3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
Size

896KB
MD5

5748cb5d073e2c3cedd0a94c08cde610
SHA1

a59e8d8313f1b9cfb13f5315df9df49481191909
SHA256

3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46
SHA512

c1b142a7287899c327a8d1d4d1c992dff73c2c72772fb17b5a1b4510625138cd214a091dfd18fc7b37418c1e4a2a223dd7e97cdbcaabef3c64d895a0d15cb0ef
SSDEEP

12288:xxbx5ByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:N6vr4B9f01ZmQvrUENOVvr1

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe

Executes dropped EXE 47 IoCs

pid	Process
4572	Lpcmec32.exe
468	Lkiqbl32.exe
1280	Lnhmng32.exe
1368	Lpfijcfl.exe
4336	Lcdegnep.exe
4416	Lklnhlfb.exe
4748	Lgbnmm32.exe
2264	Mpkbebbf.exe
4152	Mciobn32.exe
3548	Mgekbljc.exe
4972	Mnocof32.exe
2040	Mpmokb32.exe
1984	Mcklgm32.exe
1904	Mkbchk32.exe
4228	Mjeddggd.exe
2160	Mamleegg.exe
3592	Mdkhapfj.exe
1708	Mgidml32.exe
3196	Mkepnjng.exe
4652	Mncmjfmk.exe
4820	Maohkd32.exe
3812	Mdmegp32.exe
4468	Mglack32.exe
3276	Mjjmog32.exe
3676	Mnfipekh.exe
880	Mpdelajl.exe
4232	Mcbahlip.exe
3696	Nkjjij32.exe
1580	Njljefql.exe
948	Nacbfdao.exe
2384	Ndbnboqb.exe
4004	Ngpjnkpf.exe
3952	Nklfoi32.exe
3280	Nnjbke32.exe
2756	Nafokcol.exe
2792	Nddkgonp.exe
2528	Ngcgcjnc.exe
2428	Njacpf32.exe
1692	Nnmopdep.exe
2876	Nqklmpdd.exe
2500	Ncihikcg.exe
4000	Ngedij32.exe
1428	Njcpee32.exe
4372	Nbkhfc32.exe
3736	Ndidbn32.exe
4344	Ncldnkae.exe
4332	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe

Program crash 1 IoCs

pid	pid_target	Process
3124	4332	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 4572	1720	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe	81
PID 1720 wrote to memory of 4572	1720	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe	81
PID 1720 wrote to memory of 4572	1720	3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe	81
PID 4572 wrote to memory of 468	4572	Lpcmec32.exe	82
PID 4572 wrote to memory of 468	4572	Lpcmec32.exe	82
PID 4572 wrote to memory of 468	4572	Lpcmec32.exe	82
PID 468 wrote to memory of 1280	468	Lkiqbl32.exe	83
PID 468 wrote to memory of 1280	468	Lkiqbl32.exe	83
PID 468 wrote to memory of 1280	468	Lkiqbl32.exe	83
PID 1280 wrote to memory of 1368	1280	Lnhmng32.exe	84
PID 1280 wrote to memory of 1368	1280	Lnhmng32.exe	84
PID 1280 wrote to memory of 1368	1280	Lnhmng32.exe	84
PID 1368 wrote to memory of 4336	1368	Lpfijcfl.exe	85
PID 1368 wrote to memory of 4336	1368	Lpfijcfl.exe	85
PID 1368 wrote to memory of 4336	1368	Lpfijcfl.exe	85
PID 4336 wrote to memory of 4416	4336	Lcdegnep.exe	86
PID 4336 wrote to memory of 4416	4336	Lcdegnep.exe	86
PID 4336 wrote to memory of 4416	4336	Lcdegnep.exe	86
PID 4416 wrote to memory of 4748	4416	Lklnhlfb.exe	87
PID 4416 wrote to memory of 4748	4416	Lklnhlfb.exe	87
PID 4416 wrote to memory of 4748	4416	Lklnhlfb.exe	87
PID 4748 wrote to memory of 2264	4748	Lgbnmm32.exe	88
PID 4748 wrote to memory of 2264	4748	Lgbnmm32.exe	88
PID 4748 wrote to memory of 2264	4748	Lgbnmm32.exe	88
PID 2264 wrote to memory of 4152	2264	Mpkbebbf.exe	89
PID 2264 wrote to memory of 4152	2264	Mpkbebbf.exe	89
PID 2264 wrote to memory of 4152	2264	Mpkbebbf.exe	89
PID 4152 wrote to memory of 3548	4152	Mciobn32.exe	90
PID 4152 wrote to memory of 3548	4152	Mciobn32.exe	90
PID 4152 wrote to memory of 3548	4152	Mciobn32.exe	90
PID 3548 wrote to memory of 4972	3548	Mgekbljc.exe	91
PID 3548 wrote to memory of 4972	3548	Mgekbljc.exe	91
PID 3548 wrote to memory of 4972	3548	Mgekbljc.exe	91
PID 4972 wrote to memory of 2040	4972	Mnocof32.exe	92
PID 4972 wrote to memory of 2040	4972	Mnocof32.exe	92
PID 4972 wrote to memory of 2040	4972	Mnocof32.exe	92
PID 2040 wrote to memory of 1984	2040	Mpmokb32.exe	93
PID 2040 wrote to memory of 1984	2040	Mpmokb32.exe	93
PID 2040 wrote to memory of 1984	2040	Mpmokb32.exe	93
PID 1984 wrote to memory of 1904	1984	Mcklgm32.exe	94
PID 1984 wrote to memory of 1904	1984	Mcklgm32.exe	94
PID 1984 wrote to memory of 1904	1984	Mcklgm32.exe	94
PID 1904 wrote to memory of 4228	1904	Mkbchk32.exe	95
PID 1904 wrote to memory of 4228	1904	Mkbchk32.exe	95
PID 1904 wrote to memory of 4228	1904	Mkbchk32.exe	95
PID 4228 wrote to memory of 2160	4228	Mjeddggd.exe	96
PID 4228 wrote to memory of 2160	4228	Mjeddggd.exe	96
PID 4228 wrote to memory of 2160	4228	Mjeddggd.exe	96
PID 2160 wrote to memory of 3592	2160	Mamleegg.exe	97
PID 2160 wrote to memory of 3592	2160	Mamleegg.exe	97
PID 2160 wrote to memory of 3592	2160	Mamleegg.exe	97
PID 3592 wrote to memory of 1708	3592	Mdkhapfj.exe	98
PID 3592 wrote to memory of 1708	3592	Mdkhapfj.exe	98
PID 3592 wrote to memory of 1708	3592	Mdkhapfj.exe	98
PID 1708 wrote to memory of 3196	1708	Mgidml32.exe	99
PID 1708 wrote to memory of 3196	1708	Mgidml32.exe	99
PID 1708 wrote to memory of 3196	1708	Mgidml32.exe	99
PID 3196 wrote to memory of 4652	3196	Mkepnjng.exe	100
PID 3196 wrote to memory of 4652	3196	Mkepnjng.exe	100
PID 3196 wrote to memory of 4652	3196	Mkepnjng.exe	100
PID 4652 wrote to memory of 4820	4652	Mncmjfmk.exe	101
PID 4652 wrote to memory of 4820	4652	Mncmjfmk.exe	101
PID 4652 wrote to memory of 4820	4652	Mncmjfmk.exe	101
PID 4820 wrote to memory of 3812	4820	Maohkd32.exe	102

C:\Users\Admin\AppData\Local\Temp\3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f03aa823cfa5335aeed54e6008610376a799c59874c6a0ecb34481a3d2bed46_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\Lpcmec32.exe
  C:\Windows\system32\Lpcmec32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\Lkiqbl32.exe
    C:\Windows\system32\Lkiqbl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\Lnhmng32.exe
      C:\Windows\system32\Lnhmng32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        48⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 412
        49⤵
        Program crash
        
        PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4332 -ip 4332
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eeandl32.dll

Filesize
7KB

MD5
49c3c2810c8a8d34b25ca5ffab3b83ac

SHA1
8f5f4b5677194a9c258884cd27ed2b1920229dba

SHA256
49d778451f8e7cd8bc77e3857ed7f6815ade2da096a08a3da0ccb933a2c5d817

SHA512
63677a4278d609d14b4db924fc54d7be9e30e8feecfafc12863ecb4f758b65c2034e096ee9802b33815f7d7b12a1cd5c11ba409500bacb1223b454f3c882a04e

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
896KB

MD5
b55d36241174c7966da0a8ac5b996618

SHA1
7855eaa009b4768b183b24d31271619df267053c

SHA256
576fb536ea56ca93fc37d875550a8b95918595cb571aa99c95adf75dc5c564e2

SHA512
558d6f70a606595e7d9cde40523032b1c0ba2165e1cfddbf5c689daba30f718ab7cc0e596658a05e59bce4624cb2a9f9b0e3a4c3ccc79f1a7f2e0c9bd63ae218

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
896KB

MD5
a079494a53064747d9254e3ed608cf7a

SHA1
23fc499c3bb453cad304903d1659129134bf5fb8

SHA256
d385a0066d7e5c4ce9b78b27611beb2da30eca3b9c2dd8a2102aada88cbb051b

SHA512
7a96ab7e51cb9216e4c8322528f32489b353821c56ec7ec652565086c1a472a14e35e1f2dff0e4a6f88c4d35ad74c9dc0a701dccb7b0084951f6859d48cd6ffd

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
896KB

MD5
c70fb5bcfd5fb9fac9d01472b63f5671

SHA1
51405e209b68259de2666e752d6dabe2bb2f7972

SHA256
d46a73089a0b404d1717b80db95789936dc5bd880d5133419b552693fb0386d6

SHA512
41e6d1e684215da6f55ef2214d10538dd52e39f727f3b94d350846d4d3f77a9f2553e9b14e67812d6ac462c274797038fa80e59c9b54ad164cefc4885dbe7138

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
896KB

MD5
04d1b537b1f6a96347a68e4093385dc3

SHA1
793213167416e1c89d2bbff465af8c42b5c7a874

SHA256
c926f822ab25330fa2f8dca0d971f16b7483ab1d28f30331c4d75fafd9ccf293

SHA512
219db6c7e79260d0bdb0cf7c8e0b2fbe8815dc62a4660d2a08603b1c55fdd296a8ad024df4e1221b4be44fde410495ac069b75bdf0bc719180e11122e070b9c2

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
896KB

MD5
804f4fb75b42f2d8d326adda9951d12c

SHA1
e2aa7bf9472d6fb5cabf46c82c4481791fef4250

SHA256
584675dc9027ca5428a5c6a0114a86268fc5edd1749ecb4dc70949444a330a1e

SHA512
8adb490de58bd156dddc1fd9c339a5a13281cc4a1d6dd3018594d5b3d192f9d3536b942bfd19e99f2dd5e2ca20989910cae7d2463cbd34cc47aa595e128c37e4

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
896KB

MD5
85966a59defdfb0616ec434ae2d5c29f

SHA1
cc0c6f52bc61caec982c1c9727d4237f705e021e

SHA256
415dadf6e07a4c5c55ae506b9a04df09607605c0dbe9ea5faeaa6c237b2c66c9

SHA512
7a1e56e1a29372890c4dbe46c7c62f2fb7821ddb7ebac4d0473a96e940e2362354be59b30998a216320f935aab099d5e98b7fb090227be8bbe49c34a88a1db30

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
896KB

MD5
cde20c7ff8d0fb52f8fc5789ec6eec01

SHA1
e35f9c1fad065930e10e9269c62262458e180d04

SHA256
0ddc8aa749484c6a07d8591b76528ea1ade5d1968707b9817bedade85e708923

SHA512
19f04dc8253046d0cd711512083b916b7b67fc3fa44672af00d4ce2b55a8fa5d0f015f150c6698ee1300ab156798977dbff3733ca049f5b7e5d7eef01f0eafec

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
896KB

MD5
34a45ab2ebfdc95394b80ec62ea68b03

SHA1
1832529ba4691430090188506ce065b0b07deca0

SHA256
ffdc0b337e972e8eaf9d8bc8d5f16bc3ecc1ba702f52a48f002f2e4768d9b71b

SHA512
b4e8145979bfb426d2a3ca9258993a5bb4efd1ca26b46437f0c879625cd8f3b02a95883c8f4360f2f5860d8b88cedfcbfae6979b5279d3262a42ff355857b3f8

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
896KB

MD5
b507e91cabf64e72a7fa4897db9b07d4

SHA1
82a37a2a09571d82f372d791b1f15843f1524d40

SHA256
802514a475e6f8f493109fc92fb07161f7eebe1cb430d05a46519dca1f187be4

SHA512
44120569312f10136bd6b6a93933395bb7e0a592c4fd6ec343e71ebfd9b0f7499e409f0a457e2dc2246be818e43612ff4646a766fbeff350ac64063e14853f38

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
896KB

MD5
bc2eada5185c81e4003942e3ba933f25

SHA1
a8c9508d62fdf76f2c878abea509468065ab50bf

SHA256
50339c70e62c448b6ea9ee8f90bebb412d25574585fa03d77f27460c9a475891

SHA512
42c149293c59bfaa0dba4f60743baa3f7cbc4979c60ddcc3640da8a0bb44d0d41fde11a858593ce8632b6d1009d02d945f3954f0f08eed1366c5f03406cdc434

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
896KB

MD5
d6e03d35d5da699e9630bbeebe8c613b

SHA1
0961f1b7eba453ca6d63f057b6b189dff9d65253

SHA256
9706cd7fc0474ebed89b8b13dd6e98c36fd91d46bc70e07a7429a35e0b6bf7a5

SHA512
cfe3b174fe3a47ce5a962c78fb50337442a4f1780e8fbdaa9c3778f7c8f3988e048f7a45ba74f4a577ba1ab5307fd2fe8c72b1f37e6e14300fd1f019cce2f7b2

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
896KB

MD5
455f3a45fba7ee62f9067111d371d5a9

SHA1
f8abedc2f432fde649d4fa9bc9f912c5d5be1609

SHA256
c528c941a13fd442b6f31f2980ef13c7d65e96e5960c5b8146ac1bc0b017f0a2

SHA512
59caeff8e3b81dfea7a4d5f60c6bc36e5f5967410a354656b93423333a30408e7dafcb46bcdcbab808c819b3498354152021013b2882b9c0ffcf6ef9339d135a

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
896KB

MD5
c1c70d1b874be3d8847f61023acba319

SHA1
a60a9d71ec0ca7fe70581ea1c62816c2e811bb21

SHA256
e83378dd197cca6aa08dc2d0707933f6ae9f6d919580762fa7dbcde6f1681506

SHA512
7c88221567b69997b75b292fe0aed3ac5708933001a904e656b058dcc37202db30a3986e92e69e61550225f07159470d94a12f219460e45ed85a179ec2f880fc

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
896KB

MD5
7e7de3f9d3765e1ccc37f3ba577f64c3

SHA1
8f83519be99e9c3f9c45b3e5d74272d854b73f8e

SHA256
728ee87a19c18900c329b0b12bf645d1917a9da826fe0e1ee911452f64220c9e

SHA512
96d972c9577f1e8474e64fb0106fa372932e62dc01daf57c58d5c994384e3af032d553c41b92c054890aaf4f653be1abb1f17fe40f28110a17909eaa185581e8

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
896KB

MD5
4ab9a60b738524d553833924efd986b0

SHA1
d85126025fa7c45b17463434aa605768ed2acb67

SHA256
3c465b6733ccca5c509b48a439f46ac9b600569ab31494cb202440839d480f13

SHA512
cc73813c9a4df52321d47e9dde8734881085e9754f05ac2ec6ab7c936dcbed89b10c7018217cec64e6b65210e2b115ca2a9addf70caff2753425b1ab6397cbb5

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
896KB

MD5
cf871a619a38d348356e521b2e2c0a65

SHA1
f2db7563cb28001114d631ad52f66dc3591ccba5

SHA256
fb71d8d8662e3702539f90d7ccb152c0ae108def6a936c0a7051ec2f9efd6f9a

SHA512
647b8283d8ed6018077b2862a228e0f91b47aed3104eb2857c1fdb08c6ae3d087e8951ed4bff23801a40eb4095c5d424bc30ac140980895eb6ece0832e30f7a1

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
896KB

MD5
dac9d62d5a1ee61e1d9d39489f90dcd4

SHA1
5c206ad9ede1312e569feae7039b05f927f3e301

SHA256
893c99e65041d305cca2dfd1b84a36379c60afb4ceb13ab13b4be15692b944d8

SHA512
09d7d8b7a9ef787f5f105ae3d67ad177ed78265de0d95f68bafe03f79c6689cece085364c530ffd43339dfc44b73df804d2a4406a8b43c7ef0e710b010f99cfb

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
896KB

MD5
91b7e93f0992423208db00a1d214c6a0

SHA1
14cfb1bfe52e9f8be573202fb390264b0cbead2b

SHA256
08278e787b3e3d728fc8cf22cfd2fe0186c527b090ae6dfadf0b4ea7e67fa501

SHA512
780f62620546d0a7b71031be4f7a86dc44483408daeb93766f6399d6e97d2ce89625e54515131643bb0999bc98e877cb6b87bb665410390d06755c4714a21d00

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
896KB

MD5
f73db373eefb0c2a83c9a25032c4e891

SHA1
251ffdab290a7443a5cff9529550487dedc3fcec

SHA256
ef2d6d107f30d4923e3acf51d0f7cfaeeeb188845bc4b7787e9eaa7427b97d89

SHA512
10babdb7baabcc925d42f285e498cc2d3a4370bcf57432b85ebd9bbb5831720945f22e35802dfb43448a6e874b3d4626fb00095099b18d904dfb4706896416b6

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
896KB

MD5
2b5655e553c81c0061d350bae0879204

SHA1
036ddd37cbf9d075d057b475a81127bfd67e9b5e

SHA256
fc9a18dd418bb41fb62b123f33a2424af98906cf79856c1e12c3076f77095bb8

SHA512
7f77b1fb74e886e621f08a615d2d216a2e69de5cb21fce000538567fde4125211f137291554780e400495ae5e6edc5371b4a0bee4d226109bafdbbc2a9ec5a3b

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
896KB

MD5
5cc45135dbe62556b4386938a3d09767

SHA1
3466ef6ed559f00989fef3e8ea07a722ba670f73

SHA256
354a883142eae70b14d2a086645ba76c3058fec92f5cb2dca3cd3914dff26fef

SHA512
4e7e85b48fb6c6144aa4235bacab09cfaebc86dd622db8e73b31c5e8663cf900adfb7846ff5ceb6a6bfeb55114652d1e13e38b20641dcd30ae438da9de234ddf

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
896KB

MD5
91f5c8b9af56bdb0c96339d1bdfab04a

SHA1
391e240c6f4ad59386f356b900ac619f39267d86

SHA256
ca0e9c4a1c815eaef7ef4483e7b46ec784c3e98ea7c726f219f0cc3c90ad1b0c

SHA512
f54704a74b84a3a11fb2c0dd09d62dd77fccd4cdcf14a33a2de6c9f33146da109da07128f2f399dabecdedad42ba7ce43636e745b1abcb5530edc8fea974a722

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
896KB

MD5
b8640fedeb3dc714482469e2db54a0be

SHA1
e5f8184d9dbe3d0b4af06ef45acd0fdb63ca5eb1

SHA256
ad92f4c8d9bf990ec161cbe14145a7483ec38eb22dc9d902620b720f5759dd8f

SHA512
7c0d4bcce0af1f1161b408c41f2553a88b0d33f579af3f9ba622ce8d903ba67b21338166fefa690e97b6e1403a70ebf299535d01aa34f4ea38d3ad1f831505fb

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
896KB

MD5
6ffacb997513bba1e11bf70427c94481

SHA1
7ccd3476bef97f07bac4439e04a5012e0b371a8d

SHA256
a47ad70192d7753f98529a084cd5db71f4976d2f04ee9bcf9a144d575a33b946

SHA512
19ba58ca82fdb86100afdc6c505b35986b9a4618df31f36c6c2b61535f80cfafee980c189f3c8b64ea162bc2cb3d3d4add5e39ccd6bad456b09b7d5e23250272

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
896KB

MD5
47ba19d1139626012751309591039c1d

SHA1
1fa3811506efad752f69706f6918215f95cefc8b

SHA256
4db4db803e011e1f5cee2e0e876c87374c3e5f95a2f8b5716fde70f5b48062f2

SHA512
88451a8eb478e0a0441abed4770add8942a2091dd4809aa254e657c4700f51b993e440c87be2986d452f061eebb283754190694e6abe37bacd5d12c430d563ed

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
896KB

MD5
2f98d8979bd4b9ce323e9f3c86a305a8

SHA1
da8f8f93cfefc4bd447616db5252d86123932573

SHA256
73df0c9515b7c3e066a3ac8b222cfc3aed25685f847e61a1f2f5211c8534b571

SHA512
8a87abe21ff76513b948c92b24b38bb7dcf7e05712dd7f719149a1bf3e1c9f654f41a76839798e0cf2513a3221a1cbbcbe93f2b32a813064174f0c007589da3a

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
896KB

MD5
914b2943a94735b520bd962150a59aef

SHA1
a9843253a1e8e0716c45f725f8f19f5bca7182a3

SHA256
479f4ae4cc99ed99fbbfff66ce8a49f61134ad33d468f93f497d75e6d027829c

SHA512
3a3727102482776fd565575b9098347abc058d5e09b3b91d9426c5ab3b1e41a26952910693a8a62898ce28c26cee2c35bf58f7bf232afb7aa12236a875d93010

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
896KB

MD5
c068f704c2c0514e412acc51458de125

SHA1
14c97c944ad19c5f492ef68e084efa26b878f987

SHA256
bfd7ffacd5c21436e09b805295cd047c3df39ce95703214f20f116ea893ffb44

SHA512
390a8f65f4a4fda0319134a7f3320360219f696a212285f047f9d0bf6819440da3e45808f4abef6cdd6670173c06c2ac38bb4ecd723c7290d1864efd59b3d8f4

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
896KB

MD5
8ee96cf55a5122701e5a727448d0a8d5

SHA1
bc9518ceae5740456721ccd66a2ce49bfa6a7eb6

SHA256
b42e66469661aaca60b57749746971fbdb1f6b47a7608b16c447ec0369126288

SHA512
7bf0f5fb5dde7257a545fb3b15834b02db56dfd02550c05a373ac3cf81ce077a9a0f516270a5c5e777443602800661b0887ef1fe49f94dc81bf5708322eefd46

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
896KB

MD5
5273acd703b4ac59d5c416d45d104929

SHA1
48c64c9aca85a39656eaec56f8dfa5ea6512bef1

SHA256
ce5ea9032caa70dffb97328e088b3efb8a9ef70f2ce34bdeec500f85a8c1f9e0

SHA512
15d9feffa46a99396340c865899b4dd259cfaecd440733db10a866544a26ad8c33bde26987984ab86b345cd2fb39a57de45b74eb18bb07a46bbccb202bab3b5f

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
896KB

MD5
a66214843dadc9524f87b59324fed796

SHA1
013cfec08ce52b4a7c1e68d3a72c244a3d7a72be

SHA256
75dcbcee1dca4e3d788bddbf2b81be16b0b057143d0874ea6f4b3d12b25dba20

SHA512
1b4571ebaeb8de70b68b24e5bfa42b840ac428c54abca908fa0ece89ef885583c42c2e7699bcce20fbe13989a86e1fd2b96f634dd60dfbbd87a9a59cf6e084df

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
896KB

MD5
ae60dc0da68a1427b27f2f7912f8d0b3

SHA1
2b314d68ee757515ecdcde8a44ef5084bf7d4758

SHA256
b5280c755a1989fbbd6f2405b09983134d03a802403184dcc1087744b8d9fded

SHA512
5a714fcd209df99752640e444108b49d4c2a798eee0a88be65069afefb70580a3eeef60400061b75391e6c475c9d9fbb8a36973b54724907b3b7cadfcb367c98

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
896KB

MD5
43ee1d123a149a39569660b0e834f606

SHA1
350805260cd2d3903b4a4606587fa620054f1a3e

SHA256
0f30ae9d7615b648be7e69e9f3cc5cc925b04b8e7a02fa2fb46cc47a3aae7300

SHA512
b1366fded3d797509e709778d7ab0e9f67b4e6b3363cd5abbb7755b3cf1b953b56aec39e4e2c8f2629c30db9b6cc4507e40e119aa4408ac2b89c31016d4256e9

Download Submit
memory/468-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads