370ae9fbba6a8547c12ed53d6aa1453de9cc37272722b90cb5e4eee32c37e8eb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 22:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe
Size

64KB
MD5

9c919e45b732d74d439cb592a30bcc10
SHA1

d53dc3092ead3c9d7cf82813d92f8280aa1179e0
SHA256

370ae9fbba6a8547c12ed53d6aa1453de9cc37272722b90cb5e4eee32c37e8eb
SHA512

eae7b723d85594bd4fa49cc03a445f4ed01c373ca6942da84b04ada7a096d068a1d1f933ebe2324e8078c4358b4c1b2064d09671a6f78f782f6700c45f1df22f
SSDEEP

1536:b13vy4BGGUpSHJCyssjT4AZLZjaDXvilMSZ2LVAMCeW:LBgoHJR5/4AnKqlMxVpW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe

Executes dropped EXE 41 IoCs

pid	Process
4364	Lkdggmlj.exe
4776	Laopdgcg.exe
3900	Ldmlpbbj.exe
428	Lgkhlnbn.exe
1400	Lkgdml32.exe
2204	Lpcmec32.exe
1140	Lgneampk.exe
2852	Lnhmng32.exe
2476	Ldaeka32.exe
1728	Lgpagm32.exe
2284	Ljnnch32.exe
4652	Lphfpbdi.exe
868	Lcgblncm.exe
3108	Mjqjih32.exe
3180	Mahbje32.exe
948	Mdfofakp.exe
4584	Mkpgck32.exe
2968	Majopeii.exe
1836	Mpmokb32.exe
4932	Mgghhlhq.exe
4532	Mjeddggd.exe
3228	Mpolqa32.exe
852	Mcnhmm32.exe
3720	Mjhqjg32.exe
2032	Mpaifalo.exe
1568	Mdmegp32.exe
4304	Mglack32.exe
800	Maaepd32.exe
3904	Mpdelajl.exe
364	Nkjjij32.exe
4328	Nnhfee32.exe
4268	Ndbnboqb.exe
2936	Ngpjnkpf.exe
932	Nafokcol.exe
3456	Ngcgcjnc.exe
3968	Njacpf32.exe
960	Nqklmpdd.exe
3532	Nkqpjidj.exe
2316	Nbkhfc32.exe
4924	Ncldnkae.exe
4980	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4792	4980	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4364	3004	9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe	82
PID 3004 wrote to memory of 4364	3004	9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe	82
PID 3004 wrote to memory of 4364	3004	9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe	82
PID 4364 wrote to memory of 4776	4364	Lkdggmlj.exe	83
PID 4364 wrote to memory of 4776	4364	Lkdggmlj.exe	83
PID 4364 wrote to memory of 4776	4364	Lkdggmlj.exe	83
PID 4776 wrote to memory of 3900	4776	Laopdgcg.exe	84
PID 4776 wrote to memory of 3900	4776	Laopdgcg.exe	84
PID 4776 wrote to memory of 3900	4776	Laopdgcg.exe	84
PID 3900 wrote to memory of 428	3900	Ldmlpbbj.exe	85
PID 3900 wrote to memory of 428	3900	Ldmlpbbj.exe	85
PID 3900 wrote to memory of 428	3900	Ldmlpbbj.exe	85
PID 428 wrote to memory of 1400	428	Lgkhlnbn.exe	86
PID 428 wrote to memory of 1400	428	Lgkhlnbn.exe	86
PID 428 wrote to memory of 1400	428	Lgkhlnbn.exe	86
PID 1400 wrote to memory of 2204	1400	Lkgdml32.exe	87
PID 1400 wrote to memory of 2204	1400	Lkgdml32.exe	87
PID 1400 wrote to memory of 2204	1400	Lkgdml32.exe	87
PID 2204 wrote to memory of 1140	2204	Lpcmec32.exe	88
PID 2204 wrote to memory of 1140	2204	Lpcmec32.exe	88
PID 2204 wrote to memory of 1140	2204	Lpcmec32.exe	88
PID 1140 wrote to memory of 2852	1140	Lgneampk.exe	89
PID 1140 wrote to memory of 2852	1140	Lgneampk.exe	89
PID 1140 wrote to memory of 2852	1140	Lgneampk.exe	89
PID 2852 wrote to memory of 2476	2852	Lnhmng32.exe	90
PID 2852 wrote to memory of 2476	2852	Lnhmng32.exe	90
PID 2852 wrote to memory of 2476	2852	Lnhmng32.exe	90
PID 2476 wrote to memory of 1728	2476	Ldaeka32.exe	91
PID 2476 wrote to memory of 1728	2476	Ldaeka32.exe	91
PID 2476 wrote to memory of 1728	2476	Ldaeka32.exe	91
PID 1728 wrote to memory of 2284	1728	Lgpagm32.exe	92
PID 1728 wrote to memory of 2284	1728	Lgpagm32.exe	92
PID 1728 wrote to memory of 2284	1728	Lgpagm32.exe	92
PID 2284 wrote to memory of 4652	2284	Ljnnch32.exe	93
PID 2284 wrote to memory of 4652	2284	Ljnnch32.exe	93
PID 2284 wrote to memory of 4652	2284	Ljnnch32.exe	93
PID 4652 wrote to memory of 868	4652	Lphfpbdi.exe	94
PID 4652 wrote to memory of 868	4652	Lphfpbdi.exe	94
PID 4652 wrote to memory of 868	4652	Lphfpbdi.exe	94
PID 868 wrote to memory of 3108	868	Lcgblncm.exe	95
PID 868 wrote to memory of 3108	868	Lcgblncm.exe	95
PID 868 wrote to memory of 3108	868	Lcgblncm.exe	95
PID 3108 wrote to memory of 3180	3108	Mjqjih32.exe	96
PID 3108 wrote to memory of 3180	3108	Mjqjih32.exe	96
PID 3108 wrote to memory of 3180	3108	Mjqjih32.exe	96
PID 3180 wrote to memory of 948	3180	Mahbje32.exe	97
PID 3180 wrote to memory of 948	3180	Mahbje32.exe	97
PID 3180 wrote to memory of 948	3180	Mahbje32.exe	97
PID 948 wrote to memory of 4584	948	Mdfofakp.exe	98
PID 948 wrote to memory of 4584	948	Mdfofakp.exe	98
PID 948 wrote to memory of 4584	948	Mdfofakp.exe	98
PID 4584 wrote to memory of 2968	4584	Mkpgck32.exe	99
PID 4584 wrote to memory of 2968	4584	Mkpgck32.exe	99
PID 4584 wrote to memory of 2968	4584	Mkpgck32.exe	99
PID 2968 wrote to memory of 1836	2968	Majopeii.exe	101
PID 2968 wrote to memory of 1836	2968	Majopeii.exe	101
PID 2968 wrote to memory of 1836	2968	Majopeii.exe	101
PID 1836 wrote to memory of 4932	1836	Mpmokb32.exe	102
PID 1836 wrote to memory of 4932	1836	Mpmokb32.exe	102
PID 1836 wrote to memory of 4932	1836	Mpmokb32.exe	102
PID 4932 wrote to memory of 4532	4932	Mgghhlhq.exe	103
PID 4932 wrote to memory of 4532	4932	Mgghhlhq.exe	103
PID 4932 wrote to memory of 4532	4932	Mgghhlhq.exe	103
PID 4532 wrote to memory of 3228	4532	Mjeddggd.exe	104

C:\Users\Admin\AppData\Local\Temp\9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c919e45b732d74d439cb592a30bcc10_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\Lkdggmlj.exe
  C:\Windows\system32\Lkdggmlj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\Laopdgcg.exe
    C:\Windows\system32\Laopdgcg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\Ldmlpbbj.exe
      C:\Windows\system32\Ldmlpbbj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3900
    - - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
      - C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        42⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 404
        43⤵
        Program crash
        
        PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4980 -ip 4980
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
64KB

MD5
e5fa484afc8295fbd857cbe5d732b19d

SHA1
2b93b93ee6f8a2e612eba7a1dc6b14ec4e909ca7

SHA256
2ce66faef59023074081fd744fa961477de2ab67396ec72ce1cc4baed776c838

SHA512
4bb28e8329a2d8b0c0ca01aba538aa708e76e11c344cbe20679c3f09d8acea71e996cd3fc84b8930bc544ae65826053a2a35f3dd543a698d009f4b656e766ec2

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
64KB

MD5
08053b79e54c59ebcaa7b50652eb63fa

SHA1
0ee73b6382b25387ffe573fc4098bddf1a239243

SHA256
a504154df9b6d4c8945967ed6f3489a8660d18fda0a421e97ead1778ad73980e

SHA512
98509c277ae4b117891fab2ea8758113c0ae3d40fcafdfc465023899e80c795cfce0ea4f22f2405657e502fd8df21e3d84239a00b94b66cc4112a5710f6f261c

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
64KB

MD5
5bf77434b798591524c5d1eeb9a309b9

SHA1
7257bfb2728a6e76a3f0758ccbbeaa9aa6ceb531

SHA256
c6a83cd24e8e9a4b8289207cee3c3ab87bb26c547138ab6cfd4b65f73032fba0

SHA512
b36c4a3f2e23a49a852a14fd1d0306c8f5a56216cd4c8401689a55c7208199c86f305669aba3d280cc6f16debf82e11955bd74fcf479f44a78518bacbe83b4ed

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
64KB

MD5
e0f183d90f5ddc7c6d184691fc090041

SHA1
82fbc1250f45174b56916dcee55bb38dbd478602

SHA256
90127d1910f2ae83db974c35a4b36dc68fe31f1359d758102d06ab2e46e7f11e

SHA512
2251d5b730aa4ebc643bd41cb107c8305c86a4de717e30169e11ea9e5657d66a2371a30575175726f57ad552d5f429aa911b67dc7c23c08c8bd37cb30c70032b

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
64KB

MD5
14301ac51e42fb3c892383e75139904b

SHA1
c08dcebd32cebe909c56632517788fc06fde0308

SHA256
c215708ab9073ae7e9a2ef3fd5f781617f3b472ce0e16730789f7f2916fe7e93

SHA512
340031297e14c83aa991ecac0ce775d29c09b4e5378d32576f0dd57ff71a4f397145ce3100d11535dd8a05f0b043c4aed2c717be75943aaa85772c5c18f2303c

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
64KB

MD5
a093f24b06021f4be80c2d6a05ebcf12

SHA1
291607fa42a1fa4a8861d205096606d21f35719f

SHA256
fd131923f07e19a5f128f424799cec06d830a5366f14dc9672f99fbef62d2dcb

SHA512
d26a0aba115a5e5fd94c1b1e597479a4c4815638fa8c67f32456a0d133e19fd96acbac14f7bda74d5c86343cc8b512c4f65f802fde988eb3532e035450f06c1f

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
64KB

MD5
48523c0e6c65d6f1096cee050b51ddde

SHA1
f0eb3a7e7021dafc1bb4472d55b734b3c17e5adc

SHA256
2c890fd7d702628d4500f4bb570cab9226871db13ed4195ee2904c6eb9dff24b

SHA512
2eeb1e05eedc7da7c9ccdb488cd70c9747ee549e5bd2b6e4cb5a6c4385012912bf46c08b69cfbc4193481fc416f14cec1ab6c0f94f561627d9ba4a632d57ef47

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
64KB

MD5
4d4dc424e7ac5e9a7870a99fa840b080

SHA1
1c4feabfc7cc0a13dbcb2365912b3d9e896b7ffc

SHA256
bc36b435fb47db59e1ba743949b73eea0f4e344a5b7812accad07cff97dfafd7

SHA512
a858778682b491f7a99b44dea658ae07fa57a1a66352b5aa952a8a8dfda0c90b01ffcb7580724685060b31919385e120fea143d17c35ee460005c4e8f8ec405c

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
64KB

MD5
99976fa38885dd8cba5c492017975ada

SHA1
985ae676d8d369a223565f824493307af99ae35e

SHA256
4b8dfa6b8259b14da343e3a7d46f85c7a792654150a59c31a177039ab7103e62

SHA512
1ee9cef1a29901562a26704bdb00ea7d1775a4542a28ffcd22f35e756e61ac69a0f16e7a062f86c356d356da04dd05bc0f91b8623c9fe78dc5658366de4d300c

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
64KB

MD5
ca719c9131d7a025cd897e4dbe4f0dc5

SHA1
2b52069eabf666a20138452ac22e7f99847f7d8c

SHA256
a378cc1cbf9f7bd3de553e2c782191398d9abd67c07969f96273f77017c46483

SHA512
387e7927b9ac28889f2d9bb41ac53571fde43596c0cb2a513c3583974fbf73b84f40e34fb14bb17126cb7cba2110adf10fa7179ac78dddc50aa3ee576de9e666

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
64KB

MD5
2bad54d72d4fc06cdf52e83acc021bd9

SHA1
ee89091392649b01e060f4bfa342185d909a8ec4

SHA256
abbaea0278a74b48cd57b26159e54571e32ee66ea46b4251fe08aebe08841f8c

SHA512
0e08a3ca7510594bcfe3800d7b532fd3cc13cd2b2e1db20d642842f10a4dc88ab3b11e4842d7c9d9b12007e78c996e3f3c1fd74d5df1e79c019dc7098cb45a28

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
64KB

MD5
19a47c40f3204012209ef98c97cf041c

SHA1
37e3760ba171fe421b9753f3e9e3a80ca3bceced

SHA256
54d87d7f6708889e0af1cc2cbba188e8708da57424cd31249e60bcd8db61b2ce

SHA512
4acfbbd1415b82faa4caa3a98d629b241e8477c5ce7ffc6601b708e0358f15079d443c4ada42de70a6d9c4da535505e12bc5d21b4c81cabc6d1a8b3fc25ddba5

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
64KB

MD5
77ab6a65f3939aaa66d866c6fef358b9

SHA1
729d3affb6078d21f4df56a970620c66d0ea7d97

SHA256
bfb31196d7d195a7039ff8b94b36b6972febd0f2efc7a55feeb8b6eede95372b

SHA512
fcca5e7bddb01ce4b79fc6b912fbfaa95f063c8010adcdae969571e902e6d32574e69e4ecf566de3eb2342bf48a13bdc03566024311b4c275fb43725cb254711

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
64KB

MD5
bf41e3dcf92833864f7ab3fa1cee6b24

SHA1
b48389c417c497747a92c3b1f15e5dece1a5247a

SHA256
bae5a1d55ad89f9e57d162635abd5c550afb0f17098e4d2a945d0f4b1305a673

SHA512
ad20db4f4eb7ead9c7119b676dd2db183427d38fb784f76923cacd19b7b865a42d76983bdff6286a4339c79c609cceb9a59794b347967f800cc5a2aede70cf05

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
64KB

MD5
46abd5b3cc09972712491cf435b113d0

SHA1
3acd5cb490f1c811a5fc0659b03fd0aa87a83f3d

SHA256
4cffa9e091ca0d84055470c2eb7f94a4b5b37af00324e5d7a03d4a4b39451d9e

SHA512
858f94206f065533073cf9defcde4996773ef3e128fe4b35b26c3ea1774861f1d58d01ad8133e740fdc59a93fd8f92d616f15b8a79ba0fc7b80325e4211d80d5

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
64KB

MD5
abe8b6c2e0cddf937c11d4432d4795cf

SHA1
818432edc55da2ee9d5cb97521ffc385eaa2da16

SHA256
0e00cf3354c226e5dcb314130dbb20ca8f6b44965bbb668455ca251cf6ccaff4

SHA512
36c1ee02dead62be8dc3f38ae2f46ed3c014333f14490e56c5f80dd62165cc2f0604748bab17450172175948650dc8a7d52f97d7c8559806d39bc6b2e5493c82

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
64KB

MD5
5359504c3954334d6c38b360e4b3b045

SHA1
4aa715f99dac64329c6ab3ebc4e5571d5f385fda

SHA256
8284e8e3148e4f51a549aeac63f56bef4934af2113b1be2052b90110c0c979a3

SHA512
eb008c3dcca6b7c27e3652d29ca4b262711b32539fc1abda29694aa2b40d11ae63c4b8afc146103370fd285c451788d38f401c089496beb5d084cbd35497c033

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
64KB

MD5
1d27452093a6456dde4641f180a3bfe1

SHA1
d3fd804a33c39c8af378dab6f5a6d963a1efa425

SHA256
96ea002040e1987b4dff6c83b8d555db832f7af97a97a53f0ea6354364ce8b8e

SHA512
25ca5bc8c3fa5ba3fab099455888261ca59ed353fba9c6f4ccb20ce405f378589284616d111fce4568b247a190d4eb0a16499570cf27d122660bc75e51ad2409

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
64KB

MD5
0e88e425711fa1df4fbd20ddd02b9bd1

SHA1
085dca84e3cc6f4ed7b70c3c849103329ab8d841

SHA256
5a83c1cd1e8aceba0fb2f39f18003fd270b466915005e83324cb91bb017c9cb7

SHA512
7dd0a4a931aa3b1ee361dde75f3cf612d3d002415c2ac112afdfa967e31c0f1a5cea0e16dcdb99c04c1188f6bad270b7af89dc67026a4ee9ae3042ff05d13fc3

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
64KB

MD5
93d24baad8a20fb7b8023ad63ce01b3d

SHA1
670bf9bfd133139745ee36606d87e28aea071e09

SHA256
2fc2ebaebef62d11d33abefee62d9433b087e8996798950393f217c4462c3d9e

SHA512
1485231720ded95adaa7792d9b8314d7837edf2b60eee753020aa41bd9f5a6e09772f3945fcb610f1f8909843cdf29620edd2ce0da352d579945c604c0a3afff

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
64KB

MD5
d8e08ecbbcfeb8b2a7b21b0c6d002aad

SHA1
89a042a94517b7823acfd702faed6ecefc43c05c

SHA256
4ee7b21e365579ae5d9545409487dc4e463d8a674ef9ddd407a13d9a53f5993b

SHA512
a3c4e31fee4a431a6d9fbca16361c5df4d6929964e3ab7b92cf7a15d1485b010f302140ee2abad822af67220c353943b66e2d359d5fa69c4cd0ef083069c45e9

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
64KB

MD5
91a9f4bc71d89eff96d0f43f1ad02e8f

SHA1
9432911ead2b2f930873937b924e0800a406e938

SHA256
f6bf523b37606a3349e60f864d16b0f63b4cdbcb1873f1b5bd862907237bf0c6

SHA512
bb89a47471410c80ddf9484e6b8319da959801f39fe79ad0e429e773e344fe2bb6513a77352d80d2211c5eda0233c77be6a8c0597eef7c45fe0ee1165703ce75

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
64KB

MD5
7d0158e159be0393994de7c2a29bb7b9

SHA1
598a0549a0e71f20950893e8c3d3264f54420ec3

SHA256
3dc811dfbdb44a051dff13fd1f282c74fe58f3ae8294a666aa76bf4685394fc6

SHA512
764580cf97d972c8267ec6e58841ef6eed7aab05009013ced512e24912a365f428be999f4661711ffc57f525f195fff81d5d1bc23a884cbbf7e71eedea4342dd

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
64KB

MD5
e4692fafbae5261f964aa061a9aef488

SHA1
fb03a0e07e939ddb581f7ce57090aeef53359318

SHA256
4cf87df638f09ab0de437275198047b1ce52a47d44cdc054fa3f6c5c029bd200

SHA512
79341b0f0862a2109dce6715e88bf3f96a43617b15b5e9733ad5f511e58b022a9e645819b22b199097160897f0b4f2327295999f50ed74e14a8dbcde7aaa533b

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
64KB

MD5
afb54ab6c44897f24d3a7ce01c32146a

SHA1
58dd558307779f5eda4348b0bef66b71af74c1b4

SHA256
45efd6576acb9c1f39740d3fe6d8a09b35598c39dbdc19ae97a054076139f0e1

SHA512
7e9774a691c8b3d5ec9f3a73645ce12cbfea93c7f7993d2ce65fa168e4e3b5f4ee8ccaa27b6667e5edde83ea40695e7b7462b339ecbc422eefee9c4d68019194

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
64KB

MD5
919c468be2011a82c66ac9ca3b2487f4

SHA1
b2bef36b8487c2d63a630c11c049c0002c37d481

SHA256
dbeb27585331c516380e88d210a15ec3b1373374637ac95ed9f60ba1babf1344

SHA512
8a03789e9b93340cb0b5dcef28b6504df4b475c0cce11a56930b789e7d7d372a7105648147eac04191aef5d5aae55f8eaa2e0e3a2d01d6b1d1d8e0939ccdde71

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
64KB

MD5
c2b2c16ed1c138e68f09b405dfd4628e

SHA1
4927d2d3e4476b2b5ffda401691d709f3b198168

SHA256
602e8e6e57b93d491259ce6f2662738bc13a7f8b175bf4457b43cfcf2ac7f6b1

SHA512
49d522b3f774453ec8ea605fe81263c6124536c19faad98890906ad8fbcf579cf84a20d2be03a77f5714a86adadb7c9c30d1c732cafaa36df405805a836bfd12

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
64KB

MD5
ec2f8ad06f055b6dfdb4ed0cd8969444

SHA1
81b7110934e4e68811f4186a4ec4eba2a94fc0e7

SHA256
87a5fed310488f32a99e6360f4245286c5a8b68f7261a2deaa76e2da417630b2

SHA512
dd524e551f31e29c09e579cd83ac9bbf1d19fe524201e7455f18ce764676f2a05b6ff4cd52c1f8c5491ade7ae163e1cf73aaa2e42d5ade933300812e89491b68

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
64KB

MD5
70fc74213790e3080cee48bbe7d6ecf3

SHA1
00846e61c3ee2b227fe3ffaa03081dc5af00cfeb

SHA256
653eaf38a91ff76ca639aa5134b7279ccd2f1b48345cedcf3fc739e6890cc911

SHA512
4d0daea4dfdb8d8ff2fd9cd5cd88db07af4e25629a96931cf387b6f1715fe42c0996417cda9217181900c7d0cebe4f534748864416e3950f9f34f02568ac7f5c

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
64KB

MD5
2488cd7dec752e68487e9189c26d990d

SHA1
a576d9cc0c32591484f7e7deef288c81c77388df

SHA256
65b2236e5fd660b02960141f83814d70f6e6ee0f328a4d2414f1572dedf847f2

SHA512
9a345892e94b6604b872ef18233f09abcd3b1bca9d7971b5235c6a6ef2b26c2894fa24d0aa6498e960d70bbe8576478aeb2533e3ec3f89843c633904ead73f67

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
64KB

MD5
06d45eac699f5f18c43d73f6d5fff1cb

SHA1
0fbff680de8763b1fc9d51d730d3b64d733f922c

SHA256
f3bfc5a160f9be8a81da49d92708a14256b33d281a50a3172239c1a700d2798f

SHA512
43e1c1aba491acd7728051c1e4dce4fa7ae802b3a640b51062a9d0fd0d8b34e7404b5af7144ee276b590fd8c0d9bd04a894778e7efe100d1f553a52c1b0da78c

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
64KB

MD5
c8cc1733e5e68a3edfbfc3623c1ae00a

SHA1
edaca76b22830387407804a958f2cff2ddfc9cf4

SHA256
c4b05b8dc48518be40a28a9e6cdc8981c3b989dbe17551a5857fa50ac2818fd1

SHA512
34f2b6ba23772e2374a46f794d14cbec4c18dfab4b2694f15bfcda1229962b685f7ff58a25070d4ce74be33339e32c57d23e47a29b83d005fb3cb344566d612c

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
64KB

MD5
ec8213203f580d734124087e4ac2b099

SHA1
d2bcf0fec0e430e466df5db93bd873ff8b5e0345

SHA256
b08f55b1d49b94f5c7c60ea7a418c74046a02b49a8a390390f6a8902da9e8eb3

SHA512
d15fe44d52dcbe58ac11d1b444f655ec6033535fbee96380a2414a77293ad85afada3feb29b6900a299bd571a2f20ffa516eef4e4c7642dd16bf78de3ba85312

Download Submit
memory/364-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/364-319-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/428-37-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/800-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/852-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/852-185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/868-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/868-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/932-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/932-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/948-129-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/948-331-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/960-287-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/960-315-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1140-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1140-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1400-342-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1400-41-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-321-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1728-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1728-81-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-329-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2032-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2032-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-336-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2316-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2476-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2476-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2852-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2852-339-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-149-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3004-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3004-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3108-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3108-333-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3180-332-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3180-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3228-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3228-325-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3456-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3532-314-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3532-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3720-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3720-323-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3900-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3904-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3904-326-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3968-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3968-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4268-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4304-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4304-320-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4328-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4364-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4364-344-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4532-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4532-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4584-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4584-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4652-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4652-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4776-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4776-343-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4924-313-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4924-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4932-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4932-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4980-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4980-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads