0863f459581ddc83eee2fe63c2855c50ca155de7ad5e2e93595a264992b5b1cd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24990c7982236bc967020f413c237490_NeikiAnalytics.exe
Size

96KB
MD5

24990c7982236bc967020f413c237490
SHA1

b1ac5eb695520ba208bdf58e5d1494a83016ff73
SHA256

0863f459581ddc83eee2fe63c2855c50ca155de7ad5e2e93595a264992b5b1cd
SHA512

a68be5627c73957f936b3dee58f93aa816653ffa888878cfa397732365903f360f026973814f5095e6ee6dde3339355fa1ebc1c215ce548b95254e0caad8643e
SSDEEP

1536:QUVOBj6BqCuOhF4M6Z/+KsqV2LusBMu/HCmiDcg3MZRP3cEW3AE:QUVajEBhKx/w5ua6miEo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	24990c7982236bc967020f413c237490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	24990c7982236bc967020f413c237490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe

Executes dropped EXE 53 IoCs

pid	Process
4480	Liekmj32.exe
4584	Lalcng32.exe
912	Ldkojb32.exe
3564	Lgikfn32.exe
4372	Lkdggmlj.exe
4396	Lmccchkn.exe
4772	Lpappc32.exe
812	Lgkhlnbn.exe
4700	Lijdhiaa.exe
4592	Laalifad.exe
2636	Ldohebqh.exe
4984	Lgneampk.exe
3940	Lnhmng32.exe
3276	Laciofpa.exe
4964	Lcdegnep.exe
2324	Ljnnch32.exe
4924	Laefdf32.exe
4528	Lddbqa32.exe
2040	Lgbnmm32.exe
4092	Mjqjih32.exe
3768	Mahbje32.exe
1892	Mdfofakp.exe
4184	Mgekbljc.exe
4804	Mkpgck32.exe
3832	Mnocof32.exe
4120	Mpmokb32.exe
2924	Mcklgm32.exe
4144	Mkbchk32.exe
648	Mamleegg.exe
5068	Mgidml32.exe
4168	Mncmjfmk.exe
4332	Maohkd32.exe
3328	Mkgmcjld.exe
2752	Mnfipekh.exe
1640	Maaepd32.exe
3140	Mcbahlip.exe
5088	Njljefql.exe
4380	Nacbfdao.exe
5052	Ndbnboqb.exe
1860	Nceonl32.exe
764	Njogjfoj.exe
2280	Nnjbke32.exe
2028	Nddkgonp.exe
4784	Ngcgcjnc.exe
4088	Njacpf32.exe
4792	Nbhkac32.exe
3204	Ndghmo32.exe
3928	Ngedij32.exe
4232	Nkqpjidj.exe
4844	Nbkhfc32.exe
4620	Ndidbn32.exe
2328	Nggqoj32.exe
4160	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4960	4160	WerFault.exe	138

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	24990c7982236bc967020f413c237490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	24990c7982236bc967020f413c237490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	24990c7982236bc967020f413c237490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	24990c7982236bc967020f413c237490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4480	2748	24990c7982236bc967020f413c237490_NeikiAnalytics.exe	83
PID 2748 wrote to memory of 4480	2748	24990c7982236bc967020f413c237490_NeikiAnalytics.exe	83
PID 2748 wrote to memory of 4480	2748	24990c7982236bc967020f413c237490_NeikiAnalytics.exe	83
PID 4480 wrote to memory of 4584	4480	Liekmj32.exe	84
PID 4480 wrote to memory of 4584	4480	Liekmj32.exe	84
PID 4480 wrote to memory of 4584	4480	Liekmj32.exe	84
PID 4584 wrote to memory of 912	4584	Lalcng32.exe	85
PID 4584 wrote to memory of 912	4584	Lalcng32.exe	85
PID 4584 wrote to memory of 912	4584	Lalcng32.exe	85
PID 912 wrote to memory of 3564	912	Ldkojb32.exe	86
PID 912 wrote to memory of 3564	912	Ldkojb32.exe	86
PID 912 wrote to memory of 3564	912	Ldkojb32.exe	86
PID 3564 wrote to memory of 4372	3564	Lgikfn32.exe	87
PID 3564 wrote to memory of 4372	3564	Lgikfn32.exe	87
PID 3564 wrote to memory of 4372	3564	Lgikfn32.exe	87
PID 4372 wrote to memory of 4396	4372	Lkdggmlj.exe	88
PID 4372 wrote to memory of 4396	4372	Lkdggmlj.exe	88
PID 4372 wrote to memory of 4396	4372	Lkdggmlj.exe	88
PID 4396 wrote to memory of 4772	4396	Lmccchkn.exe	89
PID 4396 wrote to memory of 4772	4396	Lmccchkn.exe	89
PID 4396 wrote to memory of 4772	4396	Lmccchkn.exe	89
PID 4772 wrote to memory of 812	4772	Lpappc32.exe	90
PID 4772 wrote to memory of 812	4772	Lpappc32.exe	90
PID 4772 wrote to memory of 812	4772	Lpappc32.exe	90
PID 812 wrote to memory of 4700	812	Lgkhlnbn.exe	91
PID 812 wrote to memory of 4700	812	Lgkhlnbn.exe	91
PID 812 wrote to memory of 4700	812	Lgkhlnbn.exe	91
PID 4700 wrote to memory of 4592	4700	Lijdhiaa.exe	92
PID 4700 wrote to memory of 4592	4700	Lijdhiaa.exe	92
PID 4700 wrote to memory of 4592	4700	Lijdhiaa.exe	92
PID 4592 wrote to memory of 2636	4592	Laalifad.exe	93
PID 4592 wrote to memory of 2636	4592	Laalifad.exe	93
PID 4592 wrote to memory of 2636	4592	Laalifad.exe	93
PID 2636 wrote to memory of 4984	2636	Ldohebqh.exe	95
PID 2636 wrote to memory of 4984	2636	Ldohebqh.exe	95
PID 2636 wrote to memory of 4984	2636	Ldohebqh.exe	95
PID 4984 wrote to memory of 3940	4984	Lgneampk.exe	96
PID 4984 wrote to memory of 3940	4984	Lgneampk.exe	96
PID 4984 wrote to memory of 3940	4984	Lgneampk.exe	96
PID 3940 wrote to memory of 3276	3940	Lnhmng32.exe	97
PID 3940 wrote to memory of 3276	3940	Lnhmng32.exe	97
PID 3940 wrote to memory of 3276	3940	Lnhmng32.exe	97
PID 3276 wrote to memory of 4964	3276	Laciofpa.exe	98
PID 3276 wrote to memory of 4964	3276	Laciofpa.exe	98
PID 3276 wrote to memory of 4964	3276	Laciofpa.exe	98
PID 4964 wrote to memory of 2324	4964	Lcdegnep.exe	100
PID 4964 wrote to memory of 2324	4964	Lcdegnep.exe	100
PID 4964 wrote to memory of 2324	4964	Lcdegnep.exe	100
PID 2324 wrote to memory of 4924	2324	Ljnnch32.exe	101
PID 2324 wrote to memory of 4924	2324	Ljnnch32.exe	101
PID 2324 wrote to memory of 4924	2324	Ljnnch32.exe	101
PID 4924 wrote to memory of 4528	4924	Laefdf32.exe	102
PID 4924 wrote to memory of 4528	4924	Laefdf32.exe	102
PID 4924 wrote to memory of 4528	4924	Laefdf32.exe	102
PID 4528 wrote to memory of 2040	4528	Lddbqa32.exe	104
PID 4528 wrote to memory of 2040	4528	Lddbqa32.exe	104
PID 4528 wrote to memory of 2040	4528	Lddbqa32.exe	104
PID 2040 wrote to memory of 4092	2040	Lgbnmm32.exe	105
PID 2040 wrote to memory of 4092	2040	Lgbnmm32.exe	105
PID 2040 wrote to memory of 4092	2040	Lgbnmm32.exe	105
PID 4092 wrote to memory of 3768	4092	Mjqjih32.exe	106
PID 4092 wrote to memory of 3768	4092	Mjqjih32.exe	106
PID 4092 wrote to memory of 3768	4092	Mjqjih32.exe	106
PID 3768 wrote to memory of 1892	3768	Mahbje32.exe	107

C:\Users\Admin\AppData\Local\Temp\24990c7982236bc967020f413c237490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\24990c7982236bc967020f413c237490_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\Liekmj32.exe
  C:\Windows\system32\Liekmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\Lalcng32.exe
    C:\Windows\system32\Lalcng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\Ldkojb32.exe
      C:\Windows\system32\Ldkojb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        54⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 404
        55⤵
        Program crash
        
        PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4160 -ip 4160
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
96KB

MD5
b0e45219da58b47a25966a18f192aab7

SHA1
15f9a48d6c3dbaafe41a0f5ec3f4c2b9a6953af9

SHA256
efd92436acc06d4674f85bb68d5fce00861e9a404780bea4766fbc1934d6e9d4

SHA512
5f63700bfc073db492fbc8fb57a22430838d6ee6966df1ae948969e46714624531971747cbf60bcce21735b1e43499712ed00bd1bfe6834c67da03526eef73b0

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
96KB

MD5
1ddbbd39a4a22ec83d55f45c506b272f

SHA1
3602f0a42c31b7622317b46d23b7d0cf590786ab

SHA256
5c9a37ee5298b05ac86668b4a2bd589874ac43ce1954e41350db2032d6a259c4

SHA512
943b278b6df640ee0a515fc7c482b9f2fecb0ee66d9cbd4155435568dc69e6bfb720760a7e0d2cc17978225d6bc20686a4908b5397ecdeaab5a1e0dd0601a78d

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
96KB

MD5
4ca76e90a48861d96d955b8ffce91f4d

SHA1
5a877f8946923346302bf17b139cda7a637a9ee5

SHA256
292172f17e5c29dac50af0cd57d0d794850f776fefcd3bd4784870c0dfef05bc

SHA512
9220d4ed45f0719bd678201219bfed431bbfb70645aa6319bd58186b860dc53360e7e6e8df15eb926aa2d25c17a833fc86af0caa4a3fc95dd4baa80032b70b2d

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
96KB

MD5
58e45d736fb7a96d5f0fdea57be6debb

SHA1
e9671988333f5052efd97cf5fe13903068ac8c49

SHA256
82cacf2683f5be09d44a1e31f1778d29f0bbb8b8784eaeb73113b56d390bcf5d

SHA512
06228141254af94770b3b1c02574327612ec0341b95f65fd557153dab30a77a06521d5e652abd47026c1e3c079587e90c4ec19f14cca432a5e05cba58e54f0c8

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
96KB

MD5
592097eef73b412031bd0edfad1aed7a

SHA1
b39966f41d1f7e3d69082fb5f4ab4963128cb5a5

SHA256
7d9b35e998055aed2b3b93005d7cd4f7fab2e3eb1c2bf8e0df86cce0cc3d82b9

SHA512
d03f41836198fc9df34f15532f27566cad387a153bc8753f98fa0c70d496f1daaf66587c15e5ff64c0e21bae54a52e7d08b9e2397b03beac955fb5eaa80460e1

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
96KB

MD5
9a6bd2be4fc450208eeb800542cdea3e

SHA1
d53f64bbd6716939306687e5906d52fd2b1722b1

SHA256
73b305f4737a3ea0b86fd04d7b233c0d4fb4c5e98a5ce4ecd35d1e051acbd23d

SHA512
6f487e94e483815f6101541ca0b7e4b1d945cb5584f0cedfac2d7f2fbbb40965085f27fb4648f2c2e0188d1ab27711b326ea998c40d661a4360658b883a32e87

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
96KB

MD5
704a45a7358f729e360fd42c5efc4ad9

SHA1
3dc5a9d4b4eff7298a3d15e2db271025e13d9f3f

SHA256
07530f34831d6e1f34a6579e008ef2a74a3cdfa519fcf67822de88965b9c4501

SHA512
8931eb1e92e12079186d2e96d62a5dd3fdfa2e5696dd6307168e0a1879ac281324a1308f11078ced357569df60a7a35ba256d8e6ea8c30ce58b07e698b23fc56

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
96KB

MD5
0d4ebd1a3fb601bf749864934444d77e

SHA1
51995007d750a84b604baeef263679a8a34c3dc5

SHA256
2b18faa1ee31adc02b5f1c34ee632e3bc7061129626a307e68feafcbe641d8e2

SHA512
cae088c626646e6e1f7d9fe6845ab9c18de819cb555051f513bb57240193bd285e0b59511e0f7a52fdf9b88fb8d9430617aa9cc692b2c810131750a47cbbefd8

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
96KB

MD5
5330b8883b40090e1ec7bbe9f5c11030

SHA1
d492ebfe3ebf6bac6b51756c3bfa8d7bc7531a71

SHA256
b33664c27b7b2c764f29a2ec60b41870c1f3cd639b1cd416187b05f9a9d16cde

SHA512
4207005586bdb44f05b4ab22ef3bff3f123fd71e55eb8e0ded6f47cb6259540dee3424818a9c3794478c3dbd9859129e61569577289ea492db8ecaaf26ef3a66

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
96KB

MD5
45a51815a8af1792444aa8e814a2ec30

SHA1
8fcaad81ae37fc2894f4c11eef89a9b98f9c7e4c

SHA256
1b0fe27c90b14ab5b53063864dd0cef5bfe3941d48befba3b672bfd99792b3c9

SHA512
0353d9383f36ad66caf5d269a504613399aa2ff04a7363c37e1a65129181ae5b7c440e0da151dac86b8cff1b6b6f1261b569633556ee85b755bf20e037ca78cf

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
96KB

MD5
e57f4a550179260f67ae2f0463067c16

SHA1
2c6fc0e1cd7183df53b0251ade1c858c5622f4c3

SHA256
2658bcf8054cc92499ece3923ad24e259d0cd6c168aaf06ea587536a414a02c5

SHA512
5a083b075bc1facece05b18ae58b624f60f8d72f6cab1902b174778e57a4e50c52031028235be979fb3df965558c7a0b8f921e43eb78a17a99267d015a17661a

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
96KB

MD5
c42e9d3ce824d4b54fb1407557f748b7

SHA1
d991ddfd10f7101fe54655edf1bce2245b443d49

SHA256
17248895f20be4262ee001a48b70b5d997eda39faf0e39cfc1a7b3abb18051ef

SHA512
f3a33dc77a8afbeabb32e1f3ef3880ab77c18180ea7fc1fd0d3b42eb0f52bc1cdc0cfceba97b6123bb382aecff6ce256363d9c612281223f6fd56f8c4fda5293

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
96KB

MD5
169cc11c8b09570968dc8c47f2d109e2

SHA1
eb14ca66df82cf2c5c4bb94a5bab333aa37e5f38

SHA256
b6f63d01fab91b2a4fa3edd345af8f8a37bf68f20a43af10238f75190cb6d1fb

SHA512
dc4cc15722062e83b289228cb3f366892da51f71d0d6341ff6061873603cf04da9bb944848a8cf0097765270b2a8756c31185f10e41c95262fe438ced35cb851

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
96KB

MD5
6670503aed0900c6608af51699edd207

SHA1
2a334cd4488e75753357a0e1103bf2f885dba7c5

SHA256
6ca00679ecef6962d6dc495ccafe27e4c0baf43e983bad2d323ca364c19db319

SHA512
73f025d1107af4259ad85bf7c27059de046811d3bdca80bda2fff2edd5e22a6ffd45b80487cafa7d77f2ff2ad513d2976d3c60d47ae50b726ba996e5682d4941

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
96KB

MD5
6703d0dbdfe16bcce58818590f0cfe31

SHA1
5662f703b8dae12e15647e7a8227b4a489e917a3

SHA256
bbc8ebe83537b1720624e0f832fd5faffeed372010fde61f9626686687fc8134

SHA512
dc810b41ef3961ffaf8c7353cbb21167c3cdda52469c62e204f1e2d5259ad742892081065c9b0f109dfa158a9cd8e2f9e8b920c5f30438c0d43fc5610ec61075

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
96KB

MD5
8b81c60d2622184870af82c3d40a6e7c

SHA1
c75fffb8fddbd39f796f2e7d8e6ec07597b19997

SHA256
232c334dfbc65a2f906bdc90d2b6f83a936d1928b6a9f6e60f8106e1b348f99c

SHA512
af9841b7d08b1ff41454c4bf423ceba7166dbf3b521e8022c0782bb5ffc86ea57ca2f5e54cf79ef7fcb05385d7fb24530c6a6d5b92f7226f4ae2dee4e38d3ec3

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
96KB

MD5
cec7ad8c7acc8de84da8cf7c192beb7c

SHA1
8df252f67eecaa49732914e3732c9bf570d94ca6

SHA256
8948cc56482d1726e96b95b3cb3cae9e231ee93704d7feb10f22e6345145066f

SHA512
880d3fd2c971bd95bf38add5bc8cec4cf4792c1b7c0c2d9c325eb47aeb9d813b34b3f779142f6d67aa171a8fd3f989d22487fd55ccccb850fb1f7432a04f4cad

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
96KB

MD5
a85a8c09fda84ac4165c7be2c6d058b5

SHA1
3aeb2fd38c1b73551eade7711790e9c3a1f85b46

SHA256
456d0a987e8776b4835aadd2ee07333651c0270ca79f2bd24ade51356df3c1d7

SHA512
85e1acb95f9a638133116a582772a76daa49538e718bb416e973ce26a7bcbd2c79f7ed95d95056427ef097c945252e073da4281a6b48df357329e0c868f72dc2

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
96KB

MD5
36cc01c83c09be65738148c0531706f7

SHA1
41602846a79300c47aa2f57a825d929140510284

SHA256
9d1cda9af083855e6a8b5c2e17359ccff541ffaa459fdd8f002583ea09eb814a

SHA512
4644360c3a83e36a6d67ebc23190e50480bf6bcd449f182eaf2f0c25e7cc75fb865ee6f8348208ce89e1ce9100e33a67e7ae8571a4b138cdf9a3b28e35b362ca

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
96KB

MD5
ba9e77e940bc78be6bf57a1be56b42e3

SHA1
0431495dfa971fa7e84283c6b3f487159db82a01

SHA256
e8295534f8f7a37f7f18cb09ffbf035b286e68cd1b8b3130aed8c4e11728a9f7

SHA512
15838c0aad5220350126653e679e021598db8605464e70972a59bd02067979a6c19a651daff93b662eef0ed1fe71c22634b4a5e1bb2b96e58d91603854071157

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
96KB

MD5
2faf1d00887f4d674189b1ca0d2c0d35

SHA1
d19d717f632ae0b003d5436d109bf87b64bfa147

SHA256
5a989a3f60f0cc972961c98fc5561ace0d58f26772c399a5cde4968c4bddf100

SHA512
78aba7027b8ef589214c97ec7fade6066a00254e59494ec8251006e84093a073a39c44e10042a3c11b68b491edeac620debd3561b5a6f940c40f3a0bf4d75f3d

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
96KB

MD5
42752027596ad14b27ce4df542b6e7e9

SHA1
e6f33da90c790fa504feba7949505191d705c4f2

SHA256
d127740438a688b49765c55669cee55ee7850b874ca3836c49888977e3d1e900

SHA512
3fc9c15536a529d939eb74104eb11020949fa9274dec64a1792081f942f34a3f00fbe1f2f631b3262757c7c3dbd1c295d299e96ceaef10701865136f2498eb65

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
96KB

MD5
ec1189fe548ddf53714352021e607391

SHA1
0acaef20c617e31e9295750163420ea1b36852ab

SHA256
c06bcd89d1746ce761718346685d532ed623c8013f0b3bed9b7bdd6c079eef38

SHA512
336754bf3477d69c2fb815523e58aff573fd5288a54dd3d90f098d15c970cbd6e1e938548b0a4a08b28423c74e758e3e24d6ce2bb58bc1b31f80f9521a4c34ba

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
96KB

MD5
dea451afc0ba8e5a8082d9626a486f6b

SHA1
83e23a53a5774703d79693147008ac0c68fb5d75

SHA256
9590130155565bba0c4ce945e8e87858eeb4712ae36c60658fb2af04800388a9

SHA512
150ee46654533b85ad2f962e24c430dbd88669914a5fee67955db9e654ab981d88693bb732eae23548d16b9dbef9c6a7dd892c92686c3f941c6e3f9d2b16e0d1

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
96KB

MD5
271cd56c1b37582c4c0a5d8cdbe539c4

SHA1
878254cc68721b4d17164a37b4a2b35281d2d554

SHA256
4ef64461d124972da1a9dad8d96241162ae1c585a9215646a40ff921db4f8789

SHA512
4da14f1b5b579874c445479d0835cc7c27fdcef23fa3a1c709d275ce3cd1fcca0fbbd7eb574c05fe6eb0d42fc69f228844492e3bd5c05ee032454884bda49961

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
96KB

MD5
aa29746e8a3199986a7cdd9578a223f5

SHA1
43564066d8ea998abefd88025ca4c7171156f9a9

SHA256
2d2cba0454cc4e68ad90d5a80f94cafea9296c0ee133d1bfd4925e709b29bc45

SHA512
9d6345a0522c261f58eb6f09f93a3523c1eb683feb9ba552d6cb3c2af9d963187f7479900b2bb3bc066ba34fa852929d99ff7f1334ed5306ed616190911d3aec

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
96KB

MD5
4205f0cd98e97189f12fa745fcb0c90a

SHA1
7e563600c1c8106cd50bd3759bd1d132d0ed6ac6

SHA256
3a00787eeee20790a1dab2393dda193893d9a7b60816e0653b62010f9531c7c7

SHA512
bf0814c2e66af4a5bf77cd71746dd9d7109d2246bd7a7682292716b15d1e9a958d02afe39a8a4f577dc850ae499b711eb2e164528972a3a7f629def3a7240042

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
96KB

MD5
74f9479e61c111083b95704e14124ac4

SHA1
53adfad940741dd3b583dea4a10027db1f9145bb

SHA256
f3d7502a1c7705bc76dfbc11bfef5c85fafe1d7cf8d3e8f3c63a7b48532dd99e

SHA512
e602f82bc9ddb36f90d35bb533395919b19435a07cb948726c8592b4dfd803af9bee2529d74803f7a310cfcb2f1f797da03587213951f211985baabb75df48c6

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
96KB

MD5
add12e9ec65f6f6cd3f68782f150ee4b

SHA1
2d5f73fc1847ec0229c17cb9728225b8e456f98e

SHA256
190fa4abaa543c896f00c81677e14aa34e49dbbfb6fb94981cdb27d25b6ad163

SHA512
9234e892c82cf4b5a1229ef30f0b28923770da3810235082dc9a344b33d72ab1fad5a1ec8869f45aaecc8a34bcedf5493ec94623cd32dc5ae4522edd46382858

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
96KB

MD5
07f9e8ec6df9ea718694ffc26366b398

SHA1
a1a04102522629887298c234586099a01108acbd

SHA256
02c7430b0cbcb08e796ca3b69fe1929db401b08bdde7280c28da4233b5fc7900

SHA512
7d53fd725742fe8c51bd8945bb0ded881297a429c3dd6aab059a101374faabe9888fa321e8b2d5db7ade88f8f176d42ee6200dc362e1fb93d2d29ca87c8fdf6b

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
96KB

MD5
7968fbeffd807da61a8c20e7fe73c409

SHA1
3e2a0438d5efa44d67661d375ee2ff80a59cad69

SHA256
76deffe9ff3f63c0a2b6b4b10714aed5c3baecac5e224a5c61e18b763e1b38c3

SHA512
52f59a1b458dc7f7d7d471e2b1ea490dffe1624e82d2cf552aa281acd469fe9693cf379d404aea56844f88e1f36ce1405955c1703eccdcef05e777a73e4909da

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
96KB

MD5
c76960cdd5ee353240175bde12aaa888

SHA1
6e3695386e1857680041795c5ee0aeac34efed52

SHA256
6e6fc35b0d324c8f3616e3da53841a3f25eb8346ab5b707035a7fdd0e4812c77

SHA512
6e82b516c8fa235b91a92670c9d91dffcb9f24bc304c52e1cc4aac90190bf970240a93075116c8dd51847408b4cf9f2dc031a7c2cd6be566488eba23173fe8cf

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
96KB

MD5
eccd4c7a52eb70148fba29e5a751a1ba

SHA1
03fdc440deaef83917e77bb537264bbdf7300348

SHA256
9dc599aadf4ba52375a34b875d56254fe20de002d1bc72fc38ec3c6d140cbff7

SHA512
96d385ea9d2e9940e82541357ab901298b070d83a88ad81504b3acd9cf0f6a765d7b8aa5d38b94deb1a4358e882c9498e660d9fb556b3ee53b1eb032f0f27f4f

Download Submit
memory/648-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2748-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads