721813adb3d8961e6080238d758c0bec360e6769975f70b93cd7f0c51fabcceb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe
Size

69KB
MD5

bcf52aee5ce9cad2e3c2564dcb2b85a0
SHA1

b9c836a17b2afb5471558871a69a1473f42ce569
SHA256

721813adb3d8961e6080238d758c0bec360e6769975f70b93cd7f0c51fabcceb
SHA512

669623d9e187c6ba19c581ace3669bca6f97690ccfbf0c844e3616139512a03d841de27888ed717592afa04eb91bfd09fdc2ff45de19d8e31d7778fb0fbf4932
SSDEEP

1536:a9VDhRvN/b6218KVVF3zNein/GFZCeDAyY:ARjvN/XDDxzNFn/GFZC1yY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe

Executes dropped EXE 53 IoCs

pid	Process
4452	Kckbqpnj.exe
1344	Kkbkamnl.exe
2404	Lmqgnhmp.exe
3780	Lcmofolg.exe
1072	Lkdggmlj.exe
4740	Lmccchkn.exe
3888	Ldmlpbbj.exe
5076	Lgkhlnbn.exe
3588	Lnepih32.exe
540	Lpcmec32.exe
408	Lcbiao32.exe
3696	Lgneampk.exe
4408	Laciofpa.exe
3480	Ldaeka32.exe
4012	Ljnnch32.exe
4332	Laefdf32.exe
1764	Lddbqa32.exe
744	Lknjmkdo.exe
1100	Mahbje32.exe
3832	Mdfofakp.exe
4924	Mgekbljc.exe
4316	Mjcgohig.exe
2300	Majopeii.exe
3240	Mdiklqhm.exe
2532	Mkbchk32.exe
3300	Mjeddggd.exe
2892	Mamleegg.exe
4148	Mdkhapfj.exe
1660	Mkepnjng.exe
432	Mjhqjg32.exe
5116	Maohkd32.exe
2612	Mdmegp32.exe
4536	Mglack32.exe
2124	Mjjmog32.exe
2032	Maaepd32.exe
4492	Mpdelajl.exe
1520	Mgnnhk32.exe
2004	Njljefql.exe
4056	Nacbfdao.exe
4708	Ndbnboqb.exe
3136	Ngpjnkpf.exe
3464	Njogjfoj.exe
692	Nafokcol.exe
1832	Nqiogp32.exe
4280	Ngcgcjnc.exe
2468	Njacpf32.exe
3884	Nbhkac32.exe
3508	Ndghmo32.exe
4888	Ngedij32.exe
2420	Njcpee32.exe
4276	Nbkhfc32.exe
1376	Ndidbn32.exe
4820	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4856	4820	WerFault.exe	138

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 4452	3704	bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe	82
PID 3704 wrote to memory of 4452	3704	bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe	82
PID 3704 wrote to memory of 4452	3704	bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe	82
PID 4452 wrote to memory of 1344	4452	Kckbqpnj.exe	83
PID 4452 wrote to memory of 1344	4452	Kckbqpnj.exe	83
PID 4452 wrote to memory of 1344	4452	Kckbqpnj.exe	83
PID 1344 wrote to memory of 2404	1344	Kkbkamnl.exe	84
PID 1344 wrote to memory of 2404	1344	Kkbkamnl.exe	84
PID 1344 wrote to memory of 2404	1344	Kkbkamnl.exe	84
PID 2404 wrote to memory of 3780	2404	Lmqgnhmp.exe	85
PID 2404 wrote to memory of 3780	2404	Lmqgnhmp.exe	85
PID 2404 wrote to memory of 3780	2404	Lmqgnhmp.exe	85
PID 3780 wrote to memory of 1072	3780	Lcmofolg.exe	86
PID 3780 wrote to memory of 1072	3780	Lcmofolg.exe	86
PID 3780 wrote to memory of 1072	3780	Lcmofolg.exe	86
PID 1072 wrote to memory of 4740	1072	Lkdggmlj.exe	87
PID 1072 wrote to memory of 4740	1072	Lkdggmlj.exe	87
PID 1072 wrote to memory of 4740	1072	Lkdggmlj.exe	87
PID 4740 wrote to memory of 3888	4740	Lmccchkn.exe	88
PID 4740 wrote to memory of 3888	4740	Lmccchkn.exe	88
PID 4740 wrote to memory of 3888	4740	Lmccchkn.exe	88
PID 3888 wrote to memory of 5076	3888	Ldmlpbbj.exe	89
PID 3888 wrote to memory of 5076	3888	Ldmlpbbj.exe	89
PID 3888 wrote to memory of 5076	3888	Ldmlpbbj.exe	89
PID 5076 wrote to memory of 3588	5076	Lgkhlnbn.exe	90
PID 5076 wrote to memory of 3588	5076	Lgkhlnbn.exe	90
PID 5076 wrote to memory of 3588	5076	Lgkhlnbn.exe	90
PID 3588 wrote to memory of 540	3588	Lnepih32.exe	91
PID 3588 wrote to memory of 540	3588	Lnepih32.exe	91
PID 3588 wrote to memory of 540	3588	Lnepih32.exe	91
PID 540 wrote to memory of 408	540	Lpcmec32.exe	92
PID 540 wrote to memory of 408	540	Lpcmec32.exe	92
PID 540 wrote to memory of 408	540	Lpcmec32.exe	92
PID 408 wrote to memory of 3696	408	Lcbiao32.exe	94
PID 408 wrote to memory of 3696	408	Lcbiao32.exe	94
PID 408 wrote to memory of 3696	408	Lcbiao32.exe	94
PID 3696 wrote to memory of 4408	3696	Lgneampk.exe	95
PID 3696 wrote to memory of 4408	3696	Lgneampk.exe	95
PID 3696 wrote to memory of 4408	3696	Lgneampk.exe	95
PID 4408 wrote to memory of 3480	4408	Laciofpa.exe	96
PID 4408 wrote to memory of 3480	4408	Laciofpa.exe	96
PID 4408 wrote to memory of 3480	4408	Laciofpa.exe	96
PID 3480 wrote to memory of 4012	3480	Ldaeka32.exe	98
PID 3480 wrote to memory of 4012	3480	Ldaeka32.exe	98
PID 3480 wrote to memory of 4012	3480	Ldaeka32.exe	98
PID 4012 wrote to memory of 4332	4012	Ljnnch32.exe	99
PID 4012 wrote to memory of 4332	4012	Ljnnch32.exe	99
PID 4012 wrote to memory of 4332	4012	Ljnnch32.exe	99
PID 4332 wrote to memory of 1764	4332	Laefdf32.exe	100
PID 4332 wrote to memory of 1764	4332	Laefdf32.exe	100
PID 4332 wrote to memory of 1764	4332	Laefdf32.exe	100
PID 1764 wrote to memory of 744	1764	Lddbqa32.exe	101
PID 1764 wrote to memory of 744	1764	Lddbqa32.exe	101
PID 1764 wrote to memory of 744	1764	Lddbqa32.exe	101
PID 744 wrote to memory of 1100	744	Lknjmkdo.exe	102
PID 744 wrote to memory of 1100	744	Lknjmkdo.exe	102
PID 744 wrote to memory of 1100	744	Lknjmkdo.exe	102
PID 1100 wrote to memory of 3832	1100	Mahbje32.exe	103
PID 1100 wrote to memory of 3832	1100	Mahbje32.exe	103
PID 1100 wrote to memory of 3832	1100	Mahbje32.exe	103
PID 3832 wrote to memory of 4924	3832	Mdfofakp.exe	104
PID 3832 wrote to memory of 4924	3832	Mdfofakp.exe	104
PID 3832 wrote to memory of 4924	3832	Mdfofakp.exe	104
PID 4924 wrote to memory of 4316	4924	Mgekbljc.exe	105

C:\Users\Admin\AppData\Local\Temp\bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bcf52aee5ce9cad2e3c2564dcb2b85a0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\SysWOW64\Kckbqpnj.exe
  C:\Windows\system32\Kckbqpnj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\Kkbkamnl.exe
    C:\Windows\system32\Kkbkamnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\Lmqgnhmp.exe
      C:\Windows\system32\Lmqgnhmp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        54⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 400
        55⤵
        Program crash
        
        PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4820 -ip 4820
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
69KB

MD5
44411ce6fe9c16bbac14a6a0a7aa937f

SHA1
eccd647a13208f9d79b9c9a46ddf766a3361e464

SHA256
4e2c0084ff85589a829835dfef5ec6bc155e6602af0d3ea4f5a0f9f2454cf031

SHA512
20c434d882dbe612183d54d4b8501a49f4464dbd64ccf28b5d202c26b7bc1b5ce2e0b67846911b3b7fbfa8b0848fa28d2b29796f4c8a039e6d01e9b5c6ba793a

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
69KB

MD5
cc992b1d837a860f736d1ccef0d8b282

SHA1
36354701e70bccdc7db4a672262b3cdbc1bb23f8

SHA256
96e0a945079a5c5991a423f2c944a853e59e23d1d1edf3e9682b19fe5915d706

SHA512
36d73828155979c746e44e3bb02591b4039dd1c3eb8681987fb393ea457f53d444838f211a4e741d657380b573f591c5b5d1b653e460e351158d310ac13a584d

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
69KB

MD5
ff122430465c3ed7ac2bdf03230d34d2

SHA1
491c8871766b83ec315c23b769bac534272a4433

SHA256
2a212833206e00849d9cb4f9c78d477a05dab718318d65aa284b37402e198bb8

SHA512
e7831bedcd398d76138cd619f43a6663e0319661254503a9c7721ec966d16049aeef001db6b9958bfb8d904676fb0635e09f6024b067e72364de39ddb803ecd1

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
69KB

MD5
a898bb99410c5403bb0372649f17d025

SHA1
aad2f3a4eedf1a4009279e9fb674cb12badbb1df

SHA256
517927ddb0dba550682972dbe66c6b9284b86c92915964facd5f36b32f869ec7

SHA512
45fae4dc6d1e02d9ceefda8be66bc91abccaa85cf1b61ec44b2de488ed6a6a0fd397bf68856eba1089eda248e9d493c1cb35c1c3448f0580b1e24085212bda96

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
69KB

MD5
02260303f9df3faca2bfa2cb6ef31552

SHA1
244b7342114c26fa42beb1251d4461e56fdd77f5

SHA256
044da509fb6b1d772c03fcf2f8906d025751454fa6990ad0f0ab4bef55265b51

SHA512
f0c076862641f6e3db90087ca37cbc56c31a3bedb96e58ffb0bd7b9add28c23620760dec534b229a5ba138a3b9291c35a0ee89a52a8b4e91e726add2a6ffb224

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
69KB

MD5
c9250a004a4c3747b08f4c17eba8ff13

SHA1
6972324615d6724cc98771f97f2dc55fafa4416a

SHA256
0a80a4d7f7e9a4c7f1c1a51e75a6188a896d7e2947e2b71209e948ba8555c931

SHA512
75cc5d7706e36b4150075c52225121b7acba952284225c989a3101ec5434d6cd1d112c712c2d5e245f6ba0d88b15ec2be9ffe1cf9f6d89c4909fdf4e8a4fddd8

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
69KB

MD5
c9097d9cb5a05afda5f8c77e16d63fb3

SHA1
c26bb8aee2598e78e3097468fb3de2b359a3b1ec

SHA256
d1d68bc424cab1e5ea030462373bdc703f7566e45f1018e34a63ddb9b981a801

SHA512
a8b8d372a1e3246634e6dc20ee757bd6c947fb272451ac13c4a660c05ba59f885958ae611e43587a6005bbdfacbad7965d37c417fce82af6f5a41a2d2ba47f1e

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
69KB

MD5
df63461630e78cd426ceb594b34b214f

SHA1
7332185399025bdd23d08675e192b5f831efadcc

SHA256
c056f24f318914a2ecf42bf61f7e8d3168890c58bb1592c4339e686eb458492a

SHA512
473a0357e55df6a315ca936645e8522ecfd2578ca69d50e997d7d9316cc697071e3151b7ea737399cfe0328ddbe00257156eea4f7320772c65fa440ffcb88277

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
69KB

MD5
4b611f1d0ac83c661a3fc9f87c1b681b

SHA1
189e61f6cfb4799e49176d1ccab476b0fa0643bd

SHA256
579857c7c30e039bbbc80162c54a4e1f1a34b3e1fac0ae3758a73496a77874a8

SHA512
10ab5bbe17d33e2266d4994f0f1bc60ed53b8f950cf10b04044f8d65fcaa493d7bb5db5ee6d93400f675afc8e210787ed59641e08968652e7acc64234c2fd9f3

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
69KB

MD5
8a86e28cc94f1a80983f8418a4ad18bf

SHA1
7f98c39eb64efc3c6553ca69cf0062a615f9fc6d

SHA256
c920b3cdd187c3bb522e722ca9cf22874b256d7f5acf2dc2b8ef2eb7636bf70e

SHA512
ad4f11ade2177a46e0ea4875fba64c8e51094fe0fd2d989a6482e851e791921ea9ce0f00412a4ceb00a61f0569ae8124f015a8b0f5df657c36306e7e3f5ba78a

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
69KB

MD5
22cb6cbc448c70bd41e9397a882bc10f

SHA1
5cb4bdcb0b2367f07a307b68f6c4960ca2ae727f

SHA256
34c7ad7ffa1b9ef88dc6a2f5316671271fa7c199bf5708f23ff86f3fe9b951bc

SHA512
88b1f501205c3d7e2f8dee0e7fab6e61eabbeac6b36dd6cb4c9c88ebfc10681a21cfe0e2b9c56f64a3868d75e302c32c6aecd13483a0a2ccb229fbdb8e440ff7

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
69KB

MD5
7092883cd533e98d8cac62a24048abe2

SHA1
6c209d142334fa539c4ec3142e5d6ca974f9d8be

SHA256
2a0d1b71099490536cbb33293d6d8d8811ecb2b7e7f4e320834f5eb69b36d470

SHA512
d75bb1c2c2ef1f2b21ca157e2cf09a37c40fdb60f3a098e3c16dc09d0c23d9d6ecb6c8cd5eeb7e1f1facff2dc70f1abd931d96ce418324da66a4476a32597693

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
69KB

MD5
6c3e7ff954a92d44d0f131122adcf425

SHA1
50855a8af3e40649c6ab39d9810f71f7f18e0c60

SHA256
9741b33032ba7fcdf3db658c54e36777482bed1c40efaed46f17be349a65ba0e

SHA512
05e370f31b361224cfae2f522be9f057f29de9a3af5df0ecff3a8ed670ce3801a98d9e376eb5cd5911834d89e5821834c389fb43e1d84cead11900b4476c4438

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
69KB

MD5
999cace936e851f77315985754282196

SHA1
214403377d8eeb3b3f2134028808d2a557c77e40

SHA256
677cb45e8b03cdc72b368375f93d1f829d9716c051ee233d2a882e00b86f7c1a

SHA512
d90e1655276f11723833a3d251d1f06f5d7acedfac9dbf822ae55fcee1040c1d80568b4ea61480bbd03e334191c8e5e505091dc66a47765ae311c47e82e0c203

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
69KB

MD5
b2743781dfaae4d75ca0898615129eec

SHA1
ac4847b157072b980adac8fdb37dea48da57ebea

SHA256
d36efaae093a28e5461ec3416f9ce6748584ab0e6da2a486ef2f5866953182cb

SHA512
085e15ff3f2a529ab2f446242e4ccc732a9580c5a8a5ab6b53c80081ac979d4624dc05bcad7c10d6505128a6fbe25e345b72671123bce8e9c97bd0df87cf2a34

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
69KB

MD5
955ba19c00540b1d011aa4fec0980020

SHA1
0929f5b3e47b43a08f4504879cfad9f919ec52e0

SHA256
94c5af3e2be07bdd34866c6a0a5becc0c9697462061e31f144813d0b39ad1f24

SHA512
9906f6c245d40d404ab5616009d4c8be04b47932a884abe4347186af99b97b8f5bcafda60e156be5e3d97d95eee9c007f3c23ca9c93bb35c60e5846301951986

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
69KB

MD5
fbc17f22852cc4c673fccce6f4f09f7a

SHA1
3c6c6ee52d9943ede0a87a130ea9709fac32de90

SHA256
66dc585de028e8b77f1871ecad54a637a4fd917a61a70519644f7ab75ef59548

SHA512
e1f08feb2b01ca2004302600e7b6cd25251f3d777c3cca1191d4d0b64558dac268027ea528285a8aaed4dc4469706e31ef4cf6138a6213ea4e59540c8d64a06c

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
69KB

MD5
baf0cf578aed28fec094f2a95430438a

SHA1
7d16c8a557a49db2a83d56e2d7f8e3a6167a277b

SHA256
97f4f0b1e6fc39dc6a66fa79ab25699c9fd45827b08eb962e1c4c7cd49243b95

SHA512
36499d1a9b29ed4e4028f56254ae07f9574b80ecd7d89c5a8eb9264939290d9fa1074a2261d0b6718fdd09834489014ab2646843356101d6cb7586a87c4e7e3f

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
69KB

MD5
e7a94e1885b2075045e28991059b403c

SHA1
89168906099855d5510aa7a1a37430383a805b70

SHA256
e4d4180e37f78efab428d30c14a286c638565f1bad49eae2560b71d47ac228a2

SHA512
49912fd34dfa630f7b2568568219fda95286c1827362ed667c008094b8251c0979780a0e77aa92bfbbb0be02fe9b46aa953e97e978a9010c71fd65787eca38fa

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
69KB

MD5
067eacc0e76d6dace71ea8fa1b897eb0

SHA1
9c4fdb1ba182573cfcc0f0577af0a34b5c3b7bf6

SHA256
a41b6b01002ab90fe8c1c494ec7829577d4c3f637f1c0119364cb744f4448138

SHA512
36a5399fe9afe1db4577db084d1f85c7773eb6e53450a69a21cec778dd6d5fe6fa784bff784d7a4fc9479b92d15b4848a5476349cbadca19a17f568721650a99

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
69KB

MD5
4ccf63a564c46e6e42986790b52a79c6

SHA1
798b2e5181311707ebda7e605ca3c16de2d105e4

SHA256
3e5a75e81eb3c94f8acb3ef102bbbe5fa6b3cb68cd99507cbcfd1a2210633c1b

SHA512
57d0743752258e42bfb9335b840f1daa91503fd200c7c86b188b597f9a2108620ad7b20e292089084d445e4ad78a9ca3db58533fac03d632efc9081abd4de3ad

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
69KB

MD5
063de62f6183037d3c5171dabced7867

SHA1
1d70184c1edb7db858a5994a3b950b367b19e403

SHA256
5dc98d7dd8142e3ee381535b266886098037be2aa54005bc0d266409f571d675

SHA512
ba8297c2ab2e1686ad20eb32ba39dbfcf9b3ca8496a1ad6de906fdb3f7c10d042164b1a6c4e9ff8700bd53e0220cb899ea3e32cd1c167ddacfa294cbdd248b70

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
69KB

MD5
e8d79659ea311be8ec9296e4151924da

SHA1
3554eb71af3f46ec838bf90002bed8f6ee00f9db

SHA256
f51021b99732d8a068be9668e9e9be763d1c30d523e3a90475114d76496ff8b1

SHA512
d5012997a1773be7f54fbb664c0618541fe2ddd3e287ebd7247d7c2e983d603c5aea77b5efd80872b5bbf1b93be5520c2795a382a5802e59426a9db8c9817838

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
69KB

MD5
ecff1b37508216b1da250006fad0dd11

SHA1
c94ed58c0ae8bea21419de549ad317ca5ae6257c

SHA256
c485532231d5c86c8539fedfcc9c72eb07a4f9b94f69336650578b7e04d07817

SHA512
89e8eab5c5696a435aaecbc6930c864e6dcb2eeaa6d3bed2d2a0e4773ac220f13466cf47b7260063411591410cf57d28f3d5fc132f98777535232ddb5c60e8e7

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
69KB

MD5
eb9228a256303d47a47b9de9839224ba

SHA1
1ee4009ebd2d0b96f20e2874d27f3b0113618b39

SHA256
f963861d79a175e9a5202d82f4881d3a71c79120ce970cd22c97a0a4ad631816

SHA512
0f239ce8bdd96b929d8b193561492a373dc5a4f4f04296d37128daee45664b939f45b584ba5fcdc102e04f23346d0ac36323857f543f829d1c24e6af5e29207a

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
69KB

MD5
0012e0e498bee5ec9422c234f6682967

SHA1
28acc9bd773ea26600a4d2f0766777743bcc3623

SHA256
939701f3191b081402b5e48db182d3b353c54af81b8c3626c9cd16b17445350d

SHA512
28054fb30978d58d4256520a2aaec7b53fb9d3b748a8909ddba66275488b8b67390b9f8fb05f11fa50a376d26f49d3b87a162278d9d8e2b42077200c0c805c42

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
69KB

MD5
00a66eab2c829a17952bda750311d7a1

SHA1
5137043f622827927a3c9deb7b5916e421a44caf

SHA256
1b1d7665328d1f288ecfeae79397f8977b190c3426915ab3763f62346ff18d69

SHA512
6c586459279064aa639abfd515c568f4d633612f68d8c3b85600c8bf2432b772a83a3b311e03facb1ba27a123bb481e2f8b3c5a0418c7ab937f203a734a6f27e

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
69KB

MD5
c5d8f7d50cd27f261ffdb85dff43676d

SHA1
1ddf18ba627eef1e67f7aabe28c6d6ac381670c6

SHA256
5f34c12b9003a01fa9d3d1f45409bb14c45fc5821dd8395085f97138b3545113

SHA512
b45e8eedc6b8defb7aa16881f74ea934d3cfe47a8815fcf177d4db70d67c66ef93fc7778ce4e8f6e94fb51d1f58717cace6f10db8e79913da64cca074feef2a6

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
69KB

MD5
3e3d9c0478606daffbf8d056e8aad124

SHA1
3a284a0ff0a3286197422211e2b627010e6d5dc5

SHA256
0495d4acf9e8d4e9a89b79daf4552e027ad2a29fae4791c3ffe1515d6b57b923

SHA512
3e9add0af7a7f7642c9eb7d06f39ee0701ae507a921a99e03316bc105e670c28ed550f750f2d76476d192edb89e40957c362a432c5c4f8d0f3be92d3fde8e706

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
69KB

MD5
bc60d521887e3fe3359bd44a015a31bd

SHA1
d6bc64799fa6f80e556735317ff1aec220ab5d24

SHA256
75bdb5fbbcd83a432884982580ae185120d79449d477ce796a1dd3be935ca2a8

SHA512
c9eac961b13664dd36bd4f97f440822e9852258a44037781b13a08fbba792fbcbe07615b0307bf95478628fcdf2fe57918e3e514ce73954b5290b226d8439be1

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
69KB

MD5
6469fe8e0e5f9fd906298962759d556c

SHA1
6ffe1f4b6e1682acb50af01a45362e8175c17a68

SHA256
e1411d1b4b1c6840969bd0979bd7e204f022f0f4a5c044f8f11ed25996aa0c1b

SHA512
00b77cde4ffa3cb8dce742075c06631be5d92cc8196cdc98db260c7a94e148e70869755ce4ac7ec90c0c4901c984cd25f83fc4ed37e525e00fb430112f38d696

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
69KB

MD5
d02c1797f75419c74906fd0190cc35cc

SHA1
d9418a67338a1dd14231dbb5a5bfe891f75d8615

SHA256
6fa22f106d9555def4d3d35017a50c0b92fda753c0940e355b4230865e223f64

SHA512
86c8c7cb22c30c657f6d7a51f82b9e8a6f59f0f126462d315b55c62fb174c4add2286a2768c0e04e0b4e52d906154fc2f2ccb05081a5cb230a0cbc5a3507dd98

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
69KB

MD5
9865c4bd7fcbb0ec23fde591faef43fe

SHA1
10d93ecc72f471469e39860568e016144c33f7fb

SHA256
1b74c3de4afecf5dcafbfd5339c31573fb9f032f65eeb63b5027f0a2d68d84c4

SHA512
25cab9b9a34774d380b5edc8cede78f3e37cf1ad28798bf223d541d944aac83a7811801d2277b5bb81795458ffc3c3c7a42304c36644666e2226eec353fa4d60

Download Submit
memory/408-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/408-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/432-245-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/540-84-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/692-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/692-392-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1100-156-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1100-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1520-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1520-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1660-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1660-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1832-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2124-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2300-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2420-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2420-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2468-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2468-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2532-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2532-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3240-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3240-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3300-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3300-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3464-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3704-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3704-422-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3780-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3780-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3832-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3832-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3884-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3884-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3888-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3888-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4056-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4056-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4148-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4148-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4280-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4280-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4332-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4492-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4708-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4708-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4888-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4888-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads