06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac_NeikiAnalytics.exe
Size

320KB
MD5

eea83e5c6e1743421535310f82d84bd0
SHA1

6d4a50ed22953e881bca67d76aec389ed4267b99
SHA256

06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac
SHA512

82450fa7b7edd1e1105b6a73db8ee0a4369d61b68c277f9ceaaf4d3d8092f7668b2daec4a65237284c443ef2ab345b1d36c9d48b52383ae4c244b249d385e12a
SSDEEP

6144:uBGtZcJOldw6/eKxSlKKZ74ueKxff0qjwszeX9z6/ojwx:wVlr54ujjgj8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe

Executes dropped EXE 59 IoCs

pid	Process
852	Lalcng32.exe
4468	Lcmofolg.exe
1776	Ldmlpbbj.exe
412	Lgkhlnbn.exe
2524	Lnepih32.exe
4368	Lgneampk.exe
2024	Ldaeka32.exe
3668	Lklnhlfb.exe
3984	Laefdf32.exe
3952	Lddbqa32.exe
3236	Mpkbebbf.exe
4676	Mjcgohig.exe
1428	Mnocof32.exe
4968	Mkbchk32.exe
4840	Mjeddggd.exe
1316	Mamleegg.exe
652	Mpolqa32.exe
4656	Mgidml32.exe
3104	Mjhqjg32.exe
4724	Mncmjfmk.exe
4312	Maohkd32.exe
3336	Mpaifalo.exe
2976	Mdmegp32.exe
3328	Mcpebmkb.exe
960	Mkgmcjld.exe
3608	Mjjmog32.exe
4776	Mnfipekh.exe
1716	Maaepd32.exe
2028	Mpdelajl.exe
2608	Mdpalp32.exe
3628	Mcbahlip.exe
3352	Mgnnhk32.exe
1940	Nkjjij32.exe
1020	Njljefql.exe
2372	Nnhfee32.exe
3260	Nacbfdao.exe
1208	Ndbnboqb.exe
2856	Nceonl32.exe
1876	Ngpjnkpf.exe
2376	Nklfoi32.exe
1384	Njogjfoj.exe
2928	Nnjbke32.exe
392	Nafokcol.exe
2168	Nqiogp32.exe
1996	Nddkgonp.exe
4660	Ncgkcl32.exe
1292	Ngcgcjnc.exe
2892	Nkncdifl.exe
1404	Nqklmpdd.exe
5008	Ndghmo32.exe
3400	Ngedij32.exe
1848	Nkqpjidj.exe
4052	Njcpee32.exe
1688	Nnolfdcn.exe
2340	Nbkhfc32.exe
3800	Nqmhbpba.exe
1548	Ndidbn32.exe
4592	Nggqoj32.exe
1988	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3528	1988	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 852	2592	06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac_NeikiAnalytics.exe	81
PID 2592 wrote to memory of 852	2592	06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac_NeikiAnalytics.exe	81
PID 2592 wrote to memory of 852	2592	06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac_NeikiAnalytics.exe	81
PID 852 wrote to memory of 4468	852	Lalcng32.exe	82
PID 852 wrote to memory of 4468	852	Lalcng32.exe	82
PID 852 wrote to memory of 4468	852	Lalcng32.exe	82
PID 4468 wrote to memory of 1776	4468	Lcmofolg.exe	83
PID 4468 wrote to memory of 1776	4468	Lcmofolg.exe	83
PID 4468 wrote to memory of 1776	4468	Lcmofolg.exe	83
PID 1776 wrote to memory of 412	1776	Ldmlpbbj.exe	84
PID 1776 wrote to memory of 412	1776	Ldmlpbbj.exe	84
PID 1776 wrote to memory of 412	1776	Ldmlpbbj.exe	84
PID 412 wrote to memory of 2524	412	Lgkhlnbn.exe	85
PID 412 wrote to memory of 2524	412	Lgkhlnbn.exe	85
PID 412 wrote to memory of 2524	412	Lgkhlnbn.exe	85
PID 2524 wrote to memory of 4368	2524	Lnepih32.exe	86
PID 2524 wrote to memory of 4368	2524	Lnepih32.exe	86
PID 2524 wrote to memory of 4368	2524	Lnepih32.exe	86
PID 4368 wrote to memory of 2024	4368	Lgneampk.exe	87
PID 4368 wrote to memory of 2024	4368	Lgneampk.exe	87
PID 4368 wrote to memory of 2024	4368	Lgneampk.exe	87
PID 2024 wrote to memory of 3668	2024	Ldaeka32.exe	88
PID 2024 wrote to memory of 3668	2024	Ldaeka32.exe	88
PID 2024 wrote to memory of 3668	2024	Ldaeka32.exe	88
PID 3668 wrote to memory of 3984	3668	Lklnhlfb.exe	89
PID 3668 wrote to memory of 3984	3668	Lklnhlfb.exe	89
PID 3668 wrote to memory of 3984	3668	Lklnhlfb.exe	89
PID 3984 wrote to memory of 3952	3984	Laefdf32.exe	90
PID 3984 wrote to memory of 3952	3984	Laefdf32.exe	90
PID 3984 wrote to memory of 3952	3984	Laefdf32.exe	90
PID 3952 wrote to memory of 3236	3952	Lddbqa32.exe	91
PID 3952 wrote to memory of 3236	3952	Lddbqa32.exe	91
PID 3952 wrote to memory of 3236	3952	Lddbqa32.exe	91
PID 3236 wrote to memory of 4676	3236	Mpkbebbf.exe	92
PID 3236 wrote to memory of 4676	3236	Mpkbebbf.exe	92
PID 3236 wrote to memory of 4676	3236	Mpkbebbf.exe	92
PID 4676 wrote to memory of 1428	4676	Mjcgohig.exe	93
PID 4676 wrote to memory of 1428	4676	Mjcgohig.exe	93
PID 4676 wrote to memory of 1428	4676	Mjcgohig.exe	93
PID 1428 wrote to memory of 4968	1428	Mnocof32.exe	94
PID 1428 wrote to memory of 4968	1428	Mnocof32.exe	94
PID 1428 wrote to memory of 4968	1428	Mnocof32.exe	94
PID 4968 wrote to memory of 4840	4968	Mkbchk32.exe	95
PID 4968 wrote to memory of 4840	4968	Mkbchk32.exe	95
PID 4968 wrote to memory of 4840	4968	Mkbchk32.exe	95
PID 4840 wrote to memory of 1316	4840	Mjeddggd.exe	96
PID 4840 wrote to memory of 1316	4840	Mjeddggd.exe	96
PID 4840 wrote to memory of 1316	4840	Mjeddggd.exe	96
PID 1316 wrote to memory of 652	1316	Mamleegg.exe	97
PID 1316 wrote to memory of 652	1316	Mamleegg.exe	97
PID 1316 wrote to memory of 652	1316	Mamleegg.exe	97
PID 652 wrote to memory of 4656	652	Mpolqa32.exe	98
PID 652 wrote to memory of 4656	652	Mpolqa32.exe	98
PID 652 wrote to memory of 4656	652	Mpolqa32.exe	98
PID 4656 wrote to memory of 3104	4656	Mgidml32.exe	99
PID 4656 wrote to memory of 3104	4656	Mgidml32.exe	99
PID 4656 wrote to memory of 3104	4656	Mgidml32.exe	99
PID 3104 wrote to memory of 4724	3104	Mjhqjg32.exe	100
PID 3104 wrote to memory of 4724	3104	Mjhqjg32.exe	100
PID 3104 wrote to memory of 4724	3104	Mjhqjg32.exe	100
PID 4724 wrote to memory of 4312	4724	Mncmjfmk.exe	101
PID 4724 wrote to memory of 4312	4724	Mncmjfmk.exe	101
PID 4724 wrote to memory of 4312	4724	Mncmjfmk.exe	101
PID 4312 wrote to memory of 3336	4312	Maohkd32.exe	102

C:\Users\Admin\AppData\Local\Temp\06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06d942cb9a3eafa265a25cb0867d1bf0a74b84d41bea468fb4bbb0c6dce891ac_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\Lalcng32.exe
  C:\Windows\system32\Lalcng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\Lcmofolg.exe
    C:\Windows\system32\Lcmofolg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\Ldmlpbbj.exe
      C:\Windows\system32\Ldmlpbbj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
      - C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        30⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        60⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 408
        61⤵
        Program crash
        
        PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1988 -ip 1988
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
320KB

MD5
058493f607d9abbfb9034a991d5112cd

SHA1
d9daa8a795d924bc8417cbc1741214397b2c832f

SHA256
812d8ae28213062beb7c3af442859e0a4f22c6f4e0d1e8ee0814ff5efdc26b6c

SHA512
e6222b5b87a76b728847af865b8881862be7649c8e90ef4422ea8c04640e7b03542823cb1270c5e77f6d100af70ab73677fb1c253512c8b226a6d8c5ceb1bd0d

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
320KB

MD5
0dc0e66987657fcd54afd927eb46e5f2

SHA1
7041e3f4f276a2d29b95357d4cece3aaf5c5f4d4

SHA256
19b120734c71074af614eb7e0d05e40d11cdf6f76600a0aeba41211284b218f4

SHA512
ad6bd805ffc72562ce980f365f519d28616808a236331d1c730311e993d806cfe014e38bb34a9e472236dbb44465c13d259c4b06afcce4ee6a05fe9b410f474d

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
320KB

MD5
4784580dccfba8e1014e30c5205c60cc

SHA1
9fe01f9723cbae5cc5b80f0679784343f1d42825

SHA256
2387d52ff54c18d32d40a8f0ddc8be6539ef7398d3ff7255722717f769d3480a

SHA512
ee701fc44375946d53f50c28ac00d252e1389796adc99be3ab251fa1a7b6e5cb773d7e5a503eef858e3afb375253d44140f5146c3bc16cf13f555d22d27feb42

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
320KB

MD5
8f637597d2035a428179a3ee541ae764

SHA1
b6dd33ca461d592674cd4d13884d22e2d4a880c8

SHA256
7d9b0d2d3e892bd4f993f34817d40f08b097dbf9b0df4413e2177dd852174ec3

SHA512
bf55c71c0f3536dfb7373d2c88a0292646e779df4bceda8c66694725dfce00654a153f8aa61350ae1598ff9f92cc6832f93663f25f9a595f667ae6d7fbe9c1d2

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
320KB

MD5
41f4afe678a78974c2824d50fea7b1f3

SHA1
af3fca46ee2ac9bff5ca4a08526436994189ee4b

SHA256
bedb9b76a920ed67c293fd6ffe1d3585334252a99cd6b3cc1242b3e46522143e

SHA512
4bb70c4d5eedfcc93a6ccfd6276f8e4f1f2c328eea25842d31a1a40c2e0952388d416b475b4e43fb1aab9a37001e20157d46f2f4faa424af69e20f8ae51d3f22

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
320KB

MD5
2d8c22b840635b5dd20937c688e03c6c

SHA1
fac7542ee04fee853f10014bf06673830f452b28

SHA256
e3d7d4f2623addd01a704a7233b01def6846a8aba24fb9aebc375ec5b2f4329c

SHA512
e9d20e173b04e04629372120d50c8bef818a4db8f5bdefc7286eb9fd80641d565a03277faa8d720d8bc05c2abad0469554612fadedcfb0aabc7f0cdd228a94f8

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
320KB

MD5
c5623ea399d7af9a6b8c890a2c44ba5b

SHA1
c718682a3cff926c934330b636d56e8ec4ed61aa

SHA256
131cc9aa548d3aa3075da6a89a84b032331615cc17f48dd453ff8e719b60eee7

SHA512
b406940dd76c87839aed921f4ae3e1d0650e3ad7bf5cbf5105b0e5d7d72866132711b35db46fea462828d3591ae8dd1d8e85a2bc2cf6648b0904c5421005da42

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
320KB

MD5
dce4e283112530d36b8e32a3c2b9cdba

SHA1
8e8c4069763b5634be4247da361cc1d85807e3ca

SHA256
42bf10055badc6d3386e83ee029807b3648cd21f5063e4ee039bbfbe2e334fcc

SHA512
1d5c3a028b9495d257bb4c1166f849683a7ac74178314cd6b9791709f60910318eb5dd618e5d98a135c9068d1e2aa433d4755414de84c2dad96d304d47afd0cd

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
320KB

MD5
24d6a77897b2b9a8d4a1996c53497d8b

SHA1
905f04b71aea3c7ef71878effeb5cd01e0d5a185

SHA256
3005e09a2edc605aaa59bf6fecb5a61967ff1e92cbe31772d25712c01e9e438f

SHA512
1c3ebbc0fa6af3f629d0dd90d1f065ad393383556ce89e8c61fec09457ec0a3dd0ba53d935aaef6802b0039bedb9582c1d872d732d4c2c3f5bfccc8c9b1a20e5

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
320KB

MD5
77fdb4e3f450ffc134e13406c010bb51

SHA1
274b42bb5298a8f2066017ec7b8ea392afa545fa

SHA256
6ae166c80e2664d90b657f1e9a3d95374c01023cc1463e637d7eb212f48ddd09

SHA512
1c753f86eb768e729e8cb6fef39300bbff9fd8592e88314905b5301be7b5d08da3caf291e28e610141ca3a79f43e4beafe7ab3e0bc18c3f8386565c5f344f8be

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
320KB

MD5
45bb3f090335c1bfeba5709d6b4a83a0

SHA1
0851fb9a89d98f4afa38a67c3c4a98e546f69dd3

SHA256
586164cda2356b0b5bfa194b4d78facdcf5d09a59ce8dc6c214f069f11c1a1ac

SHA512
6fcbe3ee76e83e1b41d38f655e78c630c39ed1df160d0b6a18583fa5b56a22e01a1f63c1e3515b5d3b973fe0d938aa8b822b386dafe777fe2b220088b4a4aebe

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
320KB

MD5
9e74b120063ef074f79ff6f8bb58bd03

SHA1
a51fd16293229b00dfb923fddd3fa8c7c47bf1f8

SHA256
2c5fed60af1ad39ddc9367c5f59610d5271d0849db40ba2e3b19a3d87691b829

SHA512
019b7abc0ebd8bea04b3173798cafc7fd6e157f8d1060c1473a1cbc244745d2816fe954eb12f1dce54c7804604792887abfae9a5dcb923272f25c4f37c4569e0

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
320KB

MD5
321609f6696831f5062d5713d494fde8

SHA1
ba100a2479545a8f79bd0d88dd6d5357e9da8611

SHA256
e8fdc94fa5c6147aec8bb8437d4cfe35e097424b40df79b5088afe7159841c33

SHA512
def413ecae858783f0652dc3ba2baa5b2f8ff81e1d509850f2837316686c529854031aee71247ec651e378031a446b1e242723f13600e9f1fa4b41fe8b91e9bb

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
320KB

MD5
564cba653457b6adf8e081619efb3186

SHA1
9e7710e73b3866d0d59edfbf21570619262b789e

SHA256
e4435652a21f891e5062f762aede6602eae2544d66b34f851bb40f27a31acf61

SHA512
a59840f0ea89b44359623627b21334886343b22ecd8dbc19f444438b549eae791391b7b2540d12ef7ed3adf277897fa8278b818d70a21506bd67df5701938667

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
320KB

MD5
65047778d56ca02204b6b466e9122413

SHA1
d9de84a0a7ef047f8a8a79669d3fa3d3d2b79077

SHA256
7db497bfbd17b433fc7da9382c9a987f3e6ed7a060bf5fbba9fef279d41ac386

SHA512
5e79a8d84d0ff20395bac2a2334d86e50c83a1e5f291c7d76701f8bea1442e7309b3f952f44a797ab4fd2ee76d7a90ad9cbbb31b17efc227d14ed984499ca148

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
320KB

MD5
6f7280d9f98c283eb82ab82057e24bc4

SHA1
ae8b11998d9917bd3ef919bd75be6cf3e74f621b

SHA256
09f54d225413944799f0e457e8d424d31a71298ac0ae19098a9c12c789bdc0ed

SHA512
24d66daa58f817c05997d3c5504ac16e9a57fefb1f50c6da9a6bc0f485071bee4faebeb96bb0d2fcdcb2a6afc4631e59e03b5502114aa378063b99593cd6e3cb

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
320KB

MD5
0090be9b51fa74e099febb3fca6a5c02

SHA1
ac3c3b5440832bc21fe6b7d177a149f1b7aac038

SHA256
fde3239dff0c87be3710ec2fb89b06822324731bb0062e64677a0786d539a10e

SHA512
ec2002fc8392528ab8a6a8d6c2ca07596ae3e963178c314781e2a4829921f795c446fc59f858ddd6dec3f16f867f877444f18e8e5791827b41be1e69f6a29633

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
320KB

MD5
09ffecef3d6625c49f543649009718f5

SHA1
f07dd80d517d7a157142b7c2df0c46446d973bcc

SHA256
1757f660b2404179474d817b7f5c906e4d83e30a10de38b299a526201390df7e

SHA512
06311600b0c3556bdbbd3e2fcf7dbddfdd4188dee1225e9af89dd0b6c3ff6203e5103c83c3ae34100747480117aabb25d66ddd73f4b46f33be0c5f712765c051

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
320KB

MD5
e08fe4450f65dea05305dcde4668eaf7

SHA1
ec90dc06cf53ce3e7874254ce0fb315eb1f8b038

SHA256
fdd92f9648d17917149f209a89c5c74b7784fc3d5edb2beae87b133f1a180466

SHA512
8d4a8e18fbf9a2e8cdb72658c7a533b90697b94cf4e003774f65219454dbcda0f0754452dcd6754d965e99023d7be382fbceb1fe97c036496165fd0b773c06f7

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
320KB

MD5
82e3d541e8aa9a5308e4b5d5397492ea

SHA1
506ef5f59bb5cd0b2e271e93fe0e85eb576ab217

SHA256
7af3a92c32a6c0a3a5524d209e541ce9a1345117b7d44a8a58de31cbb58a5c56

SHA512
9cabb267ebf733b6acac5bf261f5e80c49ad1506430901bef10c75738280935740f7a42b9bb5850988a1ee154aad44943105f5d720e4f14e69c8ceec7cf96991

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
320KB

MD5
29e056b8047d718edae0c78eabb496bb

SHA1
f4efc38bfe7a121b5562b5bf0bb23ff92ced6f3c

SHA256
96925ddcbd2d972f0ae7b21f4e0309ff5598f44be8822fe7a198d764775e270c

SHA512
c61d7517bd1b7072664b0dba4310a3545ea6aded0948bc5f83aa6ea1b986baaa060cc603c6bc5a0339992971d5fb88921f7433907effd674b25775daeb055c64

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
320KB

MD5
311b4b14392221e49feab8bcfb7566d1

SHA1
79057db4c5781f2e1bfb74914e85a29d9b2526a5

SHA256
9a52b7e0206c4270f7000e9f91f0d35bedb78f5ad4b188a153378798df3d53fc

SHA512
f1bce36851e1478d9d87568d31e96c981d4e789e40bb66d5f4872871c6d38d9543a6c18c92331ca5a31185f9fcb240d5b12b9e0ee83ac94f7e97840e2e904d3f

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
320KB

MD5
c766aa7b9455251927430ad38a4ebad5

SHA1
70d6a472e11ac2a13a6fe3ea533ef80982b280af

SHA256
a9b62df2fe89b36351719f23092da814638b3045af11e1d529660ba5ce582708

SHA512
8a2961a522382675c119f98fbbb69dd40e74bcfcfd7849483766b7f570d9b929ed2b06188b53387f8673477b06d7e95c594211dc56ca8557515e4fd2e2fe5edf

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
320KB

MD5
e8cc77f09c008520fba6b1f874422dd6

SHA1
8260123bfe679bb4451c886e2af362c81c62763f

SHA256
d5f4e5f75bfc655d04e42c753770f7e2795a186d813b427cfd46d7166bb2cc04

SHA512
c316fa565dfa92b358148f170964e0e4d0971669c7d3c301934f71496b1e422572e95a1a4ae11613f619a7cdcbbc39e278829145097263916962961d441b4693

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
320KB

MD5
945ebcc0371d776c9eb80ccfdbfa49be

SHA1
2ceedced7921687a50816f2220a25e23285d7ea9

SHA256
b36f043d7f16bcf09f4521c63c59a86ef7bfa748b8339426c23f9cca86e5f37a

SHA512
73c1c20174ea31f3533ad2a5af8ace56cf9a4e3d843060c87d8fde63df296266778180c82a11d9bc2c8bc48d39e79ab012f3102d0b8bb3ee3474cdb24c89b127

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
320KB

MD5
0dfa8c01ebe8eb1256800fb6133182a4

SHA1
47b55cee0a5b92f74dcf378af25892fdc7b3c19d

SHA256
3c87b0a3825bb982c83d8d412897cda3b211c8e068ac785261c3c61375d6ab85

SHA512
deefa261135d2658e4735520274caff90f5b385f58cb50a9d0db8627d218a50e00e2a45b6a7efa8a5a556a2d9f1e4e75b43da13747f0eb633e73d1337f1a2b87

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
320KB

MD5
9e3c9500fde547ea5f82bef7ebf1f8ce

SHA1
2e759846704a0dc30dc82d1cda2591cf9d63c831

SHA256
de9f21059bd255521ff34c41148d5d0eee7200019c869047d0bd06099a95641e

SHA512
e60a005120bb424f1e5ed3828669f402b9fc5e68fbb8bab9616be249fd7de8d0f9cc6202dbe1ca4b78db67066b2b38a3e80ac42e5c81e23055805ef0bfa8aad0

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
320KB

MD5
4347ee3059d1973d6097fe76ae62ef92

SHA1
278dde23ba97473449ceca53e33256951d9dfc5e

SHA256
efb0ebd87f26d8fe6bac88e86e43f3b4c2c1a9ff744dce25b1c6a7e8e8313213

SHA512
0387b410b5f9e50f4e75dfa42265dfd3fa6fd9b8d2a0c4db2071eb0f485ac63cc18839b513d0fa6bf8f0f8e23dc69c2175d6bc83b03768830dbd503b24bbe772

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
320KB

MD5
5fed92a99307db4acbed93c350bd7711

SHA1
baff9fec1804d62ee3cc800be216f739aaf3541a

SHA256
7ea1e30aedab9ff2ec5f9ab1f51b7ed39b02caf84af6d4b6828c625fd7e44053

SHA512
0e8d13fb70ba7875e764b522efc4d906b61353e35b0587b6e3d071dad1a60f1f77d31b8a7a00d0230b1958315dbc3fcb03dd7a547bf96ace9d747e76ec201328

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
320KB

MD5
c6838b06e88ac8142bb03c750f0a8d50

SHA1
d42fcb21efc641ebe2b42c815466ded67c7212cb

SHA256
8e4ff2bc6f8b869abd6962c167ca35c6f79e446c57802f5b2673d181155e194b

SHA512
e51450246730bbeb9da40f0cfe2f983d17513976d1542f13d268de0b73d112dfccc3c413d6b126d5116d385383d909b8aa55eb6ab0e876fb60414999b9e7a857

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
320KB

MD5
e90464ff26340585e11490fcaa5d732e

SHA1
106fdb056e423779ab5473da3bd5efba42db9c86

SHA256
00beb60923583f049b8f8ca617158d31a44f800a34ed5a6c02410527279ede57

SHA512
2a476e5673b1dc82479aea1f300999b2fa5f5a01f2227dfff08e658837230f5427abbb51bdb9984c0df0d59b9c63c32f4d7f79baf5a7f43caa4a73c2af1f37b3

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
320KB

MD5
3df8effd658561b3d797254f90b28a28

SHA1
e412e568624e9cf9afc2ff041d070e904dc29b32

SHA256
d9c139e1da05679b4636150a3e13755ea7b99ca00e282238337547cec81db5ad

SHA512
0eee3fb3b260355f359023a7d834489fc9be7bb14b99db7129af7977f44176ce26e27745ce9193704a65ee84e63f44dc3f8da31372bcef2ec304588b9e19c860

Download Submit
memory/392-398-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/392-434-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/412-37-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/652-377-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/652-486-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/852-13-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/960-470-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/960-385-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1020-452-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1020-393-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1208-446-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1208-395-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1292-426-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1316-133-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1316-488-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1384-438-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1384-397-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1404-422-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1428-494-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1428-105-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1548-407-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1716-464-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1716-388-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1776-24-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1848-416-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1848-399-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1876-442-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1940-392-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1940-454-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1988-401-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1988-404-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1996-430-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2024-506-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2024-57-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2028-389-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2028-462-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2168-432-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2340-411-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2372-450-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2376-440-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2524-41-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2592-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2592-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2608-460-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2608-390-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2856-444-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2856-396-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2892-424-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2928-436-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2976-474-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2976-383-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3104-482-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3104-379-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3236-498-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3236-89-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3260-394-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3260-448-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3328-384-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3328-472-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3336-476-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3336-382-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3352-391-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3352-456-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3400-418-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3608-386-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3608-468-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3628-458-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3668-69-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3668-504-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3800-409-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3952-500-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3952-81-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3984-77-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3984-502-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4052-400-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4052-414-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4312-478-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4312-381-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4368-48-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4368-508-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4468-17-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4592-405-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4656-484-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4656-378-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4660-428-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4676-97-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4676-496-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4724-480-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4724-380-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4776-466-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4776-387-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4840-132-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4840-490-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4968-118-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4968-492-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5008-420-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads