9706ab0bb82d2d12ef4e98bc6a87502099e13fe749b726422e0e3fecb713b322

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43582f326e8bf3ccc14753535904e9b0_NeikiAnalytics.exe
Size

45KB
MD5

43582f326e8bf3ccc14753535904e9b0
SHA1

233cfa95204a727f0c4645e4df7b0a5f7576d05d
SHA256

9706ab0bb82d2d12ef4e98bc6a87502099e13fe749b726422e0e3fecb713b322
SHA512

3f011ac4cdf6f64b0eb9290d99c7cd67b163bb4a05b5be9b8d6a35ab86fd2c0dbf0a8c12c0da8750462d00210c9524de6b47c41c23234031d7e3f5d50813b83f
SSDEEP

768:CVqDEPLga1AjVO1rywyYetWbIJe31TSlQUxccMdXXAphYSJLnV9b/1H5+T:CV0EPEJjVEryVQIJiTSKv9AHfXNI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	43582f326e8bf3ccc14753535904e9b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe

Executes dropped EXE 64 IoCs

pid	Process
5000	Jbocea32.exe
3540	Jkfkfohj.exe
1412	Kmegbjgn.exe
3904	Kpccnefa.exe
396	Kgmlkp32.exe
4188	Kilhgk32.exe
3340	Kacphh32.exe
4984	Kbdmpqcb.exe
1728	Kinemkko.exe
2768	Kaemnhla.exe
736	Kgbefoji.exe
4668	Kipabjil.exe
3940	Kpjjod32.exe
4528	Kcifkp32.exe
3688	Kkpnlm32.exe
2252	Kmnjhioc.exe
748	Kdhbec32.exe
4540	Kkbkamnl.exe
2244	Lmqgnhmp.exe
5020	Ldkojb32.exe
1408	Lgikfn32.exe
516	Liggbi32.exe
3288	Lpappc32.exe
5068	Lgkhlnbn.exe
2032	Lnepih32.exe
2876	Laalifad.exe
3068	Lcbiao32.exe
4584	Lgneampk.exe
2092	Lnhmng32.exe
968	Laciofpa.exe
688	Lcdegnep.exe
2412	Lklnhlfb.exe
3504	Laefdf32.exe
1604	Lddbqa32.exe
392	Lcgblncm.exe
2284	Lknjmkdo.exe
4196	Mnlfigcc.exe
4476	Mpkbebbf.exe
4884	Mdfofakp.exe
3400	Mgekbljc.exe
4840	Mjcgohig.exe
4024	Mnocof32.exe
3556	Mpmokb32.exe
3056	Mcklgm32.exe
4052	Mgghhlhq.exe
1288	Mjeddggd.exe
2620	Mamleegg.exe
2632	Mdkhapfj.exe
1696	Mgidml32.exe
1580	Mkepnjng.exe
5008	Mncmjfmk.exe
5084	Mpaifalo.exe
3784	Mglack32.exe
2792	Mjjmog32.exe
1400	Maaepd32.exe
3700	Mdpalp32.exe
2732	Nkjjij32.exe
548	Nacbfdao.exe
2356	Ndbnboqb.exe
4592	Nceonl32.exe
3916	Njogjfoj.exe
4152	Nafokcol.exe
4400	Nddkgonp.exe
4368	Ngcgcjnc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1652	4468	WerFault.exe	155

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	43582f326e8bf3ccc14753535904e9b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 5000	1236	43582f326e8bf3ccc14753535904e9b0_NeikiAnalytics.exe	80
PID 1236 wrote to memory of 5000	1236	43582f326e8bf3ccc14753535904e9b0_NeikiAnalytics.exe	80
PID 1236 wrote to memory of 5000	1236	43582f326e8bf3ccc14753535904e9b0_NeikiAnalytics.exe	80
PID 5000 wrote to memory of 3540	5000	Jbocea32.exe	81
PID 5000 wrote to memory of 3540	5000	Jbocea32.exe	81
PID 5000 wrote to memory of 3540	5000	Jbocea32.exe	81
PID 3540 wrote to memory of 1412	3540	Jkfkfohj.exe	82
PID 3540 wrote to memory of 1412	3540	Jkfkfohj.exe	82
PID 3540 wrote to memory of 1412	3540	Jkfkfohj.exe	82
PID 1412 wrote to memory of 3904	1412	Kmegbjgn.exe	83
PID 1412 wrote to memory of 3904	1412	Kmegbjgn.exe	83
PID 1412 wrote to memory of 3904	1412	Kmegbjgn.exe	83
PID 3904 wrote to memory of 396	3904	Kpccnefa.exe	84
PID 3904 wrote to memory of 396	3904	Kpccnefa.exe	84
PID 3904 wrote to memory of 396	3904	Kpccnefa.exe	84
PID 396 wrote to memory of 4188	396	Kgmlkp32.exe	85
PID 396 wrote to memory of 4188	396	Kgmlkp32.exe	85
PID 396 wrote to memory of 4188	396	Kgmlkp32.exe	85
PID 4188 wrote to memory of 3340	4188	Kilhgk32.exe	86
PID 4188 wrote to memory of 3340	4188	Kilhgk32.exe	86
PID 4188 wrote to memory of 3340	4188	Kilhgk32.exe	86
PID 3340 wrote to memory of 4984	3340	Kacphh32.exe	87
PID 3340 wrote to memory of 4984	3340	Kacphh32.exe	87
PID 3340 wrote to memory of 4984	3340	Kacphh32.exe	87
PID 4984 wrote to memory of 1728	4984	Kbdmpqcb.exe	88
PID 4984 wrote to memory of 1728	4984	Kbdmpqcb.exe	88
PID 4984 wrote to memory of 1728	4984	Kbdmpqcb.exe	88
PID 1728 wrote to memory of 2768	1728	Kinemkko.exe	89
PID 1728 wrote to memory of 2768	1728	Kinemkko.exe	89
PID 1728 wrote to memory of 2768	1728	Kinemkko.exe	89
PID 2768 wrote to memory of 736	2768	Kaemnhla.exe	90
PID 2768 wrote to memory of 736	2768	Kaemnhla.exe	90
PID 2768 wrote to memory of 736	2768	Kaemnhla.exe	90
PID 736 wrote to memory of 4668	736	Kgbefoji.exe	91
PID 736 wrote to memory of 4668	736	Kgbefoji.exe	91
PID 736 wrote to memory of 4668	736	Kgbefoji.exe	91
PID 4668 wrote to memory of 3940	4668	Kipabjil.exe	92
PID 4668 wrote to memory of 3940	4668	Kipabjil.exe	92
PID 4668 wrote to memory of 3940	4668	Kipabjil.exe	92
PID 3940 wrote to memory of 4528	3940	Kpjjod32.exe	93
PID 3940 wrote to memory of 4528	3940	Kpjjod32.exe	93
PID 3940 wrote to memory of 4528	3940	Kpjjod32.exe	93
PID 4528 wrote to memory of 3688	4528	Kcifkp32.exe	94
PID 4528 wrote to memory of 3688	4528	Kcifkp32.exe	94
PID 4528 wrote to memory of 3688	4528	Kcifkp32.exe	94
PID 3688 wrote to memory of 2252	3688	Kkpnlm32.exe	95
PID 3688 wrote to memory of 2252	3688	Kkpnlm32.exe	95
PID 3688 wrote to memory of 2252	3688	Kkpnlm32.exe	95
PID 2252 wrote to memory of 748	2252	Kmnjhioc.exe	96
PID 2252 wrote to memory of 748	2252	Kmnjhioc.exe	96
PID 2252 wrote to memory of 748	2252	Kmnjhioc.exe	96
PID 748 wrote to memory of 4540	748	Kdhbec32.exe	98
PID 748 wrote to memory of 4540	748	Kdhbec32.exe	98
PID 748 wrote to memory of 4540	748	Kdhbec32.exe	98
PID 4540 wrote to memory of 2244	4540	Kkbkamnl.exe	99
PID 4540 wrote to memory of 2244	4540	Kkbkamnl.exe	99
PID 4540 wrote to memory of 2244	4540	Kkbkamnl.exe	99
PID 2244 wrote to memory of 5020	2244	Lmqgnhmp.exe	100
PID 2244 wrote to memory of 5020	2244	Lmqgnhmp.exe	100
PID 2244 wrote to memory of 5020	2244	Lmqgnhmp.exe	100
PID 5020 wrote to memory of 1408	5020	Ldkojb32.exe	102
PID 5020 wrote to memory of 1408	5020	Ldkojb32.exe	102
PID 5020 wrote to memory of 1408	5020	Ldkojb32.exe	102
PID 1408 wrote to memory of 516	1408	Lgikfn32.exe	103

C:\Users\Admin\AppData\Local\Temp\43582f326e8bf3ccc14753535904e9b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\43582f326e8bf3ccc14753535904e9b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\Jbocea32.exe
  C:\Windows\system32\Jbocea32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SysWOW64\Jkfkfohj.exe
    C:\Windows\system32\Jkfkfohj.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\Kmegbjgn.exe
      C:\Windows\system32\Kmegbjgn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
      - C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        52⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        58⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        66⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        74⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 408
        75⤵
        Program crash
        
        PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4468 -ip 4468
1⤵
PID:2408

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbocea32.exe

Filesize
45KB

MD5
f3a960e1e9e01f77652a945f389a717c

SHA1
5bdc80fced1a6b5339f116d74d91af55789f3a46

SHA256
cf8315712bff3cc27899fd798f1e1171dad07179827ed4bad38e0bf2dc685eaa

SHA512
a5bdd7968c05e7f653b0e99f4c21d4fca042f94b4d50704765873c1462a54a346ea14d92055e7618d14ae9b1d5ff7d7f086214f5458370fbbccd1be48491d63e

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
45KB

MD5
d98f66c1420de90c0da94c2853e81849

SHA1
39ae4403be8a25353f38e259a71778b4b2cc6e0f

SHA256
490c1cb6d1d0b18bf20e1336f26428873d1a830627c55f2c73b89ce36f9ff7bb

SHA512
aa57f32a8e211d11d1053cc4ce5d456c5d1bf4639b1fd24810561c4957763a22fb017b5e812d9f1848e65b819f4559d9f7dc04ce19bfa784e21b8a064c2b5b46

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
45KB

MD5
5034c9e01ff0adf2ffa9d856c6a9a06c

SHA1
5fd7a8345b2def4ee4bf92f38ef70bb7c9d5944b

SHA256
32280745d8274272b733f251fcb812fe49befdefe5e03bf639f56775fe0e19c8

SHA512
5d528dfd7a85e221b39c92fb62d790107d961c3aea77ba850181f653667a9391ca4d11aba094300a7059c62d22a1a904cd558e8838b3bef31a4e9ac3d6d372c9

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
45KB

MD5
63ab25ae7825d76d37942ce71ceec9bc

SHA1
7e6004711761d9b927c4f4d6c704b6641adfc07c

SHA256
b0dcdd7f8a91771adf0547099691a877424bbe0a0689eb4209abd4eff9e33173

SHA512
cb0b24efb6736d8a7f4a3447f7403e0a7ddbd8da824a3c0dfedca56e17b80f697f44b34428c53cb253c52598903ed3792d1c005b2045a8956f2c1e04a0015258

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
45KB

MD5
25f8615b2f4fa167a14f7cf9c0923b7e

SHA1
8c66a0389311b1881b052269928d209ad6091bd2

SHA256
2138bca56521583c25f508d9b6196f6b0913b37325310eea7d978a7bbe2a3919

SHA512
d7cb48a02bc7d6bcdc92725a8d20090ae703a99df787dab701e71d96466c165bb34c7365524c9f09f090ff3f19c7338204a2e4dc5959576296b9a8d144dbae90

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
45KB

MD5
1aea7805a1a8ac9e4415aa228c44613f

SHA1
7623251dd69e9e035dad0daeb104c7b0f4bf809b

SHA256
434642f79440c9fc0d5b03c53552dcf7c2a2f04afa6b7673752bfde6aaa8b1a6

SHA512
13e9b1ea27502f514304741a9eaad50dcd179f32286fa4780d9ef90d4dcf82bdf23d7bab04b3cc60dec1f12282168e9f85f7b9c12c33d7cbf2390ff378effd22

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
45KB

MD5
4fe1702239e1424fc6bed9a617e2662b

SHA1
3c5731f46799ddf50e3d3a203e25d0d47bd83f64

SHA256
ca78e1c896625bcb24f821520e9c8096520afbebdaea673f54bf34f6446f5003

SHA512
829f97721e4d18d7b4c79e3278729931e09df57fc48be116bdf9a933469da1e52ea4aa3374eae7b60d04ec7135612fab1939280a6f02e0897dee108c042096d8

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
45KB

MD5
7d2499d05add56a810443a7c972c24a5

SHA1
6a3ed886be41be297f2a6d4b0174a40e578f4eb3

SHA256
fe3bcb1b477f38bdc0ea7e8480ef818950bd9751818c645af55d695ccd5bccd3

SHA512
aea4995333d5f58c994855bf6218b88039c6f80bb3cac126865694e51ea5aa54a77fe4931ff27a7e6ff3bad5ead74d4d4dda9ab15a3a6187a339e6e53e3846fe

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
45KB

MD5
85ce8239e62e8ff96479cef79ce86be9

SHA1
639cf9af3a0d8f240d61f80057d03c85c9b412da

SHA256
545222c9e424910829bca3a6c72221ef06fe9438b45fbc26ad0816830debee1c

SHA512
4d952b2a46228a5336ac9587bae838f8fc317814e797508a56c0d5983294a2befa0cdeb5b5e306e35a3ea5840f939ce196d57a622d1389ebea4246df957145b8

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
45KB

MD5
5928389c032180b2193f7320baab988d

SHA1
9291f3b450005296950d2af46c57739f29364357

SHA256
0879e5b77b7efe5ef905d03d8a4fa899f209d6a018080f23b0e48154881750b5

SHA512
5380cdc7c7f5fc720cf433cb49691b1167204ffed275b872708945bef28dbdfe9feb8f08f0d111dfc47763d2bae7d6c231d7cbf98fbfccff7e9fa887a76265dc

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
45KB

MD5
480ceb2d486353f516d1e4173dd2eed5

SHA1
d0cafe444b1900a87f45d40a18ff377d30ac6d16

SHA256
37cab275f1ae5ce3d43882d8fb9e76578263ae869ee48b120f8ee71a32553b72

SHA512
7e1f6e9c12cb7d514b972842bde09d7383eae49e1c7740ef500564b25067e0fd0ea274361a963329f14b7d60f4b68d46d283a09805ee91abfebc7516bd9fd918

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
45KB

MD5
cc34e3bf83dc79e6205a28c02248499e

SHA1
a6861c9768f01b6bbcea62202837afb6286585b7

SHA256
d81dd77073115027c80e3340469688049f59550d3c19c289c259bdd5b401c857

SHA512
997329474ff3d0b66bc415a15695c711fbb631db0ab21f612bc426736e107715a71ba5cc3b6fba56879f98594998a9e0c534652bf62c0e38b43be097786e54c2

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
45KB

MD5
df90a7296908fda20586614b63a84be7

SHA1
2f5c367d03167f8f715c8804b9ef44d9b6291c43

SHA256
b50483308e35e8e3dd4cebe8981d8d8003d4ad690d9ad8947547d6ba7983dc04

SHA512
5548cb75d7b98ebc2f16f34782e957e480df65efd3b16407ad58c81e2dbb48bc2916523bd83a16f72bc89dfbdc0c8745608853b44a0d4e7ba6ed390c68c27d49

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
45KB

MD5
aacf4145d94e8596f844c59e2bccc141

SHA1
d46734d40be6d6c38c5faf5487ba7cf1e4de989c

SHA256
f824205b36adaa8a878c5669d338c0dcfd09de3999c0f3ca0571dd1dde26fb69

SHA512
bf33b730e74e3a21b3bb405ec7c89ac9f608aada703b1dbd9f0c7c2d068f1469cc6b1518db8833c1413d8474c5138de2a974c8d43f30ecdb8bae697a4884b0d8

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
45KB

MD5
7c14b4999536242fda31ed942df3e3ae

SHA1
d09dbc00ccdd0acc6635fd3d2056ca7bc724b066

SHA256
08af4a765fac15e0ee149382d2446df6ac8b8faca4b62f4033cc6ba397ba9770

SHA512
f663841c86d879c403603db02a5b6bb3c305e93964f6388d1c0dacbcc1e693fb0c0a6a34dff8b25db1d7bba51d1a1fe34d882b0f176bb9f29ff7e880b97390ad

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
45KB

MD5
3e57eef09d1dfeee5474707bc129e1fa

SHA1
def737e4ae64bee1ca4fce4953e6071c71729b7a

SHA256
c8a77b5a51e775dfdf8222960ddb6f5b20b5531b648615d412df1bb81c1430d1

SHA512
14b4de7b65406dcae27f8908bd642d4583a73dd8555ef2d41b2efc3008c746f9e1e7ac7267470111e570e9141507773e65ff9acc3bbf56b7001562a039794463

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
45KB

MD5
3db69e1b4d61be4b25a4fa0d0930d974

SHA1
4153b82e948dcc4d9db2102d04f7e4707f9c5879

SHA256
a942a0413ec3af987b1e88e0af26e7b203be9cbd4af09c9ec8ad63cdd362c55a

SHA512
b243e4c58db529ac046edba4beceb0f54aec9e5a80b953ed8c8859679400b0a5b821d673dfc98f24b4d57ff89bbfe7d66dc75046e5b068ac7d8b38ebf06648ab

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
45KB

MD5
6948f904f5da5d56d20e3050defcaa6f

SHA1
a6fbfbd101548c8da9898455bbe66a6145f55ff0

SHA256
714e678d0bb02e487a0f8a52dce10aaf7d9db1c7e6ef5d0dc61718d3dc59dba0

SHA512
cc2d7521f13918b3deab81ac1b2511068f5a3d0ffd4b0a5297a847f2acf6f9d3b88d623328a85d555f1da4f6696d4c59b5eac97461f3268ef89c00636c5e76ca

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
45KB

MD5
a0491aa64fe7e83c08f1e36d5fa1754f

SHA1
93bb97883d3b7ae2aaa691d67157d9567e868ff8

SHA256
f239dab09f98a808e82da2c7449f0fde7501fabc482d5716e625ede7fb87af63

SHA512
7706fa641a8f9ad905850f31af1336b865e04e9f964939236e2195f3ac55f50f22af71762b2818bba3ad252a2f2f0540a281cc9fc34c5c0cce300de0f60c6d4f

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
45KB

MD5
c9617e00148c6ff47803a9cd63b20753

SHA1
6c11ce9e2f10eebf6f80ba50610eba60175c1934

SHA256
5c08b67d10898e7cd07d4e02b259a715b85dabbc634c576e539cf8c8f38f27bf

SHA512
28bc100ca8ba3f1d737eddec21c33ab4600661164a2153277f82150209433fcb89cfe80be6806b8daac3aa7b3ccb698a04a2175c168185444c805b6b9b436a18

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
45KB

MD5
18d343d0b5180d2e097729abf3a07b19

SHA1
4e532c936800d222b82219c23f77b7490e5a6283

SHA256
ebb33cd04f62a71a28853816d2e9781d0d436f56bb98c95014ca1e71373ba04c

SHA512
5a9214547beefcbd4930d029075cb579c620c818558f89d96a0bde8ec9fffcbdbe6562d17f02f61505ff6601498f36deeb4bb418d8fb5229e0181612d851271c

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
45KB

MD5
cd6eb2b24c55fac1f8cc9cd2594b7512

SHA1
7dfdf17476b862718cb881ee9edc666c4b6723c7

SHA256
b7e74d0da708cb1a18d4ad03e522d99e3a2db1d48551ba04bddd90172fd537c2

SHA512
f30ec5609f3748e62241c2ae213475198a5cd6ed313a4743a95222021e6d9162ec22d31511c9703505bcc589861db9ab3e283b0f226a327342da3d6d01c1189e

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
45KB

MD5
ed0378d85bf79c7e2a8403aa250060f5

SHA1
daadceb49f803dfceeb1aaaccb4bbea7f19cf704

SHA256
c20d5651ed3ca738bf936c3cdfbf0487f813e022a0409544b18df8ff12d1db4f

SHA512
c7f303379e0f0c834a3c5803b22a378f5e346a5fcb5fead39957461169c16a03f26f0bd142bf7629a2627e9fe526399cd7c5afdc06eb451b1f54f4a8d8a114e9

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
45KB

MD5
ff158db8ddb66e86014a5a5d754eea7d

SHA1
f0bf4a5ff2d3a8c01c4d2c3d3a7f459859e6e71a

SHA256
051b9d0e04ee51560c3ee3df703fb6ddfd99eabdd52cba86a513d9706d37561b

SHA512
cb46a20ca2ede5dca5d60780402c9e53fe90b324f342dfb275acc1b70c025556e8e3e3bd5ba2bd5e201dd813e37bcc8adbd2109fd1fa438a920a2be7745159d4

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
45KB

MD5
9789bedf79c2f72bbb7fdb35b675e97a

SHA1
54fca123a169d38ac5a27765ea2c79b8032a462d

SHA256
b1f3c0cf8074b4fa6940d48a77c72c1c8037598f20c0d17031c229813766dbab

SHA512
e06603526dcf93e25d8f6022f16d33f410fe97cf56272f2daa6acac038cc83e0d79dde975662d07f712fb699e2c59e390ea5bebcf7ca8f4ec5538c9fdb559111

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
45KB

MD5
a04058bc9a4619efc8d5379643fdef85

SHA1
732c54111a587c15b835faba04d9f8c1fb1b9387

SHA256
6a139b807d1328f9a3b9d7938b023aa880551dbeff7d0906b078d8ea07486eb2

SHA512
b0d2dd374c4b286e33409024c849f73dbf937b41990fdbac0a9c1066c4b0b292e066bcf9efc96e285902f9fc24a9ad2666e3429807f4746996e171b232a84d1f

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
45KB

MD5
8d7cfa13511014efdda8411e68e6a0be

SHA1
964b6bb3e2317aed4702f5effa42dd0b83db7296

SHA256
86b71756b2173594e8c37b7964ece5297f0a4ac7858812aa1446a878d5a6be53

SHA512
25038ce43ce3ba2224c9e33d7181327c92636f31828735d802f9158b07b221834b4941303d077f0313e03f056c0929ecffeae0c4f55abf08994cd29e0e0df7b9

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
45KB

MD5
6a6cc104934688a18cbb3462e69b2532

SHA1
364dc451895947fc0b8a5f162d438e638240595b

SHA256
0b152ce922b1d97d4e64e53a2a527f2152bfa785040116ae354322415de0d6e4

SHA512
57cbf290b48f8665d6e0c149e8658950af8348cdf661543c38d1a8adf854e82e105aa37186cf9ebf891aa3063945033eb92a340e9beaede209cbbe79f0e8f398

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
45KB

MD5
ea764c4a6813ee57670d3601be786e7e

SHA1
a09e034c0a6b57debb72839e738c2ec992e7b19f

SHA256
59ca7a4269a31034bb45418bae4fa0be584025bd9fe38314fcf3b179d1f5150c

SHA512
8909a5cc27330000782d3417e1dd49c477dd9e1bcf57faa2af02e4d4270e067e57713150f82bcd6fc64f9e161701b2f70e4bdfa21f06b4945dbc92d002e36f02

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
45KB

MD5
9c213049cd8011e7c7768b3cff6f44ab

SHA1
289d68a08cf7bb365dcb0c78bc91c560e364742b

SHA256
b9d6d3c59c11776132a102efda879800af799501a9d7a06e6e93330ad093fbc3

SHA512
456cb3aed96aae2e5c244771af6c5a1abc2d688be5d9f60c17ca5ec388a8fff8d5e5c24b3dd457c4e183c9acd2ead36bf42dcc16df203819075542c320650425

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
45KB

MD5
af80ff838344743b6850986219c22241

SHA1
b82561887b2c6c448bd7d0237d1a54d1281954bc

SHA256
c70ecf0456c7405ce49e7b922f40142a6b3f92eba39a9f295171af1ce125b416

SHA512
4accd0aef0dd9c3d75ad354d629ca137f7a0472f1380da0cb15f024c8794ef115a1615c012547f80e18858a9b326854705b9c9f1b3de8026fe787bf3e64e1a77

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
45KB

MD5
65cbe2af5afba3c8168369baf53d34ca

SHA1
588c58928e9d5ceb8714b7bae1c94e44add13cf7

SHA256
74a6d8d8da6467b6740c2d92d24ecbf9fdecbf66e0c239421ca9b880e42a957e

SHA512
69bc0c5a39627c5a5822ccce2bea06daf2347d4874f6e8cd6d4aebfde0d7e5ba317fb4614e8c95950fb8c50f32f86fa079e3854e1724c17b349758a1b2800026

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
45KB

MD5
c3e98776f1415245379658e5c6bc3f19

SHA1
1a3ba091582c3b67f893d8f0ab18315165f39d48

SHA256
38c846e0db35dd1eed364cd086d4ef3f0d2d5b13e29f3bf5559911ae1d45f55c

SHA512
983eff08be2359a19057d438c1b717c0cc1474b483649bd061268291588882076433b9d46b1f09cbf5c9f9aa3994861354ab5ca7a69c63d4eb8d9b4583691f09

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
45KB

MD5
868e2264b21f6b0b101ebe219bfc1733

SHA1
d361a3b3c33ed366519ac4e1b744b993fd2e84e7

SHA256
d3cea964894f348c4d4df1eb7f368ca9fbb2257f2c30680660ee65821160474a

SHA512
c3c729be0c478083de55c7b7fe4a9d386b27077aa176ec44a233136f57662c84329ccac5c43c19f78a3ba2373b1fe8386b285fade99ecdaf68452efa5e66d35c

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
45KB

MD5
2980937f1cc09bc24b918a8d7135e224

SHA1
dbd8d033a191cde4ff9730ad0889741c6093b197

SHA256
a8790ca95a380a36ea47a0be14f1a67a8f70c4dcbe6a76a7cc81cd7cfdf1eca0

SHA512
9bc7e35f56939fca66148fe33f590632acfd67d22f99269d1460d677db02d2d3712d09d7f3931848ccbf7314847074440d82a57f9c18a6c2fcd2f78f3083d26d

Download Submit
memory/392-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1288-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1400-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1400-535-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-505-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3916-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3916-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4152-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4152-523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-519-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-525-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads