6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
Size

94KB
MD5

2ea2f1950888f8995f5317c3ea307f10
SHA1

6f046fb6eb1553c48241c6b2c675c0922392a73c
SHA256

6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72
SHA512

6bf56cf0d491486e8fcf082eb2984aa954e268f3c27871639173d89fcc321f90a271a5cde6ffc7b11cfcfc62300475df2a0b131f4236129b2cb8ea86de8a2ea2
SSDEEP

1536:L5gLyIsx9sfNsIZeY3AUtqNWVxme3eRX2LgaIZTJ+7LhkiB0MPiKeEAgv:L5gLyxx1NExvi8gaMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe

Executes dropped EXE 44 IoCs

pid	Process
1116	Kajfig32.exe
4368	Kdhbec32.exe
412	Kgfoan32.exe
4956	Liekmj32.exe
2208	Lalcng32.exe
2556	Ldkojb32.exe
3808	Lgikfn32.exe
2180	Liggbi32.exe
2168	Lcpllo32.exe
3868	Lkgdml32.exe
2652	Laalifad.exe
2344	Ldohebqh.exe
4220	Lkiqbl32.exe
3224	Ldaeka32.exe
3216	Lgpagm32.exe
2616	Ljnnch32.exe
4224	Laefdf32.exe
4256	Lcgblncm.exe
872	Mjqjih32.exe
4920	Mahbje32.exe
3524	Mdfofakp.exe
3956	Majopeii.exe
4228	Mcklgm32.exe
4716	Mjeddggd.exe
3952	Mamleegg.exe
4876	Mdkhapfj.exe
4344	Mjhqjg32.exe
1576	Mpaifalo.exe
1120	Mjjmog32.exe
220	Maaepd32.exe
1212	Mcbahlip.exe
4808	Nnhfee32.exe
4812	Ndbnboqb.exe
2876	Nceonl32.exe
336	Nklfoi32.exe
4232	Nqiogp32.exe
512	Ngcgcjnc.exe
3268	Nnmopdep.exe
3456	Nbhkac32.exe
3272	Ncihikcg.exe
4020	Nkqpjidj.exe
2692	Nqmhbpba.exe
4276	Nggqoj32.exe
3212	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3640	3212	WerFault.exe	127

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1116	1172	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe	81
PID 1172 wrote to memory of 1116	1172	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe	81
PID 1172 wrote to memory of 1116	1172	6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe	81
PID 1116 wrote to memory of 4368	1116	Kajfig32.exe	82
PID 1116 wrote to memory of 4368	1116	Kajfig32.exe	82
PID 1116 wrote to memory of 4368	1116	Kajfig32.exe	82
PID 4368 wrote to memory of 412	4368	Kdhbec32.exe	83
PID 4368 wrote to memory of 412	4368	Kdhbec32.exe	83
PID 4368 wrote to memory of 412	4368	Kdhbec32.exe	83
PID 412 wrote to memory of 4956	412	Kgfoan32.exe	84
PID 412 wrote to memory of 4956	412	Kgfoan32.exe	84
PID 412 wrote to memory of 4956	412	Kgfoan32.exe	84
PID 4956 wrote to memory of 2208	4956	Liekmj32.exe	85
PID 4956 wrote to memory of 2208	4956	Liekmj32.exe	85
PID 4956 wrote to memory of 2208	4956	Liekmj32.exe	85
PID 2208 wrote to memory of 2556	2208	Lalcng32.exe	86
PID 2208 wrote to memory of 2556	2208	Lalcng32.exe	86
PID 2208 wrote to memory of 2556	2208	Lalcng32.exe	86
PID 2556 wrote to memory of 3808	2556	Ldkojb32.exe	87
PID 2556 wrote to memory of 3808	2556	Ldkojb32.exe	87
PID 2556 wrote to memory of 3808	2556	Ldkojb32.exe	87
PID 3808 wrote to memory of 2180	3808	Lgikfn32.exe	89
PID 3808 wrote to memory of 2180	3808	Lgikfn32.exe	89
PID 3808 wrote to memory of 2180	3808	Lgikfn32.exe	89
PID 2180 wrote to memory of 2168	2180	Liggbi32.exe	91
PID 2180 wrote to memory of 2168	2180	Liggbi32.exe	91
PID 2180 wrote to memory of 2168	2180	Liggbi32.exe	91
PID 2168 wrote to memory of 3868	2168	Lcpllo32.exe	92
PID 2168 wrote to memory of 3868	2168	Lcpllo32.exe	92
PID 2168 wrote to memory of 3868	2168	Lcpllo32.exe	92
PID 3868 wrote to memory of 2652	3868	Lkgdml32.exe	93
PID 3868 wrote to memory of 2652	3868	Lkgdml32.exe	93
PID 3868 wrote to memory of 2652	3868	Lkgdml32.exe	93
PID 2652 wrote to memory of 2344	2652	Laalifad.exe	95
PID 2652 wrote to memory of 2344	2652	Laalifad.exe	95
PID 2652 wrote to memory of 2344	2652	Laalifad.exe	95
PID 2344 wrote to memory of 4220	2344	Ldohebqh.exe	96
PID 2344 wrote to memory of 4220	2344	Ldohebqh.exe	96
PID 2344 wrote to memory of 4220	2344	Ldohebqh.exe	96
PID 4220 wrote to memory of 3224	4220	Lkiqbl32.exe	97
PID 4220 wrote to memory of 3224	4220	Lkiqbl32.exe	97
PID 4220 wrote to memory of 3224	4220	Lkiqbl32.exe	97
PID 3224 wrote to memory of 3216	3224	Ldaeka32.exe	98
PID 3224 wrote to memory of 3216	3224	Ldaeka32.exe	98
PID 3224 wrote to memory of 3216	3224	Ldaeka32.exe	98
PID 3216 wrote to memory of 2616	3216	Lgpagm32.exe	99
PID 3216 wrote to memory of 2616	3216	Lgpagm32.exe	99
PID 3216 wrote to memory of 2616	3216	Lgpagm32.exe	99
PID 2616 wrote to memory of 4224	2616	Ljnnch32.exe	100
PID 2616 wrote to memory of 4224	2616	Ljnnch32.exe	100
PID 2616 wrote to memory of 4224	2616	Ljnnch32.exe	100
PID 4224 wrote to memory of 4256	4224	Laefdf32.exe	101
PID 4224 wrote to memory of 4256	4224	Laefdf32.exe	101
PID 4224 wrote to memory of 4256	4224	Laefdf32.exe	101
PID 4256 wrote to memory of 872	4256	Lcgblncm.exe	102
PID 4256 wrote to memory of 872	4256	Lcgblncm.exe	102
PID 4256 wrote to memory of 872	4256	Lcgblncm.exe	102
PID 872 wrote to memory of 4920	872	Mjqjih32.exe	103
PID 872 wrote to memory of 4920	872	Mjqjih32.exe	103
PID 872 wrote to memory of 4920	872	Mjqjih32.exe	103
PID 4920 wrote to memory of 3524	4920	Mahbje32.exe	104
PID 4920 wrote to memory of 3524	4920	Mahbje32.exe	104
PID 4920 wrote to memory of 3524	4920	Mahbje32.exe	104
PID 3524 wrote to memory of 3956	3524	Mdfofakp.exe	105

C:\Users\Admin\AppData\Local\Temp\6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6a53ee547961f6b8ffd9d62fa2ff3331d6d0330bc8f6de6d2141c56ad6df9d72_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\Kajfig32.exe
  C:\Windows\system32\Kajfig32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\Kdhbec32.exe
    C:\Windows\system32\Kdhbec32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\SysWOW64\Kgfoan32.exe
      C:\Windows\system32\Kgfoan32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        45⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 400
        46⤵
        Program crash
        
        PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3212 -ip 3212
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe

Filesize
94KB

MD5
0ff7e2e1d6b74062f90e62e0fb153fd4

SHA1
99f5130020788a962293d7c1efabaaca9533a5a7

SHA256
18cbbe93602cb072d9976f6f2b5b74b5709b5f94281bd2f50a8f2159ddc263da

SHA512
df26e0c7f98ca5c485826bf7a9b1fa7e76619e25091b5d69d080325b0b247359207f112e5906e535eee9bd08ab6bbd7551461966abf5c6f8878fb7d2345fbb2b

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
94KB

MD5
99736fcf624a1fd1a01d3df7a6178b3e

SHA1
ba62b603242258f104d3109f6d7b7b0bb9add57e

SHA256
201ff2a603e9a17b8430ae9b0cf776ea8cfdcdf0395b2c48f9710f16261393a6

SHA512
d9d21d60f20961aca81529b48d8642a1902443829f206cb9d82c3a6cf9c39820994df4c6b52dcafe72f7be15b6cd0f4abd5afbf6f8e25373072d8120882cf9c2

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
94KB

MD5
9469b6b5753aa78814cc2648e01ee1ce

SHA1
f3111610605d58c72aef902e394ab0800374ad2a

SHA256
d2d21b6847e14d57ecf532aa798f4fb23f2b53342b94bfd6777e70bcab42b612

SHA512
947eeacf138cbcd9d86574dd0f7473e261e54a4ae33557ec942f5d6b49a100fe592658f46fa3e1c175922c212a8bae1b82b63c1d1e255c47a9403325f6af8531

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
94KB

MD5
478a2aeb24434ff055d26fdccc35613d

SHA1
9fbafb1d9cbde81d2c45b374008ad51b55caa7ff

SHA256
8e7bf845cab66bf26c35723456ba26586f68b7fb9293d337be161c18604806e9

SHA512
acf4d62bc5607c481d3867f9661accbf6b6170d5a4fe0328739525b81e2510a3fa0d487e4d9fa9f6056bbe92e29b360e48ade4457c1617631df514fc259fd42f

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
94KB

MD5
1c48ffe808f40b53dd122593af8a4185

SHA1
6c82872967e75d56193274e0824e120f1f0c3220

SHA256
2a2aaa8c5dfb8a331ca8c6d808f3ca143088818378fec30e4020c3a663e9f725

SHA512
2198ab2af3fbdda49c61076ca7fd99c39b05021ad32049fc7b87f16dad2da1daa1901742e3fac76c331d7394e47c66aa868291364c51497124db8008a7340df7

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
94KB

MD5
04536f8fa4f84674ce37b5cf8f9f53a4

SHA1
f568179dd86538a15c7af2ba0e6e0305dcc7b076

SHA256
20072ee2d349b216ec486860b4e023bfaa742a9c336ede639289b7b4286e2d5d

SHA512
87f5d0f20c2c4e7ca16555d0f09a826ef081047c76954af2fa6cc52eb5b692db83650163a4f5424ede8034ab762304d758b541657e9b24812723be1e48c231f6

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
94KB

MD5
a3d2808ad0c0c5134661c5a1035d5d9e

SHA1
2de793c91d91b7bd0e96a6b3f226dbdeb9fbda42

SHA256
bbe4048715d9d04e10680ef79b66e62340529f2d6dacc2a1d9fff122ed469342

SHA512
b806b19e6437fdb27d04379a8df2c9eaefd52a013080288739ea6ae0af4d9fb4a3009c1eb80479c7783b50fb63693b03c0a8c3e35198df349edd7b126c4a6f12

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
94KB

MD5
b215287139ef009ebc354caadf34eb87

SHA1
9e3d2fe4c39bb797d0e4dfc1c1f7286efc4948c5

SHA256
fdb9ef0dc97d60dc07bacac50081543cddc8aaf1b746af1f1cfdd139104f416a

SHA512
0f0c2a2e6ea654a70966cbfe876046bd6838dc42a857498235e62bcf449dda555802e5ad60e65f2e92c8a8c95f206608913ca324c6314a7aa191d16fdfc8d35e

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
94KB

MD5
d3e2226e4991ad61636877449a6985c8

SHA1
32c09ba8af629d20842c54a37287d2144a757fc1

SHA256
54fbb94f1f1013fbc684a1a81e29a462e3f0a42740ab14d9f84b7aecfc006ce5

SHA512
27dc98f139d4844349450389fe824558a2851b45dba13283a51de3a4bde699e7ba6fcea98afa00125b11765ed44bad97b5b2c151f8ce2f3fe9b31678b71f6bbf

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
94KB

MD5
7cc881d9fb91e115e6e44474b8736c16

SHA1
138a7d9ebcfa7973cd1250327d8e4416b6605042

SHA256
a5822c5bff3f2ed0f48f5a3cf13035ccb2ccd9fa6071353ec2f772842be85591

SHA512
c4c063d4833c25e00d403ce6c208412189d7362c587f378e4f62743f342937ccb8a9eb97d723027c998fd013b3527ab52cf49c0eff98d6b1678b16f6b704d6e0

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
94KB

MD5
daa7c745433fa96e082ddd976873ad32

SHA1
ab55e09b903ebbdcba4136b2566e911ae38bb5b7

SHA256
eaf096e4af7e1be46098da319d0e40a3f86689d4fb746edf35fbdf7a968d0baa

SHA512
bfc88e4896dad5a0beef1ec9d5f76db94b22889cf000b431a90500a1d6122c221d3c7cceebd2b906751552b8ea358a67b4aefc55dc57d1d9be8430b454d3b408

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
94KB

MD5
dff51676d7a31b2769b257757c780e2d

SHA1
59f353fa5631113d45f6d04f05563dec15d3e31b

SHA256
a9df8788540e7f2ba36027e308c13275fae35ad8d098618201ab34c95a9b6e0f

SHA512
76fd2d3ad90baa618a7762ab6d3aec07eb5711140ef7be7b6dca1b8f43a6aea259e17c880cb3c79aff52d329d29ebb9b559613445568dd733be0d2707dc6f0e2

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
94KB

MD5
9fbb0f08fa6e36087c068b45e531db23

SHA1
8bf089370188b390c6785f5fcf89070663bf2d2a

SHA256
da5a04bf104929793e5d5706616fb1ffdb717e9f7003de1e25e2cd9c79a197b4

SHA512
91776c940a4e1cab96af402908aa7be3e6b82838449200412453f95460e7037a3f4ff30e5148de15a8d57b20ebd72ee3f5b85446452d266d0c7843181016c50a

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
94KB

MD5
2969f6e83f1fb3630662ea0c8d989a76

SHA1
7236fdcb89bf442a095e8068e2974f677d0dae25

SHA256
404576cc05f7053f3155fc029b379885562405f6e91c262071f334e0f617a369

SHA512
aea7c0a72f99dff58241885c8c2da23bab165d4ffe25f1d5a8e6d8045901a44c36f26b9f2e63e94a9dda9196c4faa772947a030bc64a0de1479ba0a198fc43c2

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
94KB

MD5
113cad532c2cb45c805602dc52397528

SHA1
11b93261b519614aba84e4f8f2a7ae319c2b03a6

SHA256
d55c0da29cd16a30ffab0e5d796e33ed4da3818d941b731e6c5f3b9ad6cf122e

SHA512
5722c7b44068c9ae904df4365fb2e3d2d7bb1d222cbb5616b7748f8709c13741e1578ce6321ff9cd4f385f450f429e6f21cce67e485598cd8f8f8162aadeae53

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
94KB

MD5
d5f2743a7856e5e863c019caaddd4a76

SHA1
dfb558b7377df3d7f3c59973dee99b05061ee39b

SHA256
c0b767be3cb37bf69c4d6e64bce82ad0544f0c219831c1d0bcc3e198cdda7fa1

SHA512
7b19bde26fbb83a01017747f78ac371e2666ae0023aa8c6e7a1a3a0dc861ba443b10627f6ace9e14993f9d1d66ba3647ee83b5f7fa68767dbef0ef05dc547146

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
94KB

MD5
c0db7d461ae54cfea523282e4a40c47f

SHA1
b72d12f172d40bfa9523b79ee634519f577b86bd

SHA256
9f0b74f6170b67a503d92a5c12ca276553f9caa48a280e6346d49d353e4f81c5

SHA512
9fd8b30e961cab91e6d1f2eacf81f598076771bef771acbfe30da2f724b62502e31db27483fa97afdc40fba75681ec1a28f15d357ca9ee8f11723db79e37186e

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
94KB

MD5
c1115a9f491107be15916d312829b70f

SHA1
f43556dc02b1f21f6d30adaeb22434cd88fbf5cd

SHA256
514f7511d8b7d13ad8c66b125ec00167bcbe9bda4861c93729bb4ba5fdeb5e99

SHA512
32d44a57d9fc6205a8da9f5d10f389833c0a851de357590e22df2e270f3ecea227cf894bd67da8cc61e18a3a2ad7f2f6779c9328f9584d4b8b2980ae3bd92278

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
94KB

MD5
b0d83b9600df5de8ffc48326d71f9a40

SHA1
7793a4fe36b5113a879e3c56f01ec62981c1b156

SHA256
8ff2a60e8448fb3c7183a2f8dc0299fdb8f956cd268ae65944621cf4595647b4

SHA512
8b65c51a65418da23e287305c9f2670626217cfa29f167d8eb0c087931e54e7feefa64ff63c0a5ef685827560a1597b0ed8ed9cd35110af35251a029da942a9b

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
94KB

MD5
a0b21194acacf0c34389cc278ec0ea4f

SHA1
f516d58e76169ee59071f95c7049d0a057ef0a87

SHA256
c5f1664496a3164fb9ef453a3868016d70eecf29f630cf379f8070eaba6ef287

SHA512
4ffd6e3b932a730cae3c326f9a957c5fc0666e5b37cab88785d2201922e011157dc5d06407e530542727a0669086d4ebf4bd467c5d513319e4775ad8ce7db73b

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
94KB

MD5
edcf49eabeb76494ad0916448e465eb0

SHA1
9463f8ef272202cf960ae8fa8e552f6079c17d6f

SHA256
efcb46f66137ced148516ece0267e6834d4873adc230842b3752902da3f9065f

SHA512
c7b7d4b18e4d3fa2ca3763dd63b1be67244e8576d503bcbb9bab24f30a8c32b4a0b2c9933211d23a840fe32abe4104a388b7d84edd94a0ca3fe46e86df7e8e6d

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
94KB

MD5
c1265e90551fa2eb45f1052015424004

SHA1
b3b35ba7e5430eefab1a0c2ad4ac02ed21ef1311

SHA256
066bae5d4dcb5142f4c5a884880ac8b80b80332bf803bff3a167cfaf23f796d6

SHA512
65f625929bc4711c138576547ee986e7ab87368c57d48b0155cb0697396f50a1f50ebdc07909386dcad6597afcbab171608d4f03593651605e83b7d5038fcee7

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
94KB

MD5
42d663a1869116c3b84247cbba2b9443

SHA1
a69975f90c1b3b4cd8f260a4c72efb5893fff439

SHA256
3d303b0089145d1f6ca89d1cf74cd3c8e033689697fe29c4fe7f9d003be8e467

SHA512
6535f3eda19d60a21af2d04cf7a69e45e9e91e86dc5282a9b23b3c97c8cf322a4c021feecc2622f06749190961e8be3dd3b9c991e9e421107efe7857bef85bd1

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
94KB

MD5
b1eb149de420c192fe68d3a332072be1

SHA1
6ccc58a9d12893fc45e2c17eb3f817491805837d

SHA256
491bd3528ef44dca8cff033d20653c5be0ea998b55105eb0f6bb273551425103

SHA512
73b7ab4ff2a6d461b164f626527b2c65602554b141bcc1d7cb8d4d656b2ab6ddb1eca0e0d4f9d9817ac18a9897af02a4bc1d8477c0750286d35526bd1b6ec6dd

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
94KB

MD5
6ff3e85cd51ea71bf57e48910e12ef7b

SHA1
a6eeb63f3a9cc732ebc3bf3a4ff0becc683cd36e

SHA256
8fabafdfcd0463535fb5d95ecdcbd49c38949aaa7b4c216366e9604020ced082

SHA512
0ea9944d9b519fe626f6b294c84fc3d59e55e498821adfb081ec92521b126d76cb193ecb8321748440170b3cb38bd016c8f493b8d58054cd1321d454aa9bd14b

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
94KB

MD5
7133152b37d01874bad0dccbb3f54d16

SHA1
194558da06485ed6214c544f5518a5aeb9249796

SHA256
5ee0c46f6f0ff72dd1fa60ef5a17e66d28294b5f59c1d65872a24a2a06ac9981

SHA512
f1e1026aa23b7c7e5e892d2bb7204da62904023834f9f640708f86cddcfc0af87307b57eeb5dd08fb4fb5b521cc220cf8df27b6c32124cbcee568169b486ca82

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
94KB

MD5
b5f8c44d228a81de1f2dc3651b1a5099

SHA1
709a60da62aec597d039431d7fecf34aab8f8b2e

SHA256
e53bbef480de5578c888158359e235ee0346bf88e9ab48501705af5616b0119c

SHA512
d7f52f8d325a69babe1f92f793f186d7ea4e2046f5c77140628da9863f0fdcf834c10854e217a3fd5bcb1537b64678c44b8425be073d203f711118e43384d7c7

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
94KB

MD5
fa6a407f3f2f30cbbda08d4faf5600b0

SHA1
df7c7ddbbcaaf0f4dcbd7cb18f6ba377529f646a

SHA256
ae22204c1df237bbdfc1ea74104e4445946aa1d39292404471a041f82a84a0b2

SHA512
095bdf046ad27bac35e2246da74a36bbf56d5eeb1bdc130a44dbf573b17173178974e5f41fa3e9cc3aadb9c654c38fe814d55ec67aafd28e014fb659a8b64931

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
94KB

MD5
3ab9c24d8f8cbd5fd2e7cb24c726df22

SHA1
ddfe446eb559ddc76faf8a21473f9395080b1e07

SHA256
9f9b6cc30e70f1c651b38dc6258726f4dfa722bce8c3bea2eade60ee786a7f3d

SHA512
c1bf42f28284249f78281f74e00b2d56ea1237a11cbd1052d8315779ff058c004187970f439152295faa7b6da4982df9d3521653f96695d6ce09c3b6bc424bac

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
94KB

MD5
df6670cd516c5e674fa112d091dc5ac6

SHA1
a28acb374bbc0e2084339b5cb1ef4bf4a503c72f

SHA256
a047dd7a3b14abbb04cc3a21780fe6645b385e772eb3db923cc487da46831498

SHA512
4a2d73e639a438fcca9973ecd45d4787f003699469aac3ab126af1f6c9f0bf6f5ceffd4a9485aa1263bcbcd9bc5a11eb10473211f71feca698f2758579af0b98

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
94KB

MD5
dfa12e41fd94237fa2b73cbbbd9808a9

SHA1
fbece8141ad3a393d8c3c6eff537438101e34d1e

SHA256
ec57794d591ef1fa04322e16f5774147d71e490e9ebaeb5060f39bf95db16d65

SHA512
faf321ce9fe78baea7808b08ec6c6226ef6d7dc307024c9003b16b74b1a2d76cd0a8d152997fb9aa97935029173244ce07c40083a2df580d86cdd7b668e45bd5

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
94KB

MD5
968015a6862c962e544658871b088c0e

SHA1
725e4427ebdc298d494c6876020c97cfebb6253b

SHA256
a7a82063b8a60e28ea176cb8987804576e3bb4e57e6be719359d248e55ce9a10

SHA512
81235bd65eb601a5658a3b196b84efe4e5a74ea55e6ea5b792aba514ffde8de3064941f6734b518a548f552f605009dd94cd3f7ae78c0fa5afd773c079738db9

Download Submit
memory/220-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/220-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/336-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/336-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/412-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/412-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/512-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/512-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/872-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/872-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1120-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1172-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1172-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1172-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1212-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1576-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1576-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2692-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2692-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2876-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2876-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3216-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3216-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3272-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3524-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3524-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3808-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3808-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3868-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3868-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3956-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3956-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4020-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4020-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4220-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4220-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4256-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4256-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4368-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4368-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4716-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4716-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4808-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4808-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4812-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4876-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4876-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads