32d32c252d3e41016a882bddd0421e3794f5ee7a4091ac6af6e81068f1c7a512

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 15:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe
Size

56KB
MD5

14eeb2902bec6b2b8b99a4c4afef1690
SHA1

a1cfccbdcc2077b57c466a13c586a137733efa32
SHA256

32d32c252d3e41016a882bddd0421e3794f5ee7a4091ac6af6e81068f1c7a512
SHA512

ffc7315f1b93eb356e851b7f5c77ac27a614e7a5d1d4ccfa20bb42deb1b7a4753c9ff1d2d8f49b72d989fee3f4c885df59d846673961cb364a517d55346ba78d
SSDEEP

768:+c+gepn3HPnfn4llcohODXJscnGLklvRHYuV9BY01Iqu/1H5aXdnh:+c+gWn3Hn4cohYmcGYsuV9C01IqEm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe

Executes dropped EXE 50 IoCs

pid	Process
5024	Jdmcidam.exe
3344	Jkfkfohj.exe
4080	Kaqcbi32.exe
3920	Kbapjafe.exe
3320	Kilhgk32.exe
1088	Kacphh32.exe
2368	Kbdmpqcb.exe
2592	Kinemkko.exe
756	Kphmie32.exe
1832	Kgbefoji.exe
4500	Kmlnbi32.exe
2460	Kdffocib.exe
4740	Kmnjhioc.exe
3324	Kpmfddnf.exe
2524	Kgfoan32.exe
4516	Lmqgnhmp.exe
4624	Ldkojb32.exe
4764	Lkdggmlj.exe
1532	Ldmlpbbj.exe
5060	Lkgdml32.exe
3904	Lnepih32.exe
1844	Lcbiao32.exe
3824	Lnhmng32.exe
2828	Ldaeka32.exe
3816	Ljnnch32.exe
2216	Lphfpbdi.exe
2236	Lgbnmm32.exe
116	Mnlfigcc.exe
1336	Mdfofakp.exe
2988	Mjcgohig.exe
4384	Mnocof32.exe
2408	Mgghhlhq.exe
3944	Mjeddggd.exe
3032	Mpolqa32.exe
3376	Mjhqjg32.exe
4224	Maohkd32.exe
1920	Mjjmog32.exe
4544	Maaepd32.exe
1944	Mcbahlip.exe
4744	Njljefql.exe
4792	Nacbfdao.exe
1568	Nklfoi32.exe
4768	Nqiogp32.exe
536	Nddkgonp.exe
848	Nnmopdep.exe
4228	Nqklmpdd.exe
2316	Ncihikcg.exe
1496	Njcpee32.exe
3708	Ndidbn32.exe
2964	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5020	2964	WerFault.exe	134

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 5024	3448	14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe	82
PID 3448 wrote to memory of 5024	3448	14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe	82
PID 3448 wrote to memory of 5024	3448	14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe	82
PID 5024 wrote to memory of 3344	5024	Jdmcidam.exe	83
PID 5024 wrote to memory of 3344	5024	Jdmcidam.exe	83
PID 5024 wrote to memory of 3344	5024	Jdmcidam.exe	83
PID 3344 wrote to memory of 4080	3344	Jkfkfohj.exe	84
PID 3344 wrote to memory of 4080	3344	Jkfkfohj.exe	84
PID 3344 wrote to memory of 4080	3344	Jkfkfohj.exe	84
PID 4080 wrote to memory of 3920	4080	Kaqcbi32.exe	85
PID 4080 wrote to memory of 3920	4080	Kaqcbi32.exe	85
PID 4080 wrote to memory of 3920	4080	Kaqcbi32.exe	85
PID 3920 wrote to memory of 3320	3920	Kbapjafe.exe	86
PID 3920 wrote to memory of 3320	3920	Kbapjafe.exe	86
PID 3920 wrote to memory of 3320	3920	Kbapjafe.exe	86
PID 3320 wrote to memory of 1088	3320	Kilhgk32.exe	87
PID 3320 wrote to memory of 1088	3320	Kilhgk32.exe	87
PID 3320 wrote to memory of 1088	3320	Kilhgk32.exe	87
PID 1088 wrote to memory of 2368	1088	Kacphh32.exe	88
PID 1088 wrote to memory of 2368	1088	Kacphh32.exe	88
PID 1088 wrote to memory of 2368	1088	Kacphh32.exe	88
PID 2368 wrote to memory of 2592	2368	Kbdmpqcb.exe	90
PID 2368 wrote to memory of 2592	2368	Kbdmpqcb.exe	90
PID 2368 wrote to memory of 2592	2368	Kbdmpqcb.exe	90
PID 2592 wrote to memory of 756	2592	Kinemkko.exe	91
PID 2592 wrote to memory of 756	2592	Kinemkko.exe	91
PID 2592 wrote to memory of 756	2592	Kinemkko.exe	91
PID 756 wrote to memory of 1832	756	Kphmie32.exe	92
PID 756 wrote to memory of 1832	756	Kphmie32.exe	92
PID 756 wrote to memory of 1832	756	Kphmie32.exe	92
PID 1832 wrote to memory of 4500	1832	Kgbefoji.exe	93
PID 1832 wrote to memory of 4500	1832	Kgbefoji.exe	93
PID 1832 wrote to memory of 4500	1832	Kgbefoji.exe	93
PID 4500 wrote to memory of 2460	4500	Kmlnbi32.exe	95
PID 4500 wrote to memory of 2460	4500	Kmlnbi32.exe	95
PID 4500 wrote to memory of 2460	4500	Kmlnbi32.exe	95
PID 2460 wrote to memory of 4740	2460	Kdffocib.exe	96
PID 2460 wrote to memory of 4740	2460	Kdffocib.exe	96
PID 2460 wrote to memory of 4740	2460	Kdffocib.exe	96
PID 4740 wrote to memory of 3324	4740	Kmnjhioc.exe	97
PID 4740 wrote to memory of 3324	4740	Kmnjhioc.exe	97
PID 4740 wrote to memory of 3324	4740	Kmnjhioc.exe	97
PID 3324 wrote to memory of 2524	3324	Kpmfddnf.exe	98
PID 3324 wrote to memory of 2524	3324	Kpmfddnf.exe	98
PID 3324 wrote to memory of 2524	3324	Kpmfddnf.exe	98
PID 2524 wrote to memory of 4516	2524	Kgfoan32.exe	99
PID 2524 wrote to memory of 4516	2524	Kgfoan32.exe	99
PID 2524 wrote to memory of 4516	2524	Kgfoan32.exe	99
PID 4516 wrote to memory of 4624	4516	Lmqgnhmp.exe	101
PID 4516 wrote to memory of 4624	4516	Lmqgnhmp.exe	101
PID 4516 wrote to memory of 4624	4516	Lmqgnhmp.exe	101
PID 4624 wrote to memory of 4764	4624	Ldkojb32.exe	102
PID 4624 wrote to memory of 4764	4624	Ldkojb32.exe	102
PID 4624 wrote to memory of 4764	4624	Ldkojb32.exe	102
PID 4764 wrote to memory of 1532	4764	Lkdggmlj.exe	103
PID 4764 wrote to memory of 1532	4764	Lkdggmlj.exe	103
PID 4764 wrote to memory of 1532	4764	Lkdggmlj.exe	103
PID 1532 wrote to memory of 5060	1532	Ldmlpbbj.exe	104
PID 1532 wrote to memory of 5060	1532	Ldmlpbbj.exe	104
PID 1532 wrote to memory of 5060	1532	Ldmlpbbj.exe	104
PID 5060 wrote to memory of 3904	5060	Lkgdml32.exe	105
PID 5060 wrote to memory of 3904	5060	Lkgdml32.exe	105
PID 5060 wrote to memory of 3904	5060	Lkgdml32.exe	105
PID 3904 wrote to memory of 1844	3904	Lnepih32.exe	106

C:\Users\Admin\AppData\Local\Temp\14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14eeb2902bec6b2b8b99a4c4afef1690_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\SysWOW64\Jdmcidam.exe
  C:\Windows\system32\Jdmcidam.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\Jkfkfohj.exe
    C:\Windows\system32\Jkfkfohj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\Kaqcbi32.exe
      C:\Windows\system32\Kaqcbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        51⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 400
        52⤵
        Program crash
        
        PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964
1⤵
PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
56KB

MD5
3c7c02e8ebde30c54cf5601ecf9e5e85

SHA1
a2d4cc53beeddce5b25ab40ef702ad539e47da7a

SHA256
6686afd666d04acc4b4895ce67fd6b5643c837411444da613ef928048d741efc

SHA512
21f27dc0c8ab5a4ec7a84c16051fad4892d72a06e661f54138746685ac26cc484a8f25d03b5c27a15836a95ea332b57430020232b6ef59dfeca2266fe7ad8dc2

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
56KB

MD5
9e2f153da8cb0ba7c8fa381893ad2e55

SHA1
f084104d2d8cf145862ba5a5741434717afc5dbc

SHA256
c0f78ccaf9a2455a14635c413d535bc900e4f38d5eefc7bc9017d8e0c22ffc2f

SHA512
7d0f95d54863a095a160b5cdc5328c00ca0539e9ce7b253fb6673b5b5a87ed182684809bf17395a96b815d592a435796a6348460e9169115190c3f331fe04f8d

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
56KB

MD5
b13bda0f1b41c8fe8386fa2f4531311e

SHA1
132886ceb962d1c22e3ba3d4a8b06278f4e1d398

SHA256
a3f908a12dcfbb7d51cfe08b47312b5232649540d166b3620a0a5994c6998483

SHA512
a67546d2506d3ccafe7e488dc0a67f409eb2a45c54d38389e66c2a047413b9facfa651e64b48fc05cb8db81010ae7de4a1a3af41e8c499a9af2a62a7a9a00cc9

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
56KB

MD5
b94f2ad0ea0df7fa2ac4798777e7ed3b

SHA1
e71b8544c61814cbe7a3e53021dc7c7b5a11b4e0

SHA256
25fcde51f212d791442b009def5244e48a05827e931536fed7fca02cdf745628

SHA512
7a29ec2608a658161e4389343eaebc5933167fb28deb19b5b4fcf40b75333d50442e75a5c53c12985a8481f69854d5cede09a933d6262eda7ab6c4692a396851

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
56KB

MD5
c82a1e1dee461d3f8c226ecc0bd3adf6

SHA1
27ee2d17b1de0a643051ef345083818571e8e551

SHA256
12796eab4678025debca2ed282c4c964d915e873cf9634ea768d03f79f4a3cc6

SHA512
87be8cb2676b64fa657b0e0be35c4a830b132a92bae5064829741273b1f2dcb0c33316426315278225fd6e2eadeb30ef244dd6980f890aa887d5297505a6e137

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
56KB

MD5
a95f5ec91c1751f18ddb28bfa4ddb23e

SHA1
9a9b05204b311807eb786e28b26b98e70da9c34c

SHA256
7fc0149bf1ed7efb86cdbb4ac33c5bd7175e44a2735703d44f50bc3421b803c6

SHA512
25ebebcba991f8b365e901b28ca73aa07c96587b122e96dfd1af58fd4fe560083b9f099b8d3b8ec9fbc3e86db05096a0717570626006c885746d2613fa7cd968

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
56KB

MD5
c11102982c5284afbdff9fa06b73753e

SHA1
935b07e16d3239be989767c35f3a8bc379cdb035

SHA256
4083d84e08d844e763376e2fe5f66278b8cb8b262a454a77869b76ad55ae1a43

SHA512
408f7c9347085d8d9171d7267a318c67190a521cbcf7eaf7e58d112e7ae597b16e2c34e4fd3bee65f4baad0465047a2ef35f0da394ff2f3bce0f9f932b528e2b

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
56KB

MD5
5d09cdc935c52e10e29d361e0ba6ed82

SHA1
d57db9584a2b77be4a8579c7d13eba939142677b

SHA256
49755d408b9084791676deaee97aaa0f60ddb3c8f972ab200cc14812d7341511

SHA512
4ed5c9762dafaa765fd79d3a643627a5b14cd4f539ab2a740dceb9ba49864204ec967b837e1469a784bb46c3ebc1710ae4514d02516e770bd24904e41df1a3f2

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
56KB

MD5
5da6e1a6f0ed40ebfdd5c4786be2e981

SHA1
fdf7ad1dee1b2ec3fcf1bf22bb2edfdf85841c20

SHA256
6e3733099d3fcad67eed5dbda07aef0e9c5388ec45a156c426899792d47ad723

SHA512
d22605a02f41b505dc61cfaa99c840938291448eb2930e45b3f89c2a9880d26127229119ba74c2db8516289da3986225d8d7d58aa3538af0ce4962af10ea5e1a

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
56KB

MD5
7850e07c2a562f6feb497a83be01e92a

SHA1
8d653a5f077fbbc5259272aabe6885704234290a

SHA256
b176deb439ae1f3f67b3ee05f89dabb27084a95d6a07fa542c35680bd09774a6

SHA512
c5fcf9c9900e96ad3b14207315ef6a5252408dcb7a1fab449c729850d10f8788fd544498aa2a9c0222d00a85afd827a56b856654910117b899ef472253b7c30f

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
56KB

MD5
7e960c4ffc0c961961ccff21734c5030

SHA1
6c4b16574ff4449a5ca7c0da791afc06f83d59de

SHA256
fb58841e3a671589cb8036a52026a9c6e1e29324df946697038a9ad3eb01797d

SHA512
3f70c46d48cab82c7bd3c0e6808902c80c3179599e24a32eedb8ce1132fc9cf248452f63edd975f2eaafc9aa61feef7721dde05380aa2af072e8ec036c7611d3

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
56KB

MD5
53c580a82b97c1d370b7b3ebd08eb282

SHA1
ae424e4ad6b71b8801a8df6c31038efbce916993

SHA256
9804cefc30b4d9e71acec6c9f3b73e73bc07ffb779633bb6738f35a064efeab2

SHA512
7c2686666481f143dfc327b369c04111ef102956e3543ce744c2ca4fb8a5765513f08962973cecabbb41bfc374dc992e97c18caa575d73e04a6a3da4fc9334f6

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
56KB

MD5
5ac4a569b85eb1bc458522ddaa67c584

SHA1
72afecb32a5f0e0b7cf5510055838cb63c7d3d14

SHA256
d77af351ce506cc1b4fdc5c2bbedd90a70a239aa47f247395156becc8ede813e

SHA512
96e80c0691ade4b48324dc1e99f123029b2275633a6ce9500601697a06c04350652a00ebb2164d3a8c699dc702819ed49e4e32b0ee0ba81a5b14d3869208b5c2

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
56KB

MD5
59754420da32a448407f5e3b8c0994ce

SHA1
80070f79eea3d4f496a9430a6b5f3e2f94e6076b

SHA256
69727c2b07818760ea004d28605253dc7b33042984fb3bd4178da7adc3e5e12a

SHA512
d6cdf3e33f0c025f1fffe642ee1047021fa4495033a3eed7a9b1760fb134b49546313912e75983b5be95ade71be0a09c982564d21de4faa8b17e3e4bad5c000f

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
56KB

MD5
681b26ae760882c22a8cda0e8e9cee27

SHA1
2d7ceae039b874f63a437fa5a55a16e45b653a1c

SHA256
e1b07a28c166407d882fe213faa941d8f0b4fca23236cfdee9b81b936b03d83e

SHA512
d212af0ded10abc67e3754d991c08f34c5660579e175ecf6f401817cf894faf7e41b70f48f501824c32554c155e3f2f6f94b485ced4d6d43cbcd488ef398f93c

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
56KB

MD5
9bf6e44c70f70b68c9fcd086252b927b

SHA1
120a6f84352032604c8b1aff12622897d6f4e5fd

SHA256
ae851720f7d64102f58003dddb82f8d147c4e3967f7ec622e8531a9a920c8b08

SHA512
492728b338992617d3817506c4a39ed570e549eb099ee78ccac56e8996097606193808859de111b86ef49bb69bd4a36cf2b94b4f9ae8237a794dcc9007a2620a

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
56KB

MD5
d4503c30ca9c99ab07a87bf29c9fdd53

SHA1
4fda0acefb7dbcdabaa17b0902ead536331c714a

SHA256
01a3acf27c95df43c9c150c3cf10dca77439ceac7d68d7ae790aecff96651ba9

SHA512
d8f09cfbbe15a6b73d1a95c1cc91c2d49f8b6f13b45b2fe6109856e48c5e18248d68ccad47846df09583e75db4224554932456c28ccd23455e53e669c4d9f12a

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
56KB

MD5
05686dcccdfdcdbf53d32d3090cece07

SHA1
e569c40397473b377bf834edfaa802496ddff6b9

SHA256
38cc3ce37ec10203fbd2d824314929eb4a8393ae1907052123c2f123bcf765d6

SHA512
d735c2f875c5f52f58e4735d8c03433b547162c767ae87e2ea8453cb6a1e546ea0f3186b85d53bad85f5bc8b3d1b719d38dbe57fdced34be04c58f42c2e0b9d9

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
56KB

MD5
2e2d4f0190101a06e29916d06f21c420

SHA1
2675fdd09af9241262ca466535a50af2c47ba96b

SHA256
1dfd377a9edb1f8e8d5d2d0268d8fc41718950b9680f00963a2abcd5f6b30e88

SHA512
33ac46b903faffe708b66bacaa3364023ed861d56cec7026a32f9300b3a7aa129a85c6776f5d77ab1f4795595c049f49aa2fdbab32344d93932ce3eed5d6a56a

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
56KB

MD5
1179b199b455bb45d199f9c5ce2518e7

SHA1
ff2f6b11058ba80a9b0f66778bb547fa3ff60f3d

SHA256
57e85a52496af854658a1bdc13213e550e279316685a1189ac2d9df33a64f305

SHA512
335dbec1e596e09ff7003addb157a1fbb77b458f8f397d8dac8a2f78298688d59c6da8556e76f988e749b0cfb5b2747f426183efd2a5bb2da2d872fbba10e059

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
56KB

MD5
a8579b6a013d63d8975f07b4195564eb

SHA1
f5902647c8111b934a8fa9b35a186cb85220c814

SHA256
4d766aa2f743d7375cc63dfcb7458fcc97eae2d99add62cb43bfbfec88a00817

SHA512
f45e559ffd93e4ed34902c13cc25659618dada133ac927b19cefdcc63b2611c1ab5ddebe0dbac212c965c8ae616830f8838677cd31debf44f478310d80035dd7

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
56KB

MD5
f49039689f6d6893bfdc104ae78841f5

SHA1
0d6701eb57d95fa29993840f757719d15a309ce4

SHA256
69f9063cc3eb6eb5294a56e81a0b1eb174d07f3447e2b41228586f2e795df76c

SHA512
7969175e52acca1d8fa082acfc1b0c951fa0164a9475dc2cdd2f168a87c9fffbe87904b215952fefe54d8c4a82eb73a1e6b4654c8790aa5899ed46f3beb360b2

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
56KB

MD5
d9053d44b44f9d28bd2c9d812e97bd35

SHA1
c8084826f7207cc0751ee91b4e0bab47195a2d8c

SHA256
e6deccf1261292ba8e81ddf80fe25830ae902c30066357f4e85b3584bcf05db2

SHA512
4faadd64e55ae026b9350f7afce56795c629348f6b6cd67b9cc023f026b654ff05dc60219b7d2f734af11a48d5f3d9a07fb9d252f00596121b68df7aaee9f677

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
56KB

MD5
e00e64b35bdaf135b59aad3fdb674e86

SHA1
eef46c44dd808fc78bcb015396ba78893928adcb

SHA256
08adadd1fc6e7392726646b6e53cb88de5aa47d5a3d6bd4f6a7c5e16a53ca536

SHA512
41a8d595514f5e339367482cd55ff3c08f69816f23066489863a705da180ddd8b8c1656e1913cc24346a3296419253c04bf86e32b90e168a5b46fd2b19d515aa

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
56KB

MD5
f0a50dd56c8b93ded956dbe6904d1522

SHA1
b59b5c8236fda9fdefc9e3d6f31b53c99348f25b

SHA256
bfcf02aa9f0052419a6f7431cb4480e8c101531d185a9f52eb4d1754a60bf71b

SHA512
4ca470489897ea857536a0cc63c8026b7c351bf617b06b62d3d5fff2a84ea9dd6965cb28ccc4ca0ac5d0f581c266e7d3b9a7d8fbef3e8f763f5617b8393eaded

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
56KB

MD5
099ff7c80e4c71b13ac1b2dbaea66d8b

SHA1
bde60415260936c1a54311ed31f80dade8b99483

SHA256
94cff60f36b19e791155466afe578bafd5a422680f34fadf2803f785f3ff1ea6

SHA512
02fc703e4313dbd7a1bd33a9cd72432203d2f9163731eaa773119a8977268d549ce4d1d8e0db91f7a4d8374e0960e42b26c29335de462bf543f41d59bf9a584e

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
56KB

MD5
07e9a56c472b5272a37b15c3a61050f5

SHA1
deed114ce0b752e9bd791481f6a608dd0be062ec

SHA256
500df20ba3f508d3b4c2876401e7ede94180b5111581d53ae0cfef4d301dc141

SHA512
c3a175595b02714d32244592732ede8e025d87163e554ae10428fed50ac138a6cab4a00de624f80cd6738eefff5cec9c512cf05705de956fd44697cc98641bcb

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
56KB

MD5
edfc53f0aa63915e341307d4b4ef5f05

SHA1
298eddc3812c157535f4a0fc3a6115557c33fe1d

SHA256
d5f687a4ec4cc8818fa3090a99e453700b017d664876dcc72ca4073eb08cfd7c

SHA512
b944a48b1f42dcd7b257f3112c5a72cffcd2de7380cd2fa606b815f55dbb52dec08eb98c39dc01c6033a0d1f786faf78c8a0cb691e4649e6e9347e85f74dc41e

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
56KB

MD5
d9ef0a62bc1e23e5fd172494e1dd6f57

SHA1
430c7724c8b73c758f444e4bcae2a79272153e8b

SHA256
7b666794936166cacacc25d2afa5d732f7f279265285c75f761a593704dce37c

SHA512
b68cd5faa7e6443e2316b38e1fe2a04d22bd3f06e6a0997d577f1abd4e4ba8e736e201dcf8e08f65ce822c5f3567977e6a3cafb1b459e98c21bf602b3a50a1df

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
56KB

MD5
8b0a09f9f0b6654c48a537593d3b423f

SHA1
e39aa8421afa454693d6dd75211254c6d37c4f37

SHA256
c6aaff01235bbcecfead8bf76f548cb8588c30de4405a8342b6975bbd2ecbb36

SHA512
01a90e43365a71c6484dd641c9ea3b29dcb42b3acd74704ec1ebc50f980027e57424b8666d33871c49b9caf60b57df1b220bd43b452a495ad1518955b45d7bcd

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
56KB

MD5
8d472d627b76b9dec1f994b26eca278e

SHA1
4ef65b3463a58e59881a829fab39ef9d2734d001

SHA256
4ce6ee181b30a7736fbb1168d2d677e0ad0f65b8d34d4763690a1662335c13ba

SHA512
a59166ad1e0a777833aedb4be33bd009cc6d8faab64c0cbd946e9824964837574b09839add514812e422cdd75a27e2dc504d3ab358a71c240a292497880e4122

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
56KB

MD5
d20e806f293f7526c34c6eb12fb8cfb0

SHA1
81d1ca4e722ec3f36f3f87e286681c36e4a76641

SHA256
ca58dbac9abe13e03f35b3c924311b7e594255a782fba9dfa527d8f58bd56454

SHA512
a5db278270dbaf35d7b444e611b72056a51469eea6ac80d72a902dc994a14666d0bae7ab9e9d877bf620aa4667e693ceec10f4560326538b94da9ded90732789

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
56KB

MD5
27a4cfc72803ce14d9e7d9751501f9c2

SHA1
d92aa7ea01909dd94ecd5497da22e0c35b9edd74

SHA256
1c05329e7a69a7a239e41aa56ca7d17c8b74de73dfa82ae9ca6c7a74de0582be

SHA512
20588e53d964b42d5e5d1377aa17fcf95c0f348081edb439dc090c18bf8f0456edd588581e26dc1acc2533f92333da183afa98a7878d62acb738418ca6d52abf

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
56KB

MD5
fd23a1158f72426867d8df7e23622c24

SHA1
25c8f4e958aaf5fcbc2d412bb46148db5af1151e

SHA256
8e8a75202316b850a70db8e024575355712adafe754ac215a9525c5646c9f232

SHA512
0552dece55195ff3518a1188c58c1440db776d7f08d589c8ee44088cbeaa27eaf03ce2b81953278292083f31789584ef05a8c3caa5d7af02140a09a169df0e10

Download Submit
memory/116-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3448-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads