575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2

Analysis

max time kernel
62s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe
Size

470KB
MD5

e1f12951a786b933633b59cb521a7990
SHA1

813e2c32a96aa49b1cd022d76aa848998136d894
SHA256

575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2
SHA512

bb839615097969f5e6e5d3ff6ad346f011c20a156f7d1dd8ae9915a79f99fda49918dca42eac50b6ddfc712eee2d03707768f1daabead588bcfb9c5d635b95d1
SSDEEP

12288:k/Qc8QVj94nLiFzN3b7CUq1u2ztB1XQKTQInqyS6Rm6TIJ3l7DurTG9c8QVj94n8:k4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe

Executes dropped EXE 64 IoCs

pid	Process
3168	Liekmj32.exe
2308	Ldkojb32.exe
1124	Ldmlpbbj.exe
4688	Laalifad.exe
3228	Lcbiao32.exe
2820	Lkiqbl32.exe
1532	Laciofpa.exe
2460	Lpfijcfl.exe
5080	Lcdegnep.exe
1008	Lcdegnep.exe
2196	Lgpagm32.exe
4572	Lklnhlfb.exe
1704	Lnjjdgee.exe
4608	Laefdf32.exe
1304	Lphfpbdi.exe
4504	Lddbqa32.exe
3892	Lgbnmm32.exe
1808	Lknjmkdo.exe
4760	Mnlfigcc.exe
1652	Mahbje32.exe
376	Mpkbebbf.exe
4712	Mdfofakp.exe
4720	Mgekbljc.exe
4064	Mkpgck32.exe
4580	Mjcgohig.exe
3288	Mnocof32.exe
1196	Majopeii.exe
4500	Mdiklqhm.exe
1880	Mgghhlhq.exe
3568	Mkbchk32.exe
4204	Mjeddggd.exe
4112	Mnapdf32.exe
1592	Mamleegg.exe
2472	Mdkhapfj.exe
3328	Mcnhmm32.exe
3184	Mgidml32.exe
3188	Mkepnjng.exe
756	Mncmjfmk.exe
4460	Maohkd32.exe
4432	Mpaifalo.exe
3916	Mcpebmkb.exe
3600	Mglack32.exe
5096	Mkgmcjld.exe
4480	Mnfipekh.exe
4036	Maaepd32.exe
2336	Mdpalp32.exe
3752	Mcbahlip.exe
4060	Mgnnhk32.exe
1240	Njljefql.exe
2244	Nacbfdao.exe
2508	Nacbfdao.exe
2324	Nqfbaq32.exe
1848	Nceonl32.exe
632	Ngpjnkpf.exe
4924	Njogjfoj.exe
1268	Njogjfoj.exe
1424	Nnjbke32.exe
2096	Nqiogp32.exe
1400	Nddkgonp.exe
728	Ncgkcl32.exe
1500	Nkncdifl.exe
1388	Njacpf32.exe
4700	Nnmopdep.exe
4648	Nqklmpdd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Eeandl32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Legdcg32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe

Program crash 1 IoCs

pid	pid_target	Process
1248	3460	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3168	1168	575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe	82
PID 1168 wrote to memory of 3168	1168	575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe	82
PID 1168 wrote to memory of 3168	1168	575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe	82
PID 3168 wrote to memory of 2308	3168	Liekmj32.exe	83
PID 3168 wrote to memory of 2308	3168	Liekmj32.exe	83
PID 3168 wrote to memory of 2308	3168	Liekmj32.exe	83
PID 2308 wrote to memory of 1124	2308	Ldkojb32.exe	84
PID 2308 wrote to memory of 1124	2308	Ldkojb32.exe	84
PID 2308 wrote to memory of 1124	2308	Ldkojb32.exe	84
PID 1124 wrote to memory of 4688	1124	Ldmlpbbj.exe	85
PID 1124 wrote to memory of 4688	1124	Ldmlpbbj.exe	85
PID 1124 wrote to memory of 4688	1124	Ldmlpbbj.exe	85
PID 4688 wrote to memory of 3228	4688	Laalifad.exe	86
PID 4688 wrote to memory of 3228	4688	Laalifad.exe	86
PID 4688 wrote to memory of 3228	4688	Laalifad.exe	86
PID 3228 wrote to memory of 2820	3228	Lcbiao32.exe	88
PID 3228 wrote to memory of 2820	3228	Lcbiao32.exe	88
PID 3228 wrote to memory of 2820	3228	Lcbiao32.exe	88
PID 2820 wrote to memory of 1532	2820	Lkiqbl32.exe	89
PID 2820 wrote to memory of 1532	2820	Lkiqbl32.exe	89
PID 2820 wrote to memory of 1532	2820	Lkiqbl32.exe	89
PID 1532 wrote to memory of 2460	1532	Laciofpa.exe	90
PID 1532 wrote to memory of 2460	1532	Laciofpa.exe	90
PID 1532 wrote to memory of 2460	1532	Laciofpa.exe	90
PID 2460 wrote to memory of 5080	2460	Lpfijcfl.exe	91
PID 2460 wrote to memory of 5080	2460	Lpfijcfl.exe	91
PID 2460 wrote to memory of 5080	2460	Lpfijcfl.exe	91
PID 5080 wrote to memory of 1008	5080	Lcdegnep.exe	92
PID 5080 wrote to memory of 1008	5080	Lcdegnep.exe	92
PID 5080 wrote to memory of 1008	5080	Lcdegnep.exe	92
PID 1008 wrote to memory of 2196	1008	Lcdegnep.exe	93
PID 1008 wrote to memory of 2196	1008	Lcdegnep.exe	93
PID 1008 wrote to memory of 2196	1008	Lcdegnep.exe	93
PID 2196 wrote to memory of 4572	2196	Lgpagm32.exe	94
PID 2196 wrote to memory of 4572	2196	Lgpagm32.exe	94
PID 2196 wrote to memory of 4572	2196	Lgpagm32.exe	94
PID 4572 wrote to memory of 1704	4572	Lklnhlfb.exe	95
PID 4572 wrote to memory of 1704	4572	Lklnhlfb.exe	95
PID 4572 wrote to memory of 1704	4572	Lklnhlfb.exe	95
PID 1704 wrote to memory of 4608	1704	Lnjjdgee.exe	96
PID 1704 wrote to memory of 4608	1704	Lnjjdgee.exe	96
PID 1704 wrote to memory of 4608	1704	Lnjjdgee.exe	96
PID 4608 wrote to memory of 1304	4608	Laefdf32.exe	97
PID 4608 wrote to memory of 1304	4608	Laefdf32.exe	97
PID 4608 wrote to memory of 1304	4608	Laefdf32.exe	97
PID 1304 wrote to memory of 4504	1304	Lphfpbdi.exe	98
PID 1304 wrote to memory of 4504	1304	Lphfpbdi.exe	98
PID 1304 wrote to memory of 4504	1304	Lphfpbdi.exe	98
PID 4504 wrote to memory of 3892	4504	Lddbqa32.exe	99
PID 4504 wrote to memory of 3892	4504	Lddbqa32.exe	99
PID 4504 wrote to memory of 3892	4504	Lddbqa32.exe	99
PID 3892 wrote to memory of 1808	3892	Lgbnmm32.exe	100
PID 3892 wrote to memory of 1808	3892	Lgbnmm32.exe	100
PID 3892 wrote to memory of 1808	3892	Lgbnmm32.exe	100
PID 1808 wrote to memory of 4760	1808	Lknjmkdo.exe	101
PID 1808 wrote to memory of 4760	1808	Lknjmkdo.exe	101
PID 1808 wrote to memory of 4760	1808	Lknjmkdo.exe	101
PID 4760 wrote to memory of 1652	4760	Mnlfigcc.exe	102
PID 4760 wrote to memory of 1652	4760	Mnlfigcc.exe	102
PID 4760 wrote to memory of 1652	4760	Mnlfigcc.exe	102
PID 1652 wrote to memory of 376	1652	Mahbje32.exe	103
PID 1652 wrote to memory of 376	1652	Mahbje32.exe	103
PID 1652 wrote to memory of 376	1652	Mahbje32.exe	103
PID 376 wrote to memory of 4712	376	Mpkbebbf.exe	104

C:\Users\Admin\AppData\Local\Temp\575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\575c1f60f2529206cd98f5b041733d82ea381439ca8137843bdede96fcccd4e2_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\Liekmj32.exe
  C:\Windows\system32\Liekmj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\Ldkojb32.exe
    C:\Windows\system32\Ldkojb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\Ldmlpbbj.exe
      C:\Windows\system32\Ldmlpbbj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4688
      - C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        26⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        38⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        73⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 412
        74⤵
        Program crash
        
        PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3460 -ip 3460
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eeandl32.dll

Filesize
7KB

MD5
49c3c2810c8a8d34b25ca5ffab3b83ac

SHA1
8f5f4b5677194a9c258884cd27ed2b1920229dba

SHA256
49d778451f8e7cd8bc77e3857ed7f6815ade2da096a08a3da0ccb933a2c5d817

SHA512
63677a4278d609d14b4db924fc54d7be9e30e8feecfafc12863ecb4f758b65c2034e096ee9802b33815f7d7b12a1cd5c11ba409500bacb1223b454f3c882a04e

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
470KB

MD5
1b7bfbf0bcca298761dd5ea8da9f52bd

SHA1
519860cdc7e09d573c9bc4afc9551dbc3f91ea1f

SHA256
8a4c21ffa5062de55c5af541bf8c62dfa09cbb83469c9f7ff67ff34cc8d6dcfa

SHA512
54fd236be43eac1e7fae774dc59ea57a02b8e60073c77b67df8b92999c503878db40d925733a3eea3f7de228dc27226989c397ba680f4bbbd0d1aa145938e4b2

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
470KB

MD5
a21019e36e1a4eb07a07ad7a750d701c

SHA1
7d948c308adb711f4b3897a07fca87170d5b15b4

SHA256
974fef1037aa5cb22c1c965e730de291d2e232e720ac0140b033d3a2ba457637

SHA512
1d76e7a6ffa60b7c3e25624b70ca0a48f205e53d9e81d34413e0d37f2e0c5088588c1f38d74fa4cd39434345f883b55bc6cb02b47d441d63fe9c68896c6d1875

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
470KB

MD5
d3ebee4bd3e1e7d28348dba24a0422b9

SHA1
82950235ddf9e2fd675f96aab95f833d782c1405

SHA256
7f210c2bd943c063dab4c14cef98cef0f8ee8c1f1782d7d94709906a3008ade9

SHA512
36b2a9f73216b0a4b0a572ef29e7d261054021d1dc67eec59a0fb720c81def73be936ed5d1c60ef3897a5f9b813d589bb94591ac124ec3751aaeed3546878eef

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
470KB

MD5
b91e3531ca7c0d401b92b9ee15bd1a04

SHA1
69e895d16ff88682739773e7201f0f7771e3a1c4

SHA256
036f1ffb74d3ee74d7db4d76283ad5d54297d6e9ed840ac51a63c5ae26d24709

SHA512
d7fdaef46323316843f3819e119e16a322b3fe46383236bd962b5022893ed57124242c19cc94938c46fce88ef8a7106bf46e37649d7bd6c0b48094b6227f65ee

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
470KB

MD5
0644a6ade8326dd09946956ba6fd0b86

SHA1
dfc0efdd0b3f97448cbb5859aa390718683fe865

SHA256
4d8eba8b7f46a5f0a3d37ab5fec9169ccaa28d88cc7b940b85144dfc42d4358b

SHA512
d24adcf7c8638814cdc341194a24aa38b2dc20375b706fc42db45b1e91c0672530b4d9550937ea6c0d6de1124ed152a351892f90f99fa6efca70dd01976499e1

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
470KB

MD5
fab7528a414966eff2b8dff090fd8d7c

SHA1
d52ff47269ed10579f8961b054118f4208561c92

SHA256
b059b9093a81eaf04f839eaccf056135a4814798ad0df3033d6c5981085f15cb

SHA512
c5c69178546158fedc3692d925dbabea7f3e93590abb0e39be39e78367a285c205e8a20cbb3c728708afc788b0d1ee4dca1cf3d17aea2c63c13dd9fb67dd8474

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
470KB

MD5
3344f49e52303c32a6b0849f0e955b16

SHA1
791d7add85a8e28b1c7653e869bb9c2375d737e5

SHA256
27782316169ad6762837f9da40c8239598eca61344ed340d626a8c57bd29de96

SHA512
c3b04541b36df013d81dbf005ef1f7284a01bbdcae503612f774fc68adb3f4af7bcbd6aa47749a7a3376f2b2fa84696ccff8a03d6a4c01445c591fd4e6cae3b4

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
470KB

MD5
cc0a8f1b6afc672fd408100aa880579f

SHA1
2b99912a3e8b7a6147346cebbaf6717394281b73

SHA256
1c5b58632a57c8374ec45c12277b37f52960087d2e2b2c0a8877c3e5b290860b

SHA512
1bdf6bdcce895dcaa41312789664f725e1088114feb2d8af4bb62f47e98853ba421667126d369d0bc41f5ce18bad41baddef785a34f1f1a9b5c7cd0cf9f82f7a

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
470KB

MD5
2397a13c1fddee7cc73ee79ee7c79e09

SHA1
03e5fe151190bfa41e85240963b8c94afc5159ba

SHA256
f9261f38e0f32fdc0a2846ffde7685491bf4a9b5bd2304b9ee2e738776256376

SHA512
e3f6654ecf92a7757ac2fae7d9de7a55579a8db308b7e9cc21483943e52440c8d86d887bb0f19f177e6eab81d2605e68f0ba9689899d89e847fdd48f8b4e9c93

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
470KB

MD5
f1b805b2946c540e5e8aba3312d57200

SHA1
ea08f4b567bdcf7e51ef16f0498987e46a2f1067

SHA256
c17132e0ed5a0f086d5cb7798be319b5a5dc4c80b62d57a7d0f4468c5f762694

SHA512
deeb041e0f04387c58571380c38253f9bc30d4b623625e98e84d6398ffaad81fea93a218e3d36830bcf8f99a77f198210b90ee945642fa70fcbbd30a53821963

Download Submit
C:\Windows\SysWOW64\Lidmdfdo.dll

Filesize
7KB

MD5
f6437de82e2aa65861ae4fe65eb61496

SHA1
8cffbac371665deb02b2259d286cf880b546f2e5

SHA256
e70e80e80946ddea8291d1ef20910d6eb1228252e71bf1dc10595d52d534f09e

SHA512
9102ad0c192f2f4e6fa30ba94ce7294dba28dcdc65514dd93e8ad30e3588548a36442ad7623409227356b9f79076085cfb35d176e459ad029366bd1580e3d32c

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
470KB

MD5
ec2c61f4c1089bbe7cc0fadab51815ad

SHA1
0057492a8d6681e96faa70f2d6d9a31187d14ad5

SHA256
663935df67fe3b4f7ef718ca6505073ddfbf3104cdf603f8a9de3311dd6b435e

SHA512
d4d25966d77448d5e83744a68e7f4980830b885150799e90e302ecb344e512163eb99df338c7882858da9658d65070f2de54eed9e19fc307def8d496bc649ea4

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
470KB

MD5
fd34f513807a75226e5337912edcb1b7

SHA1
ae18543f20107e5b6f9cecfbeec8705c9062573a

SHA256
b547690b5e7c73f4d08f69a67452970ce38218c35a3e55face3766ab241e1a7b

SHA512
68faa47676f8a0689eae3bcb2ad578cfde1213b98a71aceb34103259a98917ce8fa0d635145c2679450649f8578ba770664dc9542a4395fc043f8e24855dd554

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
470KB

MD5
001e8b6c278d799752b2eefa60dc1bcf

SHA1
8567e740308a2c854e58617762f2f41cf3b3abff

SHA256
cfc85a504b00083693d48ccfa5faacb5d86bbde904f3fa6de25f4ffb47c52fd1

SHA512
c7d32c834dbe5010a25f17338d647824185466b4ac77349c6a4f3ac83cdae969b74966db7a730055264e5be862dcff9132ea8d5861c74445499f2d2abc30045c

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
470KB

MD5
f65da88d308bb0d9646db1c300608609

SHA1
04280b7427334d123ef3f31abead944cf789166e

SHA256
c1b65592e3c8a7f7904a62c5ad98ca9b2d97d00af0f23a09110b08a0d5bc3a97

SHA512
cc21db6f78918104c36adc377bcc478d020416b5ac45e4f94a4eacaa775fa98eb9caa16d90b075e85c540cfb4a6138245a268898889cb5dd919096cda26fa651

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
470KB

MD5
60bcbb3b09431daa079a45b456cf0399

SHA1
178ab9ff856109a077dc68fef15343c734756df1

SHA256
eb36a781d11d659924c4d0cf55ebbd8521ba9448f28d9b75add963fce186611a

SHA512
e4c2bebcbeb8dce65e77ae6edfacb2acbbff40f10a680763a2652a34945c5ef4d285a1ba0d49575acbde64fd64b745758783994476f317a79c4824c8949f1a9a

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
470KB

MD5
26f1413f9e95713122552113e96d32f5

SHA1
e7da8cf447b92b339096ff3d67f201f6d17109f3

SHA256
7f10008882b2cf3f6ac9457cde11bd586fc52a11407798f8bf446aa44167fc50

SHA512
2a5a34c40da08e4ad349cb79ae2f20239f54cb237f2a0de4b96140be11883334bf0f6c806afb703eedc39e9ace569db4565976c005e882a28b8d1b3dbe497933

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
470KB

MD5
c32dee8776c8c85386d8daa0c1d63633

SHA1
17f7173ac290e49e2de674d8098b907daf4c2333

SHA256
45a135e7c4510dcf32bb252b58573c40a938bf6c636eece3037a97d7e24aaaf9

SHA512
7ddc56637eeb825a3cd594614b5233ca4350972004757de10da13bf023c23641222a0d02df26afbcb60905c1933e9fa7d8d7eaf17cdc7250a2e8ed6251ea097b

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
470KB

MD5
1c512de62d6a436ea34d2a9803fcdaf8

SHA1
49096150a437fed61e5824b02c0f8db02f985bc5

SHA256
5728c698593ac93133031b093212b09f3a61afafc07353b3085a99471e5645af

SHA512
a265b807525448a034b8226a6dc8c49ce236dd2e273b2f80fbe0751b124b825c07869f9fb998f61ba55d61c285cb374209e4bf9f0b1832483e2bd9e7bff8caa6

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
470KB

MD5
63ef20159aa572b31eb1687bc8ad69b3

SHA1
38d0865bc3d801ae44f0f700561c8af07c2acee6

SHA256
27b9c08a72bb3f8e3b3debaa555fb5b34d8deee639db8adec06b5d4acd95b70e

SHA512
3d0355ae8539c90f34ee135ade984984710546655135cd667aed534882e99fce5abe0a9cad8bb5b8f8cd21378e16415399f450e4d25ca457dc3522c9a85d0796

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
470KB

MD5
e6103f316495cdae6080ea954955b15d

SHA1
1463f442331581cdc6cbee66b1f085e8d1370ab4

SHA256
cc68950364ccc3a2774f81514ab436094a891a4198b6627d5751ac4799e306a3

SHA512
476e44dfde406106f1eeeb3935376f80b5fdfa0abe7258a7f768eb2225099ef8dd4af5c4a95d2db56ef2d995ec4cced2d2d7e0da84109e770ad35df57ac8c7db

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
470KB

MD5
837ac5b3c227377bb88b9017c9550718

SHA1
f556dc47a064e6e636e4825e9052623d4077bcb0

SHA256
30dc1d38025b41e962e63d742542f815ce9f5f2e5cc265882aaefdb584c9b1a3

SHA512
98557475bbd4b0fc91172afd119e662c828fdda14482c0122a69b5f23467a123e565ff0b8bf14ee52b468a0fe80afba4dc32f813b9774aa5edbad2604029c2b0

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
470KB

MD5
ef97cd97a6e2a10d9f6632dfc4c0b24d

SHA1
785d6f23a8796579ba7a12c79a160e738903c147

SHA256
e57506148e724cd9942eaaeea8d1e71d883bfd3261f5306e21ed3a544fd7878d

SHA512
a896a797a8321e057be104357b8f1871a54eab88c963a3fba37b0c1d7f92c31f41986043b971135f6c7cf6cbd4aed5acfe3d1b223b7849f857bb6d6a6213d7e4

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
470KB

MD5
c7ee3514b11a88e68a1d840093bf8fcf

SHA1
279b3578592b1947c969486cbc32a8f9d2a6f2da

SHA256
283479f2a97ed08716b2deefb1e7a052e20b3019c87d04026b3f1b9f7bee076a

SHA512
aaa5501fb484c7a697974151aaedbefdc1b25b272e657bca620793409e6b23a7631a9314ae46c978e124c8371c5e753dc0adb048c40c4d0edbcd0d19c3e61e07

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
470KB

MD5
69cfe7542fafca7dd099b8d57104d50e

SHA1
10269775d864c98844383a167b87d0034db58825

SHA256
79a1298137cf610d7ef1ab76233e685c1835927fa4c323067608dc1cd11fa9ab

SHA512
fae379b6383f2506305f6f5fc6c1308de661b8f8bf86802367020505207c601224ea9bdcdbf21705b6870e1991f530be36c1626996e539b84683eb3bcd236a36

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
470KB

MD5
fe70ab12bde14f237db593d674336246

SHA1
590988269bad05e977e9ffaf176d89cf69c9470a

SHA256
e4226c991db1fdda9dd8dca25b115b6e1f768f13597bf081c6883ef97696e48f

SHA512
d8dfe81a628c0af04b859e495514241eadeb194ef4c8741e8322b2cb7d7524e68154f528025cf453627e6c8f40f326ad15a9ebc085d45006edce958dd6ae3542

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
470KB

MD5
b6d1eaf3527b93b9e61ca104067f29ae

SHA1
6f3395b5fe869db66fc42777f3b418cecbcba984

SHA256
f3a8becbf172716064eeebc15731dfb9f3bbc1cad9593aebcf4a6775a5ed4e45

SHA512
f3bc81ff79c334c4e4493a1b155e031215200cd032268a7f84e057b3199bce946df5476aa83164c33146ed0ac5dc7e9f7e430179ccdb857d33cffcbd2fef62cf

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
470KB

MD5
6db26029bc88945763abc468562cf117

SHA1
2661c7cf6a64e3bb857eecba6a8206fa1370e63f

SHA256
f81b22cf478dbb4700a53ec16dfb95883ea0d1e510d39d9ce91dc543b0e3ea1b

SHA512
252d8bc966fe0850bc2479375bf0d4b6cb872dea3be7fd06fae4b1927f04c6a47dcf17185070857fdef1b1f16b7a0d20ba5ac85fd5bd87e8de8501d201e1111a

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
470KB

MD5
c57215160ee100607517303074247421

SHA1
c45937af955916c65dc019369ceafc7cfb8807f7

SHA256
fbd90d9580a072af0af66fef18e187e209da676389ab69c5a1fce87a6e1eb80d

SHA512
73b4c4810e0c6ecafe67daec14a13d516e3f9dafb3b0a935d57b322a096b45fe208086fcc20e85908588523096350dabf06595373591ddc89dcb8e8a72c624b7

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
470KB

MD5
dc46e33e5e5b22b1232d771f099e9b2e

SHA1
d90e1077e663bc54565c7f5989e3495c4f759b02

SHA256
84d9e477135a5a7810adf64ddefc6c905d4b03e7616bf17a33afdb1653e42c23

SHA512
3cc0a5ca945f5ed6deb605c1841485f6052493d1238f6485f789d116f1c3446b3d5418065f9457c2af8a059b25febabb9bd42165d6f251a0e5520bd0949496ea

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
470KB

MD5
6b9a3d46d15f05d7b87aa0c7afee6f3f

SHA1
bc658d43a1d8d024fd14634cfe9b62ae5fe40e31

SHA256
ff23036d8e19af7754fbd1e855bd90ab05a97281bbbf015371b771e9ae5487d3

SHA512
6fb9bc4c74c396fd8e6c089de366131f6f49d6e71fc191b3c6e377caf148c47c765e64ccbe4887974287c93f7e476b57236b78f1d753c5868c1fb69d02138120

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
470KB

MD5
7a794c622383e56122bfbea024815293

SHA1
fe2892158e2c4c55d10591a6e75c1c8b32bacfcf

SHA256
f90de8d0db386cddffd97a52d478af284a26a991cd51e46fa6004052ded07ee8

SHA512
04bc154d29691eccfead72a127ad127d0543f2466c79ae4a5f027168cb312ce7f4c539dde626cd890adb9b1aa34008393d294e54cbb30ea8a1ba225ae7f18d37

Download Submit
memory/376-433-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/376-547-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/632-481-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/728-469-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/756-513-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1008-422-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1008-569-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1124-23-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1168-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1196-535-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1240-491-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1268-442-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1268-477-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1304-427-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1304-559-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1388-465-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1400-474-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1424-475-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1500-467-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1532-61-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1592-439-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1592-523-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1652-549-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1652-432-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1704-425-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1704-563-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1808-553-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1808-430-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1840-448-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1848-483-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1880-531-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2096-472-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2132-452-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2196-423-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2196-567-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2244-489-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2308-20-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2324-485-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2336-497-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2460-420-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2472-521-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2472-440-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2508-487-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2820-59-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3044-455-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3168-7-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3184-517-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3188-515-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3228-44-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3288-438-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3288-537-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3328-519-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3328-441-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3460-446-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3460-443-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3568-529-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3596-458-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3600-505-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3752-495-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3892-555-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3892-429-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3916-507-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4012-453-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4036-499-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4060-493-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4064-436-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4064-541-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4112-525-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4204-527-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4432-509-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4460-511-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4480-501-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4500-533-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4504-428-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4504-557-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4572-565-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4572-424-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4580-437-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4580-539-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4608-561-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4608-426-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4648-462-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4688-31-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4700-463-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4704-450-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4712-545-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4712-434-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4720-435-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4720-543-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4760-431-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4760-551-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4876-460-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4924-479-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5080-421-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5080-571-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/5096-503-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads