eddafea5666282b799e49ae07967c1dea163e814834474fee11f75eb72387cc4

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe
Size

89KB
MD5

15c94b46de4dbeb4db2c63d25b866830
SHA1

1f759d5b62047ba72364964bfc3186a9977319da
SHA256

eddafea5666282b799e49ae07967c1dea163e814834474fee11f75eb72387cc4
SHA512

9ce464b5ea828db479132c10e2d5d171e898bb2459ac0717ef5b57882b4af2eef40a52ad6fe31c0d3b0ab92b815ff5ad5088780a0955921b37c1827057976071
SSDEEP

1536:wQnnlUj+fVGyalAC9J0fWL+OagGGfgWCcXlExkg8Fk:7nnejwqAGJ0f+wUfgWCcXlakgwk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe

Executes dropped EXE 64 IoCs

pid	Process
4600	Jbhmdbnp.exe
3340	Jpojcf32.exe
4516	Jbmfoa32.exe
4532	Jmbklj32.exe
2684	Jdmcidam.exe
2628	Jfkoeppq.exe
5016	Jiikak32.exe
2008	Kaqcbi32.exe
532	Kdopod32.exe
2780	Kkihknfg.exe
1556	Kpepcedo.exe
4468	Kdaldd32.exe
3368	Kkkdan32.exe
2264	Kaemnhla.exe
1344	Kbfiep32.exe
640	Kknafn32.exe
1424	Kmlnbi32.exe
1780	Kdffocib.exe
680	Kkpnlm32.exe
1004	Kmnjhioc.exe
1552	Kpmfddnf.exe
2552	Kckbqpnj.exe
3388	Kkbkamnl.exe
2356	Lmqgnhmp.exe
4900	Ldkojb32.exe
3832	Lgikfn32.exe
4528	Lkdggmlj.exe
4336	Lmccchkn.exe
2844	Ldmlpbbj.exe
1228	Lkgdml32.exe
4960	Lnepih32.exe
3128	Lcbiao32.exe
2988	Lilanioo.exe
2764	Lpfijcfl.exe
540	Lcdegnep.exe
3416	Lgpagm32.exe
4452	Ljnnch32.exe
4636	Laefdf32.exe
5028	Lcgblncm.exe
3796	Lknjmkdo.exe
808	Mnlfigcc.exe
4432	Mpkbebbf.exe
3172	Mciobn32.exe
3584	Mkpgck32.exe
548	Mjcgohig.exe
1244	Mnocof32.exe
3240	Mpmokb32.exe
1588	Mcklgm32.exe
1508	Mgghhlhq.exe
1652	Mnapdf32.exe
668	Mpolqa32.exe
3768	Mgidml32.exe
1476	Mkepnjng.exe
1900	Mncmjfmk.exe
4192	Mpaifalo.exe
1396	Mcpebmkb.exe
760	Mkgmcjld.exe
2096	Maaepd32.exe
1680	Mpdelajl.exe
1332	Mcbahlip.exe
4108	Mgnnhk32.exe
3840	Njljefql.exe
724	Nacbfdao.exe
1488	Nceonl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4388	2524	WerFault.exe	160

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4600	3100	15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe	82
PID 3100 wrote to memory of 4600	3100	15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe	82
PID 3100 wrote to memory of 4600	3100	15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe	82
PID 4600 wrote to memory of 3340	4600	Jbhmdbnp.exe	83
PID 4600 wrote to memory of 3340	4600	Jbhmdbnp.exe	83
PID 4600 wrote to memory of 3340	4600	Jbhmdbnp.exe	83
PID 3340 wrote to memory of 4516	3340	Jpojcf32.exe	84
PID 3340 wrote to memory of 4516	3340	Jpojcf32.exe	84
PID 3340 wrote to memory of 4516	3340	Jpojcf32.exe	84
PID 4516 wrote to memory of 4532	4516	Jbmfoa32.exe	85
PID 4516 wrote to memory of 4532	4516	Jbmfoa32.exe	85
PID 4516 wrote to memory of 4532	4516	Jbmfoa32.exe	85
PID 4532 wrote to memory of 2684	4532	Jmbklj32.exe	86
PID 4532 wrote to memory of 2684	4532	Jmbklj32.exe	86
PID 4532 wrote to memory of 2684	4532	Jmbklj32.exe	86
PID 2684 wrote to memory of 2628	2684	Jdmcidam.exe	87
PID 2684 wrote to memory of 2628	2684	Jdmcidam.exe	87
PID 2684 wrote to memory of 2628	2684	Jdmcidam.exe	87
PID 2628 wrote to memory of 5016	2628	Jfkoeppq.exe	88
PID 2628 wrote to memory of 5016	2628	Jfkoeppq.exe	88
PID 2628 wrote to memory of 5016	2628	Jfkoeppq.exe	88
PID 5016 wrote to memory of 2008	5016	Jiikak32.exe	89
PID 5016 wrote to memory of 2008	5016	Jiikak32.exe	89
PID 5016 wrote to memory of 2008	5016	Jiikak32.exe	89
PID 2008 wrote to memory of 532	2008	Kaqcbi32.exe	90
PID 2008 wrote to memory of 532	2008	Kaqcbi32.exe	90
PID 2008 wrote to memory of 532	2008	Kaqcbi32.exe	90
PID 532 wrote to memory of 2780	532	Kdopod32.exe	91
PID 532 wrote to memory of 2780	532	Kdopod32.exe	91
PID 532 wrote to memory of 2780	532	Kdopod32.exe	91
PID 2780 wrote to memory of 1556	2780	Kkihknfg.exe	92
PID 2780 wrote to memory of 1556	2780	Kkihknfg.exe	92
PID 2780 wrote to memory of 1556	2780	Kkihknfg.exe	92
PID 1556 wrote to memory of 4468	1556	Kpepcedo.exe	93
PID 1556 wrote to memory of 4468	1556	Kpepcedo.exe	93
PID 1556 wrote to memory of 4468	1556	Kpepcedo.exe	93
PID 4468 wrote to memory of 3368	4468	Kdaldd32.exe	94
PID 4468 wrote to memory of 3368	4468	Kdaldd32.exe	94
PID 4468 wrote to memory of 3368	4468	Kdaldd32.exe	94
PID 3368 wrote to memory of 2264	3368	Kkkdan32.exe	95
PID 3368 wrote to memory of 2264	3368	Kkkdan32.exe	95
PID 3368 wrote to memory of 2264	3368	Kkkdan32.exe	95
PID 2264 wrote to memory of 1344	2264	Kaemnhla.exe	96
PID 2264 wrote to memory of 1344	2264	Kaemnhla.exe	96
PID 2264 wrote to memory of 1344	2264	Kaemnhla.exe	96
PID 1344 wrote to memory of 640	1344	Kbfiep32.exe	97
PID 1344 wrote to memory of 640	1344	Kbfiep32.exe	97
PID 1344 wrote to memory of 640	1344	Kbfiep32.exe	97
PID 640 wrote to memory of 1424	640	Kknafn32.exe	98
PID 640 wrote to memory of 1424	640	Kknafn32.exe	98
PID 640 wrote to memory of 1424	640	Kknafn32.exe	98
PID 1424 wrote to memory of 1780	1424	Kmlnbi32.exe	99
PID 1424 wrote to memory of 1780	1424	Kmlnbi32.exe	99
PID 1424 wrote to memory of 1780	1424	Kmlnbi32.exe	99
PID 1780 wrote to memory of 680	1780	Kdffocib.exe	100
PID 1780 wrote to memory of 680	1780	Kdffocib.exe	100
PID 1780 wrote to memory of 680	1780	Kdffocib.exe	100
PID 680 wrote to memory of 1004	680	Kkpnlm32.exe	101
PID 680 wrote to memory of 1004	680	Kkpnlm32.exe	101
PID 680 wrote to memory of 1004	680	Kkpnlm32.exe	101
PID 1004 wrote to memory of 1552	1004	Kmnjhioc.exe	102
PID 1004 wrote to memory of 1552	1004	Kmnjhioc.exe	102
PID 1004 wrote to memory of 1552	1004	Kmnjhioc.exe	102
PID 1552 wrote to memory of 2552	1552	Kpmfddnf.exe	103

C:\Users\Admin\AppData\Local\Temp\15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\15c94b46de4dbeb4db2c63d25b866830_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SysWOW64\Jbhmdbnp.exe
  C:\Windows\system32\Jbhmdbnp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\Jpojcf32.exe
    C:\Windows\system32\Jpojcf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\SysWOW64\Jbmfoa32.exe
      C:\Windows\system32\Jbmfoa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        30⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3796
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        43⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:724
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:788
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        75⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 424
        76⤵
        Program crash
        
        PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2524 -ip 2524
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecppdbpl.dll

Filesize
7KB

MD5
478957694de9f490660fee0cf71dc82b

SHA1
34f3a50ddd2421a435b46f0d52eb4e62715e13e6

SHA256
66312f42fc0afbd82575b075a7615eeb3d1fb8a125d73c95266dc79144067dcd

SHA512
a83a26f312404568372cc63f4730ed602a1e4b4054a436e1e75d6e066317179639a8a9aadd9f31e59115c73cf0f35cc3c15b0f6dc55c4a997a5d34324ad202a3

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
89KB

MD5
374def7f3e0839206800eaa43c6b2e36

SHA1
7e444bf51739ed89bbc22e4c4e4aa7d4b42b1fca

SHA256
4bfb3e556d13bdbf630f6ffd4f88806563b73b899feab09d8750f422cafa65f6

SHA512
fadaf135bb4577a539845d1661eef5398e1ecad73ae3ec490986241e1b1c9e647b531799df3bc4e9421338b4d1b48ddaca1c8d9643b999e9fe62721bce46d25c

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
89KB

MD5
276f87316528f0c6303ce8eda7836cd7

SHA1
ab6ce6ace3bec2105e07dfa8b1446297aca3b49e

SHA256
4676cd61eaf5ebc0fb0553e5b51b0cb9ee9c954a7fe245ffdf381dd094b89ea6

SHA512
fdaec9bd16d309a1f8b6c8e18e85eaf43f7bbb829b29c1db7639b9a10f35487ba3b577375b00a37e0ccfc10389d0937b40c0a2a98ce4e7b4daaf4eb702a48015

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
89KB

MD5
5ced36c681d245467e4a2b7e89c4bf2f

SHA1
7f3f6a6a8e36a069cf70a9002902bb3b43a8429d

SHA256
22b07e79a81d7844348259b316c8791e34d5e715ff9872292ea991b9e07bd60c

SHA512
28632e8208ef63a2f81ba661f3b0de5c16a10621a9eaa42a6de7852a10c29de68ba3e88203a9f41dcd5467a165e39058e2b838c207b7abd82316a53e358f54fe

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
89KB

MD5
6f9085598396d866c8f808239df705e7

SHA1
5095c9fd7cd3a462e55f27a9dc35cee2b7de3cb2

SHA256
561e604402336f966ee25e47a6aa746aedb1889e73225f42c8bcaf698c629d38

SHA512
c3f4a08e9ef50cfec06894157a5c130329618b3bf5c2231718c86ea8db151a34bca1b653f1e98431ac6418036294842e7ef6321bb946c4dfd01bcdd1dd5c3f73

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
89KB

MD5
9f17284bda90ccaeda90b769dd9b4562

SHA1
1464d8833e0fdb879d76ac3a250bdc13f7f5e4cb

SHA256
35f9eb617ac5698433f516a923e15dad59bbdf0c8dde4a4b8bd8e771a6d88099

SHA512
ff456d5456750c629e41849056f3507fc9669fd9672852437b8c2c2a44384239d5f0c5c6668eb743bf8bcaa7765209386009aae83924ec5ddb89c470c6104580

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
89KB

MD5
dea0c477728f112e6fd346cff60921b0

SHA1
6d22f102f2bae0f0fe66b53839847a8b521a9c37

SHA256
aad2255e23ad1660ad3037cefc72f2e6723303ce5b849281cd923b2bc5f41515

SHA512
9b6d75413704c88af7c352891eee1089e8f47b25c30cd813cafdedb1cd2c6c0a6f0bab994a668950360f6f4319603625e638703dfef1bd8b05eb8c997be09483

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
89KB

MD5
07c3ef3dead335f8155385bde9e1ef6c

SHA1
93b4aea9502cd2af42820095e99525374dbab0fd

SHA256
6f374e3a4b5c0f34990a2e9b2f6203fca80e01c3f5c1bf7f93b077c089746b75

SHA512
48c3562886970527e2874578b0dfb05ca79345e73b47ffde50de8614c92e8a24f43a3aed7df722b6c1d32e0dc4d183e0d06594498e6bfe1561fa5d2abdee20d9

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
89KB

MD5
803e503f833cf9302c1fe520a992eda0

SHA1
6d9eab2514733abb46122cd0157f289b38a213ad

SHA256
fce84feba087ecdfa88418acca051b41268e2a4fecee5eae34764aa2068ca0c7

SHA512
232ab8dd4b36bdc55938d0e7921d0fbce6adc24ed318d4ebe9ae86ed49af3362dc606f3de3d85aa49ee5b06a6d0b2a738e137ea612b862e325e45bb904296765

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
89KB

MD5
94eca695e06b0a6b8a8c33a9d114dde7

SHA1
e65a70cbb8e6c9cb3ae83c26aee9b38ed24f5539

SHA256
d889061fe4492e76bcf7088615c0a9d28326f13f31b05f081e79c587b8bd0976

SHA512
4805fee2ab4ce8535cbec6011e348973b779bc21fbe70319e47eddc83fcc2be1dfb857c8bbf6dc7a2dcb5148df6d7bc76401af434f18c1127eccc07e40afe0cb

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
89KB

MD5
6dfc689aa5a1586c21b1708f8f58bd95

SHA1
831d24e27036e0c4e4dd4d2e63cf23431ee0d53e

SHA256
22045ad1feafddfdfdccad8d021403997d9d1236e3ab4e66283e7af0efc07eb7

SHA512
c421d3438b5250acfc408673cfeb0cc7b0144088e7311376aa8d9fbfdb0bd480c8999f0eb608abff55d805b72024fd748f3c0dcd48707e4bd2c6778d55338555

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
89KB

MD5
f495d80874a31ce0d7eaefddef5ce03d

SHA1
cc4d066356d8c9ce39de4ef2e71357682b027301

SHA256
712f96a534dc58eca27b3d5d335779f04ee61a8e635555829919d3aa4cc839b3

SHA512
16a4763153c84ed98b034ea9fe52ecab03156e71acbc0ea29ac19393bfe12c5578944f95f1e994c7359248a3fe9e21a5b1a97988bf20a054eab908d9698c5708

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
89KB

MD5
95957251e6448e3b35b0bbfb7885f071

SHA1
8c2c30efeccdcd993a2b3ab27ab3c9b39719002a

SHA256
079732146c1bd72c690d759148adb4aa3c7f27758fa4b3e35863ba5c7646b001

SHA512
30e202a4cf6b24707736de61a160beda069b62acc1616d9069ae263fdeafa3ff83e4f2dea61975fd0d04b9acb9e76efc229b6cb4948eea4774a3cae448373d3b

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
89KB

MD5
3eaa0b834499e7cef5214d07079b57aa

SHA1
95b2feec32d69209f8f88cbfdb17f8a8ffe92fc9

SHA256
81018f4852022b53bde32d7c999cccdbe5868b896bb1cbc1c4eb7e5309585cf4

SHA512
75bd5e2415486b17c4468010bc5e43443193c24778b8cacb7729b20424be7e4024af9ea3be3b6ec0787355329e0d6ea1190dffb410862739229a10fdbd15d9a9

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
89KB

MD5
c987bdb4663f607c50f22f057b059609

SHA1
feb4f373678a60f522cbab804a698f670aa71891

SHA256
d36bb948264e40e3e52475cd557961606574d375ce54a1e871c1deddefe2c7c3

SHA512
2273ce6cbb85b269d61f2f21688848a50d627ed3635b055633d1d9300338c1c12a194baa39d5f9ab890d03210923cdff7b1a798a30decd864cace18d53c97adb

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
89KB

MD5
5ec3c56af23f7c1df4eca791d8776288

SHA1
6c5b091adfb89b6bb9792f45fe3f9786290810f5

SHA256
89d0037e4a8b1c442f0085d711d3575ba33f3f1eebbefad95bcd95477c85c0e0

SHA512
b87ff9a655db00ef48d9711af3b328ce316ec4f2a87a2ae97e681406d3e6068e491bf7d64e1edee1cd070de62613ddafe224ba1662c0b1a712a46cda1c8062ce

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
89KB

MD5
704a586ba6abfea9a3442714487c7817

SHA1
6fd123fc7560a83caae84e15140966a9d2b45db3

SHA256
81a280a759cb3d968f7bbf8193ceb27798d4b2c49bbfcf627f4513c786d927fc

SHA512
af5b3a12f2d556d804b682004d720a1cbdac9d4587849c17d2bb07c5be7143751d8c27a388ddb0f8141c58384b3841ba9f74eaaad8497438bed5650d05486f44

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
89KB

MD5
a396e583e6cb2bdbc7ff86949d193ed7

SHA1
0b85f4447916775ea9afba9e635483b7e9245d40

SHA256
de2a60f62886ba538c11d9dfc2d9d75a845e862317858bafbc4b01b105aea825

SHA512
a55b995ca5096599a59e43e7db9b725c9810c3cca7688a9505d0b1048cc2019b38f614e502cd5f50c8084e85d7960cbf4fcbf823ef5a2a3d038bbce56f0ad583

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
89KB

MD5
d972993b9e0932f86aa937dfbab6c745

SHA1
68e8c5ff928a78c8958ddf72207c5d45ca839718

SHA256
c2c06f7e4a298257d1eb1dac6c151667361c0be337a3466407f305bd84b35d79

SHA512
8569b071e509bc8d1c9cf61b916ba3b63164e2fbf39aba30ef136b84c36482ec654fb529a16137ce47d57b15eb7d6ccf93378cf3e9ac447cc137841ee2b0d7b8

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
89KB

MD5
255dc5f3c53b75b2d632f203e66631cb

SHA1
1b91bb15d0c41b9557253ed932f7807f98baf7d5

SHA256
97f673223c4381808c4fafad3d180945aebca67165129104a2ac781871ec078d

SHA512
da158c157d9e75a035375cb6bd65fcc92d53db031a569e13a564739d4c2feba3b0ca3d0093ef46b8503e22e90bd0ceca24dce0d6e294f0704cc69e57306630f3

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
89KB

MD5
620d31cc86709f0367fc11abdd52b899

SHA1
b8389ddd1016dfe39751c5a521064d11f5c876c0

SHA256
f9a8d69d331c89993e90062f8f5dc06b7b86e3b880e2ee6a0c029826b74325cb

SHA512
a621caae1518fdccece67b9602837ddb39484fcfca2517aa9a0cf1f3b0dae92bdd834f83175023f87f99317dfa999706aedd977f8e13f76912069d537283ab39

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
89KB

MD5
a0cfe7bcc76e30bc7c8ab1322b0962a2

SHA1
8836421d9156b855dc9df5e109b49043a8e8528c

SHA256
442950e49bfe454460180a252f7947e7489c967ea22f8c0c780b505963c14a41

SHA512
6f5965641b4a7fa0fe2d8e079574de0cc5e37c48bf36a3dd366ae61c8e50ce457687a0025dc0b2b9a33206fb4082aa31a8c19fa00372e39ab4729f7af592608c

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
89KB

MD5
dd1cce9906f099f81d1ce219dc1e83d3

SHA1
910715e853ac43474d0d3c6b3a5bfdbc0ed5b534

SHA256
a69e736132d5bd550c7fb720fd6cd3ac5697f3e67533bf287b645bc5c8f3f7c8

SHA512
bc6c19809b920cfd3acd2a68d45526b94aae2fedc410a755c9e442cbadd328fcdd99b0b796b434eac8be0d75780c6f1988e558ae705ff57b17c0058922f9eaa7

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
89KB

MD5
89cd449a8057ed1320b464aeaede6419

SHA1
66b7d1b56263e99d786f2934c7b416159428238f

SHA256
53f3e932d752e95f20c1e17d1e86c36a47b0416360eadd461139aef30ac61324

SHA512
773341fdf9f375e1d53876b6e4b03825c4154cb841c2b65d99b4d1822e843f2a4d59cf0a6c4deb9d850051a40b00e0ad1b22d03d60cce33942e755cfb3f92325

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
89KB

MD5
97c473643faff63539083850d9eb42f1

SHA1
182bc12590afa4026fbf84d1f80331e701c028e6

SHA256
ec27cd61f7774478bd28bfabedf04babd54e7d9855d009ad93923ad0ac2e1954

SHA512
3740657e6788b11e0fa0099eccd7204a043b47ee76a51c4c97b48c6c43cc4b41d8ed8eb9b64f5987ae92b0ee9de88b3a57c4751ac31b7cd7a51e66daf9cc7fea

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
89KB

MD5
b7f748ee4c707ff8d2b9366a04d52838

SHA1
20ea479c86f086aed34c607e87f1acb1415cb7f2

SHA256
3d9969a9d5afdd73d66fd4a596bf68e706792ea956b718f9c2796cfa2aa9686a

SHA512
3315d465e8592a7935de930fab0b59e0565d4c5eaf3d476be0e1d5eca4209bb998ba2c6224ffd85aa47eb96032a7488feedf3aa8d0efdf75bf8c7fe96f2dde6d

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
89KB

MD5
77d706412a2c9ac04aa171c852ae4cc6

SHA1
1daa57e7cce859e2cd4ddebbdf02e4404c36e65f

SHA256
79ac1f1c5db8bc06870eba1dd0a5b10d765bb2abd9143f1da28bf9eca1994e49

SHA512
8655a432ff57d90dcecdf2877d0d5fb056dcee6c948f76452750959648ea3f0d925ed3e531bbba6215be1426a07e69458c6e6326604a86f86398c8c191c50a5d

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
89KB

MD5
8b3c1a216cf0a74b158cea5b29bf4c89

SHA1
a694048254e51e3b6e23dcc5e0e1ae21a0865c4c

SHA256
f51fdb3666f98e030fa73e64a4066119c715bfbc8c4053aa1c7f164e0fd7e235

SHA512
10f67b2014aab86d3183a0372d372d54532cc1172b6b40fae22c66831899308bb1f87258c8ede916663221ff2e7e68dc27ec785294280094f54318013f02f8cc

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
89KB

MD5
e416d15f286bee447bbf823353194720

SHA1
692c26975fa2b74b138ef90e2f054e9647fcd44a

SHA256
e622ccc6bb6342de29113826e198bb2217b75b94ae0b718f1909cf8b34a217ec

SHA512
4182e0663a821f77c91cda0ba8e312d8ebfa58d639f2429ef7a7c14c1924f956dc005568147d0feb182b5a170468379b725bfbc68800055488dbe10d58abef88

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
89KB

MD5
6a2f6d97a287385127b2a06307da9900

SHA1
fded1086bad2537fcf9004cda1f00f6c256f047a

SHA256
28657306dcde456601002b2117fa57304a1207c4e368344d08ea310219769f62

SHA512
f025685c80b8654f005b6fbc5e5e1121d9589e0be7e13c303f41d00d7a81a30d3423e540dc813e960c6f760b3d3ad89ca9044492ac0891b53c9079963bc674e0

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
89KB

MD5
b84e711a277f80d20df13bff3d333937

SHA1
adf36f31ce3c937ba4f9d483196974cbb4be85b8

SHA256
8b3ebc6f5635305202d81aa75a13b8ae78eb8dc3105c4f1e2e4fe6b5c6de4820

SHA512
f316285556ed6d27039a18e535fe3ef8b4da632ad82779f7eaebf27bc9411536c92164d10e09617d7b4e25768042845d4bc1a7bc5591f059cbde31854f1cd002

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
89KB

MD5
a8d6f860d280cfac023d5f6212605688

SHA1
a8c939a08885b29575df046c0ab03973c4ea38fa

SHA256
ce8b959f734dcc7ed01d2cd5f983e5816c733ea2e72d4c37ec5f9bd4740cb2a0

SHA512
da9c9fadb0d7139e462b17380a5ed74c45b8b49ef4347900806c3ce7913a047a8e1c3ad79c35fe6715458fbac34267321fba625e715a6988bda8f7393c69a8cf

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
89KB

MD5
bf77e22e0f5c0f85743d6ae6c477f6b4

SHA1
6d34f2df8832d76c023507477ac4a18b13b7309b

SHA256
0c35b15d41d80c2dcd979590bfc9d4c29c77c290264fc9f06fc8597c572e0f91

SHA512
0d490d15722cd8273a015a3a1df6d0f77fbe90a66ea76210ae9c8848244aa95531f4ae6ace222dcde3b066f267cfac5bb07783866ba26eb09e8c8c6a14850a08

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
89KB

MD5
51ccd7992431060d088a4315dda7c3aa

SHA1
a6f2fbe911604cbe5aa323f13221cce5f3811fc1

SHA256
2823042c3fde4f1bf96f5c109e3711202c21afeffd6ca35a044f049765371ee9

SHA512
7b60d1db014facd5c5678c002cb3536a5436a26d9de02bd0c111f17841ff73fa76db6c98e14c441f1460d451ed6c0663567e9b05256b32f87de665e48c7132bb

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
89KB

MD5
a8790583c1e2a0c46063009c368f8489

SHA1
dc5e4ce0cf4061408db3fc7d8d7bbd745694ce13

SHA256
44a72b0ae7ea4ec232930349dd25a224b59f7ed1dfcc8dfc697aea6176195036

SHA512
e6158a0cacd662ec48c48ae952f0c567ba32fd48fb657496fc5c352b2b8a6da347eff6937241779ae636c0637a598fac039bb10d276b730dcf510a0471729989

Download Submit
memory/532-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-525-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/724-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/724-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/788-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1332-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1332-518-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-523-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1556-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-526-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-529-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3416-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-512-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3768-524-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3768-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3796-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4088-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4108-517-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4108-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4960-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads