0b18cb0242a59d8eac409876d03f9f02c6d91180feeab09b411452ecda8e2996

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe
Size

160KB
MD5

b920587c06c67ba79ff9c69a9473bbe0
SHA1

f1a3f94f2efa31e040a81f1c3a2882ec85cb96ee
SHA256

0b18cb0242a59d8eac409876d03f9f02c6d91180feeab09b411452ecda8e2996
SHA512

4d1861870f3b0a08c7fa991ffc44a5649b3f044b4b1c69b8e62f165a977eb66d27cf961bf070a084e4d4c003f4cd828b6417ad257a0ab06eda484845724eb1ac
SSDEEP

3072:oCG8yVh82PVj6+JB8M6m9jqLsFmsdYXmLZ:vG8F2PVj6MB8MhjwszeXmF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe

Executes dropped EXE 54 IoCs

pid	Process
1288	Jdmcidam.exe
712	Jfkoeppq.exe
460	Jiikak32.exe
1232	Kaqcbi32.exe
4916	Kpccnefa.exe
2460	Kacphh32.exe
1356	Kbdmpqcb.exe
3092	Kkkdan32.exe
1952	Kaemnhla.exe
1796	Kgbefoji.exe
2216	Kmlnbi32.exe
3924	Kagichjo.exe
4708	Kkpnlm32.exe
3968	Kajfig32.exe
1776	Kgfoan32.exe
5084	Lmqgnhmp.exe
1720	Ldkojb32.exe
4116	Lgikfn32.exe
1080	Ldmlpbbj.exe
3996	Lijdhiaa.exe
2108	Laalifad.exe
1500	Lilanioo.exe
1368	Lpfijcfl.exe
4384	Ljnnch32.exe
772	Laefdf32.exe
932	Lgbnmm32.exe
2784	Mjqjih32.exe
3132	Mahbje32.exe
1752	Mgekbljc.exe
4288	Majopeii.exe
700	Mdiklqhm.exe
3816	Mkbchk32.exe
3936	Mcnhmm32.exe
5048	Mgidml32.exe
1436	Maohkd32.exe
4772	Mpaifalo.exe
2604	Mglack32.exe
2380	Mkgmcjld.exe
3564	Maaepd32.exe
3416	Mpdelajl.exe
4008	Mgnnhk32.exe
2984	Njljefql.exe
4756	Nacbfdao.exe
4424	Ndbnboqb.exe
2204	Ngpjnkpf.exe
3096	Njogjfoj.exe
3252	Nafokcol.exe
4368	Nddkgonp.exe
1652	Nkncdifl.exe
2708	Nbhkac32.exe
3948	Ncihikcg.exe
452	Nkqpjidj.exe
3504	Nbkhfc32.exe
2416	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4436	2416	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1288	1224	b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe	81
PID 1224 wrote to memory of 1288	1224	b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe	81
PID 1224 wrote to memory of 1288	1224	b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe	81
PID 1288 wrote to memory of 712	1288	Jdmcidam.exe	82
PID 1288 wrote to memory of 712	1288	Jdmcidam.exe	82
PID 1288 wrote to memory of 712	1288	Jdmcidam.exe	82
PID 712 wrote to memory of 460	712	Jfkoeppq.exe	83
PID 712 wrote to memory of 460	712	Jfkoeppq.exe	83
PID 712 wrote to memory of 460	712	Jfkoeppq.exe	83
PID 460 wrote to memory of 1232	460	Jiikak32.exe	84
PID 460 wrote to memory of 1232	460	Jiikak32.exe	84
PID 460 wrote to memory of 1232	460	Jiikak32.exe	84
PID 1232 wrote to memory of 4916	1232	Kaqcbi32.exe	85
PID 1232 wrote to memory of 4916	1232	Kaqcbi32.exe	85
PID 1232 wrote to memory of 4916	1232	Kaqcbi32.exe	85
PID 4916 wrote to memory of 2460	4916	Kpccnefa.exe	88
PID 4916 wrote to memory of 2460	4916	Kpccnefa.exe	88
PID 4916 wrote to memory of 2460	4916	Kpccnefa.exe	88
PID 2460 wrote to memory of 1356	2460	Kacphh32.exe	89
PID 2460 wrote to memory of 1356	2460	Kacphh32.exe	89
PID 2460 wrote to memory of 1356	2460	Kacphh32.exe	89
PID 1356 wrote to memory of 3092	1356	Kbdmpqcb.exe	91
PID 1356 wrote to memory of 3092	1356	Kbdmpqcb.exe	91
PID 1356 wrote to memory of 3092	1356	Kbdmpqcb.exe	91
PID 3092 wrote to memory of 1952	3092	Kkkdan32.exe	92
PID 3092 wrote to memory of 1952	3092	Kkkdan32.exe	92
PID 3092 wrote to memory of 1952	3092	Kkkdan32.exe	92
PID 1952 wrote to memory of 1796	1952	Kaemnhla.exe	93
PID 1952 wrote to memory of 1796	1952	Kaemnhla.exe	93
PID 1952 wrote to memory of 1796	1952	Kaemnhla.exe	93
PID 1796 wrote to memory of 2216	1796	Kgbefoji.exe	94
PID 1796 wrote to memory of 2216	1796	Kgbefoji.exe	94
PID 1796 wrote to memory of 2216	1796	Kgbefoji.exe	94
PID 2216 wrote to memory of 3924	2216	Kmlnbi32.exe	95
PID 2216 wrote to memory of 3924	2216	Kmlnbi32.exe	95
PID 2216 wrote to memory of 3924	2216	Kmlnbi32.exe	95
PID 3924 wrote to memory of 4708	3924	Kagichjo.exe	96
PID 3924 wrote to memory of 4708	3924	Kagichjo.exe	96
PID 3924 wrote to memory of 4708	3924	Kagichjo.exe	96
PID 4708 wrote to memory of 3968	4708	Kkpnlm32.exe	97
PID 4708 wrote to memory of 3968	4708	Kkpnlm32.exe	97
PID 4708 wrote to memory of 3968	4708	Kkpnlm32.exe	97
PID 3968 wrote to memory of 1776	3968	Kajfig32.exe	98
PID 3968 wrote to memory of 1776	3968	Kajfig32.exe	98
PID 3968 wrote to memory of 1776	3968	Kajfig32.exe	98
PID 1776 wrote to memory of 5084	1776	Kgfoan32.exe	99
PID 1776 wrote to memory of 5084	1776	Kgfoan32.exe	99
PID 1776 wrote to memory of 5084	1776	Kgfoan32.exe	99
PID 5084 wrote to memory of 1720	5084	Lmqgnhmp.exe	100
PID 5084 wrote to memory of 1720	5084	Lmqgnhmp.exe	100
PID 5084 wrote to memory of 1720	5084	Lmqgnhmp.exe	100
PID 1720 wrote to memory of 4116	1720	Ldkojb32.exe	101
PID 1720 wrote to memory of 4116	1720	Ldkojb32.exe	101
PID 1720 wrote to memory of 4116	1720	Ldkojb32.exe	101
PID 4116 wrote to memory of 1080	4116	Lgikfn32.exe	102
PID 4116 wrote to memory of 1080	4116	Lgikfn32.exe	102
PID 4116 wrote to memory of 1080	4116	Lgikfn32.exe	102
PID 1080 wrote to memory of 3996	1080	Ldmlpbbj.exe	103
PID 1080 wrote to memory of 3996	1080	Ldmlpbbj.exe	103
PID 1080 wrote to memory of 3996	1080	Ldmlpbbj.exe	103
PID 3996 wrote to memory of 2108	3996	Lijdhiaa.exe	104
PID 3996 wrote to memory of 2108	3996	Lijdhiaa.exe	104
PID 3996 wrote to memory of 2108	3996	Lijdhiaa.exe	104
PID 2108 wrote to memory of 1500	2108	Laalifad.exe	105

C:\Users\Admin\AppData\Local\Temp\b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b920587c06c67ba79ff9c69a9473bbe0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\Jdmcidam.exe
  C:\Windows\system32\Jdmcidam.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\Jfkoeppq.exe
    C:\Windows\system32\Jfkoeppq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Windows\SysWOW64\Jiikak32.exe
      C:\Windows\system32\Jiikak32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        25⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        56⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 408
        57⤵
        Program crash
        
        PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
160KB

MD5
64f982625d9a33c04417dc0496c44f6a

SHA1
cae06e77551f3297178d00972d362e11f80a9003

SHA256
b24a7b03ee38523ba8838223d126333fdcd91e7580225c70d18ed2db5f7b6a57

SHA512
3a8bb6d6327c8aba7b7ecd9cd21b9fd3dcef68bd32c9db10c15bf5ac21cf33bb1685c3c7833dd4c3fcb7d93c8e2d314f42cd2bc5d0a2e54e849c9fba058d6fbd

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
160KB

MD5
7251d7d1bf5f993498ec2562455ab778

SHA1
79470b184005a28fb952277d9e39917ff0230cc0

SHA256
68998648197321a1e7ac0fdf00e0edfb8ab5af3b5235086fa3f49ba00f5868a0

SHA512
e8e9cfe4b1a31dc1895c476517215a3ed15c164bab4cb073cb00bd3f063567be3e6639422a4232fdad26f07805552f0a017165000c2ea82efbdb3d13737a3bd5

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
160KB

MD5
02146d7f93007add7cd66afd149fbb00

SHA1
99f80b803b2dbdf6c3ceb1a9eb6cd4290aa3d08a

SHA256
b86c0d418fd873443728ceaebf000c940acfe1978d63740ae7a298133f1f7598

SHA512
0fe8cc5f207f988ea58f91bdf36720bb01cbeb344dc40c78eb1cece75be2a6c007626064d6bbc6e7e7b7eb7f5458d49915da65fe1a81aa089a91665cb0d9bb08

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
160KB

MD5
e7619fb7a49d40d9e12525bc12aded14

SHA1
d90b9597158b99cf24e2df3195f3fec6fecababa

SHA256
813c3abaae91a0a8aa75fcc80bd0e8d18c8da7d53a7e1f832228adf249630f62

SHA512
63864de010324cb03ee4e5ebf496981b466d4583266edefd0bc7fdb06942136633e26716246ecdd6b37dd4be266f7a3013969b7b9eb6971515365b46344526f7

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
160KB

MD5
c90de8a2180a1265c7b0ffd459c74a82

SHA1
b774a99c86170750b808b9fc1549461b523a3862

SHA256
2332c77af3fb35ee432e1f16408b7e3b78914802eea00c19801d301d6ce0256d

SHA512
35260ef6ff0581e827e3bbb3d92a15761486cda1b103ec349d4d2bae8fced6e9d9441ce316feb8e70923e3b84784d55d9430f739c5bcab3782ff29dc28046516

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
160KB

MD5
032ae8e2693362d5bd5098e821d767de

SHA1
96bfe6f926c7bc8e65160a3e89ad71aa766e698c

SHA256
eca9d514c34d50e118342014baf81b860dcf13923dd1de06cbb5ebb9f3dc748d

SHA512
b15ab86ab40533441db6d0331f53a198a40aa679fe6edd40646fe9b2c29c3c7b4beebe09c2349bb907e7e954e40d4b2d4fe0ef85955556385b18f18241e8a5ac

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
160KB

MD5
6f0764103aa942d091c719801aa376ca

SHA1
73401430cb3509cd0fc85d16e57040e9b602d4d7

SHA256
cd380b9915575b5abe15d3c722ddd227757fff221291d4ffb138536fe246f883

SHA512
473308c71a1857f2bd10a864ddb2f16ed7221482cd81e5fe6a8b00339a879beda61f5048dfede8febc1331e287adfd607db63210448fa623acc74ab1679240c3

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
160KB

MD5
a817e7ca71c1980443a677ad183dcf03

SHA1
b5fdf1d3f380b104967f6ee0058b3a63804585ee

SHA256
155a54d7fb6fba664e2cdf609639769035cb26811487fa46db4422edc7d1cb41

SHA512
16413b308c6000284258a6fcb151d863908676a4899290b6697df68c87950678cbf57dddcf048ed38808f36617a61a6bd9854c1276393c914d53bb183a141392

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
160KB

MD5
e8171c7ab3af8829a62de4637a561cf8

SHA1
5fde5a414c012f358ca6d564b9e4ea8fcbd9f3b3

SHA256
0d6ccc9e1a356a025e25cfce807d56a61ed669a43add1cb3dfd7c875cef3eca5

SHA512
bdacbe01679b61fed480249e5094dbca35504bf85164f7a9dc1fefe35ce198a9940eb20bc9d8b61205927b3321049287743c84669b7cd2e2eb6bd92d88760743

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
160KB

MD5
6b2fcfe1b1343fd323e7cb20ccd9133a

SHA1
d99d01b8122c44aaf28aa1fab6b02d6737b1e9fc

SHA256
fced32db795ec8c114391fb9dd8a70d8ab935756364a2abefb3391bc56b0e2cc

SHA512
90a373efad523da65aa89e7ed0a408c7a988def89ebcd5addd91a5d8a3ef4875bfedeecd3e0f01cce158efb25f2d7184c9c7484fb1ba7bd1e1af6048daa83916

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
160KB

MD5
557f879a5466502ba97470c21e446e00

SHA1
290863169b0dc66df290dabc71b969b735421927

SHA256
7e501575eca1f05b094c4e274662555f7c2d23d37faa191dff7134ecc1ba3026

SHA512
5f62010aad2687cd7fd36212c0f52b20d98f2a787f52a87ac8f0b6d82b71306dadcdac9f6c57bc0ec2b2c22e7b45c6852271a1a845bed5db534c239e7f2c9db9

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
160KB

MD5
e55e6649992eca8811b258e216b1300e

SHA1
6067dc75b3d8dcb914baba6d69e8e31c609069c0

SHA256
f5c67145214c430fbe57dff4fc5ae231e75eb7a35f8b132009ada32909645d12

SHA512
1781b5ee842be345a184bb45d5d812fe2bdf63d1e0a8bbf0a172c4b13702e6c6f34e917912129d5e0458ff27c89579d589a676d64eb9577b2fe2235f579ed232

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
160KB

MD5
251943540fb46b9b389ee81050bc9111

SHA1
ea7b6659f46616a0bf7833b83ebc96c30ad487a3

SHA256
e59e9bfde38bd274c470a153d4a1cd3aa24b6bebae42ac00f55a62c5bcfa2dcb

SHA512
6ba470299a2c761f94b058aef744093dc020dd3cbe26445e59d76fb6f5a44a923507bf71b5cf03c2f5e974d7ccc0df700f134818788652bed6fe1df89fa2a8df

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
160KB

MD5
51e33cc5f7eac0eec57e20dfd1149b19

SHA1
59f3e3e6889b70fe29545f0db5b1e5e253b107c1

SHA256
c0f2982fdaea0b928bb5ceec7cdd3103eba91442610814cc28f5b6b41638df88

SHA512
03b6fa7fcafe52eea3812c0bea5c58b34b276d9e2038330f0e21872ddda9eb598987222f2cf087b6ab3ee0cebddef0b1c9b3bf9893450fded645ce5d37096e75

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
160KB

MD5
1db1ccee4ae78162cf85bf354ef12d8f

SHA1
12f31b42056231934c1995df83e1c0af1be9133c

SHA256
1b8d19863fb3d369c8dc07be2592c96aa20d090830b1d4d4744cbe5eae51a1c9

SHA512
520d9eca6928faac80c71427e4cfd0e887e7a417d362a9aba75556bc638852441a512801ffb7f0693c099dbf1518f0a8e7ae4a37123492b6b0b1a784b8d5c951

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
160KB

MD5
75b4b14fac6fbfdef9413cc719a9b12f

SHA1
b18eb2bae5a0c5c16c09226a1171cdab210bf78b

SHA256
adf39f8edba0daa93ce800e28cd6eed221b933a3aab231ad79f6382edc041897

SHA512
34acbad92856560cf67ccd505e6204718ef5b4434f55c702a38dfd9740611603e4843bca199c8db6dadcb86894ad32a5f57b23773c2c89c29fa696ddf6fbdc8f

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
160KB

MD5
2e25102cd6a9e4085805697b07e2a9e3

SHA1
bf131f2738380ae99f126213cc0941ca84f8071b

SHA256
1207d4b15aac94fa419ca6f331293d43803ce105171737903400758dd2881862

SHA512
990ffb704f18e136c1cd324591156eae1bdcdba5c676b04c1ded43868dc44068ad5930d8bc8c4280d25219de164a33aa854f9dad37617279df8b1eda8d615f4c

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
160KB

MD5
858363e9e15892e0153fbc4566986d5b

SHA1
fe140ed2c14c01dc1695c737a46460868acc15d6

SHA256
d0310d51d1138e60b85effc050528bd99d74a7e135a80e5b9394ad84a6c2bd02

SHA512
286717583ed5b9d6f02c44ef07e74f3dc136d0faa1cbefeb0886ff0d72fc4abe9960ac4b3df02600f42ec00193b2854ea8ebb068565e7f91218ecf57269b023d

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
160KB

MD5
8bd72685ad7980ef8d3e9fb6af1f58b1

SHA1
b29d1fc70bb510f9229b5ae7d9ad8c21c22c324c

SHA256
788321a28676bf1d562eba9ee3411179871da3de4773e1b08ee520e1a44010a1

SHA512
a695b3e2b4906761a0b0548f276df3a1aa3f61c8b2239805a7c01638f4e4ccdba93f8c64c430e459ccb01695ba559f316ab0ccc576ddfad5637471023c67454c

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
160KB

MD5
5c122756c7b78a291c9cb1e74a2a2ee7

SHA1
f447ac37c8688ce23c9f31faf6d90810476f67e0

SHA256
587ddc632ea3999ccb4786b4d016000915a91ca94e513100c0f3c882907e4570

SHA512
96a5231164339479e0df86a84289f5f8ed40b45d2efca3ccbae8a61a098dd4155aa6cbb67662d19dee24e9ba27b8edc89873acd868a5e5cb7fe194d078c1f4ea

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
160KB

MD5
515b6028b66cfac5d04dd3a66dd160ec

SHA1
8bf4d7234e2e2405aee5397a02b0c1a5329627c7

SHA256
611d396ddb9473d0e01ec866925a4032ee568f9ed5552ff9106cb0f200013e64

SHA512
f3b68190a833d21aa9a9200a6fd846f06846c92bf493a554d3d9d1d5ed4e8fd082236b8c41debf1ed3acfe58f302c91d263b5b65258d3efb0691fa48325a7817

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
160KB

MD5
b903f3fe2f40ce38440506384c6c19af

SHA1
f8047a4703690195d55aff2172ac0d64b84a81f3

SHA256
b6d5d80ccd02dda0262577cc4e0cd5598011537d1d8c04b2745999f48c1dfb14

SHA512
9137e024885e5603756c101324b3953e61a68c2f918245151b05d4c87a8e6764242b91a52c9c378a669e9b09a23fbc0dfa5bf116c243a5430e19678b721bba90

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
160KB

MD5
d86510f0ef2378a31ab0ae173d014715

SHA1
c83d5441725b1482a49739a1de26b1f826c46785

SHA256
41b589b250a892809b82ef4a8d67f7d2a6cc10f798e1f5bed64ee50f7516384d

SHA512
9312dd96294046ac1940374ec4a96c49dbfad7bfcd67a3d5437ad02f5c29b04c6573ed6f5a904060f731c09f8164248b56f462a99c76ac92bed82d4fe677db4d

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
160KB

MD5
d70b17dbf3c9ef0f0641f30d753fbd26

SHA1
14949a02f0551b621caf32cdd77846f5d17e8db2

SHA256
7e17dcdbececd953c27c831173ffa02ab96ac681213ef57c9cc4ce6b342ce0d3

SHA512
fba26aacdeb31b92b773b99e6757623b0a80f54efa0902b054e80d7a62ba6761f59ebb6b796b6186330e6952cf8e1d077842004e81a0f006982557d0ba0f7bc8

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
160KB

MD5
bfc73fa9dba71e4f01054343e5f3ea28

SHA1
dff637dcb633eecad23d91a508c8ea45f011c0b1

SHA256
f20bbda25383ee92c8900b5d9727bbcf95eef48288daa19c8421fe6e9f6b2cef

SHA512
56e00c637bffa9a4252c58bd0c21848c752da653f261d0bdb698736136d5d0dd750dcff67c4072b219704e44f5db48c62f976c20b0858fcd48161ae7954335c7

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
160KB

MD5
8a6a603c8cd7017b87c07c4bda0f2edb

SHA1
28b3a7a2e97f32e9cbd9a627cd6e980392d17bee

SHA256
6a1772ed941e51219626ee0670bbd367690695d53db8435b6e6b082b7f2fd723

SHA512
dd3aa7b9e0ca05bad7fbe6fedfb098e4a39f53b0d4cbb321b98000f4489565273e0411d2f81ddac67b2a375cb7db803e30b127bf591cae7323abc64fabf9ffab

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
160KB

MD5
b17680d458666b64de3a77f100ca81fe

SHA1
14d8b7a0e4b8ba86030fda4add3af9d343a7adc7

SHA256
a22a2735e2d3fa7049b155279063eaa7f2e771e83f287fcff3a168e22491c5dd

SHA512
2ecfc4b0dd9944c978dd4a8c817fa9d33de9cc1663ab42fa2dbfffab725299fb2cb91561431ffdeb9a250c91b158003d6b0bfd143dc73d8c19fa143e171bfd00

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
160KB

MD5
18396bbc607a84f765f6d67ea3ae6c6d

SHA1
026da49966dfa3f2ecab4449d2d528a03512c68a

SHA256
506a081b203fd0210a3adca6e43a0a8f3ae65354c689d3eafda38a59d3db12ca

SHA512
46127139bdc4c7bbb6a02599422e4dc5291507e67f452a4592f4c42b631dbcd68bc0a98d0874e6278b59b0f2bfce83f4b116935daf3b27a327ed35cd14f59661

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
160KB

MD5
b63fb3ec8d6dd0342d56a14ccfde20f9

SHA1
b982c013869e55303ad9017e9c169cf35f75cce8

SHA256
67720c82441907834d6264e56af03fd65bf4a035ac96204d0a87bb829644f51b

SHA512
b77e91ccf98791a0c3153a5007746fc34d4d7ec013659cc66fbfc8a34f4cb9572d98a822e07dc96d5aeeb5083db60c5a869ef959dc8f1666c58e551c7df02fd8

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
160KB

MD5
880ffb63647651b2bf4edf4f1fa91353

SHA1
62c3de3d3fb5152547b6c236daca8f4a9a0a73d3

SHA256
2045636b4bc8e2a3b15e73991dad450ab5b2f1fc3eac96f63072612deaaf02ab

SHA512
0b401d130976d95146c3d881c4ad3c80e5fc7ca3ef41447efbaeaccbec36825350c53b42fb79d184246bf1ae40bae5305ebbc592fb901e48d1fbec0628660dfa

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
160KB

MD5
4b256c4213018a592c9303f65b6a439e

SHA1
b412c785618569112f29841ae9dc3c518a375f05

SHA256
25c30d9caa3140b01ef5e9df1a800481faf68bd7eab86af4d8ff89adbf2d5ff6

SHA512
02edc3c2ac5709b4f514554f565691e0838297f6ce5d2177c63ee4f59c7b4e6b6921a3afc03bbf07841efa158a1dd872b11f5a7949c3984a927b7c15865dd514

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
160KB

MD5
401c37a21a298268e2a11151b6653e21

SHA1
a9dd472e6be94cf872cbeed3236e4b1223374eeb

SHA256
11d6b4b3711dc22e456e197de8c589ca61561b5db7c5c7c9d4ae42605bfdabdd

SHA512
9729100932780747e5aae0b8031dbd976a48c9a375ba7bfb8fe473fa8fe4082bb83d98d17ad08bb4029aa568495473bd000088743c48b5178cf1da8ff78e7d5d

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
160KB

MD5
47580f72379e9406ff20d133dd4ba565

SHA1
61d193bf94ecc6079163928dcc4a6dd4801274cb

SHA256
20555379168f4a15fd0b6a499eba097b839a147e03804c71a356a2c459e1ae7c

SHA512
e0c122cd442b10f46d76e818a0c3ce885394617557bfd73765a6f74ffbdbcad5897e87f6661c82adb7d1c05f5608d8e287eec4e4d701f732669ddc4e1f376e7c

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
160KB

MD5
248fc3fade0918fcac934ce54c29d897

SHA1
27354245ab35a3d6dfac2f682f979c18f18504e5

SHA256
39dc09cac4cce50e6257c663dcfd50bd1af1d5ffbd04e483d2c7494e4385972d

SHA512
6d7c97185bf6efd88d62211ca1278d54610a4e42f1cdae8eab5e157816f01535b6f4045ac93e89f11852d60a36aaa1c8e7dee4207216018b3db7829d4310e5c3

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
160KB

MD5
fb7674906461884b04874f1347587b99

SHA1
ab4c53438dc02556fa71b397fe70b2a3e1d1e5ee

SHA256
b20772e8161021e99a3b72a78de54a3001c361ec1073080701cd3fcb3a78f7a6

SHA512
a8be0c10f4bcac2730e96e2fd2f78583d3007384f6ef28a0e827ed7997e6d5542b8cd912f33247537800e4a60b11fe98bb909b6c8a6057ca862a23a7733fcc55

Download Submit
memory/452-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/460-29-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/700-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/700-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/712-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/712-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/932-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/932-409-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1232-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1368-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1368-411-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1500-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1500-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-142-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1752-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1752-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1796-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1796-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1808-404-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1808-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1952-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1952-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2416-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2784-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2784-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-69-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3096-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3132-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3504-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3564-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3564-399-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3816-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3816-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-421-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3936-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-397-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4288-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4424-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4708-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4708-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-427-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads