0c8e2af89edc45a109576ec6c2ed9b59def8c0552b78f718d39e829d2eed9907

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
Size

42KB
MD5

cab9098ef04fa82fa0716035ff512aa0
SHA1

0daf72a02e68df5066a7035db522bdbadf75da27
SHA256

0c8e2af89edc45a109576ec6c2ed9b59def8c0552b78f718d39e829d2eed9907
SHA512

8827ceadf2f883aee502b40e12a314f92a7b216b346f4f00df76a40d6772557f26dab84a08e0b1351ffdd65704839df6b17b5f307f8fe695dda1774aa2a3c015
SSDEEP

768:87mvP//kZ6Rdr7yDAkww7Do7qKmFkq5xTGlsuglwZZAWVdd/b/1H5:mmvPUZ6R97IhD8qKTanuKwZDTdV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe

Executes dropped EXE 47 IoCs

pid	Process
2344	Kpmfddnf.exe
4404	Kckbqpnj.exe
2264	Kkbkamnl.exe
1124	Lmqgnhmp.exe
4688	Lpocjdld.exe
228	Lcmofolg.exe
4660	Liggbi32.exe
4700	Lmccchkn.exe
3488	Ldmlpbbj.exe
2732	Lgkhlnbn.exe
1528	Lnepih32.exe
4060	Lpcmec32.exe
4608	Lgneampk.exe
2240	Lilanioo.exe
3728	Lpfijcfl.exe
2272	Lcdegnep.exe
4132	Lklnhlfb.exe
1708	Lnjjdgee.exe
376	Lphfpbdi.exe
1244	Lgbnmm32.exe
2812	Lknjmkdo.exe
1564	Mahbje32.exe
3700	Mdfofakp.exe
3952	Mkpgck32.exe
1888	Mnocof32.exe
1144	Mdiklqhm.exe
2364	Mkbchk32.exe
2224	Mpolqa32.exe
2448	Mjhqjg32.exe
4372	Mjjmog32.exe
4908	Maaepd32.exe
2892	Mdpalp32.exe
4432	Nacbfdao.exe
3528	Nceonl32.exe
2184	Ngpjnkpf.exe
4740	Nafokcol.exe
2484	Nddkgonp.exe
4400	Ncgkcl32.exe
4108	Njacpf32.exe
4640	Nbhkac32.exe
5040	Ncihikcg.exe
2228	Ngedij32.exe
4572	Njcpee32.exe
2792	Nbkhfc32.exe
2400	Ndidbn32.exe
2552	Nggqoj32.exe
4540	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	4540	WerFault.exe	131

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2344	1692	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe	82
PID 1692 wrote to memory of 2344	1692	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe	82
PID 1692 wrote to memory of 2344	1692	cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe	82
PID 2344 wrote to memory of 4404	2344	Kpmfddnf.exe	83
PID 2344 wrote to memory of 4404	2344	Kpmfddnf.exe	83
PID 2344 wrote to memory of 4404	2344	Kpmfddnf.exe	83
PID 4404 wrote to memory of 2264	4404	Kckbqpnj.exe	84
PID 4404 wrote to memory of 2264	4404	Kckbqpnj.exe	84
PID 4404 wrote to memory of 2264	4404	Kckbqpnj.exe	84
PID 2264 wrote to memory of 1124	2264	Kkbkamnl.exe	85
PID 2264 wrote to memory of 1124	2264	Kkbkamnl.exe	85
PID 2264 wrote to memory of 1124	2264	Kkbkamnl.exe	85
PID 1124 wrote to memory of 4688	1124	Lmqgnhmp.exe	86
PID 1124 wrote to memory of 4688	1124	Lmqgnhmp.exe	86
PID 1124 wrote to memory of 4688	1124	Lmqgnhmp.exe	86
PID 4688 wrote to memory of 228	4688	Lpocjdld.exe	87
PID 4688 wrote to memory of 228	4688	Lpocjdld.exe	87
PID 4688 wrote to memory of 228	4688	Lpocjdld.exe	87
PID 228 wrote to memory of 4660	228	Lcmofolg.exe	89
PID 228 wrote to memory of 4660	228	Lcmofolg.exe	89
PID 228 wrote to memory of 4660	228	Lcmofolg.exe	89
PID 4660 wrote to memory of 4700	4660	Liggbi32.exe	90
PID 4660 wrote to memory of 4700	4660	Liggbi32.exe	90
PID 4660 wrote to memory of 4700	4660	Liggbi32.exe	90
PID 4700 wrote to memory of 3488	4700	Lmccchkn.exe	91
PID 4700 wrote to memory of 3488	4700	Lmccchkn.exe	91
PID 4700 wrote to memory of 3488	4700	Lmccchkn.exe	91
PID 3488 wrote to memory of 2732	3488	Ldmlpbbj.exe	92
PID 3488 wrote to memory of 2732	3488	Ldmlpbbj.exe	92
PID 3488 wrote to memory of 2732	3488	Ldmlpbbj.exe	92
PID 2732 wrote to memory of 1528	2732	Lgkhlnbn.exe	93
PID 2732 wrote to memory of 1528	2732	Lgkhlnbn.exe	93
PID 2732 wrote to memory of 1528	2732	Lgkhlnbn.exe	93
PID 1528 wrote to memory of 4060	1528	Lnepih32.exe	94
PID 1528 wrote to memory of 4060	1528	Lnepih32.exe	94
PID 1528 wrote to memory of 4060	1528	Lnepih32.exe	94
PID 4060 wrote to memory of 4608	4060	Lpcmec32.exe	96
PID 4060 wrote to memory of 4608	4060	Lpcmec32.exe	96
PID 4060 wrote to memory of 4608	4060	Lpcmec32.exe	96
PID 4608 wrote to memory of 2240	4608	Lgneampk.exe	97
PID 4608 wrote to memory of 2240	4608	Lgneampk.exe	97
PID 4608 wrote to memory of 2240	4608	Lgneampk.exe	97
PID 2240 wrote to memory of 3728	2240	Lilanioo.exe	98
PID 2240 wrote to memory of 3728	2240	Lilanioo.exe	98
PID 2240 wrote to memory of 3728	2240	Lilanioo.exe	98
PID 3728 wrote to memory of 2272	3728	Lpfijcfl.exe	99
PID 3728 wrote to memory of 2272	3728	Lpfijcfl.exe	99
PID 3728 wrote to memory of 2272	3728	Lpfijcfl.exe	99
PID 2272 wrote to memory of 4132	2272	Lcdegnep.exe	100
PID 2272 wrote to memory of 4132	2272	Lcdegnep.exe	100
PID 2272 wrote to memory of 4132	2272	Lcdegnep.exe	100
PID 4132 wrote to memory of 1708	4132	Lklnhlfb.exe	101
PID 4132 wrote to memory of 1708	4132	Lklnhlfb.exe	101
PID 4132 wrote to memory of 1708	4132	Lklnhlfb.exe	101
PID 1708 wrote to memory of 376	1708	Lnjjdgee.exe	103
PID 1708 wrote to memory of 376	1708	Lnjjdgee.exe	103
PID 1708 wrote to memory of 376	1708	Lnjjdgee.exe	103
PID 376 wrote to memory of 1244	376	Lphfpbdi.exe	104
PID 376 wrote to memory of 1244	376	Lphfpbdi.exe	104
PID 376 wrote to memory of 1244	376	Lphfpbdi.exe	104
PID 1244 wrote to memory of 2812	1244	Lgbnmm32.exe	105
PID 1244 wrote to memory of 2812	1244	Lgbnmm32.exe	105
PID 1244 wrote to memory of 2812	1244	Lgbnmm32.exe	105
PID 2812 wrote to memory of 1564	2812	Lknjmkdo.exe	106

C:\Users\Admin\AppData\Local\Temp\cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cab9098ef04fa82fa0716035ff512aa0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\Kpmfddnf.exe
  C:\Windows\system32\Kpmfddnf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\Kckbqpnj.exe
    C:\Windows\system32\Kckbqpnj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\Kkbkamnl.exe
      C:\Windows\system32\Kkbkamnl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1124
      - C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        48⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 224
        49⤵
        Program crash
        
        PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
42KB

MD5
10e2d1bfcfc3545371605f8dc99e49e7

SHA1
6357e2c19f5ae79856388a687f07bdd86ac6d156

SHA256
6d889fb0a5232925db0ef793fd6a07c61a6ef2ae9cb75d875e03ef1266067aac

SHA512
df32d995b76affef2056c2381b8c67997e6501d2e0ea1afd4fe05cc225b40aa4322d711d4d56a31f145e96d65c1634a3b875ce87f377bd126be98c388b7fd8dd

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
42KB

MD5
5ad491757139fc35f074093ce9620536

SHA1
f87861c51ff44445e7108a66d648c2de93ce4489

SHA256
bf4e86132b1ba9010562e99a186b513ed0a5bad0c14d36c18866502ab6b3ade1

SHA512
7acdd5fcec50c369285e03267205323db6b0d2a45f9fcd8ad6e4a14065b43542dcee63f96b63eeea6c9683793c1f342a86f8ada89bd5c00480244bbddb926ca5

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
42KB

MD5
b67bb646a04a37af83ad2a127583d153

SHA1
3bc738b1ac3919d88913e1bd57cbccdb5abd872c

SHA256
177138313b4070b6c49810128aaa2cce0951ceedad6d11bdc99ea4590643f8ee

SHA512
2eaa953f99e803af3d402d32b5419a6318dc4aaa099dc1dad2f71165cec33c585a88d2d4a704c77f50da3b528a19fcd29a37d236b7ed4845b5f1567dcb55cb56

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
42KB

MD5
54b1ccbbc84a804396ddf22e01ae1fdb

SHA1
b11839daaa6fe44810fd318e3f457d9ed26233b0

SHA256
3c83b3b2da48b51caa56767c558eeb5d8382e58f69bd1a990c54b5744032f22c

SHA512
a7cada50f65d79edcd99417738c2d271e50b840a1e9f8987d107225a519a0ea9845d517a1c2366aa1bcb7b136271fa1a7511364a874ce60675b885fd628c3522

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
42KB

MD5
4b00a29c93b2eb33e52f31ce7ec870a3

SHA1
fdcc8722cb638d8fcfa36148cf4fb39a03de7517

SHA256
44f5063cd46acb914839634dae62c8acce5a15cf767be408c7f822a5505a5a35

SHA512
77cfc1f09d2aac83d6c4ef4dfd867071b13e25dbba78662f2e5ccb0fd67b8b71ce1a81620dbc732bfae85898f51925c70ea063580ae93b10572b3e11275c6e7f

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
42KB

MD5
c24d3a138621f69c920b970afa1148ed

SHA1
a35b0ffb49c482c7853e5b055d3fcfd0b45a44ab

SHA256
36591c494a8ca15fba3f1a695d3bc053931899d3b18806ed2b6178da02d5cabf

SHA512
0408c752effc418dc2211d21912e611c333ad688870421d7c88cec472630141337b5d61792363bc1139e93726fdd0a5f27d495c467baa6adcb5bcdd0818840ba

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
42KB

MD5
b9e4e60d5c0cd7bce14803ccbd5a660c

SHA1
3d2d590d61bb70bf06795009e1b2b9f74d42c7aa

SHA256
d28c3ddc2c6a083efee2c769d5c04436ce4987943f8784223f720046187dc549

SHA512
8b4985f7a8933f711fda4e35633e2b6396028e07daa825eb48732d437745e98c17f93f20541a88d5cb3b80a1d7ce5c5b77b1072acd6f2458c4e47769ba1a3db0

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
42KB

MD5
1fd027c7387e9bd0a9d34e3aef4a6df4

SHA1
bca72d2a7a32c6eba913af6d7fb73bdfe2541ae1

SHA256
32894f02266db45f8fa06960a2209bb69672508a8a91263ac1958db7fdad31d2

SHA512
ec666cc3aaf447910cb2ebd802f6ab446ddded19f4dbb801d498ef4a1808326ed2d7bcab49e3e6a60f1cecbb41f2ac869fdb3daad15881b6c4340c231d97b86d

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
42KB

MD5
4e7f3bda3f085dbec22ab40fe5974de7

SHA1
aa88b015e51cb359101f14bf571afbf609cd5b86

SHA256
749498a99ef12b72449ac4e3129bc109280a5cbc7d51b2ebe500a7f729c99631

SHA512
6efe2a290fd82b3ae356723f445f77e51bce1b79789c50470f9e2e755ecb827afc63d30ba05ac26cab3b0e20dd4df5ba314e2abf26203c26c887f3922b7bd0e6

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
42KB

MD5
1506dc908c49968484235d0579a05ee6

SHA1
ce5545d4fd2e8a3bd73a2d20e5bf1c2129b18885

SHA256
806cc0febafdf79ae8fa93c3c22de0a0d97159186cde8112e8081192014aa949

SHA512
e1b2f9f5f42aa4c06c84a2c292d4d3c2f25b9fce7ebbaa63d7bb6413d07a01e64ed1ec27691d545d19ecafb30c722aa7be5c95f106af28e0926f26e6ab18d82e

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
42KB

MD5
c487b2837f987636ddbb29deca2ed6e1

SHA1
44561b7d55bee7ac11fd6a6ff97c606efde82f41

SHA256
042b88d46942e3f23c11ef0da80ce473ac16d59192f677a3dcbffaada875fb58

SHA512
03fd1fef3aef12d6e98b4f7877d468f47319aeafba4465598dc66f0f3d164cfd3d5a3373964207d8828339efad66780fa07d65c2728f2643a26ac8265d5ece8f

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
42KB

MD5
ef0621535e8f7d15ef4241672a44934d

SHA1
56c8457ccd0dcb4b8c16d761a6095b39601c8acd

SHA256
d94c6a35cce01412a49071bddcd49321e3e670365ea98a18fff8b3902428b6d3

SHA512
69797db24284c06b66a373458114dcded75ec5fac939b83369c255ff3efdb335060e533dca07c8a697a519358e986cddc9f82dafdd9471f4cf8b4da8e7782b65

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
42KB

MD5
f4b6ac3702a9a418900dfeca8ef74d5d

SHA1
151be6f9018a9e741b13959cdef096ecb2c9bd59

SHA256
e63cbd73a764754d42df078942b7bcd5a27b8158edca09013aa65ea6020f0d42

SHA512
a607cf1c35a435a69a534f3818ae41eb47706404e4e04a15f202b70eb831499dafa5af9c94ddb0f8768ce42a9892c8ed7bf2865bb6a64aedafd1a1a2818e52d3

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
42KB

MD5
2bbc03167ea0cd72b120a7031dc24c59

SHA1
ea8af85d5d7ef098ffd29649cca36e1e60f35023

SHA256
0f91ef5795094a60889c18a70a99195103aa7a01f5fcfb60c42e9170426481aa

SHA512
ff9431789ef3017ccbdeb49e2f4b5ab9ba3d363666748c05d3d6b3d610181ba2da06c597bc155a1a29801c59c5bf149b8f9f51e061ab7a0178787a106fd726ee

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
42KB

MD5
70062bb9fd0ce4ecccc897bc6313a44a

SHA1
f6ce7095efb5038e483724b8fe71f132c3df7648

SHA256
e03fd2ceca9386436647d4ea1912d5facac48b9b94abab93e002da4b13b005ef

SHA512
0ad5324a70ef47d5ab364746b8b90497c2add3cd5b38dc9f96c5b158a07df5dd9a6379a467154f4b898f879f0cb8e1fde55f439de4f2bee05659b76dd222bd87

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
42KB

MD5
2996ca3f9a26a0626239eeab3aa7b5d1

SHA1
08cebc364212d9a9ef3a2adbd42d9b0c40f741e6

SHA256
580e9066b6596408a10f9f0236e275826871e80ea2fa65b633df6518926ab22b

SHA512
9bb4a42e3f15a198e0bc536fe7dd4d8d88a165e67ce1772f127a583805f0391f476c8ff7b07556a3cc528fb80120b01bd2c075245858b9d57adfeabc1b8bb7ae

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
42KB

MD5
a5c5b97ae95504dbbfc48b85469c3d4e

SHA1
cfcba62e4b5f2777f2197f8389b427eca9ac065d

SHA256
2437f327dc7b90c61b4236946975f631db77d9a924758948c2d28ad04bbf8b26

SHA512
e7658fdef0a443162a50500a6a535aafeca9ec19cf286fe7989526dbfd10913cf0404cd81a9549b1ca532bbc179798dbe9b2b83b64649496b36a99cd0d1f329c

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
42KB

MD5
2196b7ee2af721fed99ac9b10db1a1df

SHA1
d45df5e2ab0aa2cd3d0c8cc15438f76bc351a787

SHA256
f0c896bad014d5ba5a7ebb1e064a8d808b16744ea49285f9ec016bdd258b38e7

SHA512
3b3b427d37448d1229228fe5c6ccec786afc582d62dbead616be4fedc7fed4933e8aa194598bf243d422dab4e03cb79a997984e4b6e1c8025800fdff6a313f27

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
42KB

MD5
60837b158ceb767c65353704be0ebbbe

SHA1
5d8c8400107bed268416a85d6af451101d9f8cb1

SHA256
47fbfbc4d443767a4caebc33078233f6af9645c65d20b4588d23527fa7e7b7a0

SHA512
9d55aebd0541ce4a2a139d49a33239daaac5eadbb905f8c63e3fd0d8037361aa8bf5ab92eaa4373c3e4ce11bd9e4f785e8c101dae97d73da509e9e54beecbcb2

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
42KB

MD5
6e38b4323a5adc08577e1433c2af0062

SHA1
47ff2af8b43ee788dee6010cd82d61345a65c437

SHA256
bbace42d0d483654a117d6143318a7b0124eb2240c45133d715f5ae3e74558f7

SHA512
727749f00cab18776a4f20baeb79afd47b1dfbfe2737e250348a26da041255c6d391ed7b0b5bee38ce05830e496fec8acd672931c13700cc824218083f8dc911

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
42KB

MD5
0d116ea0526091f7da8825e9c7f30df5

SHA1
b8ead7ccb8da0ceb1b3883e1f17e878ae62cddb7

SHA256
32bfc385c89027336a9474f64d33203e354af587aad9f4b8622681bbe2ff66cd

SHA512
659e65135295d861a8c9f0cc01321136d71f1148b0432b4f169d8ac1f1ed3e0f2f99e0d0cdea85f253346d73cc9646d552b620873a9c140ceeb7d04c0a9ce630

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
42KB

MD5
3960add5acc120579d56eed41656c615

SHA1
a8455029396a17846ee4435b3f6ee1563889557f

SHA256
c40fff0923a8f14bffd3cb4d722f01295b985c4885fb92d87474319adf806e24

SHA512
f7c47c7903d7fa0ea2a6b8e944789d92cf2f45561979d4fafb3b80daa37a6f2991e8188363f84163c49034d21609cd8be7ffcef8bd6f08c1059b59d151d0994c

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
42KB

MD5
9963a766e2b20dee6f519737b616a274

SHA1
6fca6cee6720b29d61b3fc0b8ac7b44f89fdb2ec

SHA256
4619bc495eea30ac60137b05ab784832cc1f1319ab2b9a66344c8a54713d84a7

SHA512
a6dd1581d7395d59df793c23ea102022ef1838171d0087515f1d4f5a9009c35e7e9c22c70a1ab2e8dc7a22d64d1b1f2736c817288070a78bfc4711d53a38f20a

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
42KB

MD5
493386ae0fdaa550f4e41fe4b5756cdb

SHA1
97ba1b62366f89a9f844431f891fc6aa9bc0d150

SHA256
ae401f350a11762d4a0a9b01c0da5d803f44a225a645f9595f606b1daa79781c

SHA512
90f89765895d04ae075ce93990a219b81aad222aaac4e1f0be886060491e658717324db089171b168b0027042fc3a787e603938ba0d65bdd8a0ee0d100191fa5

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
42KB

MD5
d8089a36edfea4f1c52f308a3beb7064

SHA1
8e2ae00a16c20fd8f6484eb18b3868b128078bad

SHA256
870c2650c72df617fbe8b97a3fb25fb4d66586237e890e044c544342ca9ad651

SHA512
8a131e5272ffbb540ef812b311836282f4dc0222e52cb358fa403cf5ba155f1d6402d4356b2258ed7c9500e8bb249e26350b9d578863ce4b8c21c21cf4b7809c

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
42KB

MD5
6945fd824e892a038b5fbf006c97caa8

SHA1
d71f3a91610afe89bd9b6e32e68c70a10fa1bb56

SHA256
471871aab2ebe5d5370a304a67e300c097f7344578f752023d97b20fef671e40

SHA512
88a9520489e62c5717785ee8b8a8c3be30ddb7299e42c4362f683cc286dbced1df075a5d7d13eaaace826ceb39be8a0195d63ce86fac82729b0d25657effa7b1

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
42KB

MD5
3685c769b4e9287422b04444ac68b599

SHA1
daf85dd123e98d0c6b9c2f469ca1dbb6ff9c3f58

SHA256
dbdfe1f762e6fdee6cf4b3f296cfbc351219011c1fc43bcf100b7fddb87f25a1

SHA512
d040d7442c77b1c2c414d788535818f26def6e7a215ed52003914badfec7a2adba37fc425b9367f082f7b0322db910e481d91fe7d4d09cd64c01afebbfd513d5

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
42KB

MD5
4bf8f541024631bdec5cc2d5cdf03722

SHA1
f1191468bb665fdfb0e7af740cfa08fb808fcca4

SHA256
8a1e9a730a892d637dd6afd872f9eb6be71c1ad4dea4252a6301d957cdb7fad8

SHA512
00635ba2f1932729805f5ab63f000563e0567dc551c1a7e889cb28a6cacafe305f3351ece73e55636f21864cfc8f6e3810823eba7f2a05fd2cb127ec83ac8897

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
42KB

MD5
28d0215b2bcf5a6e53433f9c09e56034

SHA1
0a1788fe3f1466f0ccb33afe4c038989a5780e92

SHA256
472b01d2fd896db822b5e641c4cd7d658040763ede077d9a467a51962b6f18a3

SHA512
be0e9899fbe2cd8c26e8a4bf165eb82b09da5ac421bd7f222401c0c0321f622046803c4e79ff939ef2a6b8d61385ed2fe2f6479da27f2ea18d4da1cab834ab29

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
42KB

MD5
5f08b6df4a37d0c234f05059e0893549

SHA1
81d319539e677e878fcaac0a39d9a6fa5339ae80

SHA256
9243d8e2309d2cfc38bee032cf871377b67ad9a0f961bb3f9e184b7937de826c

SHA512
3079f6748ef7d437bd7247ef56eddb4735135417569e14ca2976260799eb22b00de5544d81c14e444aa128c36d45d71322e19963a8b4ce921eec71ff45ed047c

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
42KB

MD5
d070491288687c73bc3afcdf413651da

SHA1
7d026885b7824904be95a5d6eed29609a69f8d6b

SHA256
a54160cad20df6350b46865a2dff4fc73193bd8e40f145af3087fca097a4f20f

SHA512
497c5fa883e5244e8e38a7255d37912156574a09b7a2bf7f202cb8cf5a28b9e409d5263cf550e4013b26516dd2f21ac9b60761599754c2eb9836b21373a28f42

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
42KB

MD5
e720729aef805f7eefed1312afd6bc69

SHA1
d926d896b32ca2859b2de5db5ff49d3dfb812404

SHA256
e09f4249a683583dac8ff6a2f144a372fd65a1e9c47166c5d45ff0f3a2387efe

SHA512
7481e1b8478a2704ed9ca55633380735735ca00e991242468c237117bdaf8f9555506029c7381495f447d061c49a911f684c536ca4c6c169ad5a2fdaa6627e89

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
42KB

MD5
e5c87bd8f629a54057231a6e7f5cff7a

SHA1
6e8aaf2bd9b3f2a903acd0dc0a9a9b2c8e2efe75

SHA256
eb587182a602aebc7d3cbafd6227707b7d642bd2cef5682b2830b485d63b8d86

SHA512
cd7a6b7867ba3b66c84678e5b4e4f17ecdf3d5992c5f79decf62ff10d9bbd0e262c83cdd4f581cf46fc3640f5702e82ad3bbfebe1e2da5f7aa339ed36e0ad0ea

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
42KB

MD5
b7045f9f8726d7eadf87e7e7610c77b8

SHA1
dfbc80c0ac7c307c484539bb59993545b3ada5b7

SHA256
db5727cc437f117498a674b80fb4eec909073253fb5b615901a28cf9eb86c9af

SHA512
3b1355d19a60d16a7c6b13e55448ddd2e2c60e1de0aee54271fa6faf2f6e50af5034340a1131c29a7cb6f1443aee7a00abfea860f5f695a7c471624b700c8c1e

Download Submit
memory/228-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/376-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads