d3d01bbf11574164575ab3d3903cab27b8c79f7db72d86527212f7d5d19a22c3

Analysis

max time kernel
136s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe
Size

512KB
MD5

a119153166b3eb07a56b12188192ef80
SHA1

201a249ddb5f6efe87bbb8fe6f109803dca744e1
SHA256

d3d01bbf11574164575ab3d3903cab27b8c79f7db72d86527212f7d5d19a22c3
SHA512

80d639edd748057a7fc9b94d95a6186de74e3fe5ae38c54ee9485680a20122008095fad3bb7220745e41e792dfdbcfeef468693577bc2e49924ee801b26c06eb
SSDEEP

6144:LwRu+o5SIDNwt853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:LwMrUQBpnchWcZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe

Executes dropped EXE 64 IoCs

pid	Process
2952	Jjbako32.exe
3432	Jaljgidl.exe
4392	Jmbklj32.exe
1164	Jpaghf32.exe
5108	Kaqcbi32.exe
1508	Kkihknfg.exe
1964	Kacphh32.exe
2140	Kgphpo32.exe
1792	Kaemnhla.exe
4588	Kbfiep32.exe
4064	Kknafn32.exe
2360	Kagichjo.exe
1152	Kcifkp32.exe
1456	Kibnhjgj.exe
2212	Kajfig32.exe
3216	Kdhbec32.exe
5076	Kgfoan32.exe
3424	Kkbkamnl.exe
2752	Lmqgnhmp.exe
3456	Lalcng32.exe
2528	Ldkojb32.exe
1468	Lcmofolg.exe
1944	Lgikfn32.exe
3700	Liggbi32.exe
2588	Laopdgcg.exe
4012	Ldmlpbbj.exe
4496	Lcpllo32.exe
2792	Lgkhlnbn.exe
1636	Lijdhiaa.exe
2756	Lnepih32.exe
4620	Lpcmec32.exe
4744	Ldohebqh.exe
2912	Lgneampk.exe
3132	Lkiqbl32.exe
2568	Lnhmng32.exe
4368	Laciofpa.exe
856	Ldaeka32.exe
2536	Lcdegnep.exe
1320	Lklnhlfb.exe
3944	Ljnnch32.exe
3600	Laefdf32.exe
4680	Lphfpbdi.exe
1740	Lcgblncm.exe
2100	Lgbnmm32.exe
3880	Mpkbebbf.exe
4412	Mdfofakp.exe
2576	Mgekbljc.exe
3444	Mkpgck32.exe
2040	Mjcgohig.exe
4580	Mnocof32.exe
1312	Mpmokb32.exe
2456	Mdiklqhm.exe
1248	Mgghhlhq.exe
4996	Mkbchk32.exe
3388	Mjeddggd.exe
4440	Mamleegg.exe
1592	Mpolqa32.exe
3408	Mdkhapfj.exe
5068	Mgidml32.exe
3780	Mkepnjng.exe
4348	Mncmjfmk.exe
2516	Mpaifalo.exe
3940	Mjjmog32.exe
1656	Mnfipekh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4468	3704	WerFault.exe	162

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 2952	3496	a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe	83
PID 3496 wrote to memory of 2952	3496	a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe	83
PID 3496 wrote to memory of 2952	3496	a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe	83
PID 2952 wrote to memory of 3432	2952	Jjbako32.exe	84
PID 2952 wrote to memory of 3432	2952	Jjbako32.exe	84
PID 2952 wrote to memory of 3432	2952	Jjbako32.exe	84
PID 3432 wrote to memory of 4392	3432	Jaljgidl.exe	85
PID 3432 wrote to memory of 4392	3432	Jaljgidl.exe	85
PID 3432 wrote to memory of 4392	3432	Jaljgidl.exe	85
PID 4392 wrote to memory of 1164	4392	Jmbklj32.exe	86
PID 4392 wrote to memory of 1164	4392	Jmbklj32.exe	86
PID 4392 wrote to memory of 1164	4392	Jmbklj32.exe	86
PID 1164 wrote to memory of 5108	1164	Jpaghf32.exe	87
PID 1164 wrote to memory of 5108	1164	Jpaghf32.exe	87
PID 1164 wrote to memory of 5108	1164	Jpaghf32.exe	87
PID 5108 wrote to memory of 1508	5108	Kaqcbi32.exe	88
PID 5108 wrote to memory of 1508	5108	Kaqcbi32.exe	88
PID 5108 wrote to memory of 1508	5108	Kaqcbi32.exe	88
PID 1508 wrote to memory of 1964	1508	Kkihknfg.exe	89
PID 1508 wrote to memory of 1964	1508	Kkihknfg.exe	89
PID 1508 wrote to memory of 1964	1508	Kkihknfg.exe	89
PID 1964 wrote to memory of 2140	1964	Kacphh32.exe	90
PID 1964 wrote to memory of 2140	1964	Kacphh32.exe	90
PID 1964 wrote to memory of 2140	1964	Kacphh32.exe	90
PID 2140 wrote to memory of 1792	2140	Kgphpo32.exe	91
PID 2140 wrote to memory of 1792	2140	Kgphpo32.exe	91
PID 2140 wrote to memory of 1792	2140	Kgphpo32.exe	91
PID 1792 wrote to memory of 4588	1792	Kaemnhla.exe	92
PID 1792 wrote to memory of 4588	1792	Kaemnhla.exe	92
PID 1792 wrote to memory of 4588	1792	Kaemnhla.exe	92
PID 4588 wrote to memory of 4064	4588	Kbfiep32.exe	93
PID 4588 wrote to memory of 4064	4588	Kbfiep32.exe	93
PID 4588 wrote to memory of 4064	4588	Kbfiep32.exe	93
PID 4064 wrote to memory of 2360	4064	Kknafn32.exe	94
PID 4064 wrote to memory of 2360	4064	Kknafn32.exe	94
PID 4064 wrote to memory of 2360	4064	Kknafn32.exe	94
PID 2360 wrote to memory of 1152	2360	Kagichjo.exe	96
PID 2360 wrote to memory of 1152	2360	Kagichjo.exe	96
PID 2360 wrote to memory of 1152	2360	Kagichjo.exe	96
PID 1152 wrote to memory of 1456	1152	Kcifkp32.exe	97
PID 1152 wrote to memory of 1456	1152	Kcifkp32.exe	97
PID 1152 wrote to memory of 1456	1152	Kcifkp32.exe	97
PID 1456 wrote to memory of 2212	1456	Kibnhjgj.exe	98
PID 1456 wrote to memory of 2212	1456	Kibnhjgj.exe	98
PID 1456 wrote to memory of 2212	1456	Kibnhjgj.exe	98
PID 2212 wrote to memory of 3216	2212	Kajfig32.exe	99
PID 2212 wrote to memory of 3216	2212	Kajfig32.exe	99
PID 2212 wrote to memory of 3216	2212	Kajfig32.exe	99
PID 3216 wrote to memory of 5076	3216	Kdhbec32.exe	100
PID 3216 wrote to memory of 5076	3216	Kdhbec32.exe	100
PID 3216 wrote to memory of 5076	3216	Kdhbec32.exe	100
PID 5076 wrote to memory of 3424	5076	Kgfoan32.exe	101
PID 5076 wrote to memory of 3424	5076	Kgfoan32.exe	101
PID 5076 wrote to memory of 3424	5076	Kgfoan32.exe	101
PID 3424 wrote to memory of 2752	3424	Kkbkamnl.exe	102
PID 3424 wrote to memory of 2752	3424	Kkbkamnl.exe	102
PID 3424 wrote to memory of 2752	3424	Kkbkamnl.exe	102
PID 2752 wrote to memory of 3456	2752	Lmqgnhmp.exe	103
PID 2752 wrote to memory of 3456	2752	Lmqgnhmp.exe	103
PID 2752 wrote to memory of 3456	2752	Lmqgnhmp.exe	103
PID 3456 wrote to memory of 2528	3456	Lalcng32.exe	104
PID 3456 wrote to memory of 2528	3456	Lalcng32.exe	104
PID 3456 wrote to memory of 2528	3456	Lalcng32.exe	104
PID 2528 wrote to memory of 1468	2528	Ldkojb32.exe	105

C:\Users\Admin\AppData\Local\Temp\a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a119153166b3eb07a56b12188192ef80_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Jjbako32.exe
  C:\Windows\system32\Jjbako32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\Jaljgidl.exe
    C:\Windows\system32\Jaljgidl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\SysWOW64\Jmbklj32.exe
      C:\Windows\system32\Jmbklj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        29⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        46⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        51⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        69⤵
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        76⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        77⤵
        
        PID:628
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        78⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 408
        79⤵
        Program crash
        
        PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3704 -ip 3704
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
512KB

MD5
8beaa21f460d2b67a114c7548370155c

SHA1
c099803c18217908767025cb0064f864076991de

SHA256
3cbda669b516588fe1b0b72e28f9148b25b74827f443d94aeb037a7b98ca0b2f

SHA512
f0766856ee7dd1d6475f9a56e422db642ba1d460cd233e592088609c6e40c14224666780e67e75195b3d0aedbc9ae3d773facddbeaac0d6bf1760e9ed3110a13

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
512KB

MD5
79192ec6ce94d945d1e4dcd9aa8193ec

SHA1
94fbf2e6a4df981b342ab3c23429ca5c7b843ef9

SHA256
bfc2f9d5b4cb3e8cbd7cfdb61174dc19b5e4c2f8e37d3e763ebaaa3cf56921c2

SHA512
d69cb064a709c921c485b3f0810f5dd12eadb52e4863bd40b592e6f50e84248d2222867692282896c14ca065b829b0e1a2a26ae9e74fd2633707e70f86bceab0

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
512KB

MD5
ef61fcadea3aa024a4144a70153fbb57

SHA1
8800db0d92de2808cd9f065eb95fc1d3ee63e014

SHA256
be8f57033201bfe831e6f04bbb33d10e00376d0451b896bf016cbdff85667efb

SHA512
46b022053c80ba816d3fd85c85245feee17e18901ba5b970faed33a9f7354053d2ebc0c55d6c45c1b3cb02848ccea648ec42ed7139b35664f1cd82b05fae658d

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
512KB

MD5
6abc83107fc8892bfbafbc19ae37de40

SHA1
f9598142283c5bfed9193f8079b3816e2a037f5d

SHA256
f081f4a70b017a9904906b322b0150c34449f6672d5d4513061aec0cafd0db04

SHA512
f5332707a9148d949231f36a7c3325a8d7660b91dbefb3a22fdd2fb27eb64fc17964866b33b1d950b9e1427947fa76a3bfd6073264871cad82c3965412464b15

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
512KB

MD5
f5a9a435da97ba0c6996cf07ba322dc5

SHA1
59c867d69ab51d1de110ece02957907cb6005a1c

SHA256
f2bdd186fef9cad1dbb087610df44e5c429868956a4bcc2ffdd58092127c9be9

SHA512
bad0abc4df5aebb0430707339de1d941acb33316d97682a03d539f8aa523d065ede676d31bc09406b28b6e1a0465e01e0d6066169f90908a7e14c8641bb96463

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
512KB

MD5
594852b2db8eac1793437e9dd3b51656

SHA1
e68ecd300424dece8d95be2f33626ebc4e96b286

SHA256
2e2dc5cacbf45706e0a6e702493c8ac611a981fa37c836385cdb80175061f4f7

SHA512
c785f67d3617d4e934875f5b702028239d065b3d161b5cfe7e212747a3221c2c1dda98c920477771451bbe3ac3d6eaafe4a26c9d4f827d264844ecf56a55b551

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
512KB

MD5
208913bb5d3c350ae9dceba9c757a0f1

SHA1
5e49f261b8751e9b40ba42693effb22be622a3c6

SHA256
69ad50c1ece962cdd5deea5e518b0ffc0c0bf484ae9d22b367b2ca01a4bc3fa4

SHA512
7ff0fd405e5390dde734b658b8f3cd7252c94504048fc10da81e4158a3351d3a9dd9e11c35fae16d58ed4d59dd3e7b4ec907399925d1a836d470d416f24ba8ae

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
512KB

MD5
121b6faa66754c41b482d152905e77ad

SHA1
e1c31c1034be2cc27e8249f7e9a04258196124ec

SHA256
090e5ec65cc5f24c5070023219963dda0df2d71856d1f20348aabff3bb1f4d2f

SHA512
9f7161fb13f9c1fb871079faeb600f5f5fac3f2ee0f02f0e150cf4330f07fa097dc3c8b1d3055d8651af77bcbf0c1b175b85d11d1e50c282ffb3d22dc50e6556

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
512KB

MD5
94ce1f12905b8356a0bfb70a1dd85ddb

SHA1
1c0284621319aeacb9b17373fd2aabc31cff3ed0

SHA256
c6337bb31bdcfa6e89fbe09864baa5a0f42369ef01bcc28872f4a11f6d1a429f

SHA512
51ecc250f34396f7c5608d7f32803c6687fd1160417dbe4c977465434d2a163f216438685b82a92426ed4cda35932a16ecaf87326223f5a6ed41e7279669be68

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
512KB

MD5
a38aa24e1867d757238040eb7cc5d9e4

SHA1
4e3a90f4ca9e269b4b7ffcb115ae33cbb771116f

SHA256
332b302622b81e588b8747d357150923118bc4c0b92cd391daf37119c23eb9ee

SHA512
970892497d4c9291d3d1304dbd630bf68e67cfdc9df50836bcd2ddb3a5c3d294047b833725a23d28b05afc88f3ca26f4bcda8b8e145cebaaf5e8d9000868e2a1

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
512KB

MD5
8626c4a5683199add7841aa493a457a8

SHA1
fdea5037bef1ca6fb4383fce8e195bef30509c9e

SHA256
27a9918541f2a15ba7dc4bfec8a6eb2e762c7ef9c09d1ff4b0c74a64aafa941b

SHA512
42a23b43b67c089645e422fc3bbfe82d8ef7435c97978066a1302118c04524e8bb426c7cfec311033ba6d72c9fd317695cb9623fe9cd44809258f7f12d6d7b9a

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
512KB

MD5
0c7240740513a4b41309d0dc17b1f789

SHA1
bda1d9ae5ef19133fec935ee24ca61dd1c430247

SHA256
868c0f80bf8044eb5fcfb8e93d0f1070d55fef8116aaa25d2a7ebdd5ccf1e111

SHA512
88a6e2f8402ab494f9286324464c3f33c8a220de898f0c19de106788bc8612fc0e5b21d063689254d39c1dda44f18ccec77c703d8534c9ce7f60ad83f1369a8e

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
512KB

MD5
9b93b414d3a8804defefa7d3af18446e

SHA1
cf38ef0b89cdce7f510230250967bb810a4cf6c6

SHA256
7a163b191b509b512b32b38fa90931e44c1a2b809755d8160eaabf7fce680e36

SHA512
abf975bb7d5f1b158565858a35023c891b9284797fed67ea2566ee20e08699fd8961209ed53c788180f0193236d3d547d354e0c148901d4f5ee6a259e11505d6

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
512KB

MD5
e589429579e1c7bcde0a5dd59b43c07e

SHA1
ac18e098fa95295445bd2583e333c2f3b37952c2

SHA256
79fd320d7641621e7a9159186ecf3e8a54eacc054273414dad96fc6db192f8f8

SHA512
c6c23d436e4895a70958178a2b3e025eec3ff5cd5e4130908a1a40efdfb79f423aa80fcc6451478d1af13ce7bf1fee832522e1ab8ba76f1fe71e967ee85462e0

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
512KB

MD5
18bc933e327a0a5fcfe5f7c84cbec5b6

SHA1
4696cb35921a4d28c6fcf8aed8b2091104958061

SHA256
0702324930bae1db143cfd5f3404cc80fca97ba5d6827647a6b535a8f406386d

SHA512
1c9dd0ea8a000f228d5ae474348246550379dd8979ad8eb8214a174c743677317214a373644c19140fc6b7c7bab1d9a21b24d06e3bf726b6276de7ac951470e8

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
512KB

MD5
d0f8d6d75342972f462489de22e6bb80

SHA1
fdbe45dce157ab345646e2182a8832b77df549f4

SHA256
efd0bc70327c0834da3610381d00ec2659c6a6eb520b232687bec05a958590c8

SHA512
bd8721a428ec340ce784ddb4bceebf64b5d52895779347537dbac9c1805f0a96fe56cc89322c993546d5509a669e4ae3b265aba8131902d4653ff1d3efe66b12

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
512KB

MD5
9b59d6e87f25963f62008e8c75f1d000

SHA1
40d4384c19d77ab156889ff68d1019b7defdfb2d

SHA256
25637d578f262cf90b5c2c109281ad999fe019b09e18a789cfb158c3d7d44171

SHA512
24d7e8e5f8680b7eb0b8bda47f7a49945a3f1fbaba30603f770eac828855c2bb1737ef1df01dd065324f05a7d75934732cbc81912920343a203f181abaf54af6

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
512KB

MD5
373e76dc11353c9b2151bc164d87a8e9

SHA1
12b8367213b87da71795c9aa056fa644ddfc94a4

SHA256
4e5ef41620e125b3bcaa8a3013c59dcd687498af7f6d670c83eaa7b514989d82

SHA512
248f371d02047283623beba329b907a244ca10280ad5132b331ad266274b43826f181fc69aafa6567e989db1a6cb7738fdb266353d6c578e4adccdfa3eb83999

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
512KB

MD5
71e993868f7d55e24ea61e4228a7abdf

SHA1
b370623b6f41da1811bd59dfa42ddfd22923b850

SHA256
6f2ad68ad3a8483f930a7fb560924fd902a50c01c0f756e943031790654cdfe9

SHA512
587fce6536f975be7ea8141c6c65e2754606a645c3fa4a5755bcda527ac923103e4a6b02621adbc300be56ae78f9cda8b497baf966b0ca79b02e223062f437e1

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
512KB

MD5
c4bc561ae31263cfb63b09def86259b1

SHA1
57570966e0d714e79d5446644869d083dce95e11

SHA256
b1fc8904ea22ee11c41fa1714ebc6fa58a1b5433977e36d52fca80266a0179b9

SHA512
698f8f6327a2ac49b4572506c6d9622f476b21c61203ab3fb69169cc93a850d5a1a8c5c17c5c172646e8b5d375cd0dad23ccc8da5a2a608f0f0cf662776ffbbf

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
512KB

MD5
0ed29f153129fe3c43b44fe9dc15bd35

SHA1
70e918a80af26f86940bd89954fb02a11860b9f9

SHA256
b0ef3dd95cbb04f3740943a31e69fec9183b4b1b1e1ac046c6285626de8df62f

SHA512
01a42c44da8a1297a2ed32f8edbc6f365bfbd0a0bb1a21d0e16b78e87497c549c18588fa8c281dc70635a706322da6599df508024b4129e63f43e7dda5015240

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
512KB

MD5
b41874de165c9787898d319e6e345784

SHA1
da231d91cff3e25df40a0544631a1889e0f353fd

SHA256
412762dd52dcf80d60e0b3b5c095bfa2d8d8944fbe9e7ec2a5f66b4c2af3cc28

SHA512
88417c6790bf245e6c73aa66888e8f3101ab722e0b47927ea255ef10578aa29cfc6721978f425dffb6f4a4c1d8dc6c78240eb8cabab5ab5247cd1e4be6ed9b1c

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
512KB

MD5
54b210f32bc2b7a47697814ed0dee61f

SHA1
7cf3b48e536e364f6c407465c9e2560cd059962b

SHA256
a7016bd354242cf867c70621c606412b2ecd00362826224358c577f19ef8c129

SHA512
c7a24cead73d4479298cd46dfe9c461ea3d35ffbbfd13eefbc62b4eda4d981f0e7d7c262a83e7d7d991325a886906952acf0f778a96e38c3974187356697b428

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
512KB

MD5
cc6bad57ed94832da046e20430be12a2

SHA1
d60a5cdf21320bbc168e386f8fabd5441653f962

SHA256
7f2f7219f4ff899d8291e9d884b4b6ab8db6432685ce05d52b0a9efb0327554b

SHA512
e4958f193b07037035ae7d6b5a91fe2a083991aa25ac115391ef135345da7d2cd2e487a6683a6b1db19d46dcbd9b17e14660e97efa8204fdde6d74b1f5c5c66e

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
512KB

MD5
ff1033df20cde68b9b0ad788010eb725

SHA1
459c23f234dfa3a434ee0b6ded74ea82190f8296

SHA256
a1e8382f1e3cd6354e3bc882ef939b1ca1907dd7d1b5e04177008fb0aa24f5a3

SHA512
1e39f14b29767bd8ec3afc2baff6514b15bf7dad8cf852caa39ecec8d53b889ee53e82c5f9418e4fa293b8397c572ddc9034bb7f85b9e167d768a2367d61a48f

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
512KB

MD5
8475414170ba533b8c5b8dbe6bc45418

SHA1
30e96b92d0f3cfa340ed87a607034319ae38243f

SHA256
410c910ad2e46d059a25166feec94dc18ff6081aeab58b160e5dcc23d01ad19c

SHA512
ba8187ff033a788275db89dd2fd53fdd8134046581d1448747167573e9ad3adf57e691b9570262ae19ad0b08993598c4810bbdfd9e58ee1cc6fbb603c2b7ebaf

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
512KB

MD5
a226354c7da789397859caff09fdafd0

SHA1
83f261cd54e2c24bcb46aabe0523f04f78d7a381

SHA256
d1dd3f60b64573bcdd8ce3e2f9aa3299f4152bad2d8d04ec106164177c76a1b8

SHA512
4d9bb42d89e3dca465a272d981a0370392c71daea19865d7fd742222c2426c27152f91467dc0f880efc0096099c0c0c5a7dd483cca43d4b7d120fe12a1a084c0

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
512KB

MD5
7097b40fc8e2f4dc1fde77a165d057aa

SHA1
c0aa16542840136d83da3c44e09887b9fdd5fdf3

SHA256
3ad719694f26862d7d7291f5fd41d8f6e83a1e5043fb4cd82ebeb7b9a10b0ff3

SHA512
36c8e3a1f3537bb0af341a9e5f05e111cbd66308a5430dd9e8f1befb3f5648df8957fde64f965d6d06668da6e3102a7d095bd18593a609e553f69400f970d805

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
512KB

MD5
9deeb469fe609cc22a9215adf0a83c74

SHA1
e678c7592997b26ce8bb3d4366de669f870cf072

SHA256
1caa83a4868939704be9c945384e911c5774a54e64b1c955a41dafea39974d35

SHA512
6886157f052a569b4c6487c9e8361737d7a96d3f85fda20052e75bf625eb897a529f043488bacd01ff6c29588af35a04af624626e03627ecbdaefd96a6c0d194

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
512KB

MD5
28d524a7874bda8f25c7cfb2d801830e

SHA1
5f4d68182e182056ee64cefc61e5f5666c6dcb5c

SHA256
c08825c5022ea33d3932f8c3d8d7dd587b2e7e825bb8e0703023b766e5d6c431

SHA512
563282d26ec5209e82149bbd9b3b1c0de884f1e54bd069ca4a5df205f7bf812176d20a3b93cd5be026949fc4b7738f92572fd241dd3f6a80928ad4551f83c222

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
512KB

MD5
f12e89c094c2f51d19dbcd367d1db82b

SHA1
0110757b8c3ad4dc8696af302360e2cc847faa15

SHA256
220642f5e344d87c900ff39a90da84e34409b04c1466038bf82f111f46555199

SHA512
b00200f9e8e41f92c2753817d4058c339546b113c6ef25849bd27ea3ee0608d1999822f42484a5a73eb0df8f677c49e601d55cc916657cc4c1a8fa4fe58f09aa

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
512KB

MD5
0968f13d37806268267f587e20538bb5

SHA1
564980adef18173513c2c7e384798723e9c4b2dc

SHA256
6147d9767c5426dbf2f3c86ba72ac1943827182ffa16ca98a7b76f0ebc3da5b0

SHA512
25233858ea6720066cb73c214587adf4aac5283d8fdada78e610ad5f95b923c805dc9f26e75f88575fffb0fd3d3115fbeda8959f8d1b9232d11be87bfb9fd640

Download Submit
memory/116-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-498-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3132-409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3388-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3780-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads