20ce486afe800652dfdcc7be872a8489c64dbb779f2aa19523ae384b1a9dba26

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe
Size

108KB
MD5

c80df0f6479ce2710251f15eccee0440
SHA1

4211b2320474e529e1d0cd0a3ad9b85d3c76927d
SHA256

20ce486afe800652dfdcc7be872a8489c64dbb779f2aa19523ae384b1a9dba26
SHA512

604c1dca485d3ec73f674441acf922e8451dc4aea228c1dd1c304d12a20b47b39b03595cbe3c54ee40cf7085955aef585551ddba7640afd5e48772b2f50cd2e0
SSDEEP

1536:dSCr1YBeMidWpYl0cRKdvsAj8BSHaoHB3B41BFcFmKcUsvKwF:drrGORKdNjKS62B3CBFcFmKcUsvKwF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe

Executes dropped EXE 52 IoCs

pid	Process
4548	Jiikak32.exe
5100	Kkihknfg.exe
1936	Kilhgk32.exe
4764	Kpepcedo.exe
2368	Kkkdan32.exe
4316	Kphmie32.exe
2396	Kdcijcke.exe
2184	Kipabjil.exe
3036	Kagichjo.exe
1056	Kcifkp32.exe
3896	Kkpnlm32.exe
3020	Kpmfddnf.exe
2448	Kkbkamnl.exe
840	Lmqgnhmp.exe
4192	Lpocjdld.exe
5024	Lcmofolg.exe
3096	Lkdggmlj.exe
3760	Laopdgcg.exe
1376	Ldmlpbbj.exe
4368	Lijdhiaa.exe
620	Laalifad.exe
4076	Lgneampk.exe
2708	Lilanioo.exe
2068	Laciofpa.exe
4088	Lcdegnep.exe
544	Ljnnch32.exe
4292	Lddbqa32.exe
1604	Lknjmkdo.exe
2232	Mahbje32.exe
3248	Mgekbljc.exe
5104	Majopeii.exe
2572	Mgghhlhq.exe
2652	Mkbchk32.exe
3816	Mjeddggd.exe
4948	Mkepnjng.exe
1760	Mncmjfmk.exe
3980	Mpaifalo.exe
2856	Mglack32.exe
644	Mnfipekh.exe
3188	Mcbahlip.exe
4908	Mgnnhk32.exe
884	Nacbfdao.exe
4580	Ndbnboqb.exe
964	Nnjbke32.exe
3452	Ncgkcl32.exe
4968	Nnmopdep.exe
4692	Ncihikcg.exe
4796	Nkqpjidj.exe
4616	Njcpee32.exe
4184	Nqmhbpba.exe
3996	Nggqoj32.exe
4400	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
932	4400	WerFault.exe	136

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 4548	1384	c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe	81
PID 1384 wrote to memory of 4548	1384	c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe	81
PID 1384 wrote to memory of 4548	1384	c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe	81
PID 4548 wrote to memory of 5100	4548	Jiikak32.exe	82
PID 4548 wrote to memory of 5100	4548	Jiikak32.exe	82
PID 4548 wrote to memory of 5100	4548	Jiikak32.exe	82
PID 5100 wrote to memory of 1936	5100	Kkihknfg.exe	83
PID 5100 wrote to memory of 1936	5100	Kkihknfg.exe	83
PID 5100 wrote to memory of 1936	5100	Kkihknfg.exe	83
PID 1936 wrote to memory of 4764	1936	Kilhgk32.exe	84
PID 1936 wrote to memory of 4764	1936	Kilhgk32.exe	84
PID 1936 wrote to memory of 4764	1936	Kilhgk32.exe	84
PID 4764 wrote to memory of 2368	4764	Kpepcedo.exe	86
PID 4764 wrote to memory of 2368	4764	Kpepcedo.exe	86
PID 4764 wrote to memory of 2368	4764	Kpepcedo.exe	86
PID 2368 wrote to memory of 4316	2368	Kkkdan32.exe	87
PID 2368 wrote to memory of 4316	2368	Kkkdan32.exe	87
PID 2368 wrote to memory of 4316	2368	Kkkdan32.exe	87
PID 4316 wrote to memory of 2396	4316	Kphmie32.exe	89
PID 4316 wrote to memory of 2396	4316	Kphmie32.exe	89
PID 4316 wrote to memory of 2396	4316	Kphmie32.exe	89
PID 2396 wrote to memory of 2184	2396	Kdcijcke.exe	90
PID 2396 wrote to memory of 2184	2396	Kdcijcke.exe	90
PID 2396 wrote to memory of 2184	2396	Kdcijcke.exe	90
PID 2184 wrote to memory of 3036	2184	Kipabjil.exe	91
PID 2184 wrote to memory of 3036	2184	Kipabjil.exe	91
PID 2184 wrote to memory of 3036	2184	Kipabjil.exe	91
PID 3036 wrote to memory of 1056	3036	Kagichjo.exe	92
PID 3036 wrote to memory of 1056	3036	Kagichjo.exe	92
PID 3036 wrote to memory of 1056	3036	Kagichjo.exe	92
PID 1056 wrote to memory of 3896	1056	Kcifkp32.exe	93
PID 1056 wrote to memory of 3896	1056	Kcifkp32.exe	93
PID 1056 wrote to memory of 3896	1056	Kcifkp32.exe	93
PID 3896 wrote to memory of 3020	3896	Kkpnlm32.exe	94
PID 3896 wrote to memory of 3020	3896	Kkpnlm32.exe	94
PID 3896 wrote to memory of 3020	3896	Kkpnlm32.exe	94
PID 3020 wrote to memory of 2448	3020	Kpmfddnf.exe	96
PID 3020 wrote to memory of 2448	3020	Kpmfddnf.exe	96
PID 3020 wrote to memory of 2448	3020	Kpmfddnf.exe	96
PID 2448 wrote to memory of 840	2448	Kkbkamnl.exe	97
PID 2448 wrote to memory of 840	2448	Kkbkamnl.exe	97
PID 2448 wrote to memory of 840	2448	Kkbkamnl.exe	97
PID 840 wrote to memory of 4192	840	Lmqgnhmp.exe	98
PID 840 wrote to memory of 4192	840	Lmqgnhmp.exe	98
PID 840 wrote to memory of 4192	840	Lmqgnhmp.exe	98
PID 4192 wrote to memory of 5024	4192	Lpocjdld.exe	99
PID 4192 wrote to memory of 5024	4192	Lpocjdld.exe	99
PID 4192 wrote to memory of 5024	4192	Lpocjdld.exe	99
PID 5024 wrote to memory of 3096	5024	Lcmofolg.exe	100
PID 5024 wrote to memory of 3096	5024	Lcmofolg.exe	100
PID 5024 wrote to memory of 3096	5024	Lcmofolg.exe	100
PID 3096 wrote to memory of 3760	3096	Lkdggmlj.exe	101
PID 3096 wrote to memory of 3760	3096	Lkdggmlj.exe	101
PID 3096 wrote to memory of 3760	3096	Lkdggmlj.exe	101
PID 3760 wrote to memory of 1376	3760	Laopdgcg.exe	102
PID 3760 wrote to memory of 1376	3760	Laopdgcg.exe	102
PID 3760 wrote to memory of 1376	3760	Laopdgcg.exe	102
PID 1376 wrote to memory of 4368	1376	Ldmlpbbj.exe	103
PID 1376 wrote to memory of 4368	1376	Ldmlpbbj.exe	103
PID 1376 wrote to memory of 4368	1376	Ldmlpbbj.exe	103
PID 4368 wrote to memory of 620	4368	Lijdhiaa.exe	104
PID 4368 wrote to memory of 620	4368	Lijdhiaa.exe	104
PID 4368 wrote to memory of 620	4368	Lijdhiaa.exe	104
PID 620 wrote to memory of 4076	620	Laalifad.exe	105

C:\Users\Admin\AppData\Local\Temp\c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c80df0f6479ce2710251f15eccee0440_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\Jiikak32.exe
  C:\Windows\system32\Jiikak32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\Kkihknfg.exe
    C:\Windows\system32\Kkihknfg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\Kilhgk32.exe
      C:\Windows\system32\Kilhgk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        36⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        54⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 412
        55⤵
        Program crash
        
        PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4400 -ip 4400
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jiikak32.exe

Filesize
108KB

MD5
369634c7a65075236abb469ec73332ab

SHA1
878dfbfd9445803e061f58f7f8c0d51efdc182ca

SHA256
c205b40d6b4c86b5aa7ee0a3c5625767cd676da9bbdc99ba4d4fc8ba37532e92

SHA512
6557e1c1be68080f8122e908599aaf2ef087576e378e044773119edda9383e09813cb2d2525ad0caa80be6138ce8c3315bfe5b312f14c12f21b11b2bd80028bf

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
108KB

MD5
d23b2c38268bacdcfc7cd6094f4ab305

SHA1
734b3503c1f7f56576e9d9d05c5eeeba6c55d650

SHA256
a97c922fd2bfac9cb7bb20209394122cc40463c4829a771e9fd4675974da00ca

SHA512
088d2facef24b40e7178ac4b603b0a87fa47ea68eb5659c3a3a67c53008de41ce3426139aaade9a5bcb9697d3ba5706774e0a9d922df5ba00a576cdd95898698

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
108KB

MD5
1564e3ed24f2f4f23b8645b331dc74eb

SHA1
3ad4b07d441e9dba97fae4593f7c12a6219288f1

SHA256
9e25079e90d54e5fe600e4c74fb92284610c0a639dcca2cfa240841db9beb8df

SHA512
a603cf57cc6f72a3a933c55db2edc8904d9346f9d187b887fd77d1434ce8ce4aedfd5bc03af022cf80f9bd76aee0ee94b3c4e9abc5892f7ed97b408a6e9a4c36

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
108KB

MD5
71c4c103f0ac40f05db51fbb93ce2a5e

SHA1
b02ecce0ed7d7761e264363f247a93907c14e16d

SHA256
df9df7741c12f0af919324d922056055fac1477fa393a2d5ea2a281130312a31

SHA512
82cc31b0d76aae85c056d2534af9d22b08128912a40efcceb4f6340f2bf3f489a3ff58f7c81be597c5f9092a9cadbaa59b85341f188b19a3f18e66b264fcf2a3

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
108KB

MD5
0ad69d75c417be72f2754e97be5643a2

SHA1
255c7731a959622aaf190e5365c282c9b0c0bfa2

SHA256
52f3bd057f6e682e7dc7a65f082ec4484c33995821a0d9b9cd1075db6e03db9d

SHA512
cd180663567aae6fab9906b61857c6ea0eec314040133a71d91eb2044ef11121cd3ab4bd4eeada642af3e4cfd5861804e3340cec08f09a8eb6d25f18bcf66bb4

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
108KB

MD5
15e19efbe92e0c0727b0d8c0a0d1b968

SHA1
fd330c3646d9abc63661cab6afda9ad7304d7da5

SHA256
963a51ab778ba9d88c6d20d3853545844fe2bbadf382dfebc0ddc04f9f2d4ba4

SHA512
49f88bea7c0e15d138cfc4d15d197b9da1f5af1608448108622888dcd035f33d1d084ef15a430efbe010846e28a84541c1dea4b283f395924bddb96698cc0b91

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
108KB

MD5
68437d77d875155756bd21f807f226c0

SHA1
51583cec8fbde5296ec6b90b2862a1cc9926a9f4

SHA256
d4ecca7fd50b22802109655e094a1f48515e04c0bc8b3f7c712d34b4a2b7cdec

SHA512
f7ead00993fdffa2e35ba1ac0d8e7e31cb8733a17cf022e3ef1a12047a801e90edb66d4ede5402cb311b917bc040d0c471ff54ef3631be39e32231b6329c48a2

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
108KB

MD5
765b30241068f48e0ea3cde1823d0e11

SHA1
aa3d0f1779556a1942a2a1f8e3ab5c05f940530b

SHA256
42ceeed86cf9fb3b75398f1f7f13a59dad58e8ea88abba23382343a73056b1d4

SHA512
18ed91f49c369b4dfac52376ce4f701dacf0654ded21da1462ebec2fbfaf3461b2a444a5534b73f0bcb36ff434c7fff58d2f5d0fceeaa5794f8752dbcc30dabd

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
108KB

MD5
c35d3b6de3f0366ea8fcf5bf0b5a0788

SHA1
d17d2d66c1c437cb2db3de60e4e53deea6950482

SHA256
da546cd8b313c774441506500faea825f1015194820dc80f165c7194614c0a1f

SHA512
c30882f621700cded6dc04afaca2f657329b6480db1a481426bac5a06f734ddd18ad1da39ff8562e8c7b69dac3fa4a2874e8550ea0c1951ce48217d5073db78a

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
108KB

MD5
d6ae1ba957383aebfe00ff6410b0a412

SHA1
2fa2235da74baf7c7e93fe6f170d3c70a923a920

SHA256
46ad07472beb3d0bd15e6761c91744c9ac1b8daa8fb17f6fb9137cfde4c77de1

SHA512
799f57b938882a4200c233465d9826070dff1abb517a85ff6c8252943a30cda305e9713888a249efbe9fad125f61d16b2e99d05f524c2ce60f4f05005dd62deb

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
108KB

MD5
ecc9fb571f865aba78aacc58dc79a415

SHA1
103478acbdbc678a17245f199816fb9e84eace10

SHA256
3dd0fa567ea5b9c218f86ad436f95fbf136ce3ebbeb4d2c839393d74d6d21f5d

SHA512
67492ebdb8fc7be409a3dcb9b77806d70b0892290aadd50a2401febab76605bf9d1b43425fd201b487393570d53bfb7cdfd3671608f7fda9fbbe8175146ba203

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
108KB

MD5
86e0d3501bba32cac649fb17f6401fed

SHA1
62bfe45424a61e5067739bea07571457e59ba2ad

SHA256
88e2092c1841a5321810d45f9424face1f45af2f8e56b1902928795c8b13d3a6

SHA512
06dfafb6549b63cde603bbd9c2125f8e4c8895a58ecc5f471775175a7ed5852c2313fd54fdea7c422719ad2f73862820c5b7386bcc8ccd288f306d35d89dca19

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
108KB

MD5
a5c346490647bbd60759231482153b2a

SHA1
423e4fc325b821c1c5dce554bfb9cc92a212024c

SHA256
5b2d7cc72bc939cce14b2db244ff87371aefaf60d092d274f03e34c840c378f2

SHA512
63921602a95b12b795002c67360b7ef3216df9b2e5f89e75c3d211fc8c148a83d0ea0928a4022a7a487bafe502fb0d4ccb4619ef0d3f743f1fd933fbe6ba6e7b

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
108KB

MD5
24addb746f53bf9d5dabc9040846d451

SHA1
89a68bd939032330062a65acbdf2cb3988af27da

SHA256
cd6a8dd86da47f0eeec26444e6d3083dfe43e57d9b42513aa757c947669458d0

SHA512
4c77e1b7fd63082b2ec0bc0b793e64edb23db9f3de222375abc9e9896843f5caf710d6cbc562437f075d1a08656fcd9051a70968a19c50868da64184f7a872b1

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
108KB

MD5
8901e05c4ba8f330259d0bf91b3f5cda

SHA1
f0469c479de18210dc36a05504ab378e2c592d09

SHA256
c43bb0239eef38194ea9d8e5a94533badd1101581faa3c759ba4f91d901041e5

SHA512
e3af642972ff6beee8183350cf887a70beabfa8583c784ac81ce92dbb446ed97f04c4d6a0d57672d1947e244445ecf076e51f4bf1bee75865af3812072e07668

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
108KB

MD5
bb0eb708eb996326992a983265a91d14

SHA1
de21d4cfa9479e4b8d0d037ca544c12b52ab1c92

SHA256
154fcf0e11c327daa4cead0d14c1585544749dc9c5f3682897afb438351d57a8

SHA512
f14a71953fff3199545f65a618991c74d82fb559c58243319ff2c651b3fe4035da1d8e8844090cc15a50a72dadac7d1704cfd7f2d6d153ad1c7082390d52884a

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
108KB

MD5
1f2ce50b1bb3081852ffef711cbf6edf

SHA1
9985fcd0c1449204d809cb49497cc31817e77e0c

SHA256
84da570f973b8053bfd5ddf64534aad6c373aafb8598d3bff429b25101266a7d

SHA512
cf84de14d72a29fb5b0bd5991791e7908fa7113b226dd24273df3632db4296330f8627d07f915f401468ca15b37076eff25d7c44152af6614eba2cb21713906c

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
108KB

MD5
11bc17504ae6871cecff8047238dabcb

SHA1
478a1332b8d2d9ddf60360a8564544d35cf0323d

SHA256
a81b86e7f7ca2dac716eeea6299fd2fca3fc67e6d7b956f1d799fd23b4d656fb

SHA512
a44cc40dc5c33c983cb983077f7f40cab0fc8d3ee4a7712484a3a394d8b421f43ecaba382910e8bb94605de5a3a2071f33828d279d6dff12068aa947a0c0a931

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
108KB

MD5
9946704a834006aaaa7e42a6091d5f47

SHA1
01d740ba0601060817efbcc1c5f7a264cf951fa4

SHA256
596ab566482710cc9ce37d05d479f9a55981b9f67948348f6cf5db0e4bb930c9

SHA512
1acfa6644742eefc6a663b5e0a4033e0e70143b15b4a9fb6acccb91bddb656b94687120f9f7f6d04f3dff825c162150f00efebc1c65b32052796f80c3797b81e

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
108KB

MD5
c3bce1fc1086f4b0fa8b65a282925909

SHA1
8b89789710822681fb8e3771432f5b79e22ca1bc

SHA256
426ed89f14a6aa98e674c18f84ecb0369be54ad74b73edbe1b9bcd0e8394dbb8

SHA512
8c238f37f22decbbb277432a118807648ba3d4588d1b66a41b6272e5be7922e4e948811db8f667f2e185467638110ab502e8d46c1daede3a5251336247ad6acc

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
108KB

MD5
b9f0563611c03db8a35bb5c93112b8db

SHA1
dc557fc3116203834e56645c6438672e72c9398e

SHA256
e617a4d200eadddfc720236666b214e4291421673c979489d116ca0762eb541c

SHA512
6653cdabf261aed020ec215084a52a3c9eb011218723363c0d7a93b51f05a786b177bfe1ae61739cdc66b39dd38d81c747ffd231d3d9421b8836b634d5a5b657

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
108KB

MD5
c42da29e5a4fe20057f73d3ba20e1155

SHA1
5f7b0952bfe75cf88bff95d871bbadacf7940ae0

SHA256
691197cce92932e2e3edf53d8190ff57fb3b02980a1acf4a99c66aa570efa444

SHA512
71c204ac9a5cf76ee06e16ad88dd9feeadf6808cf2199a7028f23ab8ca2f72bb82b435ecc65e0bb3b55448cd935712c6dc7046915293ee6db2b3e69fd410d73f

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
108KB

MD5
b8f829bf71cecfd852f57f39950a7795

SHA1
a139cf8b64ceee19832268b5b18c82a49c6e7c2f

SHA256
29b041d91ebb507f1c6253487eff6188f2cffed384e72a2518f701d550b9094a

SHA512
b9fd4b9e0f9fe2c6a0690243ba7c301a2b2bae544566c32a6413f3639cfffc3161218e99105d30f75a8aa6933a15c7f870b5d5f2e5ea9cf8cdbe1d2ba4308ff1

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
108KB

MD5
0804fa8948cdd41c49fdfbe0c023139e

SHA1
e3a8fb10f345d42fa70a08077cd52155e5d4c2d7

SHA256
91c2c1d27a121815cd83c6dbd8fe9c411931b10236faee23987c220e0433430e

SHA512
e4d0fd97303af3ecf0733c2eae8d3bd6c76357c381a81739aaa5cf29c481e7f2e2e87f4b5e44c5e59b991a71a407051068f83afa5963b3de3cd2a89a40ca31e7

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
108KB

MD5
383f04c1c5f3818562041cfc105b7827

SHA1
936495767c9ccf6d75149334bb12c006f5829daf

SHA256
5c3b95a24b1a64c12ddf60863b768b911b615523a8d57b6dda00c1c19c0d6ff1

SHA512
71d656ea724fe4a31f7142a98212b75cc907fcb7ebd6fe64ee49bd3627072f7c6000ceb86a9e131b92b4e9b593e43664d97bab046016354483bb1abe400b23a0

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
108KB

MD5
31d7e9eb01d93a9928450724d9318c77

SHA1
77ef7f59750005553ecde08a64a70766d3ec25a8

SHA256
0372e40b45d84fbb5433b3372636b4b4e634c44cc7ad460726421798d9e8edf4

SHA512
1926661308b0757aa1d5f584c588e86c0d9db808405041bc990292454bdf4e84c08e6ffa67794b9110bbb2cae302adffb3dec0a07d0807c51fa2cbfc08e53945

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
108KB

MD5
882791ae1bffa7cde4d03f6cd5cf4e78

SHA1
31d375fe579c33c13457071692bab86982df7b04

SHA256
18703febefbf4b858097beeca7a3032e01265c453d8c3f9d55abcd66a75584f1

SHA512
57cc39b0eb6b5d5d3dab366c874bdb9dd6beeeb7807318fec68081758bfc1cff5e38bc2896036b9651e23163ae81338868d43d8fe04762f15da661b9786dde55

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
108KB

MD5
f82f89729c82429bae90a71165647156

SHA1
7b9eaa2c55181afd23bcc182ad25a4c7772623b4

SHA256
5e8478322715eb27544f2af29035b223261eaf0434f439bebf5b9a09a819b0df

SHA512
cd51619a66f99538ed65ec75352ecd4ab7f3d53e05c3cb5c1b65d9260279fc6f3e7ef4eb6f5013c79e45d18e467dfa276bc26d6fb05aa4832c197f42574294ec

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
108KB

MD5
5c54c262a33cb72d1593f125f07b6391

SHA1
c32e689eacb2ebf482af89da213f73477b7a0b24

SHA256
ef19aa1287e435765ae49905877a923365c074b1d3c98bf224e08afcb7db31c7

SHA512
4cf2b7f61f731473d049a820c8bf17ba0539131d79fe896fe8122cf4b8cdd0da71cbfb39ee604ea40053be195421555b6ee4b7e1ca21ee6c64dae9056c0700ba

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
108KB

MD5
d8011549e1835a700185549c1e73f4c9

SHA1
4544c209d6b0cec661c9a3953876c9ad87acc33f

SHA256
4da324bc1357513b5e9999b985dd5d27e5f6b8bcd590962da0aea46b6be10fe2

SHA512
6a1560965c22d4ca975040fabce3a10e77afa0defa99501ff51d22908dccfae5d6fe19984efc0efef6f3c142fb125761bc0a072c01db893cc655b64433f236b7

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
108KB

MD5
816860e1a33b9d788d0de6376bc6bb83

SHA1
2d4e9bf64a1e7f1b5ec98b2edc2ba2a6919c8276

SHA256
675754e317c82c918ff64f225d0af0afeaad0f33580ad6a8c3d9518c25e8921e

SHA512
fdd9fca9d6807381bb8f343362eb3fb38ec8279b8a6360d4d2b0f18b3773783d0c82c4050510f04c75129c7716acb695478bf85caf1b484d0f9c2e62d03fed6d

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
108KB

MD5
0c2c03a8396ef9e862f86dc30188a041

SHA1
70a3b740b80ebc132cacf852e409a2d217faa0a2

SHA256
832ba4ea72b300a878625c378f9e8bb760ef7f678edad675f725b348427fc159

SHA512
7ed042a6d5e004f5bdad3350fa2eef7f281a69579316da54c11a48dda6d729ba8dd84b2e2693c50891de69ee257cfc700090082e76df57340c8486448d6b0a31

Download Submit
C:\Windows\SysWOW64\Mghpbg32.dll

Filesize
7KB

MD5
451ba2f9eeec7aa0ceacf9389e82c2bb

SHA1
d4f8014cf18fb57e954c2f17e27f9b5482af7f27

SHA256
73cbefc4d243a32a900fd309ce822d59df0a8b47e42490231865b4d3684442d2

SHA512
ddda269bb1ef0a5bd52b6a7739fc5237016f752d76f776da60501ece914529586a4654404a0caadae03505c2f0313033e3726c804b0135ba3bb1d6766639afaf

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
108KB

MD5
fa4de2643ab54b2ca37053245944841d

SHA1
3b7012af91598247118d5cf9d8d99c56826d7aaa

SHA256
a40262ce913435088543aa874ebe4a8c1f831414bf403ef40d1ba714057b7485

SHA512
5282e2b4a8d7369f01b7cf6ad0eb69e3886a3f18299f520112c69894e51dbddd6ea27f71cf29834a298ff8953022aa2e88c662b61585c9815779a48ffeb6151c

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
108KB

MD5
5751e253fca33d68ad988c8bb7a9d2af

SHA1
9019a63dff95e41fb4a2a1d4be9b4ed3e89e9b68

SHA256
7b7aee8c20df5f1376b335483726b47c63ba3c619fce51589babe820ea3dab5a

SHA512
0c93867070faa68b33fb469bc2cf5aa15dd1e539af33e13ae1f910956215c62fc063dd688b68aa578dfc35279027d533744fdcc734ab3a20bb541912074d3147

Download Submit
memory/544-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/544-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/620-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/620-441-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/644-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/644-403-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/840-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/840-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/964-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/964-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1056-463-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1056-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1376-445-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1376-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1384-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-427-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1760-409-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1760-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1936-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-435-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2184-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2232-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2232-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-457-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-254-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-417-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-182-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3096-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3096-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3248-423-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3248-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3452-391-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3452-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3760-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3760-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3816-415-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3816-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3896-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3896-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4076-439-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4076-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-433-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4184-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4184-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4192-453-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4292-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4292-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4316-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4548-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4580-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4580-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4948-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4948-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4968-389-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4968-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-451-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5100-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5104-245-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5104-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads