1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe
Size

448KB
MD5

02292058eecdbf9d6f05516ce0a266e0
SHA1

b88e11d4facd3583e8250f623f25f931fce19b3e
SHA256

1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e
SHA512

5efecf5d579a086ce23cf2979d4897c6d1eea739fa762f3424970ae204ee44c6ddef2eed7f175fdc56b980fd8929c47f50e90778bab02d97877a662959e005f6
SSDEEP

6144:mBlB3CY8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrlo9:487g7/VycgE81lm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe

Executes dropped EXE 53 IoCs

pid	Process
4820	Ldkojb32.exe
3292	Lgikfn32.exe
920	Lgkhlnbn.exe
4228	Lpcmec32.exe
432	Ldohebqh.exe
2528	Lkiqbl32.exe
4952	Lgpagm32.exe
4604	Lnjjdgee.exe
1376	Lcgblncm.exe
5004	Mpkbebbf.exe
2880	Mciobn32.exe
5080	Mjcgohig.exe
4692	Majopeii.exe
2724	Mgghhlhq.exe
3492	Mkbchk32.exe
1192	Mnapdf32.exe
4584	Mamleegg.exe
3620	Mpolqa32.exe
1388	Mcnhmm32.exe
2512	Mkepnjng.exe
740	Mjhqjg32.exe
2440	Maohkd32.exe
4848	Mdmegp32.exe
3756	Mglack32.exe
4308	Mkgmcjld.exe
8	Mjjmog32.exe
4384	Maaepd32.exe
2380	Mpdelajl.exe
3144	Mdpalp32.exe
1696	Nkjjij32.exe
3728	Njljefql.exe
4788	Nnhfee32.exe
3172	Nqfbaq32.exe
4340	Ndbnboqb.exe
2548	Ngpjnkpf.exe
3984	Nklfoi32.exe
544	Njogjfoj.exe
3968	Nafokcol.exe
3324	Nqiogp32.exe
4648	Ncgkcl32.exe
904	Ngcgcjnc.exe
4608	Nkncdifl.exe
3504	Nnmopdep.exe
464	Nbhkac32.exe
2340	Nqklmpdd.exe
4220	Ncihikcg.exe
3920	Ngedij32.exe
620	Njcpee32.exe
3700	Nnolfdcn.exe
1912	Nbkhfc32.exe
1276	Ndidbn32.exe
2984	Nggqoj32.exe
4528	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe

Program crash 1 IoCs

pid	pid_target	Process
3156	4528	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 4820	2252	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe	82
PID 2252 wrote to memory of 4820	2252	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe	82
PID 2252 wrote to memory of 4820	2252	1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe	82
PID 4820 wrote to memory of 3292	4820	Ldkojb32.exe	83
PID 4820 wrote to memory of 3292	4820	Ldkojb32.exe	83
PID 4820 wrote to memory of 3292	4820	Ldkojb32.exe	83
PID 3292 wrote to memory of 920	3292	Lgikfn32.exe	84
PID 3292 wrote to memory of 920	3292	Lgikfn32.exe	84
PID 3292 wrote to memory of 920	3292	Lgikfn32.exe	84
PID 920 wrote to memory of 4228	920	Lgkhlnbn.exe	85
PID 920 wrote to memory of 4228	920	Lgkhlnbn.exe	85
PID 920 wrote to memory of 4228	920	Lgkhlnbn.exe	85
PID 4228 wrote to memory of 432	4228	Lpcmec32.exe	86
PID 4228 wrote to memory of 432	4228	Lpcmec32.exe	86
PID 4228 wrote to memory of 432	4228	Lpcmec32.exe	86
PID 432 wrote to memory of 2528	432	Ldohebqh.exe	87
PID 432 wrote to memory of 2528	432	Ldohebqh.exe	87
PID 432 wrote to memory of 2528	432	Ldohebqh.exe	87
PID 2528 wrote to memory of 4952	2528	Lkiqbl32.exe	88
PID 2528 wrote to memory of 4952	2528	Lkiqbl32.exe	88
PID 2528 wrote to memory of 4952	2528	Lkiqbl32.exe	88
PID 4952 wrote to memory of 4604	4952	Lgpagm32.exe	89
PID 4952 wrote to memory of 4604	4952	Lgpagm32.exe	89
PID 4952 wrote to memory of 4604	4952	Lgpagm32.exe	89
PID 4604 wrote to memory of 1376	4604	Lnjjdgee.exe	90
PID 4604 wrote to memory of 1376	4604	Lnjjdgee.exe	90
PID 4604 wrote to memory of 1376	4604	Lnjjdgee.exe	90
PID 1376 wrote to memory of 5004	1376	Lcgblncm.exe	91
PID 1376 wrote to memory of 5004	1376	Lcgblncm.exe	91
PID 1376 wrote to memory of 5004	1376	Lcgblncm.exe	91
PID 5004 wrote to memory of 2880	5004	Mpkbebbf.exe	92
PID 5004 wrote to memory of 2880	5004	Mpkbebbf.exe	92
PID 5004 wrote to memory of 2880	5004	Mpkbebbf.exe	92
PID 2880 wrote to memory of 5080	2880	Mciobn32.exe	93
PID 2880 wrote to memory of 5080	2880	Mciobn32.exe	93
PID 2880 wrote to memory of 5080	2880	Mciobn32.exe	93
PID 5080 wrote to memory of 4692	5080	Mjcgohig.exe	95
PID 5080 wrote to memory of 4692	5080	Mjcgohig.exe	95
PID 5080 wrote to memory of 4692	5080	Mjcgohig.exe	95
PID 4692 wrote to memory of 2724	4692	Majopeii.exe	96
PID 4692 wrote to memory of 2724	4692	Majopeii.exe	96
PID 4692 wrote to memory of 2724	4692	Majopeii.exe	96
PID 2724 wrote to memory of 3492	2724	Mgghhlhq.exe	97
PID 2724 wrote to memory of 3492	2724	Mgghhlhq.exe	97
PID 2724 wrote to memory of 3492	2724	Mgghhlhq.exe	97
PID 3492 wrote to memory of 1192	3492	Mkbchk32.exe	98
PID 3492 wrote to memory of 1192	3492	Mkbchk32.exe	98
PID 3492 wrote to memory of 1192	3492	Mkbchk32.exe	98
PID 1192 wrote to memory of 4584	1192	Mnapdf32.exe	99
PID 1192 wrote to memory of 4584	1192	Mnapdf32.exe	99
PID 1192 wrote to memory of 4584	1192	Mnapdf32.exe	99
PID 4584 wrote to memory of 3620	4584	Mamleegg.exe	100
PID 4584 wrote to memory of 3620	4584	Mamleegg.exe	100
PID 4584 wrote to memory of 3620	4584	Mamleegg.exe	100
PID 3620 wrote to memory of 1388	3620	Mpolqa32.exe	101
PID 3620 wrote to memory of 1388	3620	Mpolqa32.exe	101
PID 3620 wrote to memory of 1388	3620	Mpolqa32.exe	101
PID 1388 wrote to memory of 2512	1388	Mcnhmm32.exe	102
PID 1388 wrote to memory of 2512	1388	Mcnhmm32.exe	102
PID 1388 wrote to memory of 2512	1388	Mcnhmm32.exe	102
PID 2512 wrote to memory of 740	2512	Mkepnjng.exe	103
PID 2512 wrote to memory of 740	2512	Mkepnjng.exe	103
PID 2512 wrote to memory of 740	2512	Mkepnjng.exe	103
PID 740 wrote to memory of 2440	740	Mjhqjg32.exe	104

C:\Users\Admin\AppData\Local\Temp\1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1277a18703fcdbc6291b4a2420842ab47688af48b9bdc6bc06362240352ee41e_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Ldkojb32.exe
  C:\Windows\system32\Ldkojb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\Lgikfn32.exe
    C:\Windows\system32\Lgikfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\SysWOW64\Lgkhlnbn.exe
      C:\Windows\system32\Lgkhlnbn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        54⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 412
        55⤵
        Program crash
        
        PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4528 -ip 4528
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgcomh32.dll

Filesize
7KB

MD5
6bf5ee649e6c30536d1a2460b9861453

SHA1
c4952636649c43bb69eabc78268a0b0316957cb3

SHA256
960ff6fe6fa81394e2b6eb42d6aaf40255382f46bd97685e44dd40565a60b9df

SHA512
3023c644d18b6916f9a93eaa7cf2b04f83a4a3a32394d865ff6c6b9d0248cfb59305828428c54e6c21864a7327c549416b699209341b0a4e376530c181b587ea

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
448KB

MD5
e35388d7d24958eadff2d6e4c9e55b78

SHA1
11faab09a560323c99508a773a25b1ff8d31a6e8

SHA256
1ef1a7cf6c24200977199923f435fd273817bb94fe9c8421b685ae05e169aac6

SHA512
6568c34012f7af9c8e0ca876508076ec8157fdcd7a476abccdc502b2e43932ee8ad9405c20a75096333f6c04411aef8a9ad9ea0fabc304ee244e5299a50a0128

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
448KB

MD5
b8cd690e7fc1d823b18adf4cc2346ac4

SHA1
2c566b8e72eb7ff899bbd2bab926a17e089f868c

SHA256
be8ad248f8930e0e1297ca1e8afd834cd0d70500a967b981a6d6e814bd41a71a

SHA512
b70b9acc46add6311506ed15322f1cdf68d62df6cf5dc70c000b218fec7580853bde3b76d12734635fab61cfd47c0a166cfa9e98d9a40096bcef3e8fe22e2bc3

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
448KB

MD5
7e2c6560d8ab1f5f295e0b887d68f510

SHA1
394a3f6a380a1419fc659870eb28f5e3bee88003

SHA256
50f86563da7cb1715f38e15fc0a05460242558c70f32120418259aaa8423fecb

SHA512
49ec05f4dad77424db792cac806ddc93e3697a3966534d249b8aeaf5d68e40c9f056cf7432bfba28806e59bdf3e987366e074cdc974ee0809940225aea0c83f0

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
448KB

MD5
8ad79d14de023259fc277890056d26a7

SHA1
471c12e48a164299c72a3639d5fa62d1a929c5df

SHA256
c4d81281c0c1a8d75f0827659e99d302363c2c8e5855155cde1b6d8f261abe19

SHA512
626649e1bfe96ef5280212efc925291a7feb7a099393f4793aca494b651d1450d831c55c9eb2ff15e24e226002294874ecea81a56fb0bdffd7d71a28664857ee

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
448KB

MD5
f8b14638ceaf9d16de85f86689ca282d

SHA1
ab312e9e2ba085934df23f2a2bb10ad831e2fec4

SHA256
632d211da51184abd16cd2c337ba56452a50bb46be93b1f2818ae15d822f3161

SHA512
d63218a52cadfe0c1daf0c8fa62e1b3e6c9725bc5a83a45e83f9214664e6c2888be21d431213f93e1ec16caa36da33ced88d2d5eb93ae344170392bc223d434c

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
448KB

MD5
8442f35c721b7705650b97c1d5492af5

SHA1
5336c6c2dd8bcf60e846655622584bbc1e09a83f

SHA256
e76d05d7c5f2217204526d7c9bac994c37dc7f709e3714c7fe0192ef46236181

SHA512
ebffa51bf741b5553c7a6273ea836a188626eb4fcf04cba656df967c0daad6e685ed0eb13b31c1c27f70f4c325f829e9f0d2fea5f81fb676baf98352839e1d19

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
448KB

MD5
21200a090dc96d98e42edb4a8700fa35

SHA1
b970d2d7b4138b783687f5c198efb1df68f4badc

SHA256
4c09a466d4915ec2aa6d3c1447c4cf5458c2a494a71decb51b95fddd55291aa2

SHA512
371fc34b7b92cb563e412e1128baee70806f80c18f2c75a2a2977c4bab3642b3ec1c1d349142fa10274d8700b9f69e35af44b137fe56176ff759d65f93d60b5c

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
448KB

MD5
c2978a5820201be75b688d269bdd3d8d

SHA1
ee5a7ec55178d931a4f2786b975b937c63901c77

SHA256
60684ba5f1981315acb05564996d47561f6a531a26e53c41c5692ead85586dff

SHA512
78a80cb70783957a1533861681af983d0622ce7ef0e699d86870e7c6446a51467057ff2e158aa799ca07fc339a7afa5f7d738fecbcbd3125d75508fee71db5f8

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
448KB

MD5
08d8b56531c2479eeb3d94a32447bf8a

SHA1
077c4faca2e59bb35f74ff3369a04f06c491c782

SHA256
876ebb5e63655b3a26ae58a5567a19ec5ace0b59cdb736415578554783c7bd54

SHA512
06064aae33ed7531431f4223725e34d7600f570ae975b31039f05a20849fe2038368ca995497c86aa73933dc5cd32fa36770099942aeda8caa19f9d5fe2737da

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
448KB

MD5
811763166abf37fdc84df940a9066a02

SHA1
8b67a19eb402b9def9f46ab4b4201ba35c055c1c

SHA256
b53084902e83fc7166ead91e9d2c35b0e91e5700d5f4be7567032b00aef03ad9

SHA512
fa91567369c7cb67e7eb3e217462e00984fa17bad86a97acff678d5d5895dcb47fc380f3b9ff97346913e080f6f886e54a691742d09df55728359ee6310e0667

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
448KB

MD5
f02cd5cbb96637461f82164d58458ce1

SHA1
07e74b8317e5b31d74c81f6ed889a520e541f856

SHA256
e391e8883906a3b7fb81497eb322648db0b75095b94625c36b9b4cb897cac69f

SHA512
1c7cf20aa9b7c74e1bc59126185da0e18526abf85b2d164dc809ecacba077cf8a1b10687497318f9caca9dac6d4131e1f4d9d707530c94d3a63451221a6da99c

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
448KB

MD5
469e3a042494f60741f6aa5ab3782c39

SHA1
56ecb5901d886fb22e22d75d15aa1efb541ef273

SHA256
32cd4aecfdd9933a5e1783d1b54dbc0f872d7206dd061cd2d4ab94e3b7a28b86

SHA512
4e3a5af080479587c85966cd642bf0fd6add5e14716fde8fb1daf792f64d0926bb22a77cf8e42dc115e283e95e619c281e483bdfca76aa8d854c3486dac88754

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
448KB

MD5
2b723790485087e5032c4ef32d488950

SHA1
7ff355de8fb5e1a76ccea8e39b39e12a2c12289c

SHA256
984a310a0d4c4a3ace28037eaf88e93d493b52afc0f2beb2e537be51c2938772

SHA512
7ca65f55da08a2f4165897571b709c69feb32df5f8fb1dd0bd805fd2fc4007e068158f0904a420eab5a8c8d6d5b1c059188742a753aa442b037514af00241ffb

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
448KB

MD5
bf53232943a03c85fdaed7529dcab50c

SHA1
546a7f01ff9454e456070782326f9ba7fec05250

SHA256
30b361a142d423abc7bffffb18219dc6225193fcabfb16156fe2068763261bd1

SHA512
acc6744170701f6f6d1e440c71843e933ec42bb0779deb4eb0f07127ced2403bbc0585dae442334d987b809096090f5d51626c8e1bae0c9cf9719abb905eb85f

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
448KB

MD5
814b59c9aaaa336845b8bcfdb8a96c87

SHA1
708670980269e0b9d2668ddf1be8945f7a1f109c

SHA256
35ce48396e6908e3360f6fa4598656612d2e22706eb95fd4f53829d7e21381fa

SHA512
c2c940b4c9e5e4da06413c9247615912360538456509e29417be7eb55f62ce75c014d032636b3265771a7c86e60f965a6351ce14182cebfed98ad42c488c3b30

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
448KB

MD5
efda21b82aa4cc71caae6982119abe80

SHA1
d8df5b9519570683b0bd237c2af34511e6b66f11

SHA256
f38406aef89f92e5ede3759cc7a3f4b3a9b51bb64955db78f9ac7262537aaa56

SHA512
e74ab26496727eea89f1964d2cfff8033e7ae964e46ab51570146aaa878e7bcfd84f0f7722346f63f9d83c2c60962edf1f46a79ecf86b8c756945aec295de5dc

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
448KB

MD5
85b776c0baed28a4f585ac355300baf6

SHA1
346d4f3de54dbdf9de72ee7e8f0c8df33fcd32d7

SHA256
16ac208b9be57bd97219c7d28257b7c3cc18499caf200e8777c9308ca1ab62f6

SHA512
187b971196c498ec56269b4bfe3e4dff50d0bdfca68a32b27272d3883fcd904909d4ab8e3099eefba4018cb4dfa754b334b7add0af89c79870a014e37308e4a4

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
448KB

MD5
31e34d416f9828d20705d1254c87dbf6

SHA1
55b8171d940f85dbc3ce1214d32b510c135dab16

SHA256
356b00f287b54ba971b5ff051e2cf1f56049b6fe04ead94a60f247493b1b9043

SHA512
e612c12315c25506fe480abfc5465f809878dbcf4cd6c945be9b189c2d0e4774f2fe217298ed5a53c1d9de42258da4a789a0deaabd4cf5bb20c1569c5fa1a9bb

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
448KB

MD5
c12cd384fafeac79ad6e3804a434f519

SHA1
37af85210f257e5249603402a397c17728e36697

SHA256
1cfe0488dac432c6652e585d0d26e05abc08aac07603b61a43817b017a115772

SHA512
e8caba05a465bb006a56d6d6a04e1609b7d832a6c2e3b391317f71ab97c24d29bfba36c8f2a67c78528fe08864cfaae1aaed034160189f7d97147e1e23f870d0

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
448KB

MD5
2c0972519f2fcd09093331edc6bcda85

SHA1
92953c94eda46313a01c4796fe0579b47eb780b6

SHA256
92d84b48d147a7c790cfda08ce2a85e52940e90499fa5eb90d2161289e22e0e2

SHA512
2769598e079d701622c5c70ed34fd1b7fb8eb8bf09527c5ffd290ad0ab3bc6f43f0347cd0f2d0ce2f849b35dd18f1ad0e9cadddaa4ae9047fa62e1636dcda06d

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
448KB

MD5
4ac3fc7b48354717742d4522b519ebc5

SHA1
5656fbd80a7d6232f57600bfffc79aebb40b7f83

SHA256
ae3f2f08872650e9753c9a55cc9ea0c9aca0f66dcb9b7a8004d002d642b93d8f

SHA512
6cb89f497424116d99fbb49aee344abd95b140266cc2ae8ad6de3ede77aa58046b09965c15150ad90c7d985956ff858585cadeb1ec994269c16f1d5801012fa6

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
448KB

MD5
5e3afd6f2a7f2cc176773897aeeda130

SHA1
2f8690d5fb802a6d77fd6ea17e79119635bc9539

SHA256
bffc2abc52cbb0d300896f208dc7b415ecdf55c86b7336276e8eb32c34dc2e97

SHA512
1f7a1ce40d85270d23a2db6dca28dc611cced1b3391071986802c2fad5461b73d824cea4531c4eda4fb8e4a67ad852b5b2364c803f43453437b457ad300a92c9

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
448KB

MD5
231a6992533107e9f0dad6c33154ac84

SHA1
f02f38743ee5da024054024c26e5c296060f4de6

SHA256
214e29212a322d8cd6a178237c455bfba3ad9f4b3eaf3d65a87f89a40ebfb2fb

SHA512
d7e3dc5c5c44bda50e136c526bac83c17a82bff3f72a132f5ab704ac4a82df92fcbca8741d9e42f8a9495d32993707845b5876dcac6823d47c180c7515074269

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
448KB

MD5
bff2290f61ae1cedffdd69e9c62227e0

SHA1
f2f53b0373e81dcb6c9b3cfca291cfcc2825ef98

SHA256
2b3b3463e4961356fb1ad4163fd6f7a42faf0a1bcf771c1e674f2d5137c52cb7

SHA512
ef402f54fbf73b9473fbda70755fad9493616b1e0bf7881b3dbb65cc8ac381b5c089f8eed2a356c1e4cf5b26ce49da6e0471460bf37a8e7dd5c1f08c5d4d60c6

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
448KB

MD5
754630dc69a87341e040a3e22c5d01e3

SHA1
6632473870601c3cf44d507abff192ed4bd5bdf2

SHA256
279282ea10ddda57499794ecf10e1d59cee76365d14837fa19cb8c38011922b8

SHA512
8e0978cfd32fe0ce2a98d0132a857de55a2ea5977fbbeb356fec3623791778a7a89ade0df813c728629f472a5db73abe2f1ba690d8b5d93c739b572afb58a544

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
448KB

MD5
514ec2747c6149769076b3541fccea6e

SHA1
c1d7ba9864aaed600be16f3c2b94369e0e9f9b41

SHA256
16c310a6e69ff3a224b4ff09380b7e8287b4ca640828909243777b244389a58b

SHA512
3105c698bb00468572a04e3fb7b31bea9f196ed307b289fbfac8b2fe319a38447230b75ae1e421d72f546b20db32b7fa93cb442aa236f3b6e60b0a3c0d527b18

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
448KB

MD5
142157d0273eb632091921e975007894

SHA1
4879cb17d5da8f55c6b0ac8a321ad05b53ab7352

SHA256
6585ee527b2ac1572d7ca3f84c9249451e99e0eb72e89dc356a9f27480cfe6ee

SHA512
3b61cfc58cf602ecc0f0db36d713d737193da04823f9e6f8f3027c014db9120e487f2377189a20e4a3f01290e21b6b8a9a2ebcf73aaa65fb65bc8e74b6d2c726

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
448KB

MD5
5689c5191fbacf794686a3f81a7cf989

SHA1
c06ed010cc45c7c6a25e4fbf176d3bca0194c16f

SHA256
661324453a656d893f41150e40e02b554250e725955a57b0c8ea07581220c274

SHA512
ade68faf299ab97eda7a46db267e4b601c0efb1d55e71528ec6396b6aa6559159d78679410de8d99ee557c0caf52bd83c1cf5f82d07c4d069edcec47aaa6256a

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
448KB

MD5
1a3d4fe4b3c5ed18e697716e6e1cd9bb

SHA1
9120890610b6bf2e6f915a1696e104d5703c8668

SHA256
bb7c1f99940c37e985fe3872218ed0044d89e238278f047784ea8dceb214281b

SHA512
aecc7f4a7184e771f1c226b2159533063d73417d9568694f58d636a57556437700c86dae71f1370286885adb25044f5e2d2cd1b086986c1de8c9e95d32465421

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
448KB

MD5
afa7395195819b87d90b415da7df0097

SHA1
a693da25a4e8fd94bd45b6fd0909dedbed52518f

SHA256
2d86450e4bf92d52a35d881b5b010c21d5055329ef88b36e742ed727a0338511

SHA512
26f12e6ee46af0672e0b8eda6b4f801b5e373651e6ba26194f819ae40ef556889eb4c551ac78c6b95781ed3950af3b0c2d4061f03c4236292334ba09d869bbf9

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
448KB

MD5
9a411e1b5a289ba738aea1c6c1243955

SHA1
40558abca7ecadc1e2fdf9a6ac72af63e4bfba52

SHA256
71bbc7008947ac1c031528d11f58de759c5ea22f811d873a570c6c7ddf333b48

SHA512
46268c194231175df3983a550486974342a944fcffa91567bda7d8700bf3acf24bec7c01dc5e1e3c51da23ddd6f8a716c9ab119cd362348025d6384ed45ed0c1

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
448KB

MD5
8c3249e86166614636ce90cfa5d82d79

SHA1
e5677e5822ace21434595e243df0663e8348a3cf

SHA256
f5656c04592f1a3ef1cadaf18d4eb84d6017cf64c35cfb3ad1ae17f07c4014f8

SHA512
ba037dec14fad92f3e4bb10b2140502d05125a99f753c79585490965eecabe64aba0fbf973b89293f803f9d9ccefcc84acddf8ae6d538047657384828af4c68b

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
448KB

MD5
bfc444f85787dc9de14b74fe80458384

SHA1
45c7eb6f6f8c693d346ad16a90335d89992ab48e

SHA256
a2cf8a3829fb29ab074ecb6b0a8fe5dc7216c45ee1d1d4be79587ac8c0b2e243

SHA512
7c38f5cb151078e74de04c210e1abd5e59d50fb4ab2c2ddfdf927271a5ba9abcb1d07cedf53fa5a6ef131cca9e2e6742f2c033cc491540712df339409575032d

Download Submit
memory/8-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads