6c61d5279ed6b11fc9a2b36fdd880af9721900a81634d3f9c4268046588c11cb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b0f1952151419923def544902b9374b0_NeikiAnalytics.exe
Size

664KB
MD5

b0f1952151419923def544902b9374b0
SHA1

3ba99ca66ca9b7e8bda3f331724b7eb789e61099
SHA256

6c61d5279ed6b11fc9a2b36fdd880af9721900a81634d3f9c4268046588c11cb
SHA512

e667942214951c44dc7caefbbec9f23288444756cc54fd836e98e03ad2ea0aeb004550e54c881886d5fd0273119c7c2ea280827a26baa5bb12cc24a2b03dce06
SSDEEP

12288:YptfmM0pV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYx:EtfiW4XWleKWNUir2MhNl6zX3w9As/xi

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b0f1952151419923def544902b9374b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b0f1952151419923def544902b9374b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000800000002328e-6.dat	family_berbew
behavioral2/files/0x0007000000023429-14.dat	family_berbew
behavioral2/files/0x000700000002342f-38.dat	family_berbew
behavioral2/files/0x0007000000023431-46.dat	family_berbew
behavioral2/files/0x0007000000023439-74.dat	family_berbew
behavioral2/files/0x000700000002343b-81.dat	family_berbew
behavioral2/files/0x0007000000023445-116.dat	family_berbew
behavioral2/files/0x000700000002344b-137.dat	family_berbew
behavioral2/files/0x000700000002345d-200.dat	family_berbew
behavioral2/files/0x0007000000023465-228.dat	family_berbew
behavioral2/files/0x0007000000023463-221.dat	family_berbew
behavioral2/files/0x0007000000023461-214.dat	family_berbew
behavioral2/files/0x000700000002345f-207.dat	family_berbew
behavioral2/files/0x000700000002345b-193.dat	family_berbew
behavioral2/files/0x0007000000023459-186.dat	family_berbew
behavioral2/files/0x0007000000023457-179.dat	family_berbew
behavioral2/files/0x0007000000023455-172.dat	family_berbew
behavioral2/files/0x0007000000023453-165.dat	family_berbew
behavioral2/files/0x0007000000023451-158.dat	family_berbew
behavioral2/files/0x000700000002344f-151.dat	family_berbew
behavioral2/files/0x000700000002344d-144.dat	family_berbew
behavioral2/files/0x0007000000023449-130.dat	family_berbew
behavioral2/files/0x0007000000023447-123.dat	family_berbew
behavioral2/files/0x0007000000023443-109.dat	family_berbew
behavioral2/files/0x0007000000023441-102.dat	family_berbew
behavioral2/files/0x000700000002343f-95.dat	family_berbew
behavioral2/files/0x000700000002343d-88.dat	family_berbew
behavioral2/files/0x0007000000023437-67.dat	family_berbew
behavioral2/files/0x0007000000023435-60.dat	family_berbew
behavioral2/files/0x0007000000023433-53.dat	family_berbew
behavioral2/files/0x000700000002342d-31.dat	family_berbew
behavioral2/files/0x000700000002342b-23.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1612	Lgikfn32.exe
4788	Ldmlpbbj.exe
5080	Lnepih32.exe
1580	Lpcmec32.exe
452	Ldohebqh.exe
1096	Lkiqbl32.exe
4928	Lilanioo.exe
3292	Laciofpa.exe
3396	Lpfijcfl.exe
1708	Ldaeka32.exe
2808	Lgpagm32.exe
404	Lklnhlfb.exe
4912	Lnjjdgee.exe
3508	Laefdf32.exe
2740	Lphfpbdi.exe
3956	Lcgblncm.exe
4476	Lgbnmm32.exe
1240	Mjqjih32.exe
2212	Mahbje32.exe
5068	Mpkbebbf.exe
2804	Mdfofakp.exe
3688	Mgekbljc.exe
1576	Mkpgck32.exe
876	Mnocof32.exe
5064	Majopeii.exe
3680	Mdiklqhm.exe
3840	Mgghhlhq.exe
2120	Mkbchk32.exe
4064	Mjeddggd.exe
1196	Mamleegg.exe
3284	Mpolqa32.exe
944	Mcnhmm32.exe
1516	Mgidml32.exe
4736	Mjhqjg32.exe
1992	Mncmjfmk.exe
3940	Mpaifalo.exe
2968	Mdmegp32.exe
1480	Mglack32.exe
4420	Mkgmcjld.exe
4820	Mjjmog32.exe
3560	Maaepd32.exe
4532	Mpdelajl.exe
2104	Mcbahlip.exe
3520	Mgnnhk32.exe
2208	Njljefql.exe
3448	Nnhfee32.exe
4896	Nqfbaq32.exe
4604	Nceonl32.exe
1560	Ngpjnkpf.exe
4856	Njogjfoj.exe
2800	Nafokcol.exe
4212	Nqiogp32.exe
3312	Ncgkcl32.exe
2972	Nkncdifl.exe
2056	Njacpf32.exe
1068	Nbhkac32.exe
3996	Ndghmo32.exe
4848	Ncihikcg.exe
2008	Nkqpjidj.exe
3104	Nnolfdcn.exe
2080	Nqmhbpba.exe
1996	Ndidbn32.exe
4076	Nggqoj32.exe
4500	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	b0f1952151419923def544902b9374b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe

Program crash 1 IoCs

pid	pid_target	Process
2420	4500	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	b0f1952151419923def544902b9374b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b0f1952151419923def544902b9374b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1612	3044	b0f1952151419923def544902b9374b0_NeikiAnalytics.exe	82
PID 3044 wrote to memory of 1612	3044	b0f1952151419923def544902b9374b0_NeikiAnalytics.exe	82
PID 3044 wrote to memory of 1612	3044	b0f1952151419923def544902b9374b0_NeikiAnalytics.exe	82
PID 1612 wrote to memory of 4788	1612	Lgikfn32.exe	85
PID 1612 wrote to memory of 4788	1612	Lgikfn32.exe	85
PID 1612 wrote to memory of 4788	1612	Lgikfn32.exe	85
PID 4788 wrote to memory of 5080	4788	Ldmlpbbj.exe	86
PID 4788 wrote to memory of 5080	4788	Ldmlpbbj.exe	86
PID 4788 wrote to memory of 5080	4788	Ldmlpbbj.exe	86
PID 5080 wrote to memory of 1580	5080	Lnepih32.exe	87
PID 5080 wrote to memory of 1580	5080	Lnepih32.exe	87
PID 5080 wrote to memory of 1580	5080	Lnepih32.exe	87
PID 1580 wrote to memory of 452	1580	Lpcmec32.exe	88
PID 1580 wrote to memory of 452	1580	Lpcmec32.exe	88
PID 1580 wrote to memory of 452	1580	Lpcmec32.exe	88
PID 452 wrote to memory of 1096	452	Ldohebqh.exe	89
PID 452 wrote to memory of 1096	452	Ldohebqh.exe	89
PID 452 wrote to memory of 1096	452	Ldohebqh.exe	89
PID 1096 wrote to memory of 4928	1096	Lkiqbl32.exe	90
PID 1096 wrote to memory of 4928	1096	Lkiqbl32.exe	90
PID 1096 wrote to memory of 4928	1096	Lkiqbl32.exe	90
PID 4928 wrote to memory of 3292	4928	Lilanioo.exe	91
PID 4928 wrote to memory of 3292	4928	Lilanioo.exe	91
PID 4928 wrote to memory of 3292	4928	Lilanioo.exe	91
PID 3292 wrote to memory of 3396	3292	Laciofpa.exe	92
PID 3292 wrote to memory of 3396	3292	Laciofpa.exe	92
PID 3292 wrote to memory of 3396	3292	Laciofpa.exe	92
PID 3396 wrote to memory of 1708	3396	Lpfijcfl.exe	93
PID 3396 wrote to memory of 1708	3396	Lpfijcfl.exe	93
PID 3396 wrote to memory of 1708	3396	Lpfijcfl.exe	93
PID 1708 wrote to memory of 2808	1708	Ldaeka32.exe	94
PID 1708 wrote to memory of 2808	1708	Ldaeka32.exe	94
PID 1708 wrote to memory of 2808	1708	Ldaeka32.exe	94
PID 2808 wrote to memory of 404	2808	Lgpagm32.exe	95
PID 2808 wrote to memory of 404	2808	Lgpagm32.exe	95
PID 2808 wrote to memory of 404	2808	Lgpagm32.exe	95
PID 404 wrote to memory of 4912	404	Lklnhlfb.exe	96
PID 404 wrote to memory of 4912	404	Lklnhlfb.exe	96
PID 404 wrote to memory of 4912	404	Lklnhlfb.exe	96
PID 4912 wrote to memory of 3508	4912	Lnjjdgee.exe	97
PID 4912 wrote to memory of 3508	4912	Lnjjdgee.exe	97
PID 4912 wrote to memory of 3508	4912	Lnjjdgee.exe	97
PID 3508 wrote to memory of 2740	3508	Laefdf32.exe	98
PID 3508 wrote to memory of 2740	3508	Laefdf32.exe	98
PID 3508 wrote to memory of 2740	3508	Laefdf32.exe	98
PID 2740 wrote to memory of 3956	2740	Lphfpbdi.exe	99
PID 2740 wrote to memory of 3956	2740	Lphfpbdi.exe	99
PID 2740 wrote to memory of 3956	2740	Lphfpbdi.exe	99
PID 3956 wrote to memory of 4476	3956	Lcgblncm.exe	100
PID 3956 wrote to memory of 4476	3956	Lcgblncm.exe	100
PID 3956 wrote to memory of 4476	3956	Lcgblncm.exe	100
PID 4476 wrote to memory of 1240	4476	Lgbnmm32.exe	101
PID 4476 wrote to memory of 1240	4476	Lgbnmm32.exe	101
PID 4476 wrote to memory of 1240	4476	Lgbnmm32.exe	101
PID 1240 wrote to memory of 2212	1240	Mjqjih32.exe	102
PID 1240 wrote to memory of 2212	1240	Mjqjih32.exe	102
PID 1240 wrote to memory of 2212	1240	Mjqjih32.exe	102
PID 2212 wrote to memory of 5068	2212	Mahbje32.exe	103
PID 2212 wrote to memory of 5068	2212	Mahbje32.exe	103
PID 2212 wrote to memory of 5068	2212	Mahbje32.exe	103
PID 5068 wrote to memory of 2804	5068	Mpkbebbf.exe	104
PID 5068 wrote to memory of 2804	5068	Mpkbebbf.exe	104
PID 5068 wrote to memory of 2804	5068	Mpkbebbf.exe	104
PID 2804 wrote to memory of 3688	2804	Mdfofakp.exe	105

C:\Users\Admin\AppData\Local\Temp\b0f1952151419923def544902b9374b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b0f1952151419923def544902b9374b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\Lgikfn32.exe
  C:\Windows\system32\Lgikfn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\Ldmlpbbj.exe
    C:\Windows\system32\Ldmlpbbj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\SysWOW64\Lnepih32.exe
      C:\Windows\system32\Lnepih32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5080
    - - C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        65⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 412
        66⤵
        Program crash
        
        PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500
1⤵
PID:1352

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgcomh32.dll

Filesize
7KB

MD5
6bf5ee649e6c30536d1a2460b9861453

SHA1
c4952636649c43bb69eabc78268a0b0316957cb3

SHA256
960ff6fe6fa81394e2b6eb42d6aaf40255382f46bd97685e44dd40565a60b9df

SHA512
3023c644d18b6916f9a93eaa7cf2b04f83a4a3a32394d865ff6c6b9d0248cfb59305828428c54e6c21864a7327c549416b699209341b0a4e376530c181b587ea

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
664KB

MD5
83629c9e92ad3a4a0c2cac1da3a4d964

SHA1
2f5561c42b45462d50a536b6dd2652c0d0c46ec8

SHA256
f055e0ea0b71e791b385d8d652eb638f53b0d8203fcebee4b438f66803030e2a

SHA512
b8f760fd24c6b88f0df56ca3f69c1e84aa4ace97f2e920a95e4b8d93c27e0aa43347d9ac23cc713c955efd58f2498299115ae3f4a5a635c4e3bf48f6c38ec387

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
664KB

MD5
0355b187dbef772d76fbc19bbca32f97

SHA1
32af1a8aed424366b7b754efdcacbe108f40abbf

SHA256
7522f26a5d8cce243040cff2d7064ee049db54a8f730e0455932bf6ab1b2354d

SHA512
ce8dbc97c93c6bd38aba64e64a6bd128dfd765bb7ad0cba8608d2902c1f2f4f5105ca7380a5bbf35891025ce3c145192f08a173ec87c471e49d76942608a0918

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
664KB

MD5
0f53d27a92e2f46d82840f8b42fa28b3

SHA1
5d51762336813bdc458a9c10eef8fc668d0ebde5

SHA256
ee237b7173bf81c9e4fb5eea5df930da8452ea0f971ba930d5a4f8750a15deda

SHA512
2d8e591b245dddc3dcc69024b3bd60d1d1cd56cd66db649130467cc3db2d2d4a556bdc2050f66987a0d6d9d7019641d33357162338bd52bc28fe27861df96dd9

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
664KB

MD5
37cd2de129578895affdf33ffd344840

SHA1
584905de975b1a10abe5ffaf8d7a15c700ed8f06

SHA256
7724d377d5ef91fa82715943409fa422221aee5805da1579674658aac952b02b

SHA512
a6dbb2697090643b9df83898ebad4f4977759fa3746ba53815623afedf1635de0055eb047f2a1299cd44ea90146b6bf4cdcb643b841260aeb8d3a0b4e2e1e71f

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
664KB

MD5
acb71944392a77aa920ea32480ec20b6

SHA1
26a1ea6e22cb13386d9ea52145d085ecc07a95e3

SHA256
70ae3c68c2be34541381c07e94c9064c892ebd267bb2cff4773b7e959dfee768

SHA512
95f59dd91ae3717889406ddf010dbd16fd29ff862b8f5ea4bce91e42220770283777072f640d62084fe9559172f0500d5dba598233c15ee99ae66ff5adc10ea8

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
664KB

MD5
6dfa3c3cf43d88c934eebabc7ef31ecb

SHA1
b18062aec41256ac3ce89822b25f2f0aea9c735b

SHA256
7ed238e9ca00b42376c7589e93994f907bfbca77f6b3f498cfedfd7368b1bd1e

SHA512
c3e8131005cf5d0bb5abdbb64f601e079b121984a5c56aa36f5571042d15b468c9936097dd3f5d99dc5e7a9a56ca98b4a819180f76b7b8820fe097b57f05cd42

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
664KB

MD5
2f6bfdbb947b483518243e99c74b58f4

SHA1
e12fb010b6e2e976f738191d98cf401859db461f

SHA256
e80f698c15f31410a348a37483f58d75e6fc8fd3404ba3962cffb3726828d8af

SHA512
9b560bd051a8c9db307f0c7f0f203a50cee75b062a601f601d4ed1ad4696a58187467011cf6d06a21806319bb77ad45236b422d01406296493833857cb79447e

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
664KB

MD5
65822f731efc7e6b78bd0a3b5c67a76b

SHA1
f8d681a2703d3ce0c5778c2ac6fbf9173c4ccd4a

SHA256
4a8c2a80a3c260cbcf05b1c3c9459a84809b4b90b11ff17d41032490a0e7aa43

SHA512
fce983fe3f4ca763187f0b67dbd7ebdf835f1b8f7b4889e13e1e4f8390b228c6282cae6eea30970bded48104cea57f1091cef893feef810c82de05e6f5bc6887

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
664KB

MD5
aed23bfd15787c1ba2ab80c0664c167e

SHA1
89c5cdd19c725201ecad46f88bc68a44670a72e0

SHA256
7b6a170eb7526fdf2fa5a9638bf8a49287f2ce9693e9ff91347087cbf7f171b5

SHA512
47661a6c80c14f29723be9867de2fedd6a38e198a937d8207858ce03de6ecd351bdd1c5c34813ffe27ad623a228519512be950fa8fd9db6c7fa82d8fa1a6beb7

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
664KB

MD5
12fb28db5f737bde9cbd226cd89a4294

SHA1
5efc5e6cb66205e2b8c0c9f60a9041860de4ac22

SHA256
80001318094989c21dbd73606dea0f26bda9e480d66cbd114f637edb133ed737

SHA512
4d7e4230a634b3d4a10e1b8e1ea17d6697b5ddb936252e903adc692cf8bcd84b51b8d4a8a9fa569acfc3c094a977cf0721c6decf6595bea3b84d657c9c8164bb

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
664KB

MD5
4611261a2e2ae2efa4dac37e6de22b5a

SHA1
cf1192f62dbe789aa3694d15444f7b683c76e5f0

SHA256
a2cbd2b798d44ecfd7f64d9644d39fbb9e6a9c832bc18df092b41a300e585363

SHA512
26cc03a48885259f9fa2db9654de0a00306c689c69be81570d129cae2203aeed04fa1dc798fd5f97aad9755586bc78294b4240ae8bf60fb1f5e20d9a47ae3f3d

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
664KB

MD5
d135f8e7265335fab7cfd59ed61d9bce

SHA1
4f98416871f73028db6f0e958a9ef0811bcc21cc

SHA256
ba2d99bef27a08b31f2ef642097403c4c0ef507cd31241eb583fee4c88e824a0

SHA512
1c8086b38a4e621515dcacc892bc3376aa5762b7ff0fbabaee004f4d47fcdae1c3bd1dfc6f8d7a0ce3a92479dbf817ece1d535485f4a8584703ae358686b7ee2

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
664KB

MD5
25e9c485cd9e9810dd96e3dfeb7704d7

SHA1
75299c3e38e819ae45e9222e0d240974d063c9d9

SHA256
195be6abdadcc50436647fe0b14edb7c9b4e03991b363d502ef79cc73949b248

SHA512
288f8504f7f503cccfaa944716377b0a01c5d7e687d62dc9493617873bd0371a49f4552e666173a8052ce2f63ef1b48d797fe62dedac48262777c2729f6afb33

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
664KB

MD5
a541ab6397c600a6a49b9dca8952683a

SHA1
973af83e5d477cdd79fca3317dce008e77ece8e4

SHA256
79bb054f2a6deb6e02e90b1c20b2077e036bb52aaaff39d75a9e9a52a43879cd

SHA512
c119ddb268f2ad72bd837471922a30b15bd508653a7b647aeddbebee4a5269961169388045fca5b47add1ab6c47f9eea0f805b59651595bf8bdf7f1451552f92

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
664KB

MD5
d7c0109d962e8e238d8f9bc2b228833b

SHA1
eb235c343604353d1a3e6586181bfe5264300fc2

SHA256
332911b53a67e098f9850bcd8cde2d85cf1619455479397f1a1645fa243f9dd7

SHA512
bcdd374471871df20a31a0c74f044c50d7fcb83b4843c90d9eccd08bf167e160d7baf2eabb96b73e9755640e550c12a52610908cae210ca03a8e0d4b25cbd676

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
664KB

MD5
20476f37eb6b54dbd431bf404a9d8ea1

SHA1
24b3188aed88273072bd08b38ec0385336b3665c

SHA256
bb5770f09e18ac8d9e83cb8ef69001201d690dd3842b741f0467b66549b3d479

SHA512
ea50c15ba6de970f0adda54b60bf77e594f4eb5df2d37a2472a4dca3a2d4adb51c65788e677fd19f34386e2c975f0c6aaf508090d69fa2a23ee0eadcc413a14a

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
664KB

MD5
440d3d1acf8fa243bd5a7952a6e692f3

SHA1
cef422067a7d24e76e322ebd0c1479ae8dfab8e8

SHA256
c914989aa4ecbbc25b00c14ee64799811cccdd00aadf7d4c1e46ac95462779ce

SHA512
6380c8fb17ea0e6d00beb57788e85894754faeb8b347f42a02c03ac54729ab1e844cbb456c33bf4e9f04ce99bd3f16c0b452260a53895bd59730efe7f47a9d5a

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
664KB

MD5
b31cdacca25d78229f213e9d2fb894bd

SHA1
32f8919286579175843131a1ef1fd3c6a4baca86

SHA256
50bd122a0a7c158f559519a82db96dcf1496b14351dbe4ec3fda0e7a836396f1

SHA512
07887b434fbbe924331f5b13a32bf4ec6434bd52a1311f32cbee7d860149579c575f79ed5762f4fb1a42f7bd641d9a0456495d11ab67a17483a94c2c2246a723

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
664KB

MD5
c8d89210fdec07549cf8eef7ce8d3ee5

SHA1
10e661d1fa3b07319abe010e3eb3667b36ac4ce0

SHA256
4e7f4161a799860417eefb5d1767969d681227ab31975013d76a0a30c6d595eb

SHA512
1ead7bd5ddc5f02ce0f898660ea9766baaa2f4fc65112cbfb6374fd891180ac5bcc496084894d8d8f23e3a13def0dee9c653a44d53a62c4b0c5397e438489c82

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
664KB

MD5
21a19d346616efcf1dc8bf10011daa01

SHA1
fa5976120b3e6adc9d46e5bc020081643d93771e

SHA256
a1cf0cf0fdb5958d1e80725507c13990f463d820869270cf7543348e6ea4e70f

SHA512
fdd50bdaec85871c2abd35090940952b42b6c1af24aa069474a75c1255d06461ae34bcd324bf7ca5571cc2873ff6cd592e364814e428b4fa3f3af0fe9d43587c

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
664KB

MD5
fe1d4c5c5d7abaf51e209f7e20fb0f3b

SHA1
a6e47ae21cb60d5b2faedda6e6b00c1a83e167da

SHA256
3c13369fc4e130a2418c2dd34a691c91660d04f53e716481a5e454796bf228e3

SHA512
dc26b3c93860d6628379d38539bb2dc7860130d812f73f05c750466c4f9e68582562c057efe29e14e0cfad6ad85b25a00d2949947b32e1329d1e3c675ada8ed7

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
664KB

MD5
cd2cb58b746543f7f81bf9fc2516300f

SHA1
c172ff19969a30ebd6e8fdfc87895c170e6bebc5

SHA256
9b1c40b992349173c6ed74949121179c20d7542dbf8c93a4982b692426794206

SHA512
61b1c0b102e5f739192ce7f3495c091b70bfc81cc834165f984cf4da6ec2669b7f0a6d5e5ead032c227dc7947097e9114107724d5ce9e3fbfd1b26411f47d8bf

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
664KB

MD5
38ae5821629f29725a6d0b1773c7fc93

SHA1
fa5935458d5078b399c57fcdc908d21166221ad3

SHA256
53f00b26c30b03c9063ad425c8d5eb71d71507dbfdc571c47faec47633fea305

SHA512
bea3503fb82d29274e0e70fafb1dfe4575f4be419beb7e55859bfecc6f54f93dccd652e5616dea7cc8635a27a5f4ac087b0eb1f8250508ade6e09301dc3f8b4d

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
664KB

MD5
37a5a637034d13d7e81c9b7e0aec4495

SHA1
9712a524e8ed950d8a7e647096186d4168a6e9e1

SHA256
94d21bacc4902c51a089d2b0a8f437e8a92b2ebb4a275c839c127c6301041738

SHA512
8cc06964b6bdf81245a016f391a768dc0691bc7c32d049aadcf6fdc740593f63787b43dc6f7f25fd3af0e90fa95e083cdc96641378a69a12ee3a5a3d27e61d3b

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
664KB

MD5
e3090c7046d130a004a97c13dd11fc17

SHA1
149f3da7bb3f63d6f1863bbd69587f2f96caa548

SHA256
cace0a9b13146437622acd38084734e8e74a5e1d8fd98efeadd6846de9c6c539

SHA512
459f4ade54ce157a542bda8d86bc23b2b07e64b4a1f1e30f77862f96c713356cbea996421bbf8891126dd4c53237e1321a7198771acf48116d7971b42932d5e7

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
664KB

MD5
84430e353a7ace0f425dc7c8453c819c

SHA1
6b465a590948435a9ace05ee2d8e3d31bb86bb45

SHA256
7f862054c82e89fe994b7eec431b34efef7ca08258ed6c60046225bc89b0254d

SHA512
bcdb7cc45f3ad2239e216040c6d1e8ddf2221ff4dff4184085364c31a90466c68256533f1a4a3773522f89782484f6729f0642bdfcd4317911520ce086a55dc8

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
664KB

MD5
def7678340db624796c1d0b76b06c2ae

SHA1
431f54b3e1fcb921a00027c0a346ce9ecd059c93

SHA256
ffca7149e5232498b5362a57d1feb4ae65094b599e1a9f2d8c7613873612a023

SHA512
1a927c096b5db0269967d7af55cecc1b1e31688c73f8b60a5628a4f994535639e6e33cc32062719996b2f63efdd689a8e1b5984d93517813cd90c7620ccd2f05

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
664KB

MD5
a765001775bd7bcddbeadc48cfd39570

SHA1
7898f40233f07f355ee2cc9ab2f64f0b6de95347

SHA256
33d5f3465d29263e5f5f9f55d69f6c400e840d8f9504540452dcacae2e8913e5

SHA512
5cf58205e2b5f3c2edc8dc65d58199997ed1a330547ddbd3161e05a56f5e3d9e42ca676f4b5e4dd9ec706f42871891360338cbec6e7b72127f1453f2c30fcee1

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
664KB

MD5
f274832498126184947ce5b69297a5c8

SHA1
0963f21f05f190b3fa939f3ba93fe34b28d9e45f

SHA256
e749025d9d6c445f8695ee8e47a305452ecf439a0ed436c12e0c774f0a7d5deb

SHA512
f8c0e8c38b24aabc19d6eb6e84768a20d0a41584c40b2a7a8224a78a0cf9dc56e69ce73935811d06e55ce5e716d102e749d04f67164cc62bc16de286760c498a

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
664KB

MD5
2f452d00674b6cfa6dc93754588b41fe

SHA1
b9d6f1280e1a66d9ba83db5181e26482644ce020

SHA256
e63518bd1f12c2a02543f12c3f17f227fb36d31bb2eb421fa987bce44113d068

SHA512
068b90f80671dea3e8aa861685b49a755481c2932cc1226d4ebe1dff17991f1ae4c35e45b7e019f8e6b12b85ecd956bca02bd5a93c19f04eac7b452fb45a63b0

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
664KB

MD5
b91ce2fc60eb8bdcb5a29aa6b970f203

SHA1
d4f2b4691709c67597d2b5efe5e78135ca5928f0

SHA256
abf68e2791a7085e30f3c0a9c62871c38df0b3b331b82b2cdf90c230e0ebed59

SHA512
b273b6a059e3f5a04d3e3adafe32a8b0ca7b8b39bc298a311ad86c40676d522c8648b75a4bd1e201403f99f125b2834710203c7c511835bbf0a9708763c1961a

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
664KB

MD5
fffbd020b3bc1ba440976d15c5f434ca

SHA1
f548e7fe57c124ff2ca8b75ecffc816b54169e77

SHA256
6dd22accff55f51256c18e08f3a4637a84a04c413ec314d3071ee2c353548b0f

SHA512
7be04477aa312c11cc738f7b900284206bea2dcf019632707d8607b3d69f8251ba26ef35b5e9d721006accbb0ad3b71d1cc34d57bdf37c25730344852b8e0f2b

Download Submit
memory/404-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/876-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/944-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1068-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1096-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1196-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1240-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1576-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1580-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1708-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1992-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3284-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3396-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3448-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3520-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3560-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3680-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4076-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4500-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4532-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4912-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5068-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads