	2480	04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe	83
PID 2480 wrote to memory of 3192	2480	04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe	83
PID 3192 wrote to memory of 2236	3192	Lnepih32.exe	84
PID 3192 wrote to memory of 2236	3192	Lnepih32.exe	84
PID 3192 wrote to memory of 2236	3192	Lnepih32.exe	84
PID 2236 wrote to memory of 920	2236	Lpcmec32.exe	85
PID 2236 wrote to memory of 920	2236	Lpcmec32.exe	85
PID 2236 wrote to memory of 920	2236	Lpcmec32.exe	85
PID 920 wrote to memory of 1576	920	Lcbiao32.exe	86
PID 920 wrote to memory of 1576	920	Lcbiao32.exe	86
PID 920 wrote to memory of 1576	920	Lcbiao32.exe	86
PID 1576 wrote to memory of 1396	1576	Lgneampk.exe	87
PID 1576 wrote to memory of 1396	1576	Lgneampk.exe	87
PID 1576 wrote to memory of 1396	1576	Lgneampk.exe	87
PID 1396 wrote to memory of 884	1396	Lilanioo.exe	88
PID 1396 wrote to memory of 884	1396	Lilanioo.exe	88
PID 1396 wrote to memory of 884	1396	Lilanioo.exe	88
PID 884 wrote to memory of 4888	884	Lpfijcfl.exe	89
PID 884 wrote to memory of 4888	884	Lpfijcfl.exe	89
PID 884 wrote to memory of 4888	884	Lpfijcfl.exe	89
PID 4888 wrote to memory of 556	4888	Lgpagm32.exe	90
PID 4888 wrote to memory of 556	4888	Lgpagm32.exe	90
PID 4888 wrote to memory of 556	4888	Lgpagm32.exe	90
PID 556 wrote to memory of 2036	556	Ljnnch32.exe	91
PID 556 wrote to memory of 2036	556	Ljnnch32.exe	91
PID 556 wrote to memory of 2036	556	Ljnnch32.exe	91
PID 2036 wrote to memory of 1708	2036	Laefdf32.exe	93
PID 2036 wrote to memory of 1708	2036	Laefdf32.exe	93
PID 2036 wrote to memory of 1708	2036	Laefdf32.exe	93
PID 1708 wrote to memory of 2228	1708	Lphfpbdi.exe	94
PID 1708 wrote to memory of 2228	1708	Lphfpbdi.exe	94
PID 1708 wrote to memory of 2228	1708	Lphfpbdi.exe	94
PID 2228 wrote to memory of 1516	2228	Lcgblncm.exe	95
PID 2228 wrote to memory of 1516	2228	Lcgblncm.exe	95
PID 2228 wrote to memory of 1516	2228	Lcgblncm.exe	95
PID 1516 wrote to memory of 5052	1516	Lgbnmm32.exe	96
PID 1516 wrote to memory of 5052	1516	Lgbnmm32.exe	96
PID 1516 wrote to memory of 5052	1516	Lgbnmm32.exe	96
PID 5052 wrote to memory of 4552	5052	Mjqjih32.exe	97
PID 5052 wrote to memory of 4552	5052	Mjqjih32.exe	97
PID 5052 wrote to memory of 4552	5052	Mjqjih32.exe	97
PID 4552 wrote to memory of 4716	4552	Mnlfigcc.exe	99
PID 4552 wrote to memory of 4716	4552	Mnlfigcc.exe	99
PID 4552 wrote to memory of 4716	4552	Mnlfigcc.exe	99
PID 4716 wrote to memory of 1652	4716	Mpkbebbf.exe	100
PID 4716 wrote to memory of 1652	4716	Mpkbebbf.exe	100
PID 4716 wrote to memory of 1652	4716	Mpkbebbf.exe	100
PID 1652 wrote to memory of 3048	1652	Mdfofakp.exe	101
PID 1652 wrote to memory of 3048	1652	Mdfofakp.exe	101
PID 1652 wrote to memory of 3048	1652	Mdfofakp.exe	101
PID 3048 wrote to memory of 2388	3048	Mgekbljc.exe	102
PID 3048 wrote to memory of 2388	3048	Mgekbljc.exe	102
PID 3048 wrote to memory of 2388	3048	Mgekbljc.exe	102
PID 2388 wrote to memory of 4868	2388	Mjcgohig.exe	103
PID 2388 wrote to memory of 4868	2388	Mjcgohig.exe	103
PID 2388 wrote to memory of 4868	2388	Mjcgohig.exe	103
PID 4868 wrote to memory of 240	4868	Mnocof32.exe	105
PID 4868 wrote to memory of 240	4868	Mnocof32.exe	105
PID 4868 wrote to memory of 240	4868	Mnocof32.exe	105
PID 240 wrote to memory of 224	240	Mpmokb32.exe	106
PID 240 wrote to memory of 224	240	Mpmokb32.exe	106
PID 240 wrote to memory of 224	240	Mpmokb32.exe	106
PID 224 wrote to memory of 3004	224	Mdiklqhm.exe	107

C:\Users\Admin\AppData\Local\Temp\04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04420d52cb1b10fae0abf06cdaa78740_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\Lnepih32.exe
  C:\Windows\system32\Lnepih32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\Lpcmec32.exe
    C:\Windows\system32\Lpcmec32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Lcbiao32.exe
      C:\Windows\system32\Lcbiao32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        37⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        63⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 400
        64⤵
        Program crash
        
        PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2432 -ip 2432
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
81KB

MD5
b9e14b09d9c4dcd04eaca7492e9c2fa8

SHA1
5093ac6eca4d7d8cd15ef28695434889ef408707

SHA256
396751917af769d9403f32bf14649f3e87901ecc4f6058bdb14d2f3fe2d9c61b

SHA512
30e495247137110716e10c0d2c3f60f25a1fa6fc263206fc4cad50c69ac207e6e5a3d9c49c51d99301daeb4c42cfd52473cd8a82cd43b4b71445733c7865947c

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
81KB

MD5
e85f2cf26ffa9c3a1273e0a55f8fc66a

SHA1
bb09fad841ad17b06af10d4a00b6ad5e8af6633d

SHA256
f332bf13c758108a1d54adc3e2dc5ea349cf5848b4342cdee7a3d1b2a0625091

SHA512
8629329ed3b5a9155830f0239fe80eb40d0f2fb1eca58061112e4c88aa983b9a8105a3e859f0c655b230ae6a42bf5b68beb768332d233fc7c1b35447149980b7

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
81KB

MD5
1689ffcba0e9ed888bfba19bab353c63

SHA1
3fb2be18254d6e38341bda37fdd60c4ec4aa88cc

SHA256
73e22b5bf7b3c3de15fd657f1dbe700bf27aa488e46b06c349b26a0397781943

SHA512
de6a351a01fd8b33d918e1a546d58a414a65d5ce360073b94a84c76b2493d407d581e5446cdae3e041f7ae68212ef888a064eb0af0433de1c144f946124bccd5

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
81KB

MD5
c2dc5e66b19a45f47dce5924ca2a674f

SHA1
921755d4c90d37e75790f3a9b2b15474c88a0227

SHA256
97a9e238f76400dd9ac87d7e823d74c250886334697b4e257e137a0bdf67124c

SHA512
7b3c1147883987f8565c94301bf57bb8e2bd1094a433f094a438b22c86435c7714707c467d7e5887bf3689e920e68b4d9aa586f1dc07192a52d75f8a4dfdb4d5

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
81KB

MD5
1f4d8b794015b8858c206f0befd154e7

SHA1
fd53e88803a3021a35bbf03ad86f53a950500b3c

SHA256
67ef6e217f76bc78dafc884a94989405d2d1bd3789b50903ddc2a38cfef6a1d1

SHA512
80a523ec53c7d5f095aa99457d2d79b91f3e695601719cd82d11c08752a945303a173ac3b4b5ea41640f1d8d9f7b3e4cea6e1c1afb35f09e95e252c03061fffa

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
81KB

MD5
45622bab827fedf5010ebc1543b8e1c6

SHA1
c278bde2bf92e5a59bf4edb488d1212658027c63

SHA256
362972cfd1d9feb9e66680de8ccf2025396d94cfa85db2df8d433620b76905a9

SHA512
5764075bd41e71b7e5aa369973284dd14904bfd30379eaa5a9d695d43e87878b0a0b6054f6a66658a2f1817f0271bb33ed782d6af369827c4e971370ec0d7dfe

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
81KB

MD5
8bb0a0e13dc5809aa5ff1738a765c754

SHA1
3b4e8e42280b08ad31f564aba6cbce00a226a05e

SHA256
a12b7ae595cb61359a4ec3cad7fe8fed1588f73d0dc1bca39ac5f4833504e457

SHA512
f7e83b897753684df061c2bff4055b7e6c882f2dcaea33b8e566e66da34291490ba3b1eef0babda4f588e69c280eed732145c5569ca9f221b534e7416516ba8e

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
81KB

MD5
3adb05a948944b40c1ebee98c31f263d

SHA1
37df73917092568c36eb9a25d3e9a80024949bfb

SHA256
c5ac113f363fa6c884f1bae72b1c72badd75a46cdcca1311554cfe42b4d09705

SHA512
6398b4720782b56017de010b100876abb487458e2a87da51ae09e2839f87fb28da758d11476e43307564d8371f96314e12e67c518a78dede03c93091c03341ea

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
81KB

MD5
99a79e96257005749a91bd6bd4804617

SHA1
8fd0f0cbcc670b7989ac629bab9c71112e4391bb

SHA256
c41453646ec85842aa1877021bf971062505644fe12f8152bb5442504e6a7ab8

SHA512
165fa80475f5591ac2bb310ccd24f12a98ebcb1614eae2ea75fe84919a88a5051b4394a8174894b5d52e2c8001bc754218757efd8452ec44c1d401b14737c086

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
81KB

MD5
ae169710ec6d145cd8a143b0d3decacc

SHA1
0530db29887133992c8d94c318db5984f43a6448

SHA256
32053c469001de0d4a906fc10937c576deff431bc2dbd67b2cf5125e7e240ea4

SHA512
05c84b3e022e6cb29bba81c3515a198df47783703904c7a3718d5b40fd09d7c5f93ba0559e7d32f2c31ecc8f999ef21b998761fcea02d9866e5e49a1df08ba5c

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
81KB

MD5
48ee03aa68307835910fd8810005d926

SHA1
8340ea7275c7896226830cef210014a3f1a69d1a

SHA256
466c378886ecd8206aaa69f2aaa85f267d7ff4dcc4d59a11abb505017fb33be7

SHA512
b8f2488c5520faa6d42bd321305a898bcafd3b26c162b9541ca41e21ff5b00a8372d839a280f582d7d15eb9b3c3a353f3763b3bc29f9245f42a0cd4c491052fd

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
81KB

MD5
512bd49df74a6fba4fde3128e5fdec2a

SHA1
748443acc4e0fd7bfe1753013376001867aa80e7

SHA256
8e1948840c7bf7bbefc8b8b302d9f8e52bb34daf6a4e2002dcf01742456c7168

SHA512
8d9d828953d3f47a097397df55cad6fdd25d5f302dbef8d808f676a6054409f1333b912e75311b799b58cfb46d8a492173cb8f8286aafee4ba3318ecf2dd34ea

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
81KB

MD5
53187adb64192db5dda8d55a88441de8

SHA1
a2beabf3282a9bf1ea64aeb34fdc2ed1755d75a3

SHA256
ac6d0b3b69d22566df1802394b1b776b43e044ef5253b5f8256ecb0c8b77b24f

SHA512
71870671a09e7a1666bae0e7679803d73d6b940fcd5cce31deb6b347ce1cf590f96affb30c44dfb9c5e888216f24ae58b0014dc5ca81048cca3e54f29b06a84f

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
81KB

MD5
93110f0efe6ab3b56147a68a2aa4bf96

SHA1
fe5495be3cc9a437a4d855220e9762a3a74e4776

SHA256
5cf4127c39879999901fc5893e2bf1dea096689c554c39921d37feb4ef2c4fbc

SHA512
f00a551518e616fd41894c7b96844059292b51d069eabf65bd9a1bffe8c96a96af8699d22b631646573f5f03b6dcdaeb3c4030340330c5975d5c656dafcbba72

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
81KB

MD5
3108bcf0f151c920529e7b7044af4c58

SHA1
0cf8f28f00d6424206bf75b9d0c3f89050b0b13a

SHA256
fa656077761600cce5235a6c6d44b9ef8b84e41dba56a74a857749ad6feb3dd8

SHA512
dcd7ec094f3d00d09db14e6c335d06c413d58392c411b8501eb9e3c8431b001e1e97481d1ca9f64ad9e99e554cd907a77ef0826b9e3dc6b7c568efffa2278c8d

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
81KB

MD5
8b8775d34e0e075d3bf38d60a94f4e94

SHA1
b967a4892275a2fc6e95ee95700f1fba69673511

SHA256
f6bd262cb7351b6ad41133f7e66ac2ab52b9199b7d314bde89595a6b525ea64d

SHA512
c98e5fb284033983644e60083ecba027a1160ee0830bfca50de3374cdabe41d1c2963312e13cd1b5aee73fe77611d6ec654e4db6053444cc73b3d998de92e738

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
81KB

MD5
8e5d13d106d237a14131ec5395e3cb27

SHA1
210d73df8fea3d560582ea4391b3973a0f930222

SHA256
c1c5c9248d046afda4a47c36939b6f56b12de155955b2b69b143c66a9013edf4

SHA512
6e28cf396b5d593e440c24f1bb4db39ee7420205450ec4518e13c06585dac07681d4e48e4f72b59c0f5a52ec28f5b9da67cd99f1126513d540c7af48ed8c0c2e

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
81KB

MD5
91ce6ece38d59b5eeb56c86b92da5d50

SHA1
ccf04c43e2cbb6cbe45f10df6eabd6b9e9e57134

SHA256
a4c52fe1e67b311cf036b0dd1844191725b7a7827522dba4dc7e70206bf4e159

SHA512
94010f5ddb46630383e914ead918a7f8e507ff5e469d67dd7270504befd60225214d3a548c0c4ae6ef147ee93fb02991d62e8b4c927f01bc86b5fde656f1785c

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
81KB

MD5
07d474e923e58afb08f1ca680b73578e

SHA1
4ff0de71faf620bed5adff72fd82590bc11fcec0

SHA256
b4da079509b9093d37c5ec6d1062f6d43b40cac6d857aa1390e8f12e9e6a6f22

SHA512
11248dd40c164148ed1d865549fc50a85e5b76f09e9f57271348e2e1495607f846ea1d9b9630be63fecb85cc5846fdbd7d2aa693cdbbf31f6d8da327a38ed1d6

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
81KB

MD5
5c6acdd239b4c073e4ddd20317c62207

SHA1
86ff960c103c79ef237446b8a4e85cbe80960b4a

SHA256
e2fe0b4b2e7a3eb8f78a76373a4b51a1830ea6ed8134ff51dad960144d3c225f

SHA512
0edd6c81a84cae28bd94a006f02dca8c07560094551270c719c7611eb8e8ac11e1162320dabd8d8501c5a921ab3137b6ebbd4e4765d2308b3d9373bd4ebc45a2

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
81KB

MD5
cbce72b77c1b990a55446b43fb3296ff

SHA1
0c99b25e78518e0347719ce2056ee37982c9d1a7

SHA256
f528d33b4f19c9252c052785a385316487b89a912166ff53ee49c65c47ec7ee4

SHA512
05f086eb6fa58e44a6f2fcae14b973c11cb0d6b77ea7f30bcc91803d931b2a64a1f976d91197754bb1f110a3ae499b1fc224903380fa76825d9ef601e2b9dd69

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
81KB

MD5
8f3fe109f44dba59b785e50d5e52ef49

SHA1
cbab74e4996f5fdb90978686cb0c1f63a5711df1

SHA256
0c64633cab2c587934806edb38a8c2e2d6732f0f6c1c226b06d67211f94999ac

SHA512
11004aa50029e5d7af8f6ebfff123e19d6af925e446963ea592f9d53e04b542802ef034499fa836d3f3be1ff17c367d7c8cb9d4000a70ec38bbbe7c6e53b6e87

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
81KB

MD5
48170b292fcdc3ef21615cc91000a732

SHA1
4547266c57d80f048728ffc463e3b36b3f4b4da1

SHA256
ab94fc9cf85865a8e190900afcc74d256de38c5b43b99cdd8e92bb63300eac8a

SHA512
1f14281a328424d13bfbe4c24ef2531de0ac800b73cb95073e0a90e2e06ef4c68ab29a9b3af0c0cb1d0c12bbaa19f472f9d4719c20b3819b81bd219f04ef882d

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
81KB

MD5
3eea3b286fbc8e9bd22a48ba432a4f7e

SHA1
b1fbf172651bd69283ac2cfff468c398f4b20332

SHA256
cd6de480b6188ea9821ac5dad5835e64f69310ba2dc02a32d0dedbe96308fedb

SHA512
d423bcfe94c2075fdbf1206eea917695c16174fc9c67b4f9233e0074f5e011ac573a697bee646da34ed41a2b1404cc303af2cb2e91c1c1f91d75d564a3a0497c

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
81KB

MD5
b24fc022e804e62f872f1caf8cac7c06

SHA1
d20d3dbbcb53bb9c11437561f1ccc206f904eb89

SHA256
b67fe18746464e06f8899845d67ffd6ceff26b1f8dda19ceac08c874d5a8b334

SHA512
03094a6bae403320c738c383288550a13d3ed9f914074b020a8d3eb5e1a1f90ff3fc0e6f8f011e7da6ac4637ff62e9c6893a31176e5a4dd49de9e6165f293f02

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
81KB

MD5
d6ec201eb538166b47612ca989855808

SHA1
6b4e1976b1a978937910630341410d76f36f05e5

SHA256
b104b3ab4e82d0bfd03fbb80ee2ff2d71b459b9c38e65f0f775be121af21c9a9

SHA512
ac0d9c64f62fd4ba779a75ad3905df19b08776986eb37ddf8c3921bca0597e4e1f539f2b80866ca38ef91e5152db44d099442603b6862c65da69fa0e1eb33ef0

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
81KB

MD5
1cecd5b593bfed3b2cc436d8a8997b50

SHA1
9fb9bb8996db0db112a30b427ea26f4c47ee42d3

SHA256
9e0373bad65a8d209038d3d2defb59ef4d0a9c855c82d5a4cfa6b73146fa4e48

SHA512
20420c350badb7cc4645e2270011159a3ce3d516a51eff64489c09167f8c6860399071526c8c72438a4dcd220fb2a72bbcff26e0000f81c85cc2451ca68b2a18

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
81KB

MD5
5c1d996e241740bbfb64915183a8de12

SHA1
9bded2f86cbe44479efd107e966d9fbc22db2dc0

SHA256
1078c67e074d6de14e7c6ee9ec51e28462a650a87c0349d5a05170c5ed69a3a5

SHA512
c52a83ac50ae4e3879165cfe4d03e0692ee55a39763a44ad013e5a004581b4fa0d5e18b537a115aa786da293287502a5d3b55e8e1f60d203ae7cfeb517cb8999

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
81KB

MD5
54e60504ff309f4e000f22b6cfb1d468

SHA1
e3885311661169dca88dd167ed8cb198c2615436

SHA256
5540f8738875a68cf3c1054a42c57777e1c5f54aeb9082a506fc321011d5d104

SHA512
44ec474725ba3b14e1d6c76821784ac21d203b16edb9accad7d4599d3227ba9ba332c83e0e9e52102caf89c45cbe640bde50f908bc15d1f09db75501d810f004

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
81KB

MD5
a81b982742cd416d4e84a32aa9715b50

SHA1
be23fee6f6a4fa216017c7c32059ef0debf9787c

SHA256
b446c917de93a3fc1ae8b4133a0d53b860d7ae9074ca38ff9b1d62e36f071b5d

SHA512
60d87d8475c2a664122754308e67c1224eb0a80527f58d6bf38dae87c45f627da19b7ca5116c0ba71906ff0045ef76c3ca95646d7260117c3a9d08e6ad50ca60

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
81KB

MD5
839caa38b3c0fa7bc63cf653f036408e

SHA1
992085b2f04c9e3b9c7ca025140c614c458d8f15

SHA256
2758d6694ce99c581d3bfd80fb1ead66f4c3287fad1a864f8c2b65a67950baa5

SHA512
bf44d9da9b94f6b591b83300db711d5d01eaef437bfc0da6d1c31ef538e841768cbd1837d6db4e4371b02710c22420527539cd3ccac06e23aa93a18976306639

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
81KB

MD5
aa78aa05a495d3ce2cc75f0678f7c1ea

SHA1
c22f021a61e0920f63af5f82f0f9b32aa32af5a4

SHA256
9d363fa7e12202c0b96a0622a26a5703b118e986579c835a1ac7a9358fc11fdb

SHA512
6da41f1fa48c1aec7d18b37d10b1bceea63283d974057603bbb5cf286792c046c62059b78f1a12a4a0710f3c273a907bb7691b2d8b2d8c51738b07f879e90888

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
81KB

MD5
f0bd486df3c2672072b1589f167dfe6f

SHA1
529e4f407cb095323c12cd75591ad3a300d1f5c1

SHA256
8abcfdb8ce78494888c2a649cada6ed6049460ed32a40ed56ea0d3f4358cd073

SHA512
f9bba21ddbd5d912d231927aec4cdb5c01fdc0f14db9d6a02fe1929f167bf3add607548b4d198f12f7170ad212b17e349cda10f60d62ca5c79c54328c85c677c

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
81KB

MD5
2ad23c0a323b4a521047479c65f2db76

SHA1
3f4e3648b6bb9ac893d577af22ac565c22ef8b3c

SHA256
a2c6fd225607727e38c7344044dc0a24f17bf9bc1322269412cb106f86076dab

SHA512
a3d6d0e4520fb4ac2726ddf3ac6246482376207c3c0e2f6aba6d086a7c224b87c50ce96f10c93ca14e722b795738ad31e4194a8a5c27371455e69b5c88087c89

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
81KB

MD5
63dc2c49a5d9649595130bf7bdfc7592

SHA1
3a4afa83874813c5e22c6580fb1ffb2d0963c639

SHA256
255f8e9990d9d26ac4fbcdcbae40125f1ebfeff03a84854b3edd22735f5c69b5

SHA512
f5beed1408563f0f666a704e3c7e975261b4eca447fecad491d55ceda82388351b1eea7d9ffac7e621af10cea1189221f14837854baf67c628fcd890d29cd162

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
81KB

MD5
9b85725efd5902d315cb8f9510a05caa

SHA1
2e2710d62a7e6c63538c8e1078cdc99a938890db

SHA256
981b18debcbdb0b228fed05314a44285a5e8a18be288ebd91a3c4e59193f3203

SHA512
a506a21620df8064e2a3a4f6fb9307b5727aa9f7a9ac8106537e66cf573685c49cb6cc6386638150664ea5bf1b0bf9bced7377562faeb8bb8d62a97a638404fa

Download Submit
memory/116-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/240-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2480-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads