2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 09:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe
Size

79KB
MD5

5013a99ca2431953e3df4a2f9c565520
SHA1

07598507f1ccb3ae9ff35f8198d0dbfde4a3824d
SHA256

2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae
SHA512

b76959a9c086b72ab5aa86028b5d396cf4b6d1690223cc5ebd84349e161f71e42369e75bbc39937cb9729612bba7083e0d23c439ae1ee339895cef437929cee3
SSDEEP

1536:dA7HaHpEuxOGw9Hz8PlUEAiFkSIgiItKq9v6DK:+O14Gw9HA9UEAixtBtKq9vV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe

Executes dropped EXE 45 IoCs

pid	Process
4664	Ldkojb32.exe
4300	Lkdggmlj.exe
2560	Laopdgcg.exe
100	Ldmlpbbj.exe
3700	Lgkhlnbn.exe
2572	Lijdhiaa.exe
2456	Lpcmec32.exe
3520	Ldohebqh.exe
5104	Lkiqbl32.exe
1076	Laciofpa.exe
3992	Lcdegnep.exe
2540	Lklnhlfb.exe
4584	Lnjjdgee.exe
4500	Lddbqa32.exe
2716	Lknjmkdo.exe
3832	Mahbje32.exe
3228	Mdfofakp.exe
1268	Mgekbljc.exe
2768	Mjcgohig.exe
2208	Mpmokb32.exe
1244	Mcklgm32.exe
4860	Mjeddggd.exe
3472	Mpolqa32.exe
3548	Mgidml32.exe
3440	Mncmjfmk.exe
540	Mdmegp32.exe
3908	Mglack32.exe
3716	Mnfipekh.exe
2340	Mpdelajl.exe
972	Mgnnhk32.exe
3760	Nnhfee32.exe
4356	Nqfbaq32.exe
3144	Nceonl32.exe
1644	Njogjfoj.exe
4508	Nafokcol.exe
3332	Nqiogp32.exe
1352	Ncgkcl32.exe
2568	Nkncdifl.exe
3112	Njacpf32.exe
1584	Nbhkac32.exe
3268	Ndghmo32.exe
3380	Nnolfdcn.exe
3216	Nqmhbpba.exe
4912	Nggqoj32.exe
2652	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1900	2652	WerFault.exe	130

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4664	3748	2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe	83
PID 3748 wrote to memory of 4664	3748	2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe	83
PID 3748 wrote to memory of 4664	3748	2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe	83
PID 4664 wrote to memory of 4300	4664	Ldkojb32.exe	84
PID 4664 wrote to memory of 4300	4664	Ldkojb32.exe	84
PID 4664 wrote to memory of 4300	4664	Ldkojb32.exe	84
PID 4300 wrote to memory of 2560	4300	Lkdggmlj.exe	85
PID 4300 wrote to memory of 2560	4300	Lkdggmlj.exe	85
PID 4300 wrote to memory of 2560	4300	Lkdggmlj.exe	85
PID 2560 wrote to memory of 100	2560	Laopdgcg.exe	86
PID 2560 wrote to memory of 100	2560	Laopdgcg.exe	86
PID 2560 wrote to memory of 100	2560	Laopdgcg.exe	86
PID 100 wrote to memory of 3700	100	Ldmlpbbj.exe	87
PID 100 wrote to memory of 3700	100	Ldmlpbbj.exe	87
PID 100 wrote to memory of 3700	100	Ldmlpbbj.exe	87
PID 3700 wrote to memory of 2572	3700	Lgkhlnbn.exe	88
PID 3700 wrote to memory of 2572	3700	Lgkhlnbn.exe	88
PID 3700 wrote to memory of 2572	3700	Lgkhlnbn.exe	88
PID 2572 wrote to memory of 2456	2572	Lijdhiaa.exe	89
PID 2572 wrote to memory of 2456	2572	Lijdhiaa.exe	89
PID 2572 wrote to memory of 2456	2572	Lijdhiaa.exe	89
PID 2456 wrote to memory of 3520	2456	Lpcmec32.exe	90
PID 2456 wrote to memory of 3520	2456	Lpcmec32.exe	90
PID 2456 wrote to memory of 3520	2456	Lpcmec32.exe	90
PID 3520 wrote to memory of 5104	3520	Ldohebqh.exe	91
PID 3520 wrote to memory of 5104	3520	Ldohebqh.exe	91
PID 3520 wrote to memory of 5104	3520	Ldohebqh.exe	91
PID 5104 wrote to memory of 1076	5104	Lkiqbl32.exe	92
PID 5104 wrote to memory of 1076	5104	Lkiqbl32.exe	92
PID 5104 wrote to memory of 1076	5104	Lkiqbl32.exe	92
PID 1076 wrote to memory of 3992	1076	Laciofpa.exe	93
PID 1076 wrote to memory of 3992	1076	Laciofpa.exe	93
PID 1076 wrote to memory of 3992	1076	Laciofpa.exe	93
PID 3992 wrote to memory of 2540	3992	Lcdegnep.exe	94
PID 3992 wrote to memory of 2540	3992	Lcdegnep.exe	94
PID 3992 wrote to memory of 2540	3992	Lcdegnep.exe	94
PID 2540 wrote to memory of 4584	2540	Lklnhlfb.exe	95
PID 2540 wrote to memory of 4584	2540	Lklnhlfb.exe	95
PID 2540 wrote to memory of 4584	2540	Lklnhlfb.exe	95
PID 4584 wrote to memory of 4500	4584	Lnjjdgee.exe	96
PID 4584 wrote to memory of 4500	4584	Lnjjdgee.exe	96
PID 4584 wrote to memory of 4500	4584	Lnjjdgee.exe	96
PID 4500 wrote to memory of 2716	4500	Lddbqa32.exe	97
PID 4500 wrote to memory of 2716	4500	Lddbqa32.exe	97
PID 4500 wrote to memory of 2716	4500	Lddbqa32.exe	97
PID 2716 wrote to memory of 3832	2716	Lknjmkdo.exe	98
PID 2716 wrote to memory of 3832	2716	Lknjmkdo.exe	98
PID 2716 wrote to memory of 3832	2716	Lknjmkdo.exe	98
PID 3832 wrote to memory of 3228	3832	Mahbje32.exe	99
PID 3832 wrote to memory of 3228	3832	Mahbje32.exe	99
PID 3832 wrote to memory of 3228	3832	Mahbje32.exe	99
PID 3228 wrote to memory of 1268	3228	Mdfofakp.exe	100
PID 3228 wrote to memory of 1268	3228	Mdfofakp.exe	100
PID 3228 wrote to memory of 1268	3228	Mdfofakp.exe	100
PID 1268 wrote to memory of 2768	1268	Mgekbljc.exe	102
PID 1268 wrote to memory of 2768	1268	Mgekbljc.exe	102
PID 1268 wrote to memory of 2768	1268	Mgekbljc.exe	102
PID 2768 wrote to memory of 2208	2768	Mjcgohig.exe	103
PID 2768 wrote to memory of 2208	2768	Mjcgohig.exe	103
PID 2768 wrote to memory of 2208	2768	Mjcgohig.exe	103
PID 2208 wrote to memory of 1244	2208	Mpmokb32.exe	104
PID 2208 wrote to memory of 1244	2208	Mpmokb32.exe	104
PID 2208 wrote to memory of 1244	2208	Mpmokb32.exe	104
PID 1244 wrote to memory of 4860	1244	Mcklgm32.exe	105

C:\Users\Admin\AppData\Local\Temp\2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2d62ca975de47e12f7f46a8b2922ba737f36315df7fd1a56c8d00b06f4e6e1ae_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SysWOW64\Ldkojb32.exe
  C:\Windows\system32\Ldkojb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\Lkdggmlj.exe
    C:\Windows\system32\Lkdggmlj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\Laopdgcg.exe
      C:\Windows\system32\Laopdgcg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:100
      - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 408
        47⤵
        Program crash
        
        PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2652 -ip 2652
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
79KB

MD5
b114cd9bc970524d9b840cb2720fb438

SHA1
df16a1fed0df4cd7f14dbc119a9ad0880bf09006

SHA256
e0df54e412d58a2373c32b5067ac9c9ac604e2f72b34a26607208ea4dc428baf

SHA512
ac0d652cc0331647d940a9e925f7b81231a7906fd0bf9ee3489a84ad7f17d55fc74caa3ce9dc1851f3e35cd1584ef6f5cf84c7e9e493e194cb6802ed1ef9fea2

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
79KB

MD5
8bf58aec8e85f682e74dffe10b5e7f74

SHA1
08476da116381378c26c3b05710715db0da6234b

SHA256
064ba15d09b4dc0ab2f9b01076d2f3eb4d5740e3e277d9a4cff40c15ec2cbadf

SHA512
1ddb3c626cc113e04b1bc9bafe3ee0d656535bd26b112a5bca06d7f32330107c0fab3b28fbf566f6b8d84de167e696d073c4d0e2681f7fc54ea9f961ce5db8ef

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
79KB

MD5
3334c971c7790b21c12349cb2551e874

SHA1
196ebfdc4782de12d0547e27af6d21c8f7a8eda1

SHA256
7397b42f8d331ae291e178b55194ff429e354021cd3c60b351c7f7c4a0f87235

SHA512
b0bf1a96020b40ed674b6d5839ad4c5af6e3050db7b86b51912d3af7f6d97a9de88e829d08039b146615b8d944c70b5c4fe5eb16acecbcb836b8d415cab2b9bf

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
79KB

MD5
dfacd9396f8fbd7f2af7a5cde5ce2688

SHA1
f9e0a1ccb239e4607400798a37ece20cc5e2560b

SHA256
e1983449c0e25e471634dd4463064c3fa28deb72e6d0e8eba124311c60996ca2

SHA512
ac7fc081003d63bae9aa4acec4206f36d21bb69d1760288a99e4b9d23c08ee49af35549f0e8654474a5017e9a5169f7b14386dc36f02c4fe60acdbe11e7b9d69

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
79KB

MD5
350a0dc14339d3d54eb1257c0a505dfb

SHA1
3819e03e561dfaec4a655dcd96f76a73708410a3

SHA256
9ee0ac24c759b3a303b9ee3e08185dc9e9b2be2e49dac7aae121584125d15395

SHA512
0fab23ee4d9df35f1023592f18ac6a8b007b3fa20cdcbeac77480901f347b72219f63f19561a20fb5222afe062633512a824318206316e50ab946847fa108495

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
79KB

MD5
e1d66d7931da87a41c2b12582e59fe61

SHA1
106875d6d8bc65d75c580a54cf69802e6f70f112

SHA256
b873db4587e2714c3e624d4ac4120d2e3aa0c667471b0283a8c24c9749cdcdce

SHA512
8f3890c86cb1fd52a2ff7df0d1763e6cb9c40f0b39f3841572a6b144cdf9865a0ded5d2b99ac0e10c0eea54449f0c59d326df941913582222f1461fccb2199cd

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
79KB

MD5
e1ad74909d573955e56363d0cf910532

SHA1
2bfb08655c0c7c97083c2e36683940cae73de559

SHA256
1980984320c67d9ccbb00b1e217c60bf73ed0003ef7f4759629cb63f692cb9a4

SHA512
ca3850eb06152b35355de22f1f1b3d91d8aba49d0a8d87c1020a71d0b960257f4858766aa6181fd2b4b3b12b7615944949b07d5a4cdc50339fc8bc94466d6eb1

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
79KB

MD5
2b07b9bfc540f80c79af79eacbed7c71

SHA1
15e516d791463f328ab087408f1922728c748a14

SHA256
76af950a65836466fba5ad451fb85bbf11f1cc1eedbee18dce2691a60c14333b

SHA512
521ee217e6a73b1e8fe2c7056ab86a9c9fff96c64dd365d0b52192f5110d6b4efc724308080c7f0b1b3f2e11225c21179a8749c3dc1817a764b65008a3c33694

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
79KB

MD5
7616446eeb3c1a5801d1d4f34461e55a

SHA1
dfc45f1686c744a4ff4eed18f0c5e3186fcf2130

SHA256
fe110afe82edc5b3e6df932e9953a92feb483feff64137ef21e042e0c577ea88

SHA512
e58d88a770ea8eeb6a00a971851bb0f0a91bcf9c9913d355f9019a2cf95c180dc299e7fb6a341e8b2a015d29b388ac42463d6e76b6941b2dc1f55ac6386268fc

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
79KB

MD5
e255ccce1ccb735f1fddb160eefdfd67

SHA1
f84272b47f32e2e0bd681965f27be04a0350063c

SHA256
6ed75c166ff1e08033911be1e072df86935d09eafe359f7bf1fda325220cdab4

SHA512
e475e64b3b9b7ac9dda3e409cf960bf816c95ac38340c00cdd80d710477316a91a57d48fc9f7c0ad1ec3242fe01c209641ff9b73f651e362a82d869f2d48411c

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
79KB

MD5
12053ceafff4a36a0e3fa0be82de80d0

SHA1
130f93357b0f3ec56a53be2f4b03c1510383e161

SHA256
292b0e52d7f981f48910267a978046ea5adb089f143869035c39afb78ea08627

SHA512
5a39c57f6cca40a1ece309c963bcf8977abb135ff5e558288946291c5d8b228754acf9be60098395ac4f6e6fb07a4bec88b525e70791c7d6b5840aa7a8ea16d7

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
79KB

MD5
eb4360ddce8dbca70eca68cdb3d954fa

SHA1
cce690ae854903e75aea71d9071b34ae8153219a

SHA256
860f26dd0c1c1abaa3aff03787f686c9ca40dd4e45f18ef2dbd448ba2ba8d6da

SHA512
8f3c7718d31834dd36ec5fa69da86c6007a7352dc058725a3043141e4f5ce4ae30609dcd7f5d7274d0382682b01f3f09c2dd83e6afadf96d61ec6e17c7911ff2

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
79KB

MD5
cb4a7bc5791dbc332f7f09b2a6034a79

SHA1
c71d7d4d5e71947ec4fddad0d3030aa8bca96a2a

SHA256
678737e16c1b4132fa368a1b2cd44c1dfe1f0adfa0fe1fa5b49e1ccaa68885a5

SHA512
9bb31a9cd19b2907d8296c39abeb2510129b6ef7ace7ab183d2694696c41175994bf1dd80228e403145a15d627020383dda8f0fc5c16fbfce99050d3860c1207

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
79KB

MD5
de7e17b808cfddb393da0b9dcee7939e

SHA1
031c3b400f866756fdb44b82fa07be6aa11b91cf

SHA256
f923442cc59367a36739ccb138c43da71071ca0b5e98a36c6cc26a15107721c7

SHA512
3768002129e8c2b04ecafc070b9c6d84470fb1c50be7116f3ab4fe91ec1022789d43a83961085ada3dc6ffc898325c9c4b00712e5264cd5f9c092a1bc8f1d60b

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
79KB

MD5
66bd877ce0c87f9551c2e57f83b88035

SHA1
b2ebce1b0adedf73fd926a0df1e081dd5d32db65

SHA256
743677f11f5b59045f8b10b21ae3fd2da17759f37e5bf7aea2ad5f7500c3feaa

SHA512
125cc516cb28ddc938e8d7d1641a03cdec1ae16f76f3f560bc28676f568f40641f6b9147e12323c9abccf4f01d0b54af09417050ac260d50f6794a314dbf15ba

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
79KB

MD5
a9baf6b2e5683e717a93808cb535840f

SHA1
6d9cdcd651694b2fce23937c3ab75db442808dbc

SHA256
2bdd7a88483d512829670f3cc7ca548c78fbe867f309265c8214ce91feeb97a6

SHA512
6ef8e4f63e58073d59beb2179771d4cd690d58d2bf462d12d2508799a822a25b2f5341781e134f93aa9d51a7b7293610cd99d59767b3a736805cc9f6b4736712

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
79KB

MD5
5f0f080d9c670c0e4bb4d74e89160641

SHA1
7cf4ee64d170504807565fc908cd30d8dc8f9c6d

SHA256
f9a19db4b9d97f63e271339ebcdb9eb59c397684e508e3c9b3e79990bafc4022

SHA512
e1cfffbed1ed15e3a876736e9222917f3d58167852577842f0b8f2b69f3294ad87b242f696e7c112b58c42d309adb572d682a83e19e4553cab061ec7595b184b

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
79KB

MD5
87d1bd1ae898f09b506cbed67a09a8c0

SHA1
50dc39c733973cc4c814b77b6689e1364502dd1f

SHA256
4adf4dfe35f781a79eedc67d394bad94d9d01e1d1c97b24d051e7ad19eaf1241

SHA512
f79ec8bd4203d1b743a0b7c924b823b8f51904a3ebe4f22c36b7f5aa1ea763952faacbfdc6f5873fb4405f7f878a2a6935b6894050ee137d28705ae047147f33

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
79KB

MD5
c6140ee054241066d4bbcd949969c6ba

SHA1
85c5b450177b63657dd8f92c6fe28d05d9407361

SHA256
47aeaa2295b3c8f6dfe8ec1eed49e9f405fd53c1afcd3f77172b0e67bb235c1b

SHA512
9a3fcbcd0d111b9436880209ee14298a521fae3f950fc1cb9a3471848cbfe77dfe274f9a2291c917e2b31975c2f9d329a91c7d5b992c72290a3648e0be69fecc

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
79KB

MD5
ee7328a0a8baf5d971c86ea52e7b2b6e

SHA1
9aa73768603d90291f7897ef2b485c6e48818b86

SHA256
d7df2d3b6e4abb9f7199a72f18b66f3c44b583993064c4df11bfc3665187cba2

SHA512
3ff50678cf2605017242795910d0e8c5031258501e16be97f3177afc7965b5ece3b6798a42b775489b5d4b78fdeab0cb07f9346739ca10c9dc872f0e75bedd7f

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
79KB

MD5
41f5a178e6007258e78730b45b2496a1

SHA1
1b02b603a102feb0531be476bc293ccde6656706

SHA256
edd5cb3c47178c4986cbf6de6f62ee97c3838422a42b0af9086bb832e4baf246

SHA512
30ec63929eb26082cca6df71f3da811f9f5d3763f9460b0bf0456fb8843776e2b3fe1b4a88ad22b306c78ef92e4290b63a7e732f0bdb0b1c39454f56554aee5c

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
79KB

MD5
a1023a2a22b2dbf9c2e1db277e7515da

SHA1
8976749652f70438b43d9aea00da329466c16a86

SHA256
a19a8ca20a174701fc6c5d96112852615d59641544d049532f40d1b063524b0d

SHA512
4c40bb04148f76a191bdaf3debd1968391fd4d2a7dd6f0687f39c454448635ff32c9411813972164f6b475ba2cd6f96a9891858cab40944b23931e1a06e4e948

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
79KB

MD5
d758707c342047c0a22d734b335581cb

SHA1
b496bef6c7098a05560d5e60a1ca4032c793c3af

SHA256
bfda2705e769681ac3fb311bb4e060bec0a498d3cfeeb4bd1fb60b93e87d9f48

SHA512
948b02e1a9ccc508e5833652beb811a66f2214c4c83655d7e10cf131d106e5237d36a479f15678669337d3cc01bb96454369ba3946900e16f70971868dbba212

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
79KB

MD5
19cc0ed103d6308357d76e880998400d

SHA1
440f19c332c044e642ccc0c8968a204b1d265e1a

SHA256
d6c7480970c81891d4157ce089214baf828d7a1f9b99b84159bc661956fa7b56

SHA512
de95159371124c8d0b9277d53cb800a74f04c263b27fd1ba237dfe1c53b7c46cff1db4566e594e20563f03eb9b08903d0cdc5d32387354ae20dd0b9c00979711

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
79KB

MD5
cf8d303feb0769435814e059c72fb33f

SHA1
400ee6201f3ed54726fc3959ffef338c85efbb87

SHA256
558a2ba1db890326f53fea533ffc1e3435939b66324a3a3da147372993afb2ca

SHA512
e7ab9314f05090553050ff1c4e6ebd08a82e6be75df8b54a9b2619d398072f7c016c9c8de381101f4a17c70af6f992b7a8bc955abd42862a549ee6c2ae7564c2

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
79KB

MD5
ab678b3f8456f0b47610379a3aa4101d

SHA1
4302a6ee38e6903b5272161378950e4ce8ae9aae

SHA256
ed0437a8340deeafe46c396c11924cc1e9af9f272a65e31096db1c1e7a2fe05a

SHA512
511fd1172512381935d87b2d88d90f480324dea1f1a9f79b31a726bd656bd5b7beb678a65b8b32bdb08a94fb19d64edfbfc7b9d51172a459afc7562ed30dfa30

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
79KB

MD5
9836cc63b6f73882897cc300c3982092

SHA1
5a6e984eee40bcf01fcc6a7fb948fb14d848ee0e

SHA256
d8af40540f8df85b4b57ba83700c8d0d018a73add09231e9f5b94fb7784a2f5b

SHA512
c0bd6c755eedc984ed967e0c9f7f7159b56d03f4675e9c04ef835ceae92643d85f2056cd9f186031a5ab77afe147301797466ebd2aaec876198d529b9dcb8ad8

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
79KB

MD5
ab2c252601eb38ef1f8e7c848c6d3c6e

SHA1
ed760a3d641d766fb49e915efcfe84b50ab58dc7

SHA256
2eef6d6a0a932079b89927a52f6a5d068386c2b7529e1a38cfb1318856344acb

SHA512
eee70301c658ada1331b404dc85628f2300bc32e8658f0a289cb9e88f41a919386bbf7a1452f967e0c7bd2552b3ee566d6af27c9b13dfb9cbc00aa1922c96d40

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
79KB

MD5
e7a6d798cd5373b026ed58d369d1b6bb

SHA1
5fdb698e24e341d711d0d0b09ed4571e7224bf5c

SHA256
6ef8878d936daeebdcc64031e850932d745064b053ec7c4211afa4ef583c0663

SHA512
3ec32aec2534593933704ffce8bab95cb589b311cd4e5347638810a43b7f2e40241f98f80524822771334bb6be14717a6cb522baa03a29a4eb18f9b629850d1c

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
79KB

MD5
d5db23d3c8fc2abcdfc96891d4fdaab7

SHA1
88f7593681ccd279ab5bcb6ad4fbcef912665a38

SHA256
6acea27088f05781edcea6222d13132e2e51abc3b304dd5f95b8d0f0b3dee384

SHA512
4e29974f896f4f87c610eb0ee30c05189b270dbab5b4de010278780abdcdb6b1dd5fb8e0f6021c9723879de2a9a2cad8b108636d4894c3d5ebdc5f3ba6ce8f86

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
79KB

MD5
4067cd85b5370a4eee11f576ca30edd1

SHA1
bdd08aa3cae029d2b8eb5ff35e9e33660dbd5f90

SHA256
b2863085e597bee42b645f3b19cd6a9c76ef6b0af33ebfa6b9537c53bde297c0

SHA512
4707db0f7fb4916ddc62223c0893412437ea743568a839b9def7184df0d2da22e418434a5194a38150b29122bd91aa7b17316bb656d8c249f35e03eb7df48bf6

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
79KB

MD5
3fa3e474be0d943a18d7404dc9894f89

SHA1
190b0daaec1c81783f0097824d09aebf9f8b9f4c

SHA256
f5feaf1360ce6f634d3e43676d594e208501a5360dbbd4176da9dd280013ae7a

SHA512
71a402da3c769f903622db47a46516cdd1e72841767948b2ea54540d9856963668956807e689d73681971507753e4e7a164dd80c1ce7037cf23746403357bce9

Download Submit
memory/100-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/100-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3268-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3268-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3748-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3748-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3748-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads