3317e6851ee4b3ea33d7ee91a9e162e64805f7a1852354e5e04a8621d556cfec

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
Size

435KB
MD5

3e0b4acf6c96177e48509ccd99a79980
SHA1

a9e9284c0ca2fce441b5c0b58b1975dfa128cc73
SHA256

3317e6851ee4b3ea33d7ee91a9e162e64805f7a1852354e5e04a8621d556cfec
SHA512

30ce9c413bd9e97e4432d24f6cc0bcc7430945e5489a17f7499291ce01ea612fbd1e172c2b11bb5f1ed5641cc972653d68060cf211841f46d012c58d366a97ec
SSDEEP

6144:Fz5pPCywbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/Y+mjwjOx5H:FlpobWGRdA6sQhPbWGRdA6sQvjpxN

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe

Executes dropped EXE 44 IoCs

pid	Process
3828	Kkbkamnl.exe
2136	Lmqgnhmp.exe
1184	Laopdgcg.exe
1444	Ldmlpbbj.exe
4664	Lilanioo.exe
4584	Ldaeka32.exe
3496	Lphfpbdi.exe
4000	Mjqjih32.exe
1524	Mdfofakp.exe
1016	Mjcgohig.exe
5068	Mdiklqhm.exe
4348	Mgghhlhq.exe
1404	Mamleegg.exe
4516	Mdkhapfj.exe
1252	Mgidml32.exe
1520	Mjhqjg32.exe
4384	Mpaifalo.exe
1384	Mglack32.exe
2992	Mkgmcjld.exe
3720	Mjjmog32.exe
1160	Maaepd32.exe
3348	Mpdelajl.exe
896	Mcbahlip.exe
2340	Njljefql.exe
2760	Nnhfee32.exe
768	Nqfbaq32.exe
3928	Ndbnboqb.exe
2932	Ngpjnkpf.exe
4564	Nklfoi32.exe
5088	Nnjbke32.exe
2256	Nafokcol.exe
3320	Nqiogp32.exe
4656	Ncgkcl32.exe
408	Nkncdifl.exe
2228	Nnmopdep.exe
1748	Nbhkac32.exe
1572	Ndghmo32.exe
4956	Ncihikcg.exe
2892	Nkqpjidj.exe
2720	Njcpee32.exe
1980	Nbkhfc32.exe
2612	Ndidbn32.exe
4844	Ncldnkae.exe
2692	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4684	2692	WerFault.exe	128

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3828	4940	3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe	82
PID 4940 wrote to memory of 3828	4940	3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe	82
PID 4940 wrote to memory of 3828	4940	3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe	82
PID 3828 wrote to memory of 2136	3828	Kkbkamnl.exe	83
PID 3828 wrote to memory of 2136	3828	Kkbkamnl.exe	83
PID 3828 wrote to memory of 2136	3828	Kkbkamnl.exe	83
PID 2136 wrote to memory of 1184	2136	Lmqgnhmp.exe	84
PID 2136 wrote to memory of 1184	2136	Lmqgnhmp.exe	84
PID 2136 wrote to memory of 1184	2136	Lmqgnhmp.exe	84
PID 1184 wrote to memory of 1444	1184	Laopdgcg.exe	85
PID 1184 wrote to memory of 1444	1184	Laopdgcg.exe	85
PID 1184 wrote to memory of 1444	1184	Laopdgcg.exe	85
PID 1444 wrote to memory of 4664	1444	Ldmlpbbj.exe	86
PID 1444 wrote to memory of 4664	1444	Ldmlpbbj.exe	86
PID 1444 wrote to memory of 4664	1444	Ldmlpbbj.exe	86
PID 4664 wrote to memory of 4584	4664	Lilanioo.exe	87
PID 4664 wrote to memory of 4584	4664	Lilanioo.exe	87
PID 4664 wrote to memory of 4584	4664	Lilanioo.exe	87
PID 4584 wrote to memory of 3496	4584	Ldaeka32.exe	88
PID 4584 wrote to memory of 3496	4584	Ldaeka32.exe	88
PID 4584 wrote to memory of 3496	4584	Ldaeka32.exe	88
PID 3496 wrote to memory of 4000	3496	Lphfpbdi.exe	89
PID 3496 wrote to memory of 4000	3496	Lphfpbdi.exe	89
PID 3496 wrote to memory of 4000	3496	Lphfpbdi.exe	89
PID 4000 wrote to memory of 1524	4000	Mjqjih32.exe	90
PID 4000 wrote to memory of 1524	4000	Mjqjih32.exe	90
PID 4000 wrote to memory of 1524	4000	Mjqjih32.exe	90
PID 1524 wrote to memory of 1016	1524	Mdfofakp.exe	91
PID 1524 wrote to memory of 1016	1524	Mdfofakp.exe	91
PID 1524 wrote to memory of 1016	1524	Mdfofakp.exe	91
PID 1016 wrote to memory of 5068	1016	Mjcgohig.exe	92
PID 1016 wrote to memory of 5068	1016	Mjcgohig.exe	92
PID 1016 wrote to memory of 5068	1016	Mjcgohig.exe	92
PID 5068 wrote to memory of 4348	5068	Mdiklqhm.exe	94
PID 5068 wrote to memory of 4348	5068	Mdiklqhm.exe	94
PID 5068 wrote to memory of 4348	5068	Mdiklqhm.exe	94
PID 4348 wrote to memory of 1404	4348	Mgghhlhq.exe	95
PID 4348 wrote to memory of 1404	4348	Mgghhlhq.exe	95
PID 4348 wrote to memory of 1404	4348	Mgghhlhq.exe	95
PID 1404 wrote to memory of 4516	1404	Mamleegg.exe	96
PID 1404 wrote to memory of 4516	1404	Mamleegg.exe	96
PID 1404 wrote to memory of 4516	1404	Mamleegg.exe	96
PID 4516 wrote to memory of 1252	4516	Mdkhapfj.exe	97
PID 4516 wrote to memory of 1252	4516	Mdkhapfj.exe	97
PID 4516 wrote to memory of 1252	4516	Mdkhapfj.exe	97
PID 1252 wrote to memory of 1520	1252	Mgidml32.exe	98
PID 1252 wrote to memory of 1520	1252	Mgidml32.exe	98
PID 1252 wrote to memory of 1520	1252	Mgidml32.exe	98
PID 1520 wrote to memory of 4384	1520	Mjhqjg32.exe	99
PID 1520 wrote to memory of 4384	1520	Mjhqjg32.exe	99
PID 1520 wrote to memory of 4384	1520	Mjhqjg32.exe	99
PID 4384 wrote to memory of 1384	4384	Mpaifalo.exe	100
PID 4384 wrote to memory of 1384	4384	Mpaifalo.exe	100
PID 4384 wrote to memory of 1384	4384	Mpaifalo.exe	100
PID 1384 wrote to memory of 2992	1384	Mglack32.exe	101
PID 1384 wrote to memory of 2992	1384	Mglack32.exe	101
PID 1384 wrote to memory of 2992	1384	Mglack32.exe	101
PID 2992 wrote to memory of 3720	2992	Mkgmcjld.exe	102
PID 2992 wrote to memory of 3720	2992	Mkgmcjld.exe	102
PID 2992 wrote to memory of 3720	2992	Mkgmcjld.exe	102
PID 3720 wrote to memory of 1160	3720	Mjjmog32.exe	103
PID 3720 wrote to memory of 1160	3720	Mjjmog32.exe	103
PID 3720 wrote to memory of 1160	3720	Mjjmog32.exe	103
PID 1160 wrote to memory of 3348	1160	Maaepd32.exe	104

C:\Users\Admin\AppData\Local\Temp\3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\Lmqgnhmp.exe
    C:\Windows\system32\Lmqgnhmp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\Laopdgcg.exe
      C:\Windows\system32\Laopdgcg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4544
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 400
        47⤵
        Program crash
        
        PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2692 -ip 2692
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
435KB

MD5
eaead05d0d1613368e0a1cb6c1d7ca34

SHA1
10686cad77eeea29414271a23a4017a85e61343d

SHA256
96caa09711f3d0dcccd8b9deb7a9d348882b649417d3d954ab798e814dec94c6

SHA512
a419d8181a2f3f2254dc01cfe78dcd1c082801e2cd2709c05bd391fcea64e7764e7979b70ed22a1674e7d17147f86e010c526e710fbfa62af65ff23b38dc9097

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
435KB

MD5
8fc186771a8e0d7849259e3bb5bee458

SHA1
5a846948b41dc6a27ca1e876a2bd13655ee7eb0b

SHA256
168b6021ad8f6b444e4da8aba09d17e4f4b16873e5144e3326f0a7e13ca6f103

SHA512
7899c20a5b5ad262f0ec9ff06d1c57a8fbeaf3726453d251aa6ee2a61c8d9f4e617aac55c89ec88ff2738ab091f8fedb53c9c3ff93c40282c4c6efcbcaa496a4

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
435KB

MD5
a5f51405f66c672fa5749a40d2548558

SHA1
3f5c7d1eb4d99271663c313f71aaa0b8ae09c3c7

SHA256
023e56c88f7233d98390cc27766c122a4f600d6e60f5109f74441e8239ad4841

SHA512
d42a145263c4291bd01ab222c8eb37a2fe1bbffef8d962121722b98475308baf820f2600f0e8a50ce3ef188752be6e70c97a06276f44151deea9ebdf51b648d4

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
435KB

MD5
f8b691d5b064f577ee95594fc3cae9b4

SHA1
9a4fdb9238f0401639e56b1fd8dbdcabfc027c22

SHA256
38b776d25b18afd495dfa027f3a3c0e92f4a2251c5ea1e832f29b8cb7d73899b

SHA512
22fae53492c9fc458290db5cd1c40d731e2f078fa025439a2c35d46f9b001be7adc66ab5ec93492d4b48f3eacaebd0eac80fd3a5926d8a1db50b4febf4134ea3

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
435KB

MD5
e1c98204e632ed3337520a219ed75ab3

SHA1
08fd3ef7a13c567ad7c131d3eb328dc046719780

SHA256
559b6792d56f3903aee84791c5a08cd9028ef300d192dc36b627d25eba9724da

SHA512
1dbdc883e2e075709bbbf6e3eac5129fc59bdf91a2cd5b8160a5863eb0103cb848ac44aa5b4fe2fb57b92749343d5e917bdcb0d9234465cfaa01133ffee8f8e9

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
435KB

MD5
824b957ceb802d3fc47c2aaa4af9aeb5

SHA1
2c88a3622aa58d387b4eccf74b7c6075354557bd

SHA256
cfdce943a05d832427e99930d20ff5aeb753aec483fd4f9ddc957e3e26a47b0b

SHA512
894251b2598a9ff8c43b4c11eaa951106f3afc1388840ecfcfd46bfb8c3ae336d783da05bd328e56360379da06f8ba9cbda536dd541433c0cc0c24d4b6788ca9

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
435KB

MD5
006c0ae3879bcd02f04ca6fce7dfd987

SHA1
72c318cc7c3a9d3613277619c29bc0ab5e624a5e

SHA256
02624a9bb63fd24fabe3a0b5a486691ee7e88f0404fc812c81dbe692e157f42e

SHA512
71aa2046d70c343cb3101c4d1373872c87fdf6749bb9b3a1f3958700db55f6e8bce70c1ab747819a2499f4ba68b3346a0a67945ed2bf45200d1bd280113887ce

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
435KB

MD5
6946af5f988bac178de6e7b4171b8361

SHA1
0a03a99cfee8c35d2369dd1dd60b39a5f17e675b

SHA256
7aff683569935f0681cf37ce45d2e5f3e3eb21a21c4c222abfb1af1a70872c73

SHA512
cd223a30f9b746c58e3109d8c7ff0292e8607cde6be1c9d50a50580760abe7cf3fa89bd7c2512a24ffc5878888005ecfe5d22d093b0140191e78bc621f8c36a0

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
435KB

MD5
28c166c409613c67b3471cf67cb0ebc1

SHA1
b0389b92aa047a1b986a4d507784036f431b8c57

SHA256
706fe754dc228052be7795bf044c0364ddfdb6faa25a151e5cf7796c9aa04dc9

SHA512
29c493ad896da1087080a9ab0fd3009050e07a1ed0a6b0bb9a5f0567516c9ef6949b01beb67a3b8e369cf8f58a7324ed8776f4be4c47021edbbf907e737ff322

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
435KB

MD5
e024f9580b87ec5c8e33e2c0720cc932

SHA1
06bba8b57b858020ddcbf3a0aa807c9773d42ddb

SHA256
eca538d6d5001cfb32e6493a2c60b8b1b99c27d6d797759b2a982ae94de366d1

SHA512
1ea5db79752a1d4ac7eafa1eca1917d069d245a4ec1cabcbada52d8da480381685e2d81de6824f82e3298bace331c157f79822a0ff46e6878b2ed866ed44d733

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
435KB

MD5
1d1b605f9dfe1f8382607d9fb4d1c8b1

SHA1
0c12f4bcf86184fff0a03b7ca69964aa3c6cea70

SHA256
a582564cb7cae5611a3e713031044f0fb220689850ada2091945ca35127651ca

SHA512
8db10f1b6ebcd76e22575cec013e658a2737e21a9008197e0cc343ca3bb1c4f0b0a95f058366ba98e5689f1bb5edc21109f823688e55133b8eca22873f3d9a8d

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
435KB

MD5
273e47c480b71db62fb046c5775e54e4

SHA1
f2e4dc9a4d8db43ec7e64775474907813a535659

SHA256
17b318822abf713b570c62c9355a8b456c7f0847110e891a16bf0e0a9fb80f83

SHA512
214614a3a5bcedfe052f2ab3a5216a572884d383932975ed7e7831e3cd4556be75f107000be1ddd66ec1aa73787558661d37cd9955509399509f9348955d50a9

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
435KB

MD5
c57c9b4664a1b5021f0d2c36f123e664

SHA1
cda83c6ba4dbec27614043ca2ae07dd0af4947d8

SHA256
0beeb678b07aa59c62cf66d4b6c2f32f1c0add0c067b96a6bba08cdc020a8497

SHA512
17b3dc38d5ff70623f6df739513df4c1affdb3043352652fe4a19d5d2bc719d53dcd98a1b85c787a9f064ed293608fc0215741694c0b434a645e49b76c181099

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
435KB

MD5
3ab16b74db601126af10c27ad470018f

SHA1
1044e99b6f3a9babd5cf6d0e717d0347db3de3d4

SHA256
4d1d34b7c42155923e34f8a95f3b431fb19b6bb06bd650ceb4ad44974e08d4e5

SHA512
2d8524b953f5c84fa535eba0af89f30fa2c4dd4a8408b8915ea09661d24689d19f626622e2b02ff1620023c3a99fbd183ecb69ee9354238167b2cea6f9036b2f

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
435KB

MD5
ec7b4d4086e8bf4ba1f2dfa69e9ae639

SHA1
9b522b9a52937351e2f0912ea07416c1a7f00694

SHA256
f4ba2128309473da2e86b1053411c739acba6775970c322662065a6e633a9e57

SHA512
c17010dfc106069783dcaf1b63f25e4f95a97e728ff5bd2d54b34ebd1f308132d554023c3a1da1c219b40d6c695b00c437baaeed5ee4880a60658612bd6e73a7

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
435KB

MD5
1e0de1100985038222f08b0fee2daf41

SHA1
e6815d4d6e9f046f8d9d48203182750829aa1a6f

SHA256
e7558630c440cbbfc128bc7b27a12e1c5e96059c2f7034f045649e13b8ddb854

SHA512
5807e739bb6077b0e22078875a4e1a25805bf058a3b9a00245efb5af2b5cdf10eb24948003ec6ab3613720a9effc9368a5f0752069a54e4be645c7876bb7398f

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
435KB

MD5
2a1586d9524133059546e048dea919d2

SHA1
98bee32d134f7d06952abf40292d49ec42c904f0

SHA256
ec3db94d2dcd1b0706444150c083eaa9dc2b90318eacf4856b9fd2c3d1f89c69

SHA512
6e42638a2d3fd747f6772efa7c898c310dc39f9269753a90f7932b0722e05babf51f12088aab0978f3db791c80571df6160f1e8706928ae2806a9d0448aba4b0

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
435KB

MD5
30b2155013936c9753e49982ae8cf510

SHA1
19496bd0ebecf798425b1235c8dbba1c911a9a03

SHA256
16847f6ceb7fe501b628f74af03458f8c3b90b7cf4850f25358dec2eb94e527c

SHA512
105778a61dacc6f83332256335b31b126340c381bad030560f932eab02120a87a70de414bb0cfa3fe8dcfe7cf82f80427a6e39107e709c649c939d4590782f53

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
435KB

MD5
20b6026d1ea93ad7d3c403685eb94617

SHA1
4d6acd1ef1bbe2f3a007e7fc1c677b5a17e3f202

SHA256
e49f4d67a1d80b08e69ecf6566ba90fb528299896b5e82e1e73f383c7bffa479

SHA512
ea65239e054d06903e7558cadc1c4cc2a83e017de36bc52d47498f12d3220cdb441999f0fb0580a040bb48a378d692b4172fddcf9cfce9388cbcd209c9f4653a

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
435KB

MD5
e56c56c17b74e3ce15de892861cf7681

SHA1
21e40294a504ce081891fdfdc21601a24aa5b145

SHA256
1a95e3233aa058ca580dd726e6dd08f3e67b48f43647608748bc52a887219099

SHA512
267728a36188b496f3ce686c7dc47f32b267b0743d124de8e013a836c2c13c9073c5e4719fcdec796050c5a5b9e127a8257e3960e1b0309606a7e6dbfbf5010f

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
435KB

MD5
c5f8c40affc06242ca85fc3b4d206526

SHA1
8f0510f4dada108e5adfd154e1ab91f67f347beb

SHA256
20d54f51f0d007b00064352365e3277f19ebc29f5a27a8edc15c4246d8e88d63

SHA512
ad4c3d177e059e682b3dab398439be241433b2a0e0ae6cb144b4e78b7e26c3451119095201b08372464b27de87f101b8c99b3cdb4b49eb40420366271f427933

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
435KB

MD5
7b2431b9ab92ba0cbd00bb7cfb3e0099

SHA1
92a3ed72db13f45fb6ae87e4309c6dcc12803ce4

SHA256
99999e4273a2446a13bf8d95a97cf23d2c7434ef495412413b3f88c87aa386a1

SHA512
7205ef3761b0023d21f8ff6ec1a4b1ee0bd508f58f5c3b2cdd095c52539fc47fe6f5e2c9e8f577e5056d6246492e24274f0b51bbd1567881151804c519db8022

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
435KB

MD5
67066d73561a6e47474208a58b21d97e

SHA1
061ba838ef7848b293f6665fa199c80b42d195db

SHA256
7ac6e3bc434f2668414af3cc46f6c01a3dd79f4fd91869c5dab4aae6fec6d9cd

SHA512
a429d67d8b8889b8482f42c03409acaa41d723068cfad5173fffc67ef0e74edf56b21f8f73b06194e132b99e9697ad449c687e588e7489fe1eac4464e0a3754d

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
435KB

MD5
4518febea64880345add1dc435bd0cb7

SHA1
ceb34bb619133723fc608e02e646c732d0e6da91

SHA256
2aabca67601abc81c7eb9d6131658da20a3bf2adb9be41b9219b02620028d867

SHA512
128aeb32f947a856b6a0ccae1accd582af05a8aeb2345a801d432b87229438648b11dc1ab7b43b787f63cb0f0dcde4df60ce220f6f565e615106441113516f10

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
435KB

MD5
c726d443e0227992a1070bce864bf7c2

SHA1
f58cd88f40260b801011849aa1737b4aae7e9158

SHA256
79cd4d0aca47d4bbbd3a5542f92e4b8a9544e25f77531341797f837546b0b03e

SHA512
629e36d4a46e9aceb1f0471f30228bb5036e8c7aa2fbf22ae52f2ecd2a50f86999ec83de4b505299f6f28676919a43860f0bf8a4be94d280cea3e6d619055635

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
435KB

MD5
259031e0fa56453568b3c9f50632c07d

SHA1
06b463040da34ecc6a0365331e5bd4c207b3f056

SHA256
955ebb2b68e54cc2ce168849d67e744314ce1c1e77a2c993a05f34afd4ea4632

SHA512
46a3fa54efeae64baae582ea2faca4cf8a51d2fdcab05403d332d67ee1f38d8451905b9f4fba103cb3c309d9f00e29ab187b2c39fc538a17dc4d3ef8db3ed139

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
435KB

MD5
e968a550b2b3c536b8a28b681290d791

SHA1
a8a9c21bed52512ee8fe11e5eccd7cd97fd4c88e

SHA256
7aed2480dbfda4972567648e1bcb62f575736496a3fb3154f0207df4826976eb

SHA512
405cdf04e49a2e7679036e45860ff823dad80a1f1c790cac91c5f04f0f728287e9021b389c70c7f417c8b11044360282b0607d77afc99941c4efffb2af75a49d

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
435KB

MD5
2bc40cf6d84c58835cf0b0caa84eeea8

SHA1
1998e5ec5b9a47cb8cececb7cd98e0ffcfd5fd8d

SHA256
35af8454c2fa7d46695efd458e9eefd7cefbfa1d16ab2809b30c27fa80076548

SHA512
f27ba6acba9abbe058dab657107d1952d337a86304661d413683fd3c10ad2cd8693351093b8fd0197d629d32aa5c2381e5efe2863c39fab97a592829458ed824

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
435KB

MD5
de8f2b2d00963f75a0608d70b2775a22

SHA1
6fd9edbd34b49f40aafcf8363103f1e2d3be7512

SHA256
74fbd1a829a289cdf10ac102081646751da884184d3aa15ee542f173ab850ea8

SHA512
40e7f1e1d9593aee3ae23dd2b94483bac7165740c38d8b879987ae6b2b846d69774814478f0e23864f87296d38280e915b0b98f082debf0f3c08d08fa577f94f

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
435KB

MD5
4e67812c1c74d51146ee1d717b1b3fd6

SHA1
5228fbf52fc7ef1522cabbe1bfeeb81a6d79eb1b

SHA256
b83d3799fd0c24088ddfd23e035f49be162a0ea2ba0470ae01a8cbd56e6ef1e2

SHA512
7a98bccadc60bc597dbec6d26714e53db67c34b30765f3eff37aba25cce1fa37e4b7a7ddc4beec942048f37a261f2edda397c9a9627ad58b5319b3c1dc352b8e

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
435KB

MD5
8b0b37c09286027948f567b6476cf7de

SHA1
f2e27aa07c53560a6477227ad3ba2db8dd795c17

SHA256
e2ac7e0acdf2f50d6265993577484916f58fd9d09bf35bc14f768391b513f76c

SHA512
01655ca6473e4fc1a0d1b719fd52956fdf4d18024affa99c55e919a91f14b4dc4696d32900d0a9e9f87bb342172bb97d31c337a5b8e6c4a022e19e8a5018dbc7

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
435KB

MD5
e36e52ce2771e276b3ad1881b496320a

SHA1
6b91b18f1ab447cd1fd52e2a5a11b2d472dc4b36

SHA256
8085eb2c784465706316255812ed40747e6edd0cc42c00924e02fc7e0e605d5a

SHA512
5c31c7457a7db2e3e7f253c4ab11adfe6732b0209983915c2b5673684368815c6a04569d7af623dfbae3f0dbb860b36321d4c11d1e5aec644c97cc66b28b1a5c

Download Submit
memory/408-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-7-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4940-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads