a776bc3c5168fd28fe84e2a3d318e78063d67c75ff6fa115d85c2d7df58ffcb0

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54cfb5dca0cae941eb05367d54212150_NeikiAnalytics.exe
Size

56KB
MD5

54cfb5dca0cae941eb05367d54212150
SHA1

b40f4f9f0cdcea0c3313ca36a9ed37854b04ff0a
SHA256

a776bc3c5168fd28fe84e2a3d318e78063d67c75ff6fa115d85c2d7df58ffcb0
SHA512

7cf0fd2026b01acc9829574ef0650c13d052119a8f0b79be7d0bc6f6c11de6d41dec6e564bdee864ef2bb7922f8ea9a553854464e8a6cf29efc27bf0a9f52a9e
SSDEEP

1536:+8b7EmttWW0tF5jG0CqxSvbZpAsVmHOWBVsRj:5QA0KOWbZpvVM1kj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	54cfb5dca0cae941eb05367d54212150_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe

Executes dropped EXE 63 IoCs

pid	Process
4368	Kmegbjgn.exe
4028	Kpccnefa.exe
396	Kkihknfg.exe
2568	Kmgdgjek.exe
4384	Kpepcedo.exe
3996	Kbdmpqcb.exe
1544	Kkkdan32.exe
400	Kaemnhla.exe
3052	Kdcijcke.exe
3748	Kknafn32.exe
816	Kmlnbi32.exe
2720	Kdffocib.exe
3268	Kgdbkohf.exe
4272	Kibnhjgj.exe
3012	Kmnjhioc.exe
2244	Kpmfddnf.exe
8	Kdhbec32.exe
2512	Lmqgnhmp.exe
1616	Lalcng32.exe
1296	Lcmofolg.exe
3564	Lkdggmlj.exe
3016	Lmccchkn.exe
5036	Ldmlpbbj.exe
1720	Lkgdml32.exe
1636	Lnepih32.exe
3432	Lpcmec32.exe
3044	Ldohebqh.exe
1004	Lnhmng32.exe
668	Lpfijcfl.exe
864	Lcdegnep.exe
4036	Lnjjdgee.exe
2576	Lddbqa32.exe
4564	Lgbnmm32.exe
2872	Mnlfigcc.exe
2240	Mpkbebbf.exe
1212	Mkpgck32.exe
4044	Mnocof32.exe
1768	Mpmokb32.exe
4808	Mgghhlhq.exe
1372	Mamleegg.exe
2852	Mcnhmm32.exe
464	Mkepnjng.exe
4504	Mncmjfmk.exe
3372	Mpaifalo.exe
1280	Mcpebmkb.exe
1428	Mglack32.exe
3164	Maaepd32.exe
1300	Mdpalp32.exe
4848	Mgnnhk32.exe
3304	Nkjjij32.exe
5096	Nnhfee32.exe
2796	Nnjbke32.exe
3568	Nafokcol.exe
2424	Nddkgonp.exe
2652	Ngcgcjnc.exe
4512	Nnmopdep.exe
2692	Nqklmpdd.exe
1272	Ncihikcg.exe
3340	Nkqpjidj.exe
2768	Nnolfdcn.exe
3384	Nqmhbpba.exe
2168	Ncldnkae.exe
920	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	54cfb5dca0cae941eb05367d54212150_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
232	920	WerFault.exe	149

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	54cfb5dca0cae941eb05367d54212150_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4368	3968	54cfb5dca0cae941eb05367d54212150_NeikiAnalytics.exe	82
PID 3968 wrote to memory of 4368	3968	54cfb5dca0cae941eb05367d54212150_NeikiAnalytics.exe	82
PID 3968 wrote to memory of 4368	3968	54cfb5dca0cae941eb05367d54212150_NeikiAnalytics.exe	82
PID 4368 wrote to memory of 4028	4368	Kmegbjgn.exe	83
PID 4368 wrote to memory of 4028	4368	Kmegbjgn.exe	83
PID 4368 wrote to memory of 4028	4368	Kmegbjgn.exe	83
PID 4028 wrote to memory of 396	4028	Kpccnefa.exe	84
PID 4028 wrote to memory of 396	4028	Kpccnefa.exe	84
PID 4028 wrote to memory of 396	4028	Kpccnefa.exe	84
PID 396 wrote to memory of 2568	396	Kkihknfg.exe	85
PID 396 wrote to memory of 2568	396	Kkihknfg.exe	85
PID 396 wrote to memory of 2568	396	Kkihknfg.exe	85
PID 2568 wrote to memory of 4384	2568	Kmgdgjek.exe	86
PID 2568 wrote to memory of 4384	2568	Kmgdgjek.exe	86
PID 2568 wrote to memory of 4384	2568	Kmgdgjek.exe	86
PID 4384 wrote to memory of 3996	4384	Kpepcedo.exe	87
PID 4384 wrote to memory of 3996	4384	Kpepcedo.exe	87
PID 4384 wrote to memory of 3996	4384	Kpepcedo.exe	87
PID 3996 wrote to memory of 1544	3996	Kbdmpqcb.exe	88
PID 3996 wrote to memory of 1544	3996	Kbdmpqcb.exe	88
PID 3996 wrote to memory of 1544	3996	Kbdmpqcb.exe	88
PID 1544 wrote to memory of 400	1544	Kkkdan32.exe	89
PID 1544 wrote to memory of 400	1544	Kkkdan32.exe	89
PID 1544 wrote to memory of 400	1544	Kkkdan32.exe	89
PID 400 wrote to memory of 3052	400	Kaemnhla.exe	90
PID 400 wrote to memory of 3052	400	Kaemnhla.exe	90
PID 400 wrote to memory of 3052	400	Kaemnhla.exe	90
PID 3052 wrote to memory of 3748	3052	Kdcijcke.exe	91
PID 3052 wrote to memory of 3748	3052	Kdcijcke.exe	91
PID 3052 wrote to memory of 3748	3052	Kdcijcke.exe	91
PID 3748 wrote to memory of 816	3748	Kknafn32.exe	92
PID 3748 wrote to memory of 816	3748	Kknafn32.exe	92
PID 3748 wrote to memory of 816	3748	Kknafn32.exe	92
PID 816 wrote to memory of 2720	816	Kmlnbi32.exe	93
PID 816 wrote to memory of 2720	816	Kmlnbi32.exe	93
PID 816 wrote to memory of 2720	816	Kmlnbi32.exe	93
PID 2720 wrote to memory of 3268	2720	Kdffocib.exe	94
PID 2720 wrote to memory of 3268	2720	Kdffocib.exe	94
PID 2720 wrote to memory of 3268	2720	Kdffocib.exe	94
PID 3268 wrote to memory of 4272	3268	Kgdbkohf.exe	95
PID 3268 wrote to memory of 4272	3268	Kgdbkohf.exe	95
PID 3268 wrote to memory of 4272	3268	Kgdbkohf.exe	95
PID 4272 wrote to memory of 3012	4272	Kibnhjgj.exe	96
PID 4272 wrote to memory of 3012	4272	Kibnhjgj.exe	96
PID 4272 wrote to memory of 3012	4272	Kibnhjgj.exe	96
PID 3012 wrote to memory of 2244	3012	Kmnjhioc.exe	97
PID 3012 wrote to memory of 2244	3012	Kmnjhioc.exe	97
PID 3012 wrote to memory of 2244	3012	Kmnjhioc.exe	97
PID 2244 wrote to memory of 8	2244	Kpmfddnf.exe	98
PID 2244 wrote to memory of 8	2244	Kpmfddnf.exe	98
PID 2244 wrote to memory of 8	2244	Kpmfddnf.exe	98
PID 8 wrote to memory of 2512	8	Kdhbec32.exe	99
PID 8 wrote to memory of 2512	8	Kdhbec32.exe	99
PID 8 wrote to memory of 2512	8	Kdhbec32.exe	99
PID 2512 wrote to memory of 1616	2512	Lmqgnhmp.exe	100
PID 2512 wrote to memory of 1616	2512	Lmqgnhmp.exe	100
PID 2512 wrote to memory of 1616	2512	Lmqgnhmp.exe	100
PID 1616 wrote to memory of 1296	1616	Lalcng32.exe	101
PID 1616 wrote to memory of 1296	1616	Lalcng32.exe	101
PID 1616 wrote to memory of 1296	1616	Lalcng32.exe	101
PID 1296 wrote to memory of 3564	1296	Lcmofolg.exe	102
PID 1296 wrote to memory of 3564	1296	Lcmofolg.exe	102
PID 1296 wrote to memory of 3564	1296	Lcmofolg.exe	102
PID 3564 wrote to memory of 3016	3564	Lkdggmlj.exe	103

C:\Users\Admin\AppData\Local\Temp\54cfb5dca0cae941eb05367d54212150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54cfb5dca0cae941eb05367d54212150_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\Kmegbjgn.exe
  C:\Windows\system32\Kmegbjgn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\Kpccnefa.exe
    C:\Windows\system32\Kpccnefa.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\SysWOW64\Kkihknfg.exe
      C:\Windows\system32\Kkihknfg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        64⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 400
        65⤵
        Program crash
        
        PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 920 -ip 920
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
56KB

MD5
00291a2b22865fedd65c74b4e73b3513

SHA1
7f0dce1627b6bc28495906ae61062af946931245

SHA256
ca1986274f095305b1563379b2a80246867734f421a1a3fd5710df690672a30a

SHA512
c5ee44800f8e79e38900a45327b1c86a82ac4cc34373238eebcd86fcf09cad449f3a09bc34cb23375d80e8dbaad434b6c5c5306320f8020566a7effe8e7459ad

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
56KB

MD5
a95f5ec91c1751f18ddb28bfa4ddb23e

SHA1
9a9b05204b311807eb786e28b26b98e70da9c34c

SHA256
7fc0149bf1ed7efb86cdbb4ac33c5bd7175e44a2735703d44f50bc3421b803c6

SHA512
25ebebcba991f8b365e901b28ca73aa07c96587b122e96dfd1af58fd4fe560083b9f099b8d3b8ec9fbc3e86db05096a0717570626006c885746d2613fa7cd968

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
56KB

MD5
67fb930660ceb5eeaf5618f7c5925d9f

SHA1
60acb5843936d989170717e375943b1417967a93

SHA256
b0b318e0290edbb024865b645fa40fb60b7c85a453b9d107d914ebce47dbab27

SHA512
379bc357f5aed96a7148e4c18ae3bda9cf23deea218abc850a81df8165a079d25910da2d5fab297efbde77979d55b7ae9b8ad4611cb26b539f0a979426205b1d

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
56KB

MD5
c11102982c5284afbdff9fa06b73753e

SHA1
935b07e16d3239be989767c35f3a8bc379cdb035

SHA256
4083d84e08d844e763376e2fe5f66278b8cb8b262a454a77869b76ad55ae1a43

SHA512
408f7c9347085d8d9171d7267a318c67190a521cbcf7eaf7e58d112e7ae597b16e2c34e4fd3bee65f4baad0465047a2ef35f0da394ff2f3bce0f9f932b528e2b

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
56KB

MD5
2b18767163d18ac75b909a925550b9ab

SHA1
5107e398c7ab8f8ba4c8cbcb06efbe59fcd0dfd4

SHA256
b143fa0d3aaac8c37e947cdfa6809102d30a56bb928ba6497a349b72316c5ea7

SHA512
e3119daa0cc0c5a97b13956d65bd91051c6bb7ed681b756996209b1b8347cfb0bfd4fe7871e6f51f6310c4a226ccaee352843e4c044b23034310747123678b67

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
56KB

MD5
dca949faf023c242053f222d8dc77173

SHA1
72d86bd9e2f621206a20eaf9cd1282bae03036f9

SHA256
5fe87534fb836da8b8146832820dab25c803233d694323abfa7d1eed58c235a9

SHA512
c4f2cb306912edd69cabf9bac30631248b6eb3e9cc85977554bc936f1201aa43d0b1753d25a2ca5251b9faa0e21541fc68dfc5f5e1baa669549ca49074764ccf

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
56KB

MD5
d49f8358e6f2d19d704b63b6083d68a3

SHA1
9b6c9df2c87ba299436dd4e6f751b426814ca9c1

SHA256
29affb233b3b5cd3f63c5453c00852cdfbb926dc1c9745349cb8b28c559e2f6e

SHA512
2fe186ce282ac8e9a36e7042787e21761ce334fd4d491af234ba28614f5daf52df3d6aa6c1ac0d23211450666c865080bcf904a912631553dce3ee0f63dbaf30

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
56KB

MD5
b07f2a2db72317c05e6c43e640dca85b

SHA1
330277a5eee31b8a1795f3de376229fca4f81a96

SHA256
3750858a35a1693838ba989f1076450b0298d80efe2ff3ea685baf15c08f5914

SHA512
08a1c5a963a368887f60c9723d3adecc6ed3a9b82dcf653232e946df3e826c92b6667fd121431ad43f4bed18ba465e44f50793d02fb1f2a89c1b8b011e4f8ba9

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
56KB

MD5
84255800efb12affea74d02a4c462d8b

SHA1
8eac5f14f266ae369bd37689976f22ddc65b2ee5

SHA256
422d203ddf508e9e805a0bec8761a0d4e8ea46c34f078bee745b8cdfdea29e5e

SHA512
b67a2c2733ab4d4d4354f0f94ba856b9061575aa7ff3bb2eb737d67c05edae2baeea4e49c955383ec8e8a165ef5b77e4335362fd7ff46a98a68a3810ed6702b1

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
56KB

MD5
f6f295be8bc21a3add7517493d74a80f

SHA1
af546617c13d92dc69cef22d6229d3098af2a6dd

SHA256
9856a1f6f484d9929ed7f071b33f0d27c5cc0f3f2d294df3702800f582dffaac

SHA512
ae5f63aac4fd4a7981b353f744d882494e326cd425037855d9adc6522c3290648afdecac9bdf83f9083f5366227fc7d5f9313c9e46a70e06523c343d9dde9fea

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
56KB

MD5
2820c220961eea5610b52dd2cbfcaa4e

SHA1
f2b0f719e9700c74ad849e0a19f0aaa0c0c12ffc

SHA256
cb77ef372e236cff89614d241ddd998852bc39114730d0df5efc38e014ac6586

SHA512
8c6c8eb31749a043bc7c7ef44a7f09c9ff0f37e61b017f35f7f92ec645d73091bd180b7af9784c89b68700645b64beb093dd93d21f66eef69dd9f5ad9943efd2

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
56KB

MD5
77d4b0da80c36fa5cc12cc6264af1ba9

SHA1
786fc3a844b1785624e0645f377f9318eb8679fc

SHA256
8ee745465955f095eed0cb0a1002b4d24ff656f682619d46df1cfcf7614e7717

SHA512
3d323e77d6b24e25520f5643b9b54fb45075cdd2c92a72480cd90faa0f051f17ffbec421b8951daec3552f50492e728f884135c9d13e95b9d052f9602a4b306d

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
56KB

MD5
647ce5fa4c341c53a6fc2f97ca48841e

SHA1
2d36b256e5b6b85bfc901b0341355ee594489e52

SHA256
4eb0fdb4ed6c306c86481f8c385eff00887b086ed483fc0bd52eed18a6ee0312

SHA512
ec2918cd1aafcd32a59b717d9d18ccb834c1e9fad3da4f12f320c7866c701e40d2d44578f6564b9f6d0230922d2e260fa965df1d40394ca8190da49a0f1e1a34

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
56KB

MD5
75745436f1336fd64e43601abf7e6b61

SHA1
3cb019d86a66206e66da2736ad44b0e84645aa7e

SHA256
9da6a7cc9b0644fe2482666f47d771ebc58fb9bf7fbd5c62b4075412a2a18df4

SHA512
ca7963ae4f334e499de56152e4f0a8da26a5fd425c51e5d8931c58dc9052badf6e168ab633237824ce86fca543c693310373a83fb55c03ed9d1894c776b4bca8

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
56KB

MD5
c611be4af77ca55560315f6ca942326e

SHA1
673efeb298a6730f54df1871bbf32709594f7280

SHA256
9bf4345b2ef2d58987bbdcfacbeb1f152c09afc9fa7a36f6af37c11d0a7ece15

SHA512
61fd434ad704051b38c9a7525211655d179b92ab1558b53f80de9529a1507bb482dae5247aa935019fd24a7996eab58be51f0527a201e5f1392277327b0725d7

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
56KB

MD5
72d1c4908f2af57dc6a78a1722b98a8c

SHA1
9799f92d089b5b8fb44d1e8b0bea38b15060a83e

SHA256
434b198f6b520d4c224f79ae63175d5240bdd4416ee8ee00e8c019e22d4b86d5

SHA512
ddf02872d775f7700ffc6b27b32a7778989609f78b1cad7fa6dae8b8ec56bd429ec533491da8d4341c40d0d53832692b180615ec31817c93da2c86401433baff

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
56KB

MD5
7f270e01cba4187a83fae18797eed7fa

SHA1
29e82e187e8ef7470a85dcbae54b2038ab164f48

SHA256
1077026bcb2904fc89f972a0d9f3054d8ab496afee80e7ebeeff4a10cc92adf3

SHA512
e755196661eed420c8704c4b4f138a43df05bf0d9b52ed8b14b5f26e1762be1182de9b762627d306d418de0b1685dd2d31cdd546f247924b0e7e18dc45759283

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
56KB

MD5
77d16a4baab7ec80c4795cb67fee8318

SHA1
2bc66ab4cfe39588b63e2ed3c0d11d917f1f3ebc

SHA256
7229fa5badd58f2ef1c934b66f27ce4e59c1b13b2e342b41b62cd22aa7daa15e

SHA512
5a60df6e14b760a10172123ca53dfa17da21ab116e6a4922c66a122e4e1946fe2a4c3dfb27ced535b8bdeb330e2ae85d1b1d1e32a4c9703b6f45f70b01659032

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
56KB

MD5
7363599aa9b5e498fe3ef2e1aaf314bf

SHA1
b99cb0514c499523eae9d971cd2a6dc9a6a81f40

SHA256
59a8950f93091215ca817ea1666b6e3e40420564f6cbc8796e2d933986e17e34

SHA512
3ef0c91a516ca8a552e6321477079b772c77786d8d1c2a3d483cba7522cd1fb426f2f9b603654a9ed4c6982977908395d9b8d07394b09c22d08197745e15785d

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
56KB

MD5
9e01d060a486baa690ac5f1bfeec75ea

SHA1
84b312ea383af8c82efbf340ecd875371e7d6310

SHA256
c8dfaf7a95aab1427f912d72c19a0203bb459d63f80a45d3718b378c994de4ce

SHA512
2ca9da1306ba9d3909ba66d64d12055679454be9ed0ca9a46d7ef59cd83e17b2330f6cde657c9d6b515abbdd30753563e20feb53a6d81466b9e2480aad719b83

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
56KB

MD5
294999aa9457a8877acc2e8265c13950

SHA1
a6f22ef8c902c2f918679d8e82763bce1555eea8

SHA256
0a0d200072d183e7379d1790174ec8729c737fcaff2a660bbeda37c15b7b96d0

SHA512
abfda94980127aa0921f58e882eb133347d32ed18c04ec62a34c5c48e007f5d7f1331a532456c9a8bad4910e36d324c205bf2f16d195495416f663bf54b64c6d

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
56KB

MD5
968d06f8fa74eef045a68b14d560fb13

SHA1
ed0319067eab76bd944d9e242df457175636f9cb

SHA256
413c3cfd69876e1b4dcce9621e6a856019d73551e9f6c3f3ee73a94c3d38f67c

SHA512
4985081e088066fff10c02a57a6eecad123c09dd1a427389e9d3f275ca7a68758ebb0ae115269ab1aebde22910e39e8e7b15b8aba5a4c367f334f78758ea3f05

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
56KB

MD5
49b9e0b8f8791fb06b73d22661e9d076

SHA1
8aea4eabb3304e1698e8d6a833edbdf7d2971fbf

SHA256
39ba0517698b85f07da23bd007f5936f9a64fbae57437220892b78a2b43df64d

SHA512
b406b0a2818cba706e153c0eaf630cf107d1d16fda23142244e5a5440090f8798c00950e886b42b4b47e6b4dcbb1b1154dfc9eea7a100eec029e036813ac6f2c

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
56KB

MD5
eec3bb9e4fadfe4a4496e25107a72c3f

SHA1
6d82552f0dfc3b957e705f6ef1b284237e77e72c

SHA256
ce6697fb8706091db8db092aa653f4465e4af58cdcd2f369956b7695e5b508a5

SHA512
368eb397f1400b8c9c051f3e17e72b28a50bb802728634a5b4297c130a43041246c47a70128158fe66e0c306fff325032a4af8837258d440b7403c74f307e7c4

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
56KB

MD5
76577b0e4fd2c5a525c66ce1de966053

SHA1
5a9e6f8efecbb7c0739b111c6fe6ed584a035def

SHA256
ebd2d0a57adac945fbac3160cb05f833cc5ef5d639534df2856845591d7e7102

SHA512
c8169275a31c933c4affae5f16ff526fa5ca7904ecc14efd3d38bb4ad2c2ae2881853417c808e0d72f738e35f7af28c548d7d0b8105cd454e2c9694a2a297d74

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
56KB

MD5
8925e2d964f6b8d6828ff1ba114e7e25

SHA1
3c3c81dcc633c09b7b08e4c6063bd44b4797f393

SHA256
79833d1dce2e9023a2fc291a8c4991aaca35ebd3d9a32aa4c37470bee5de561d

SHA512
3ea2257f46f7d9ce8173d0ef9d00edbe70cd77e4a6c7208646a7f4171f3e6b4b451ce743585119d797e1fbcdf8471128d2c93da2274831c11cc43ee5a6a9eeeb

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
56KB

MD5
019583a4471b386200eae64a3f168c77

SHA1
d331d322db35a88225a0022734b98d1eaa823d7a

SHA256
839f2f3b2afedc246911deae57923951def19d7805c6078078450ef39e6fec5b

SHA512
12c9edcbff66c45b87f110b7624171c35614c3ab51816939f58d91d6aca09be07e5cc97dc50192168e334432cba71aedd2f027f6104ed567b7a24c9870e0242f

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
56KB

MD5
f0a50dd56c8b93ded956dbe6904d1522

SHA1
b59b5c8236fda9fdefc9e3d6f31b53c99348f25b

SHA256
bfcf02aa9f0052419a6f7431cb4480e8c101531d185a9f52eb4d1754a60bf71b

SHA512
4ca470489897ea857536a0cc63c8026b7c351bf617b06b62d3d5fff2a84ea9dd6965cb28ccc4ca0ac5d0f581c266e7d3b9a7d8fbef3e8f763f5617b8393eaded

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
56KB

MD5
616cab50e8df1142e33c24147be0d996

SHA1
5fb39d037317c3477c480c5092dbb15254782a6b

SHA256
454f7cf7e71ee96279b433433f90ee2bc7cc938956497a21b6c965319804fd66

SHA512
2ce732dae6cee9ab75f2605d16f6053616b4254ae58239db671d3111c363db6af2bafabd59e3d95b8a11c459ed188a37d9c5af4204e0cc082c21dc42df535678

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
56KB

MD5
6b5f696ed9b79eb1ad6304a64af6d64f

SHA1
9928ba868e73c645e5027ed6bedc211370576d54

SHA256
6047ae1f05f38a526cc303cb891d06d80d3190adaf3c7f67fd604bc26a245952

SHA512
b5522b8fe02ad746000fc23c94a56489348c16c36063d7c992a5f959768dfb30442cabc250818277c5c88874420e20dcc5a59fce2c6e40d07781ac21d8b7dd8b

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
56KB

MD5
42f2bc60573c16237dd17d40218d3397

SHA1
bc752ccc2fefe123ab118ed76ddbf51072a9a993

SHA256
d3bf1280c9172453ac4ae4cfe9905df20a35e56aecc1400e853a8bf1e2878e8c

SHA512
0a80a0efc09e97377488ca4bbea7f977faaa997698dff12c6a11ebf51c5626cee0d7e537b07b0fab57d8f6e564c2f86a39b0057c7444ed9dd49506d99b0cbc02

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
56KB

MD5
5b9bad64e599a77f4da55d73d0e30193

SHA1
b631c7836b8602d42e615fc2d58823773f8355e6

SHA256
f58404202844d46dfe0081813a43ec805314004859ec44a080eae4e3dd52b8d5

SHA512
be324464252197a9cd6b097842a86ef08bb91fb28697586639a726f9cb245c0f0dc4dc8bc9284281415997ee5e3045f4fcb415199c5cdaeb5527db933bc84a7c

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
56KB

MD5
b35e58fefc4b1095fb7726f4678322ba

SHA1
768b397289f0fbde9ea61311deab732a93ed2e19

SHA256
1c99760fb44c758d500f1f730d6fdb11d2d133b52211bd8f3e3f6e003cd25f47

SHA512
e655c93b76a1a5afe85fe66f91473e86830cf97caddf7cdf32b0e134be31add40475ed41818fd7f4d84d581799a032a7603af2a14a370d2371c670cda7aa3cf5

Download Submit
memory/8-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/668-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/668-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3968-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads