516743176488cdc77d419ed4f6cf90952669456d334d0eae5c9274c57d849f50

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe
Size

168KB
MD5

4652ae42cc53d5c889c9a56bc89a5850
SHA1

3d6edc9514d921322444744f9c60b6ed38052287
SHA256

516743176488cdc77d419ed4f6cf90952669456d334d0eae5c9274c57d849f50
SHA512

2b0d0246a076581653c9dced8dc85f03a1737741c55cb6651e12086cb0a1b001797f4878eb687a049b5639f0a8db020d273748c803150c4667c280215d4cf257
SSDEEP

3072:a9F6AgJ48VqZ2fQkbn1vVAva63HePH/RAPJis2Ht3IjXn32HaJt:a94J48g4fQkjxqvak+PH/RARMHGb3fJt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe

Executes dropped EXE 57 IoCs

pid	Process
4220	Liekmj32.exe
1400	Lalcng32.exe
432	Liggbi32.exe
5024	Laopdgcg.exe
4860	Lgkhlnbn.exe
4180	Lijdhiaa.exe
2308	Lcbiao32.exe
3124	Lilanioo.exe
3752	Ldaeka32.exe
4880	Lklnhlfb.exe
3040	Lddbqa32.exe
4508	Mjqjih32.exe
3692	Mahbje32.exe
1600	Mdfofakp.exe
2312	Mgekbljc.exe
1380	Mjcgohig.exe
3712	Mnocof32.exe
2500	Mcklgm32.exe
2384	Mgghhlhq.exe
4260	Mkbchk32.exe
5116	Mjeddggd.exe
4088	Mnapdf32.exe
3512	Mpolqa32.exe
3596	Mdkhapfj.exe
776	Mcnhmm32.exe
2300	Mkepnjng.exe
1940	Mncmjfmk.exe
1960	Maohkd32.exe
4580	Mpaifalo.exe
3668	Mcpebmkb.exe
4728	Mglack32.exe
4424	Mkgmcjld.exe
456	Mjjmog32.exe
1208	Mnfipekh.exe
3236	Mpdelajl.exe
4336	Mdpalp32.exe
1296	Mcbahlip.exe
3988	Mgnnhk32.exe
5008	Nkjjij32.exe
4004	Nnhfee32.exe
2296	Nacbfdao.exe
3972	Nqfbaq32.exe
5036	Ndbnboqb.exe
2916	Nceonl32.exe
4664	Ngpjnkpf.exe
620	Njogjfoj.exe
4692	Ncgkcl32.exe
3064	Nnmopdep.exe
4632	Ndghmo32.exe
4944	Ngedij32.exe
1812	Nkqpjidj.exe
1936	Nnolfdcn.exe
2744	Nbkhfc32.exe
1008	Nqmhbpba.exe
2652	Ndidbn32.exe
4460	Nggqoj32.exe
4748	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process
1392	4748	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4220	1076	4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe	84
PID 1076 wrote to memory of 4220	1076	4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe	84
PID 1076 wrote to memory of 4220	1076	4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe	84
PID 4220 wrote to memory of 1400	4220	Liekmj32.exe	85
PID 4220 wrote to memory of 1400	4220	Liekmj32.exe	85
PID 4220 wrote to memory of 1400	4220	Liekmj32.exe	85
PID 1400 wrote to memory of 432	1400	Lalcng32.exe	86
PID 1400 wrote to memory of 432	1400	Lalcng32.exe	86
PID 1400 wrote to memory of 432	1400	Lalcng32.exe	86
PID 432 wrote to memory of 5024	432	Liggbi32.exe	87
PID 432 wrote to memory of 5024	432	Liggbi32.exe	87
PID 432 wrote to memory of 5024	432	Liggbi32.exe	87
PID 5024 wrote to memory of 4860	5024	Laopdgcg.exe	88
PID 5024 wrote to memory of 4860	5024	Laopdgcg.exe	88
PID 5024 wrote to memory of 4860	5024	Laopdgcg.exe	88
PID 4860 wrote to memory of 4180	4860	Lgkhlnbn.exe	89
PID 4860 wrote to memory of 4180	4860	Lgkhlnbn.exe	89
PID 4860 wrote to memory of 4180	4860	Lgkhlnbn.exe	89
PID 4180 wrote to memory of 2308	4180	Lijdhiaa.exe	90
PID 4180 wrote to memory of 2308	4180	Lijdhiaa.exe	90
PID 4180 wrote to memory of 2308	4180	Lijdhiaa.exe	90
PID 2308 wrote to memory of 3124	2308	Lcbiao32.exe	91
PID 2308 wrote to memory of 3124	2308	Lcbiao32.exe	91
PID 2308 wrote to memory of 3124	2308	Lcbiao32.exe	91
PID 3124 wrote to memory of 3752	3124	Lilanioo.exe	92
PID 3124 wrote to memory of 3752	3124	Lilanioo.exe	92
PID 3124 wrote to memory of 3752	3124	Lilanioo.exe	92
PID 3752 wrote to memory of 4880	3752	Ldaeka32.exe	93
PID 3752 wrote to memory of 4880	3752	Ldaeka32.exe	93
PID 3752 wrote to memory of 4880	3752	Ldaeka32.exe	93
PID 4880 wrote to memory of 3040	4880	Lklnhlfb.exe	94
PID 4880 wrote to memory of 3040	4880	Lklnhlfb.exe	94
PID 4880 wrote to memory of 3040	4880	Lklnhlfb.exe	94
PID 3040 wrote to memory of 4508	3040	Lddbqa32.exe	95
PID 3040 wrote to memory of 4508	3040	Lddbqa32.exe	95
PID 3040 wrote to memory of 4508	3040	Lddbqa32.exe	95
PID 4508 wrote to memory of 3692	4508	Mjqjih32.exe	96
PID 4508 wrote to memory of 3692	4508	Mjqjih32.exe	96
PID 4508 wrote to memory of 3692	4508	Mjqjih32.exe	96
PID 3692 wrote to memory of 1600	3692	Mahbje32.exe	97
PID 3692 wrote to memory of 1600	3692	Mahbje32.exe	97
PID 3692 wrote to memory of 1600	3692	Mahbje32.exe	97
PID 1600 wrote to memory of 2312	1600	Mdfofakp.exe	98
PID 1600 wrote to memory of 2312	1600	Mdfofakp.exe	98
PID 1600 wrote to memory of 2312	1600	Mdfofakp.exe	98
PID 2312 wrote to memory of 1380	2312	Mgekbljc.exe	99
PID 2312 wrote to memory of 1380	2312	Mgekbljc.exe	99
PID 2312 wrote to memory of 1380	2312	Mgekbljc.exe	99
PID 1380 wrote to memory of 3712	1380	Mjcgohig.exe	100
PID 1380 wrote to memory of 3712	1380	Mjcgohig.exe	100
PID 1380 wrote to memory of 3712	1380	Mjcgohig.exe	100
PID 3712 wrote to memory of 2500	3712	Mnocof32.exe	101
PID 3712 wrote to memory of 2500	3712	Mnocof32.exe	101
PID 3712 wrote to memory of 2500	3712	Mnocof32.exe	101
PID 2500 wrote to memory of 2384	2500	Mcklgm32.exe	102
PID 2500 wrote to memory of 2384	2500	Mcklgm32.exe	102
PID 2500 wrote to memory of 2384	2500	Mcklgm32.exe	102
PID 2384 wrote to memory of 4260	2384	Mgghhlhq.exe	103
PID 2384 wrote to memory of 4260	2384	Mgghhlhq.exe	103
PID 2384 wrote to memory of 4260	2384	Mgghhlhq.exe	103
PID 4260 wrote to memory of 5116	4260	Mkbchk32.exe	104
PID 4260 wrote to memory of 5116	4260	Mkbchk32.exe	104
PID 4260 wrote to memory of 5116	4260	Mkbchk32.exe	104
PID 5116 wrote to memory of 4088	5116	Mjeddggd.exe	105

C:\Users\Admin\AppData\Local\Temp\4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4652ae42cc53d5c889c9a56bc89a5850_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\SysWOW64\Liekmj32.exe
  C:\Windows\system32\Liekmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\Lalcng32.exe
    C:\Windows\system32\Lalcng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\SysWOW64\Liggbi32.exe
      C:\Windows\system32\Liggbi32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        58⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 400
        59⤵
        Program crash
        
        PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4748 -ip 4748
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lalcng32.exe

Filesize
168KB

MD5
7dd78350db0d1e41f900ca30ff950edc

SHA1
0a402d020c59635878d0b2cb7919ca21413874a9

SHA256
2d536e5e196b4aae82680a59bf93cd47a15f9fe972f1f6e0d05382a7c18319df

SHA512
3f6b1c58143678e82b40e40ff64d8021d06779f5333d534f119454d0d7e144a50f7791b6974331cd9f56cf7294b514583e689aea079bb82529d336c93a5f1555

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
168KB

MD5
152406b5a1c08e1cc9856f6b01cd9599

SHA1
5546ab386a634e02e4c90cb7a53d1d48ff010430

SHA256
1216968e6b5a9576fbfe67e8d12b11aeb289921c936f6a7ac44fb2a32d126bac

SHA512
a25b3632dba056c448cbb0c6c6d22e320a729189f67b459024967f5a3f4ca35b23880e713066ee7327e8d4c5af4cb9f545a6e952b5def403fc98ab82f2967e0f

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
168KB

MD5
035dea32bbf744d86da50e7a45e44b59

SHA1
46b7580992168ef7d3afd572cafdf09f9675dc30

SHA256
80ecc05f3db477f1017f114c69ef5dfc58070dd6450707550236feef02034b22

SHA512
daf9984205222211c45fbceb3f7e84e61ad08886625e085cb3cae4f8c329dfb28311c266c3860184b1a33418603b5510b4ecaa659a1009cf987c8c14fbcaa449

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
168KB

MD5
991a3fd2e98e8fec1e1bc5a1d51d52cb

SHA1
f6447a856ae2b1a3810361dcebdc943d161efe4d

SHA256
e8c30f60705c4cc5bd53268708a78e137cae7530b8981e9b21e8b18aadf115a0

SHA512
6e2254ac999a7550f7adf5223e2c37db8feab0c6cb101fe315cf70968d3ebe3dcfbbfb25f71dc19508e5b3d19be0ea2fa1202b857f3a5515ca461ab98f958939

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
168KB

MD5
31918e58b37e36d8d52a2195a3b0bb87

SHA1
21173693e2e7c25abebcfa3ff5748bac88862c47

SHA256
4dae17061aa226a38629260d044c3e95df02c9a1d81fb9601cb0606b321d9d26

SHA512
d7a9c333e0ff39a436b06b89f231ec2d6b5deb1ca5dcce1a71d371800706a24528a8f758def05d67db0ea1a93d206577727c8f7028f2ece64cc14c6e232f829d

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
168KB

MD5
423eb582c1dff207aa70c1e41a78f572

SHA1
e8d88736d9a74bf0c2cc26c171ae2c798ed047d1

SHA256
1a7c476326c8e46d4eaf259b9b5175a3a3cb112e304b2465da6c35fd8f603f58

SHA512
718bb592d01ef9ace77f8ad0c941ddb4cd9fa7a45efac432cd131f8c17406ded126c1d4efb3b2130ee9dd7c812ab90b21294596cdb76d153b797e2d26d35a0d3

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
168KB

MD5
fbfaf76ff63057ff5bcf728ab20564bd

SHA1
3c47d7582ac4273f892d8aa5fd0c7ed1be74e70e

SHA256
1092ef02333337c2ee321efddcc8357d18a62e0a5adb3e72afacb63540c7b303

SHA512
2bf7900af639f3afcd470e7cb91d59c4fb31d905f8528221c1c9194d0d2788a82146c607501425504d6c1bed9f565eeca97fd9597a7c0e42ad3a062045d75120

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
168KB

MD5
f46f5d7fe9927e8e1ae87c5b1642fddc

SHA1
e081d437adb430192bac63bf830f033c2d702d86

SHA256
03a8748480b29f4a258f4a5cd54b6744666cf93fca6d3370cff729657834359f

SHA512
89a0b2666409e978448fe3efde6dbc2ff27498c07dbb101c54afc0aaaa71b0883109d704498535fae7adda577ab0a05ab7bc35594ce3d383e695e5a89cf215f6

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
168KB

MD5
e1732992763e988fad0f9cd229683b0b

SHA1
3a8bb4ec6a8344f9062db549738a654b77d511f9

SHA256
9e5c42f30cff436b8db1967df0dd2211b39b8f8ebb73582b386c9d1f84d61e79

SHA512
c397bef20838b0c08c9d4dde5d2fe4a33db1fecb4c3f87d1fd22de76276d2731da575a982c5887974c5d8b2e041d00c8dcbec7c78b72653f53d9c2f7f11b57e1

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
168KB

MD5
3e98c7d5ecfd77c872f0f28a1ea4bff1

SHA1
75d3ab6dbe74de4c5ba0cbb1fbf3ed883411243d

SHA256
d3b40fef0edd94158a4b7f74d9e454803da5ed22b1037ffa19a17495b350d80b

SHA512
3c59a9865ef8e03f1414cdb67b40356f7638991e02cb99de0ad2b89ee0a2b5f2fd3c3d33628b8dc749e6127a6bc964f4886ef50a43d2f23a850589402c92db10

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
168KB

MD5
e978049b8d2c4734811e89e1ee5a812f

SHA1
1d65e27b565db248550214a64dc1b4a0ca706630

SHA256
2aeed845bef03f8bb6d5ace26f24605ff79a2e1c380747b7401234db961078e6

SHA512
235ca2555b7805fa100ac470d54d0cf7d14d695dedcca53c5b6a2e676d31a7196b4356071458ff5779bf0aaa2695d9718682a9888afd803d9411084880d01911

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
168KB

MD5
562680afefb8e6617e2b9032290c9536

SHA1
fb08d5ef94f6fbfe49007a5787a3e5ca29a863b9

SHA256
033a7a2a549b4b322203a09ab113f0184783f5ffb3b6857b93c8a2742f93b564

SHA512
f6635c57d3f780418badc7c704d858957714dc0c934e64a8a5f138b4d07caf4e2500d1022d7393c1e729c7d201de2f91a38e733fdb723137fa0d3261b88303ee

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
168KB

MD5
311ad0ecd8bc32bbc1dbe99aa09b02ec

SHA1
6be3fe6db14188bfce528972c8b3ab01fe7cd7dd

SHA256
a00630a8fec3b69f4b25c3859c341d1d562f1a07fb2e6584f7a7f5761f80cb62

SHA512
f4423ea46144a60a0ad9ec013138a622d8c4f9d48732068fa116b4fc2037482fee8f2af1790c9292ad6d3c599f02f8fa749d0a6fb2673b0370de9dcf082a731f

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
168KB

MD5
1c02916e200dff84219ad445f2f1ef53

SHA1
009c6a0c0ec295f5b5d8b9d6a2efac27ca8b1d42

SHA256
bf3f27fdb41d49896c49b8a7f1b78c9136a78f4ced90fa36a8ba14f94104d5a5

SHA512
9a7b61052dadfeadca54cf54bd56390caaf162f8f3fe6a47427921f1618a557e4bdc9f7b18954176f64adee200c18bdfba46c3c3a1055a10e67013470d7ea36a

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
168KB

MD5
d908411b1f09674b84f3e1ec8b9443f3

SHA1
ff928f7c7d3fd72c13e429e7cdc900cb3363b40e

SHA256
bb062c095a1530dc5ab90fe9ca241ca3113d0c4c81be429df3b6c5e390908ca5

SHA512
822cecc2157362cc1cbaa791640cf2ce720addfd70580b10e24e68d47c69254f60efc70c9644199879dc485bd3f376ea30b16a1ded3ecad5ab112680be4da7f8

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
168KB

MD5
216ed9ee25c48727fb05b8f71423d919

SHA1
58d020008c83b949ec448572ad769156b2be383d

SHA256
7875f47490632ef06617664c958e496ced144e4f3307a4ba36a7c089b4df4658

SHA512
cde86590a0f907530d13feeb2b172b13f29c62b6394b549ca8c5e1630bb1dcdbaa5c77d5ae4f6f3f161360d4231d5d1186bd0f0510d67d8cc4c66aca550ea955

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
168KB

MD5
3492bb9d964d8522f963ac085a2cef48

SHA1
a37769e494033833013680ac0eda23d289cf0dbb

SHA256
e02faf8ed063d6f13ce46833cabf5f6e31def7e33a1a6f29899d8c3ad2fddc54

SHA512
afd5d5d239c0e250df7dfc2bafd011c15e848ea03c1ecf89fc6c1c8c6b49a797b90579d8d9c22e1c5c86f29fc4e238ca2c8862ceee2ffdb39e477f667ed76f58

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
168KB

MD5
767ed7f87fb58edce59825bd5dadf6bc

SHA1
d2f160a12fa30a088aa324d9cf5cf2696e342147

SHA256
76b0e56520ae9fd8defbdf04483fd5b0f0c2aaf261b1c8491d8ccebd39f900f7

SHA512
11725068afef0395cdcce125615cc70349f2e570b83b3390c1625ba0b38c2020f1534c264a5ca5fc965f24f28d1c59d643b0dd68e4af374de07bc66e196bb0a9

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
168KB

MD5
0b3f3185886c0b27862fc3c98c73776d

SHA1
fc1566341ac695314e5e61d3a7f62471063d04ff

SHA256
efa525d4e7a2e768d611991d294f4e3481b86223967d06bd0f9b2e538a21b648

SHA512
fc1d64a6b064a8aa66b6a08d1c9ec1a8962c6ffe81e64d7de098e9797feb0185b0bc48bca8a896f644c5431d29d3ccb98c29c16d6b5573cd02d1c0b9dfe87950

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
168KB

MD5
4743b6971b34fb8460883344a06753b3

SHA1
b6a4c27215bea585ff64ed458f22003f6b7fb8a4

SHA256
1258d3069e9d8b1c1fcaed4a0ea3296a775dff1729a164088b648a6f2b1056f0

SHA512
bc72134d572ee4109fabf695a8f9885a31e0312f62b2932940216d92b159ad34ceb174aa1c3d6f885fccf57d289bcd5146f3640b6131f49fcc40825d67f0c6ef

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
168KB

MD5
d809cae0270e325f1cedc6985cc47a2d

SHA1
43ffb5d34fca150d546900815abf6204c54ed6ce

SHA256
9cc815edcc85ad22c966b68c12a35fc377478c1720c93c538a8353ad0be6bf72

SHA512
23932c509e8b4e67f0a3636bcf141b6ea55d54e9ee41750931bbb0850e470ab3eb763a1a221c2a47ee6ecc44a886d71b8c862c86a15c650a9e36efeec11957cb

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
168KB

MD5
02a4fbecc63bfaad95dc51120f8021ef

SHA1
37ddc3b9607199fb76ff8e063825ad1dc1ddee90

SHA256
1e6fad4c949489a4100c9f692ed33c9c27fa221f7d39c4337c51599641f4c52f

SHA512
029445f724abe221f51361221b4e93c1b560ad6e59a1eeea82764087287d916a68461f86435d17097b96d4612f804648df19a8da329431d9fc256037693597e3

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
168KB

MD5
757c8deb3ddd810c66c111e5031c04a6

SHA1
957220e138f8d6d640bfbf3ee6360fd483891280

SHA256
5ef16de4fd4e3599d02649c3aba3312c094df66c9f1d29319eec939e5619fb00

SHA512
32968f40c1bf31352808d33462905463d1923d0ab88145cb08a5c16f5b066875731a03f75defdd85488d7eef1a5fb190f4524e34db5cf7744d2238b0d3ce7241

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
168KB

MD5
fe62ad505e5756e1c16fb5e715386253

SHA1
7037cc9cdeeebd1c426af0f80497b1db508c4b59

SHA256
e74ce514c2b900a7096589a62ed4dd4ca11bd9ddc8881309e49bfd25d756b6d0

SHA512
4bb15e28d06f400d7d885de07f8845572e01ee8f3818271b19aea6b9a9b1c5d48403e3e49a1d02fd3df10d45090b773f56bf43731e6c8b719e253446b9d94bc8

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
168KB

MD5
bd1bcf5a317a08be221045ea63bba503

SHA1
cbd884c389a6aa7a0cd53a0fff00b9b262113df5

SHA256
79ef0dda7ce78b42692733e3c041a1250caa646ec7e7af8b696fc1a944e9deaf

SHA512
c0d45bc486f9dc94bc499d18143ccbbd31d6403481c0e6b730a63237400853a78c86c3bd2890b18ecf460d24cb5eb9411b690080d8afbb0cc75c00da0c9213db

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
168KB

MD5
530060a8ad25e9f5f3bf479318f42f87

SHA1
1742d4905025c45f99fd564f7461dc98de2644f0

SHA256
a1a02035dd1b7dc055346ca9ada437a71e5c25610db4e163d76e8cde7db9766f

SHA512
0ebe08f1b269bab5bfe8747def063f5dc94e8cdb48b8011abc0dd182fd592e1815b5b90a69375660ce5045ecfc13c88fa9a6f98552a32ad628451e21dbaa5a20

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
168KB

MD5
0c09ef9709a0782451aa7d6cdc6ac355

SHA1
d10e6b1e0a61e0d4245995f80736b14cd15b4551

SHA256
d934b5a1466a8debac4e4424594f723a2b49ebf9ad8d0185fd09c3c7a8e181e5

SHA512
a117e04131a0496490f74ed3b0f31f71ffbaa2ff7b1bbcf479530507a24658820a183fbad77cbf5c01b074910f285fb8e53e0f217b3d2f0057e4c6b6e0ef8ca0

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
168KB

MD5
624d25c578eec306f036c7e169fd29d6

SHA1
6bacfa69f959a70aba6ff1695692efc634e1d117

SHA256
b196b91f47aa27ca8153008b7618b3a100f79e4e21acf8afae3d03d9414dbf03

SHA512
33bb1f8c670681cd94ad7b40d72d0e63ebc19b9adb009b850fe598d411bd1a8896ffb548d278856c69692512735418f44acca126083baf63410ec2ba329afd9e

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
168KB

MD5
f170cde64af28e21c47846c8c9ed4ba0

SHA1
dbd9f6364f6efef33b1fbe86273f3f3be0796f28

SHA256
c66af65f4ed08aea4b02c7f22b5e796cd7fc36fcca06f0996ff088ee911d1aeb

SHA512
cc65c9d381cb37534681de6eaa0a812aaf911cdd08980e1cf71de08dddcd5fbb81b057c8f79568233ed8ae5dbe729174598a7347ce9330202ec44579e23897e0

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
168KB

MD5
3eff5828d76d4245f58be6b1fced241e

SHA1
57e75dded6c995cf25e67b3f6c69c32e3b42c9a4

SHA256
ec26cf09b449f456f489e08ff915c782ea405403bea48600fe26016bbfdaa818

SHA512
0c58fcab8f339d065a91bb37af795f1085e0a59a18b5883b283803162904aecf2dcf8a4f10a24a665a2a679df8c1c78259eba1a66566fcbfab014db859e71826

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
168KB

MD5
c6664f0fc886b01e7e8fefe0a489f811

SHA1
564e7957ece9e7d5961ef3fa8eb1e6a825a67688

SHA256
d2c995746ba20094fa3706f6ef80bb8265b9bac47a6d658908d899cf477f11a9

SHA512
dfdc268bccfce069d3a1d61e31eee53cdf17e0e21141b7043d6a8e5ff7633906ecc7f01dd9df32c04e105fde56695e7131727cffaac6a0eb5f99af61335fd409

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
168KB

MD5
e8e505706639b70f2fc066382fb0b1ba

SHA1
19ce50c51d405ec1f65cb19deddafdfa8b9d7fc0

SHA256
a7e56837ab5dac8ac3617e27645634c2160e5234a0b2498f5f198941bf4da303

SHA512
765dccdcf31d97e9c42a695013b4fd97cdf4cbe272770ebf94a82477b41085186c79e82ec96ebff49127e8dda2f57ca69077069b7c09d7bfcb8e787246c6e2a4

Download Submit
memory/432-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/456-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/620-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/776-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1008-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1208-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1296-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1380-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1400-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1400-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1600-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1600-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1812-408-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1936-409-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1940-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1960-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2296-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-402-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2312-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2500-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2652-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3064-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3236-336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3512-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3596-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-331-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3692-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3712-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3752-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3752-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3972-343-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4004-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4088-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4180-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4180-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4220-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4220-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4260-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4336-337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4508-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4508-100-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4632-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4664-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4692-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4748-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4860-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4860-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5008-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5024-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5024-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5036-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5116-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads