0cbbc2d837a7323ffbe76c391951128538335b5c29d76f66a1be777bcefabc58

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe
Size

59KB
MD5

76dae5e30fae0962d36dd89f17e11280
SHA1

301578f0490afef7d68a0bfbb44360bf67aad8dd
SHA256

0cbbc2d837a7323ffbe76c391951128538335b5c29d76f66a1be777bcefabc58
SHA512

dd93e4330014fb75eacb72437ca688f7139b4ddca5ebb50ab9e8fd11c5f0040e30081f4d56248ad6015a1d7c5cd1d6cf14f39ebb1ab83f41e2998f56ba1914eb
SSDEEP

768:v/gSFjLK9wTRGr1K6d06+9GGggUAMDYOaclNlzChQX4w9GBQ4t2X2p/1H5XfXdno:XX1NC7gNXENlI24w9GaX2LbO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe

Executes dropped EXE 55 IoCs

pid	Process
1656	Lmqgnhmp.exe
4584	Lpocjdld.exe
224	Lgikfn32.exe
860	Liggbi32.exe
4384	Lmccchkn.exe
1320	Ldmlpbbj.exe
3840	Lgkhlnbn.exe
3620	Lijdhiaa.exe
3176	Laalifad.exe
4792	Ldohebqh.exe
4840	Lgneampk.exe
3272	Lilanioo.exe
628	Laciofpa.exe
4592	Ldaeka32.exe
3776	Lklnhlfb.exe
3596	Lnjjdgee.exe
5104	Lddbqa32.exe
3588	Lgbnmm32.exe
4400	Mjqjih32.exe
928	Mpkbebbf.exe
1088	Mciobn32.exe
972	Mjcgohig.exe
4024	Majopeii.exe
1836	Mdiklqhm.exe
4336	Mgghhlhq.exe
3940	Mjeddggd.exe
4504	Mpolqa32.exe
3092	Mcnhmm32.exe
2856	Mkepnjng.exe
2580	Mncmjfmk.exe
3824	Mpaifalo.exe
2368	Mcpebmkb.exe
1772	Mkgmcjld.exe
4284	Mnfipekh.exe
4524	Mpdelajl.exe
4060	Mcbahlip.exe
4908	Mgnnhk32.exe
2740	Njljefql.exe
2968	Nnhfee32.exe
1748	Nqfbaq32.exe
4388	Nceonl32.exe
3292	Ngpjnkpf.exe
2252	Njogjfoj.exe
2168	Nnjbke32.exe
4676	Nqiogp32.exe
4772	Ncgkcl32.exe
4156	Nkncdifl.exe
4604	Nnmopdep.exe
4120	Nqklmpdd.exe
544	Ndghmo32.exe
4660	Ngedij32.exe
1556	Njcpee32.exe
1792	Nbkhfc32.exe
976	Ndidbn32.exe
3172	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
868	3172	WerFault.exe	140

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1656	1824	76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe	82
PID 1824 wrote to memory of 1656	1824	76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe	82
PID 1824 wrote to memory of 1656	1824	76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe	82
PID 1656 wrote to memory of 4584	1656	Lmqgnhmp.exe	83
PID 1656 wrote to memory of 4584	1656	Lmqgnhmp.exe	83
PID 1656 wrote to memory of 4584	1656	Lmqgnhmp.exe	83
PID 4584 wrote to memory of 224	4584	Lpocjdld.exe	84
PID 4584 wrote to memory of 224	4584	Lpocjdld.exe	84
PID 4584 wrote to memory of 224	4584	Lpocjdld.exe	84
PID 224 wrote to memory of 860	224	Lgikfn32.exe	85
PID 224 wrote to memory of 860	224	Lgikfn32.exe	85
PID 224 wrote to memory of 860	224	Lgikfn32.exe	85
PID 860 wrote to memory of 4384	860	Liggbi32.exe	86
PID 860 wrote to memory of 4384	860	Liggbi32.exe	86
PID 860 wrote to memory of 4384	860	Liggbi32.exe	86
PID 4384 wrote to memory of 1320	4384	Lmccchkn.exe	87
PID 4384 wrote to memory of 1320	4384	Lmccchkn.exe	87
PID 4384 wrote to memory of 1320	4384	Lmccchkn.exe	87
PID 1320 wrote to memory of 3840	1320	Ldmlpbbj.exe	88
PID 1320 wrote to memory of 3840	1320	Ldmlpbbj.exe	88
PID 1320 wrote to memory of 3840	1320	Ldmlpbbj.exe	88
PID 3840 wrote to memory of 3620	3840	Lgkhlnbn.exe	89
PID 3840 wrote to memory of 3620	3840	Lgkhlnbn.exe	89
PID 3840 wrote to memory of 3620	3840	Lgkhlnbn.exe	89
PID 3620 wrote to memory of 3176	3620	Lijdhiaa.exe	90
PID 3620 wrote to memory of 3176	3620	Lijdhiaa.exe	90
PID 3620 wrote to memory of 3176	3620	Lijdhiaa.exe	90
PID 3176 wrote to memory of 4792	3176	Laalifad.exe	91
PID 3176 wrote to memory of 4792	3176	Laalifad.exe	91
PID 3176 wrote to memory of 4792	3176	Laalifad.exe	91
PID 4792 wrote to memory of 4840	4792	Ldohebqh.exe	93
PID 4792 wrote to memory of 4840	4792	Ldohebqh.exe	93
PID 4792 wrote to memory of 4840	4792	Ldohebqh.exe	93
PID 4840 wrote to memory of 3272	4840	Lgneampk.exe	94
PID 4840 wrote to memory of 3272	4840	Lgneampk.exe	94
PID 4840 wrote to memory of 3272	4840	Lgneampk.exe	94
PID 3272 wrote to memory of 628	3272	Lilanioo.exe	95
PID 3272 wrote to memory of 628	3272	Lilanioo.exe	95
PID 3272 wrote to memory of 628	3272	Lilanioo.exe	95
PID 628 wrote to memory of 4592	628	Laciofpa.exe	96
PID 628 wrote to memory of 4592	628	Laciofpa.exe	96
PID 628 wrote to memory of 4592	628	Laciofpa.exe	96
PID 4592 wrote to memory of 3776	4592	Ldaeka32.exe	97
PID 4592 wrote to memory of 3776	4592	Ldaeka32.exe	97
PID 4592 wrote to memory of 3776	4592	Ldaeka32.exe	97
PID 3776 wrote to memory of 3596	3776	Lklnhlfb.exe	98
PID 3776 wrote to memory of 3596	3776	Lklnhlfb.exe	98
PID 3776 wrote to memory of 3596	3776	Lklnhlfb.exe	98
PID 3596 wrote to memory of 5104	3596	Lnjjdgee.exe	100
PID 3596 wrote to memory of 5104	3596	Lnjjdgee.exe	100
PID 3596 wrote to memory of 5104	3596	Lnjjdgee.exe	100
PID 5104 wrote to memory of 3588	5104	Lddbqa32.exe	101
PID 5104 wrote to memory of 3588	5104	Lddbqa32.exe	101
PID 5104 wrote to memory of 3588	5104	Lddbqa32.exe	101
PID 3588 wrote to memory of 4400	3588	Lgbnmm32.exe	102
PID 3588 wrote to memory of 4400	3588	Lgbnmm32.exe	102
PID 3588 wrote to memory of 4400	3588	Lgbnmm32.exe	102
PID 4400 wrote to memory of 928	4400	Mjqjih32.exe	103
PID 4400 wrote to memory of 928	4400	Mjqjih32.exe	103
PID 4400 wrote to memory of 928	4400	Mjqjih32.exe	103
PID 928 wrote to memory of 1088	928	Mpkbebbf.exe	105
PID 928 wrote to memory of 1088	928	Mpkbebbf.exe	105
PID 928 wrote to memory of 1088	928	Mpkbebbf.exe	105
PID 1088 wrote to memory of 972	1088	Mciobn32.exe	107

C:\Users\Admin\AppData\Local\Temp\76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76dae5e30fae0962d36dd89f17e11280_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\Lmqgnhmp.exe
  C:\Windows\system32\Lmqgnhmp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\Lpocjdld.exe
    C:\Windows\system32\Lpocjdld.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\Lgikfn32.exe
      C:\Windows\system32\Lgikfn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
      - C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        56⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 404
        57⤵
        Program crash
        
        PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3172 -ip 3172
1⤵
PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
59KB

MD5
fff94f7968b296210f85138812d6ffee

SHA1
eb54d7b811e61276651509f5b919850a7eba708e

SHA256
28342a068bbf1a6a08d1e201c32fb0790fee3fc031228a80dd9d0d0d1e4a1f51

SHA512
fffaa8947afaeef5d9dd3df37f751a4fb3367f33c086e3f1b4423cabf912f7fc72c683d27679d8dfece3d2171b98e0919b57a780a98194859d49452e81108db2

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
59KB

MD5
d4a097065697c8d4c20f5402660819ba

SHA1
0e57281c0b22868d1dec3d20f4d5986795eb0992

SHA256
bba5299e23e381707b11b61e9aaa0e02d13a1031a5259a4a982fb1fd9c3455b8

SHA512
f6622d268a0fb92f8fe5eabdad24d1cbf35b01a22c7f66804946d93ce5808733bb91e9c922c6e5e11c29e5ab793995114bd524453199e1189d82ceefb1ef81b3

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
59KB

MD5
c53e1eb63e623ce9d783a4409a7f92d9

SHA1
af1a287d234f5dbd3dce37d5acd97a7d1bb9556d

SHA256
fb91ff12b88d4551442454b6c8c0c73db5dc0bde7fa4c56ca91bfae51129dff0

SHA512
ee6be6bf41a94edec801b612def052ee6f093c48e99fd8b7f00250df4c013dfa1065599443cca564abbc5a63178ca7fcc3740d256e8857cafb871b9b65b34ce8

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
59KB

MD5
44c26d847a65bb45644b573ca7e2ef74

SHA1
c075ae1d858ce4a8dcdaa97508328d69c03e00a2

SHA256
08330ed8d24b77650fa6662fd34e3ae0aa0a0cebc865ef718c07960d5354b194

SHA512
07f09f32792acdf96a951166e230767165b42303fea1761cab38897819b141f116631ee2248927a9b83cc5f9528e22ee02ab9aeac3e1133469b372665499a0f3

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
59KB

MD5
759043f49c823df6cfd31976efb38039

SHA1
8a9656c0def52a9e7046c3e051caf79416938ce1

SHA256
a1bdfb89b268d2dc223c61ffb44c75b971d79dd4430e06fb0e3b5fc7f0cd67f8

SHA512
bf2e9db1924d037c1b0b87badcbb3b0da693d1f54b392a621c0984af81ceb167e412fbe91e91ed126fd42fb4a4f6cdc58e69945a2721b5e4475d30f14a606db1

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
59KB

MD5
661df94921807bdf7d5ad45f4363ecdc

SHA1
44f64307ad6c902a550cd3743223fdb0f2ae724d

SHA256
4928678fff4bf519005b8fe44964cf907f80aa63bca54dfe9316d7508e2e0cc7

SHA512
a6eb323c9738bc06d7c6e8f084d21c6c9b57b456994c7667669f0c93aa4fe3f24aa052f5694c55aa4af73239969b84d23f279ae58958935fc684a3c68f1df8a9

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
59KB

MD5
3c83d9eee05038566636193148ad648f

SHA1
c464a150287be5dfef8f72eeff48f6e903c24b50

SHA256
66b09be3e76e2006c243feff81033e762e4b46c8f3f86301ecdf4b0fb56a0383

SHA512
d3099ebf162a9c824ee0ea43abcb0971e2de76fe76e71d182fe79b3f058fb24fca22737fa12c9da2b585d1723a4437f4d631ad579fedb403ebc2c9ad38325159

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
59KB

MD5
264aefdf482b63703bf247bc63648f3c

SHA1
39180cc94888082a1f95b587a97983da012ee6ed

SHA256
a40413d3bdcb7bf0ece372c7af8a743c81dbbb9a0d68ff3a3869f25b6effc2bd

SHA512
a91ec9bb001989406af5dfabe4a5dbe2aa8644137022fff200668b88d4ece0ecdd0387cbfb358e2873774d94b988bee18249456bdc7890c006530f0f825e47d1

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
59KB

MD5
95fa07dec75a508a6b1fb94750810f66

SHA1
b1ea96b1debb2c08a8d0d9699856d761f5b111a1

SHA256
0c6e1ff6ad0aed013c8904975e4fb3840076012225fdd2384ca168e708bc3f72

SHA512
9fd872b80c1cf61d454fd5630868996868b54cb64fb62dae8bebc8ac0dc9ebb6f893f06b1c352d7677a467f3b3df8ea0d43f1e5c9636c230640fed66cd83f285

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
59KB

MD5
08034a8c53bdf87cd482f7d5c3d0343c

SHA1
c5a41310c1305c29ddb2cd608ee1b2913db179c4

SHA256
f83cd29de1fda877915be9bf1f72c39993a133f21fdd1b7dc479373d8a66376d

SHA512
a277b7aa723d96125b08fc5dfc0e0134b4db88fd46e56e2355ee35a71628adafd399cb0fa781adbf310eea1c5cf28723036825d44243c97f7c6d925d123819d8

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
59KB

MD5
4deca10cae0fbc1e2d4c9bb5170ddc8d

SHA1
a21f06f1b64786b3363e8e21c2241ab6c6e19277

SHA256
c06708800baeb2131e318f8ec6da696345c1b6dc3a40a273d563f952aff9590e

SHA512
da2c1b9e1dd2c9c0b63d49b72b0ffeb51313a3a388a3c9e8a8e2d58f82f04a1cf0599f97a6134001d5c720bb72b0f4a60991f441ade88b620563567cd616adfb

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
59KB

MD5
b962b33390e33a574c626fdee4938154

SHA1
967d6c631f6807cf2898f920d6fbda9341616029

SHA256
7ab964c9bb3674c29f403e2af12728c715a646945bb233c0065130b73b302bca

SHA512
3f192e30e9daa0e6848002daad1a55d71a7db5d054d99258cbd1add01b6ff9eda2d85b8c20cd2b4b60c4ad0a9a9d8666a8671d64fc97334fd109e3621ce61a5a

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
59KB

MD5
0fc03decbddba98ae3ec98148dc421f3

SHA1
651b8fe5d3911734c47a4e57289f5deef4b85777

SHA256
0d5effb7622c529356f71cd241c556e518782e56b32a574d04fe02417919b0f0

SHA512
c4d8f09e26ca58ec905901ca02440afd4403a9c4de139a9a5733d8693f0af0dcea65d133cad62ba89ec97d99353c53f9ea6f85712cf4af25b80c48aee44ad8a2

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
59KB

MD5
02b8d3ffb4e05b813fedf6de764f513f

SHA1
7c90af2282b61c3881f86a452d8e6a41b43211e5

SHA256
ee7c54487067e790d778433eb4d6e4b6ce0fee6838f8dcd5b85b2a26fb7ba252

SHA512
11e65ecc6404a3796cd8c8884ac49e8b5ca6ff09a17bd779e6fb9df8ffab55311529d7f4728849cfdc78caf1add5b41c9da0fa5918365cf54593b57c4aa6c505

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
59KB

MD5
b1ade11d11b0300ba098c2447e260980

SHA1
167aee41753b60ce3aa674c2731c50cd580da31a

SHA256
e3ceb82200925443ac30d63bb2062be6bde05581698ca55b263f23512e0a5b06

SHA512
565b312e9fdb58eb5a07f618f7328bc1579dfb60552c2989abc7e1cd3395ab8035bb5874f6a7f5a284ad7c07aa08a912cadbe2db8744f798a346b79adb7184f5

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
59KB

MD5
9951c186dc8b2fcef743d6d8262dd367

SHA1
01c882f0c8bf41aedaa186b518c71a452b28a0a5

SHA256
8fb9733247c74a4649d2fecc0884692f501f01bb117bea681e8ca065b78e694f

SHA512
9d08a75421eea97d727158500d4ea9fc79053976ac97ad1386818180e12dd2757daffc2e284ca307acefd939789e7427c794d3e776f0d4cc4ec68df491b1a854

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
59KB

MD5
f035683ba12f3ddaa9579cc9ddadb087

SHA1
21c84b1762eee201e3fbeb0f41d9095019d3f752

SHA256
2ef2d3cc9cb2b3f6d6932d26e926e8d69d46cd67be6f74976df6e97c39fe0f28

SHA512
ff9bc6f57c1983684a212d5707b1d52cf70b21c52fe69babcc1b214d0718e2307984367bdf0b26d72339b00e6d14dcf992d271e5edfcd5d71373a37afa49f3b5

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
59KB

MD5
7ab572d1fb39e354d0c13ab55d478f00

SHA1
e3dd9664df4c9b6dbbc22268d24ae7d442681eb5

SHA256
bdafe87d7479b820c584b5388fbffe3f69ca4bd998b0d6ba920b3e4f48de81b6

SHA512
910246e48b8ae4ee59ad3c89c3c2afc66105415ed467896d7ec117f8a70d95ccb59863db6405641ba2caf759fc2c7535a2d83a68b48736e1a0296fae5e60a4b8

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
59KB

MD5
e73a6baedee03442a2c9b6103a326db2

SHA1
8c063c2dee7c8fee9af1b85e8d312dca6adde305

SHA256
8f9199c8d309d675c4ac7ad747018153fcc2a93ba2cf324b5284a3309ec80b1d

SHA512
858ad940a82799a19fe08c7a08217e8c7bbdc38f1b45396782181f44cfb8c740f3211b1c97e64c9313894d593bb52e659c74f55d9d10f0f9645df99da2aaeb79

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
59KB

MD5
689ef05ccaa73a66ae1b0c7074364c77

SHA1
dda13b0de5f1d8a8e85263a0ebbe443145ea9fb7

SHA256
00370a3aa2c9cad307930b10c6541b6f8ad7fc1ccc5fabb5cfcaae90a8c26e76

SHA512
cccaa805b3618ee280b65f07e671d8e7b3e220e304a29fae56e7d9c3612987306a98f5800c77d4beaa70db104fdcebfe319b4b80ca96be2bd62a6d4583f6f04d

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
59KB

MD5
75e709a661ab7461b7e7bc699c0e18e6

SHA1
ed375abe935a1e85b1786ef1bdc154a7f6c58b96

SHA256
35b2c56279bda05e1bb5c8c01c1c4df7e7c96c249b37dcae0fd7338b5b205e99

SHA512
11808047ec6f7277035b566a19e586ea2afb176ff2bd17ba0e83d914f4f514ef6b839c2a186b7fdb13e8947e4e9121432ce44e767930f25b36d39b641f2e531e

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
59KB

MD5
43da0e8db0c4b7dbcea4b05171e08b59

SHA1
9dbe81dba2c0c994ac8310a3f08aae1b4a0d33d4

SHA256
3c270117f922d9ef11275bc323100955ee270dbeba4da0218c6f9cb56ec622b1

SHA512
6db050662f9a02a71cb242db86faf23e6df550dfea4afcbb4cebb950c593b0b0d646107d850302095cb8ecb3d5356e8be658ef20d84fe29354409df411adef8b

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
59KB

MD5
6ca426b447f4db1d3881cc75cafbe94c

SHA1
1dfe2af7f488ae6faf162c117fb4b80788639228

SHA256
d90aa0f15c5f83252840cd4b06238226a1ea8ac1fd0accb02968e3d24f095f19

SHA512
dbc8352d6bf1f4c4bb521d35923a0ca879e8adec4ce448233b0f1ef1ed92be790318c9cdb91487ea9a1d82d1a2c24e6c81579f103fca30d049c341d168a102a7

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
59KB

MD5
268e6247a3bc3225d83d7718074b20e6

SHA1
fb93974595fab526e7a1bec1ddcc1f48c06633fd

SHA256
ffa6a71bbd815bae952d2dd6302a3ab5ffdf5bb719f3e8b9e0070ce741082200

SHA512
1bc098acd76c583b0b6c8a4e44ecb0dcd4ab0d6fe7d0c582242dfc404de032bcc0673fd9ae377dd39fcf68e25716fa3e06692e20911d3ae2f87c3e6e449f4e23

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
59KB

MD5
e1f0add5ab6ec5e8a830eb9a96241aa1

SHA1
9e3574fd1d1f22da783c7c2e04301d1f2b20ace6

SHA256
b7ca488eca2ebdac2e85d185ce650b25b1dedef2702850b8aa3b4cb263f4721b

SHA512
e49d7b00f03631be0ac15f19b0342bfea648b333debe0d4e78f3f396b408a0cdd093c4593d82e00b344524d482be300a929edcba7fea3e3d639d124b796edeab

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
59KB

MD5
4efd520a1605d571ad6cbe6c13de2f57

SHA1
607ebfce4f671eaed21f9e0cd27ffb8139c9b7e1

SHA256
2458964143a830fce369aff5270cad78b0c128714acde1a753ca3570b70ab815

SHA512
ed66e1c3a9137f69e8f03975f20343b77a6b5841dcbc6c38705f7612dccf48a7732ea516e53b850419f77d7aa3dbdd900a47775c1fbc7027e3e2902447de785d

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
59KB

MD5
1327e0b0bafb0859558cbeeffc2600e8

SHA1
40fcb6fa3a0dbc07f085c273c0c27267b3fad28a

SHA256
4d507782875c2fea4169be448cf31a08f1af959855189aebc7ac58079ccc1ba4

SHA512
c5e8e06d4b599b87c615b71e4dc016d0a6bbc9362f7b315315d54de26a114f0aef05cac48ba13c40d6f5e5a2898ae443da37f0e534278f28004a0ba8fceff061

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
59KB

MD5
f32a85d930cb094294450ae978f3c45d

SHA1
e8c5bb9cc488ef46961437201a7aeb02dae99c21

SHA256
5de85759e1029f8286602c9a316fc0e50012a6b78e2e50261e6215233b790617

SHA512
4f41bd6b312f857b0bbe961d913198ae70cdeda4f58d208798bd19c36c40e677e210ea280dda18d6bba6dc1e3085127038f417440d1c7ab5de73930f930043c6

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
59KB

MD5
1c5f9a600e2de7533f7cca54b097011d

SHA1
ce96f100db339de0a7cdb7b8e0811a8018c42516

SHA256
31270eae5b434c50a553584b604db0e8c00f7c5b02e6007461a65c70c7b2b6ba

SHA512
2c01f0caf44c6c92f28488418e92170fa89782f79cadc51227e2c6944c272b27dafec5c30a8dd10d7a56d3ca10e1314e6c41e22ca0bd12b5ff98d79f53eed0ca

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
59KB

MD5
ebb4cbb2a615ef9e6914563d96f7bbcd

SHA1
d2cf4226ed3c00939065f69794a60e5a5d82d3cc

SHA256
0f757ecc044e530907480e1a98fd439b9e396fef58576bc0610722565745e9d3

SHA512
1c59640b3cf769e0dc858c61607311e653c2ce1849924e1933db3007f9369828b1a856ad9d74d331b94dc35ab36ec9898e5b6c5e70fd1f363ac7394796bd208e

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
59KB

MD5
9ce3f177b3a4916d15333209151aa5df

SHA1
a2c5f44b3766d62b1b2fd55481bfb3e638db4a98

SHA256
706d349a20f7997e7fc445faccfac8fc6a64cfd97643ca84ff82db8cc1899faa

SHA512
7a24ca5037233d3a2d02d086bf0dc19fe220839ef30f7c2792ecf8ff6953fc967a8a493bbb17bf089c0a9761961ffe71a01e402804fbe985f091e099459c4e70

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
59KB

MD5
40e6e190a9731a059c22945d3299f233

SHA1
efadd5949733f75e1534535e067d22cf64ed0e49

SHA256
7195bcfad0183b15b84356ef787015dc73b0f7f4b7c8953b9cf4309bd4532f0e

SHA512
93e426ab0edc4628c8b951e75236caa4c57d9dc42b61f4977618cac3f4ea89784efee18449423bf334190600e07de761e93f431f125f1af1fccbb4ca8af226cf

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
59KB

MD5
849f108993da5c6c51738b758fd521de

SHA1
c07efda20cd81956cedcb5e6f05f48811b67b6a8

SHA256
434b7d0c2b68f77b4cd371e83e56933957a48286cc961e49371b285aaf8f080d

SHA512
00005ff746284ea6201743d18d03632dd33b10b0ce02275bcd819a0978725799ad096cccf64533a9da62e8b2a163fd903350e57b0f00c5e0fcdeaa55078e62b0

Download Submit
memory/224-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-5-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/1836-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads