7be1405d4fec7ff11155746f95be2033c55ec5f6c2531ac9664bf528def782d3

Analysis

max time kernel
140s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe
Size

80KB
MD5

ade538b68f5a9bfb9905123deb025f90
SHA1

8b97bf1e33efabeed1471d9afd7188568aaf8322
SHA256

7be1405d4fec7ff11155746f95be2033c55ec5f6c2531ac9664bf528def782d3
SHA512

3b7b458e338d9227d8d04a4b522fa8f30b7d802feb95b7e71a797bbf9123830e1fa307c44fb02edf7945ffa6fa04ba6d2990c6483fd75b67678c0e82287b3cb4
SSDEEP

768:I3QRMnMChdAu6Fjh7xXjYmOsxZZMyfIvGR0zHQgzwG2p/1H5sXdnhgYZZTum80Z7:jSMCbARF17FCsxnYh2LMCYrum8SPG2

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe

Executes dropped EXE 64 IoCs

pid	Process
4856	Jkdnpo32.exe
1408	Jmbklj32.exe
4528	Jpaghf32.exe
4044	Jfkoeppq.exe
2136	Jiikak32.exe
908	Kmegbjgn.exe
4772	Kpccnefa.exe
3912	Kgmlkp32.exe
4936	Kmgdgjek.exe
1248	Kdaldd32.exe
4740	Kkkdan32.exe
4468	Kmjqmi32.exe
4500	Kbfiep32.exe
2376	Kknafn32.exe
4508	Kagichjo.exe
1544	Kcifkp32.exe
4248	Kibnhjgj.exe
4400	Kajfig32.exe
4084	Kdhbec32.exe
1636	Liekmj32.exe
3984	Lpocjdld.exe
3224	Lgikfn32.exe
2580	Lmccchkn.exe
2440	Ldmlpbbj.exe
5100	Lijdhiaa.exe
4836	Laalifad.exe
2384	Lcbiao32.exe
2268	Lkiqbl32.exe
3428	Laciofpa.exe
3700	Lpfijcfl.exe
228	Lcdegnep.exe
3980	Lgpagm32.exe
4848	Ljnnch32.exe
3572	Lddbqa32.exe
2952	Mjqjih32.exe
744	Mahbje32.exe
840	Mdfofakp.exe
1352	Mgekbljc.exe
3644	Mnocof32.exe
640	Mpmokb32.exe
4780	Mcklgm32.exe
4564	Mjeddggd.exe
1652	Mpolqa32.exe
4388	Mkepnjng.exe
3624	Mncmjfmk.exe
1124	Mpaifalo.exe
2632	Mdmegp32.exe
2300	Mkgmcjld.exe
4164	Mjjmog32.exe
3516	Maaepd32.exe
4416	Mcbahlip.exe
3584	Nkjjij32.exe
4852	Njljefql.exe
3456	Nqfbaq32.exe
4488	Nceonl32.exe
3484	Nnjbke32.exe
2548	Nddkgonp.exe
2628	Nkncdifl.exe
2340	Nnmopdep.exe
4744	Ndghmo32.exe
4232	Njcpee32.exe
3184	Ndidbn32.exe
4572	Ncldnkae.exe
4052	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogijli32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4336	4052	WerFault.exe	150

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 4856	4168	ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe	83
PID 4168 wrote to memory of 4856	4168	ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe	83
PID 4168 wrote to memory of 4856	4168	ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe	83
PID 4856 wrote to memory of 1408	4856	Jkdnpo32.exe	84
PID 4856 wrote to memory of 1408	4856	Jkdnpo32.exe	84
PID 4856 wrote to memory of 1408	4856	Jkdnpo32.exe	84
PID 1408 wrote to memory of 4528	1408	Jmbklj32.exe	85
PID 1408 wrote to memory of 4528	1408	Jmbklj32.exe	85
PID 1408 wrote to memory of 4528	1408	Jmbklj32.exe	85
PID 4528 wrote to memory of 4044	4528	Jpaghf32.exe	86
PID 4528 wrote to memory of 4044	4528	Jpaghf32.exe	86
PID 4528 wrote to memory of 4044	4528	Jpaghf32.exe	86
PID 4044 wrote to memory of 2136	4044	Jfkoeppq.exe	87
PID 4044 wrote to memory of 2136	4044	Jfkoeppq.exe	87
PID 4044 wrote to memory of 2136	4044	Jfkoeppq.exe	87
PID 2136 wrote to memory of 908	2136	Jiikak32.exe	88
PID 2136 wrote to memory of 908	2136	Jiikak32.exe	88
PID 2136 wrote to memory of 908	2136	Jiikak32.exe	88
PID 908 wrote to memory of 4772	908	Kmegbjgn.exe	89
PID 908 wrote to memory of 4772	908	Kmegbjgn.exe	89
PID 908 wrote to memory of 4772	908	Kmegbjgn.exe	89
PID 4772 wrote to memory of 3912	4772	Kpccnefa.exe	90
PID 4772 wrote to memory of 3912	4772	Kpccnefa.exe	90
PID 4772 wrote to memory of 3912	4772	Kpccnefa.exe	90
PID 3912 wrote to memory of 4936	3912	Kgmlkp32.exe	91
PID 3912 wrote to memory of 4936	3912	Kgmlkp32.exe	91
PID 3912 wrote to memory of 4936	3912	Kgmlkp32.exe	91
PID 4936 wrote to memory of 1248	4936	Kmgdgjek.exe	92
PID 4936 wrote to memory of 1248	4936	Kmgdgjek.exe	92
PID 4936 wrote to memory of 1248	4936	Kmgdgjek.exe	92
PID 1248 wrote to memory of 4740	1248	Kdaldd32.exe	93
PID 1248 wrote to memory of 4740	1248	Kdaldd32.exe	93
PID 1248 wrote to memory of 4740	1248	Kdaldd32.exe	93
PID 4740 wrote to memory of 4468	4740	Kkkdan32.exe	94
PID 4740 wrote to memory of 4468	4740	Kkkdan32.exe	94
PID 4740 wrote to memory of 4468	4740	Kkkdan32.exe	94
PID 4468 wrote to memory of 4500	4468	Kmjqmi32.exe	95
PID 4468 wrote to memory of 4500	4468	Kmjqmi32.exe	95
PID 4468 wrote to memory of 4500	4468	Kmjqmi32.exe	95
PID 4500 wrote to memory of 2376	4500	Kbfiep32.exe	96
PID 4500 wrote to memory of 2376	4500	Kbfiep32.exe	96
PID 4500 wrote to memory of 2376	4500	Kbfiep32.exe	96
PID 2376 wrote to memory of 4508	2376	Kknafn32.exe	97
PID 2376 wrote to memory of 4508	2376	Kknafn32.exe	97
PID 2376 wrote to memory of 4508	2376	Kknafn32.exe	97
PID 4508 wrote to memory of 1544	4508	Kagichjo.exe	98
PID 4508 wrote to memory of 1544	4508	Kagichjo.exe	98
PID 4508 wrote to memory of 1544	4508	Kagichjo.exe	98
PID 1544 wrote to memory of 4248	1544	Kcifkp32.exe	99
PID 1544 wrote to memory of 4248	1544	Kcifkp32.exe	99
PID 1544 wrote to memory of 4248	1544	Kcifkp32.exe	99
PID 4248 wrote to memory of 4400	4248	Kibnhjgj.exe	100
PID 4248 wrote to memory of 4400	4248	Kibnhjgj.exe	100
PID 4248 wrote to memory of 4400	4248	Kibnhjgj.exe	100
PID 4400 wrote to memory of 4084	4400	Kajfig32.exe	102
PID 4400 wrote to memory of 4084	4400	Kajfig32.exe	102
PID 4400 wrote to memory of 4084	4400	Kajfig32.exe	102
PID 4084 wrote to memory of 1636	4084	Kdhbec32.exe	103
PID 4084 wrote to memory of 1636	4084	Kdhbec32.exe	103
PID 4084 wrote to memory of 1636	4084	Kdhbec32.exe	103
PID 1636 wrote to memory of 3984	1636	Liekmj32.exe	104
PID 1636 wrote to memory of 3984	1636	Liekmj32.exe	104
PID 1636 wrote to memory of 3984	1636	Liekmj32.exe	104
PID 3984 wrote to memory of 3224	3984	Lpocjdld.exe	105

C:\Users\Admin\AppData\Local\Temp\ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ade538b68f5a9bfb9905123deb025f90_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\SysWOW64\Jkdnpo32.exe
  C:\Windows\system32\Jkdnpo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\Jmbklj32.exe
    C:\Windows\system32\Jmbklj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\Jpaghf32.exe
      C:\Windows\system32\Jpaghf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        56⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        57⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        63⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        65⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 400
        66⤵
        Program crash
        
        PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4052 -ip 4052
1⤵
PID:3156

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
80KB

MD5
f91901a3e34fc55f3ed8ab66f6a646f5

SHA1
19814b2764a5ba1e26b557b790968f61c963fdfd

SHA256
7ab16b136b7faa17c22dbde09b302f7a2c2fa6c7a0b594b132549d7167e78de6

SHA512
fd87075748542541e0929616585e31c96a1f740bfbdcb1514b9ca94dfc3cbf93ba0c013d79987a9eee86b68829a6faf6e4c06b6d878dd7a972e3521ace9648db

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
80KB

MD5
15d8b1cb863744da556e522657ff0980

SHA1
126974a7822782d7e2af373065fc7ccbe8d89b5e

SHA256
a1e83b9355de2356d0de905b837df657464967e5fe8a83a0cf108970af19f386

SHA512
c8c9b9d1d3c2c1a7cf58e610da28c9567e74c7cfad7b8ddc4ec559edbc1282d9aefde7fdad4486694e9b250b632f95f912c8cb193affc38a1469e231c6fa3360

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
80KB

MD5
f62960a49c82843ec404d7c92082462c

SHA1
d4a0158a8a0e23123e8fea93285628afca6f8b05

SHA256
db7da2c1a1bdb3e826f1a78f1f7a560929c1cf283d2e3be827d21bbd7add0bcc

SHA512
ec7bb6738bf7c1d90ba5338e503fefbe08208d62644ac43fb09b84b9069f7efa7ad64c4e154c7d220f187450db0b5be2279f760fb488e41e37212b8e1859d31b

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
80KB

MD5
b8e79a5deb40dc1e9d77cca11e4763c6

SHA1
20d74420ed90c6f98a3fcba36a6089668bafb761

SHA256
a41c4cf19889875db2e05e9a2092c7170850ba055576ed43cfc00fb60650f794

SHA512
2e1009928a213bb7c3ffbedfb9752472b09fa401ecacec6813cb67ccb76353ced163fa5dc10983ace26e670df8de6aa646f2df5bf96fb52a3deec7d4e4e02c0f

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
80KB

MD5
032b7da1bc2d9924ac6ecd71bcfa944b

SHA1
bb4f5202e56b621386f9040c2a2e3caf9c33017f

SHA256
4615abade830f185a0c508014b303a55b2852d7865684794173d66b7b7c40db7

SHA512
c0bb5363e38c4e52c22f7fbe8ddb1787e47ba3358ee9fdbbb71b8f3561ba9f0745b712fa6f3cbe8007fe69369691f9050ea5de896354a0bdb43eebec2407cc00

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
80KB

MD5
a609c9259df51c82799362db7c2cbcda

SHA1
27b3b4d53bcd5bc3638917a7f20e5f4d48c3e9ee

SHA256
a1012395aa4d52453ba2ad25851aa607643bb584802391da6d21fc25fec30b2e

SHA512
c26bf908002f9315a8c1c99e8360efa7fc81d86fe79a31c17b5be5dd2b85cc4e2e28d9724b99da9920ac4dc4d5d24fbb4dd34c8f40fa47d011ede1d2dff13e45

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
80KB

MD5
bfb55ea865275214c055edd11e62b4b4

SHA1
1eb4ddf0da5329ec6593fceca9ad0f182b7c884c

SHA256
3213ef0e2f241c4cb1032424d994d0ce820bc9268feecff7554687e602f0bcb6

SHA512
4466a724046b1d6b25a13e82ab8978cd74a8e6493b31cd1ad60e31890109286cdfb66906590847ac8f68833e006c3e92f482a414e58f944cde2984eed857453d

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
80KB

MD5
d2469a6b7ba486aa424d8ee643920b50

SHA1
800e712a6d0c6a99e12c304399dff4aee502e5d8

SHA256
baf85bbed52f6494aad1c71b7c7c177324bd6ff955c89aac3ea74ae5e805b28b

SHA512
48a1be094258aff042f7317fca6c32fcb44f8ebe9977499f84ebfa397f58a2d4e07f035f28e123c8c154286e3bd29b01f4b33988cf223993a24c93f72e127536

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
80KB

MD5
5122f31b0a852741f049a7b3a5f2cb9f

SHA1
42827f6322e74b02112d59f09e60a0399f098c8f

SHA256
4a5b46f65559b10ca4d77d75f0c2987ea4ae42517bb3e2380b085e38cb77f4ae

SHA512
e2ba63f4f40163b22f59063240bb7805b47badd6c25fb4da3c85359c67aba9eeb112aef2fc8a496b55afebde0d84183b56eb2d7c134bb63a7cfbfd592f784a5c

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
80KB

MD5
909ee3c5e8e107b7f058dbf04c2cf107

SHA1
e036f90c0afd6a4b0971cb4bdde7f3efa675bb5f

SHA256
9c1d6c8ecb78ea086d6cb68ad3b86f8397fa7c277ef39bb6157c1ffee907c420

SHA512
b05dce6ec255db41e7a9029f47a4ab7528aac90062bf7013efd852abff4345f4c400c5d1a88354ce64edc0f1345c3ce7187e86a0882a53d8d862aa524ab29648

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
80KB

MD5
9b960c9fcd5bd8d4443064f423335e49

SHA1
55a008b9ec322c24676f473bf012605b52425dbd

SHA256
86a1624c89debdf76bea282f590bf312516c306c6afeb257a7c00af7bb2acbc9

SHA512
c5bbea5dd44c9c4a1953c403051a77ab77afd78d70eadb86d6e3703f460fe33cdd2c88bdaf8381c4ab76ff5d4ac779e965ac56e932c7688772081096e5a40078

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
80KB

MD5
2293c95b4660087d6cb7eac7da499aac

SHA1
54f81007f4ed0243e2cb90ccf07b76071d1ca033

SHA256
6cd8894d19a79afbb391139d75d205c4ab539421ce3b090cae30e8947c78be14

SHA512
45be531c7350f55b86904d19313468988590882fbc7ae8d25ca228c086299fbc93d763bf2da6086ca69d4efedff3d18ede74c40042283afdff5e74a861379871

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
80KB

MD5
ce442d83bdf3255517560711aef7e9da

SHA1
84f7c7c9d0361938a4c30ab2f59ed71510716b04

SHA256
6cde84813183dfbdb14aea7486b1ea04771a97382df5307d29bf904fba33bdff

SHA512
9152d76d7fb739433409f54e42bcb6e91f67a019e9ef52703bc668e61a5b0ba55a381ff0249ce1ba63be8bc367c43008c46c24fd19ba9271c7d20c635588923c

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
80KB

MD5
90c31aa3f3feb4fd9e68bd64828d0431

SHA1
43d6b212ef0a8770ebddaf2f35a62fe393fac60b

SHA256
f127bf74ccbc1e0a03137ad9a869a9c832f07904e6de3fe7a867ba5e530ad4dd

SHA512
27054537e2087ee680e5d73cbd2ba562d43f6545525839b8dfbcb539c6a107ba3cea2f657fdb06db982246847285d6148f2e8e9394ebed5881a895ac5597eb81

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
80KB

MD5
20125b355ebda0e2ba6c560e6864aefc

SHA1
b6a7ac27e4f9d326ba047665def0bd1a9a5da700

SHA256
5e6c7b2af3f0affc285d8ca23180e0008b6008cb05a5248cc123bb49869d34e1

SHA512
22ca58223d9df329a4783f300a84a47ecfd7d0e09f71dae42be0eb795591824ed580dabca624ede9cc3a73d8fc343e2e4f0bde4658b64ebd1771a0ff1dd5f610

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
80KB

MD5
3a835cca70e63439ee94e26f6ccad611

SHA1
dd674e0e134842456e560f675e350ddc0e9e3247

SHA256
00742156e7f7632033cadb54a5d1de5b7ee6a9277d99f0e1cf042d6750cf4218

SHA512
b33fc890622aa69bfe0859150d176f7473794da5ce5d3a661efa347b467d3c3181f0ee9c7bc47602a09bdbda95caf884ae4d5acc70030652b3b7f61d8c9ed18a

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
80KB

MD5
629fc2904dca2e8f937b777909fad0fa

SHA1
4da6cdd8d22633363e7304c5bd4bfb706de9ffbf

SHA256
a3f7b76eb3d7dc62dbac258589cc140ec1c64cccdd7ddcc2c110b7ba71f3be20

SHA512
8a88e3ecf15fb751ef6e9e4364d276a2be96ce97808ce3b4ec5b184c2cbbd73d682af09b162f27d045182516663ecbbb557da1785dab892a906ae67ff238e2b6

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
80KB

MD5
d7c0d5c978ec9a9ac8eb61bf401f9390

SHA1
e0d578533676aa81861fcdac2efe6e515ae26f7b

SHA256
3daf40cb8c2fc14b3186cea1d1f8c45c80d3a40bdd37b3165870f0a444f0a01a

SHA512
70f68a70ff0ed1f4e8610a29c67a6ead77b2fbe003f7a5d9625d193653927be977c8e3ba928f6d26198c040f619b37e22c6d83f2f4ff6159a6ece9cd0892f245

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
80KB

MD5
6edeba4ef93297a8c20386aedb3db31a

SHA1
facb310bec00b0e50a8b106d07e33eda0af88d41

SHA256
c844a697ab035c065f4c9332196ce531f8d78c61652c6bdb665c05a4589b9bb9

SHA512
3107a255aca705ba9330a43109569317352ae2c1ada1c9645bf6c219e4babe60a582ce83426673227211733e4a1ab3c6c319d9349b006865a81df767077782c0

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
80KB

MD5
662a7d902a685c60c41f25b8e38966de

SHA1
22809fe19faa40f207d07e2d233252209e6173fb

SHA256
832f9993368eabe02962fce702c604517e3c7ce863b7cdb49397c7109f08be89

SHA512
24863fea0277b6f3215a03df7b03effa3327ad9d1470e9546f1791e4620d8c404c8103091f1ed255afdac3ac3764c85fa41cb36cfb1ca3e3534e419a46452727

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
80KB

MD5
0ad31ca5baf7f5fa2f79dcb698fbba58

SHA1
087e9950c159ef60233579fa2dfd1d1b6da1b142

SHA256
28d8c02da81abf8af70c8ad356c4fee7792b919c01dcb775ff0f9bd0acb2e6ff

SHA512
dfbb8c03d8e1dc7bf20a10f1a4cc6390ec408eccde7e9b6d40edddf98909b571c762bd0af585e74bafe0ca38fece57b60ea9b82f559a20637fe920e074c00a7c

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
80KB

MD5
e2f0baa7681f4fdfa2fb807b4fc07db0

SHA1
484c8f6462af3183e9e1723dbb2bcbdd9bb02daa

SHA256
6cd931e204dbe9a3c8bc9f62ff72aa0d38589b9e2ea36b39e9323b640b705a60

SHA512
9e899dabd0815ae6ad73e2cdef58fed68365fbadfd86f31e458f07a5582fc3b3165fee0c0b60c89291381acb50674c26bc070a3c48d2e46273654866a38dd0e8

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
80KB

MD5
5e497dc10ccb24de617f961eae0a6d19

SHA1
d71e893cbb3564bc64a8dbc8164247c7fbb91767

SHA256
2a0365fa9089dbac7972b81eb4b758eda2ab38ee6322bbb64bba8333ab1f97f9

SHA512
fa1ea8440c781fa72f46b446d660f7686983a01e03bd30b6b49cae27e52f21122c6304049e34e4f9d3fc57136303034789f579ded2870ccb6ce1b5697e4f000a

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
80KB

MD5
a2f38d31bcc99ef6d9b51ccc97a4e01f

SHA1
f5510f8831628f3ed22ae2c3aaf610b6bff7b334

SHA256
e9cc680e9dd40e77645f573b91090a28e064366f451909227cc3803bae6292c0

SHA512
57693bf232617bb2a6a040006ebe599ed340a4d99e5eaecdf6631b94b9a42ac041f7c6a279bcdc88b67da3e0bb37f39fd1487157ef71294e880aace65b0e4b9b

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
80KB

MD5
22c71c8b9b73ecdcc44a97b4a6aed2ae

SHA1
1e64f2f5ace72726fdbaae4769a28fa3c15f4eff

SHA256
9b915f0a387c23fcf4249dee086ea472c875614f689fab552f9edb4bb6ae054a

SHA512
81d259a619d7800b3827d6bfb5be158439368d4d7e74dfafe387772549d477ebe1d8415d95c240c065e4a3871bc74a1f0474648566f52332c63aeafb1b91ea71

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
eb7d838de83bf8729fcc9ee6fd3a3614

SHA1
7b6e087eeca51ba458a7ef180b03c18b1eb226e9

SHA256
23e22262497d50837297935603294baa65140251dbb71c3afe2fa8901a7cc6dc

SHA512
e0b88e4ac292619b25d1e5901c9ff230eb0be1596a01767b1d1135cf4de621360af4204cb1043e6f69d7d2f1e58998b0d1afeeb6f5775f50d1c819b1213778e0

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
80KB

MD5
1c1455d10ce0b31b15ae9e70af8c93f4

SHA1
e85588d21dbcf941f83ba804af2b45a5243ef30a

SHA256
a8bf4b865b6bbe61f9770fb70c8ede818dc47d9310ba7874c89bb0e58309c985

SHA512
d7efbc8a3ed82ff4818bd00c2da1adff00804115841e8c84f9fa74824fcb46136545f5573d7b41040a9542593ee98e66d21a01620bc7b47234b6b891f52df032

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
80KB

MD5
3d38ba7d1cb2c1e28422cb62f689298b

SHA1
008a715ce25da8faced21d2822c23c6c37faa6a8

SHA256
3d06c32fd31ca98e4cad326dd27cbe71b8c9bfd91069f3fc2b27c48c9dc3b0d3

SHA512
f1151e635977ea782b78cd79b008ab4784f39afa795b02302d1f6f50d9d5d7d015a351d787e89c7ed9d5a96083b8d611cd01151c09c779f015670518a1a0a4cb

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
80KB

MD5
c8410727b4313783187691c9534a02cd

SHA1
b0a5a5c9dcfcb4e805501ea9bf0430f23a78ac6c

SHA256
706db178bdd2012149fe8f3b109966b1dcdb093c019b2a4287c77cfa87a59eb9

SHA512
79d117f9c687630526b7d019526a12a7106ac25f9fe0bd48c3b96e33e2ba72bc1114d6286569944d7d655bcf58758d0026dffb1a0adaf38619064237006698b6

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
80KB

MD5
483bad7886c022aff83e7aff3f2f0cf5

SHA1
fece9e42275c89a619d2cbb03b2385a86b38ffff

SHA256
efd7fa7fc08881a695d82fc2ab230cb993b499c87e977cf19da0fb787fe4b99c

SHA512
ac3df04c5e54a0284100fb5523c4438aec7ed55a9285a3a558fdc745e0ee14af83ad3305409b34a88b28fbacc86f32be1abdd3efb253bee7f32b6ec6c28cd740

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
80KB

MD5
dcda6eec88c680f5a4d415755bf82de8

SHA1
9b0a089fdf797cb9bdf0b840f6a91a49ec3c491f

SHA256
cc405f404feb5b5c1a783be4f44e598465860e421f8301c45bf6ce33b0361a6d

SHA512
201e8be1b4199219f6fde0eea074e40a944d7d494541cc84d73c50e1c1984afe3dc16d3ac2795ca7657daa0db36168563db2896a648a850a33d2318f5beb2279

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
80KB

MD5
963ca2ca6aebaab3ba824601f67b40cd

SHA1
9e7e8cf0611bfb10c5a5e079b542dece73d667cf

SHA256
7c8b23276f2fc51603b690c5a6f124065fccb1f23b18519d8db982154f68e3b5

SHA512
404bffbaa5494ea65676bc53ecb96e5be86f21a5ec7b514efff091b637a5ff710098bc97685017eb4b574006f8e293761c83944a2ebcddd4e22bb0bfd914b0c4

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
80KB

MD5
37b0f1ed9f4fa18cac28ed977f2a1155

SHA1
aab296418d974149a3f31607307a968ab36385bf

SHA256
750b78745979395ce654631bb81a62dd34cfff91326fe7ca76d13b97951abff9

SHA512
096dc1c0bad8b9847b4dde0e09066b91089cde941b78f408b9fdcbbf33168f40436f4e13d9a658b9ecc1cfae5522d7399251e27fa5c3dcea48e41a0b483bfa38

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
80KB

MD5
25af81aff13d1a4a5283010f4bc51ecc

SHA1
643254d1e0268e84be4cd81403c9241fb73a2223

SHA256
632990c811f646dca8fcd41d6a028e617d9247c01e40593fb6028e875239935a

SHA512
388d5f43d5e6ba9102a394dcd6b03d85d944b27b97c3b9ec4284887dbdbebdac30967c9597ae964a4b4f4ef30e22116f450be278692744c3aee2e24bbf133729

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
80KB

MD5
22faec749115af500b024664a59fdde6

SHA1
85a346bb25aa6b5205147bb484ef79abeaef244a

SHA256
43f3968f55501dc0a8c778381d39da60ed792af5212c1db8e18c5ce1b4a48fb9

SHA512
072ac0ed10e039f2e9f43d89818113d9a2b6f43537285f5f6ba681031fe9da3459beb73a3ee4f00e3c32f8688814458bac4232c03d9a1cfdbb84de56b86685d8

Download Submit
memory/228-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4168-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads