9f2f5b2226862ac976566db399a6db350272168c690f8952ee810593204c7594

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba0398f03ef11985cd2605e6e3d22080_NeikiAnalytics.exe
Size

362KB
MD5

ba0398f03ef11985cd2605e6e3d22080
SHA1

b85bec9a5b8740130593b1dd25e9b0de67d3e12c
SHA256

9f2f5b2226862ac976566db399a6db350272168c690f8952ee810593204c7594
SHA512

ea6150ffffc0b36028b5cedc5c169416602a890238d45ae9c7780d0443d4e4008dbdf400968d8fa3fb10d76ba8afa94943a94af92ee9136b16aecc203972bf92
SSDEEP

6144:kieMP9SfmvuOm4tGDuMEUrQVad7nG3mbDp2o+SsmiMyhtHEyr5psPc1aj8DOvlvY:ki1li6tmuMtrQ07nGWxWSsmiMyh95r5z

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ba0398f03ef11985cd2605e6e3d22080_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000800000002328e-6.dat	family_berbew
behavioral2/files/0x0007000000023429-14.dat	family_berbew
behavioral2/files/0x000700000002342b-22.dat	family_berbew
behavioral2/files/0x000700000002342d-30.dat	family_berbew
behavioral2/files/0x000700000002342f-39.dat	family_berbew
behavioral2/files/0x0007000000023431-47.dat	family_berbew
behavioral2/files/0x0007000000023433-54.dat	family_berbew
behavioral2/files/0x0007000000023437-68.dat	family_berbew
behavioral2/files/0x0007000000023439-75.dat	family_berbew
behavioral2/files/0x000700000002343b-82.dat	family_berbew
behavioral2/files/0x000700000002343f-96.dat	family_berbew
behavioral2/files/0x0007000000023443-110.dat	family_berbew
behavioral2/files/0x0007000000023447-124.dat	family_berbew
behavioral2/files/0x000700000002344b-138.dat	family_berbew
behavioral2/files/0x000700000002344f-152.dat	family_berbew
behavioral2/files/0x0007000000023465-229.dat	family_berbew
behavioral2/files/0x0007000000023463-222.dat	family_berbew
behavioral2/files/0x0007000000023461-215.dat	family_berbew
behavioral2/files/0x000700000002345f-208.dat	family_berbew
behavioral2/files/0x000700000002345d-201.dat	family_berbew
behavioral2/files/0x000700000002345b-194.dat	family_berbew
behavioral2/files/0x0007000000023459-187.dat	family_berbew
behavioral2/files/0x0007000000023457-180.dat	family_berbew
behavioral2/files/0x0007000000023455-173.dat	family_berbew
behavioral2/files/0x0007000000023453-166.dat	family_berbew
behavioral2/files/0x0007000000023451-159.dat	family_berbew
behavioral2/files/0x000700000002344d-145.dat	family_berbew
behavioral2/files/0x0007000000023449-131.dat	family_berbew
behavioral2/files/0x0007000000023445-117.dat	family_berbew
behavioral2/files/0x0007000000023441-103.dat	family_berbew
behavioral2/files/0x000700000002343d-89.dat	family_berbew
behavioral2/files/0x0007000000023435-61.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
748	Kmjqmi32.exe
400	Kipabjil.exe
3052	Kagichjo.exe
3448	Kdffocib.exe
3780	Kgdbkohf.exe
1892	Kibnhjgj.exe
4580	Kajfig32.exe
4088	Kpmfddnf.exe
2776	Kckbqpnj.exe
2908	Kgfoan32.exe
2632	Liekmj32.exe
392	Lmqgnhmp.exe
816	Lpocjdld.exe
3716	Ldkojb32.exe
4156	Lgikfn32.exe
4488	Liggbi32.exe
4880	Laopdgcg.exe
8	Lpappc32.exe
4212	Lcpllo32.exe
1712	Lgkhlnbn.exe
2072	Lijdhiaa.exe
3892	Lnepih32.exe
4436	Laalifad.exe
1400	Lcbiao32.exe
3220	Lkiqbl32.exe
3832	Lilanioo.exe
1652	Laciofpa.exe
3408	Ldaeka32.exe
1944	Lgpagm32.exe
1968	Ljnnch32.exe
3516	Lnjjdgee.exe
4876	Laefdf32.exe
4656	Lphfpbdi.exe
3424	Lcgblncm.exe
2016	Lgbnmm32.exe
4216	Lknjmkdo.exe
2288	Mnlfigcc.exe
396	Mahbje32.exe
4396	Mpkbebbf.exe
4864	Mdfofakp.exe
640	Mgekbljc.exe
1404	Mkpgck32.exe
4992	Mnocof32.exe
1096	Majopeii.exe
4928	Mpmokb32.exe
4084	Mcklgm32.exe
1708	Mgghhlhq.exe
3064	Mkbchk32.exe
4728	Mjeddggd.exe
4460	Mamleegg.exe
1556	Mpolqa32.exe
3928	Mdkhapfj.exe
1076	Mgidml32.exe
2640	Mkepnjng.exe
4996	Mjhqjg32.exe
1688	Maohkd32.exe
3452	Mpaifalo.exe
3528	Mcpebmkb.exe
4352	Mglack32.exe
2720	Mnfipekh.exe
4160	Maaepd32.exe
4492	Mdpalp32.exe
2868	Mcbahlip.exe
464	Nkjjij32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	ba0398f03ef11985cd2605e6e3d22080_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2904	1996	WerFault.exe	160

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ba0398f03ef11985cd2605e6e3d22080_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 748	1620	ba0398f03ef11985cd2605e6e3d22080_NeikiAnalytics.exe	83
PID 1620 wrote to memory of 748	1620	ba0398f03ef11985cd2605e6e3d22080_NeikiAnalytics.exe	83
PID 1620 wrote to memory of 748	1620	ba0398f03ef11985cd2605e6e3d22080_NeikiAnalytics.exe	83
PID 748 wrote to memory of 400	748	Kmjqmi32.exe	84
PID 748 wrote to memory of 400	748	Kmjqmi32.exe	84
PID 748 wrote to memory of 400	748	Kmjqmi32.exe	84
PID 400 wrote to memory of 3052	400	Kipabjil.exe	85
PID 400 wrote to memory of 3052	400	Kipabjil.exe	85
PID 400 wrote to memory of 3052	400	Kipabjil.exe	85
PID 3052 wrote to memory of 3448	3052	Kagichjo.exe	86
PID 3052 wrote to memory of 3448	3052	Kagichjo.exe	86
PID 3052 wrote to memory of 3448	3052	Kagichjo.exe	86
PID 3448 wrote to memory of 3780	3448	Kdffocib.exe	87
PID 3448 wrote to memory of 3780	3448	Kdffocib.exe	87
PID 3448 wrote to memory of 3780	3448	Kdffocib.exe	87
PID 3780 wrote to memory of 1892	3780	Kgdbkohf.exe	88
PID 3780 wrote to memory of 1892	3780	Kgdbkohf.exe	88
PID 3780 wrote to memory of 1892	3780	Kgdbkohf.exe	88
PID 1892 wrote to memory of 4580	1892	Kibnhjgj.exe	89
PID 1892 wrote to memory of 4580	1892	Kibnhjgj.exe	89
PID 1892 wrote to memory of 4580	1892	Kibnhjgj.exe	89
PID 4580 wrote to memory of 4088	4580	Kajfig32.exe	90
PID 4580 wrote to memory of 4088	4580	Kajfig32.exe	90
PID 4580 wrote to memory of 4088	4580	Kajfig32.exe	90
PID 4088 wrote to memory of 2776	4088	Kpmfddnf.exe	91
PID 4088 wrote to memory of 2776	4088	Kpmfddnf.exe	91
PID 4088 wrote to memory of 2776	4088	Kpmfddnf.exe	91
PID 2776 wrote to memory of 2908	2776	Kckbqpnj.exe	92
PID 2776 wrote to memory of 2908	2776	Kckbqpnj.exe	92
PID 2776 wrote to memory of 2908	2776	Kckbqpnj.exe	92
PID 2908 wrote to memory of 2632	2908	Kgfoan32.exe	93
PID 2908 wrote to memory of 2632	2908	Kgfoan32.exe	93
PID 2908 wrote to memory of 2632	2908	Kgfoan32.exe	93
PID 2632 wrote to memory of 392	2632	Liekmj32.exe	94
PID 2632 wrote to memory of 392	2632	Liekmj32.exe	94
PID 2632 wrote to memory of 392	2632	Liekmj32.exe	94
PID 392 wrote to memory of 816	392	Lmqgnhmp.exe	95
PID 392 wrote to memory of 816	392	Lmqgnhmp.exe	95
PID 392 wrote to memory of 816	392	Lmqgnhmp.exe	95
PID 816 wrote to memory of 3716	816	Lpocjdld.exe	96
PID 816 wrote to memory of 3716	816	Lpocjdld.exe	96
PID 816 wrote to memory of 3716	816	Lpocjdld.exe	96
PID 3716 wrote to memory of 4156	3716	Ldkojb32.exe	97
PID 3716 wrote to memory of 4156	3716	Ldkojb32.exe	97
PID 3716 wrote to memory of 4156	3716	Ldkojb32.exe	97
PID 4156 wrote to memory of 4488	4156	Lgikfn32.exe	98
PID 4156 wrote to memory of 4488	4156	Lgikfn32.exe	98
PID 4156 wrote to memory of 4488	4156	Lgikfn32.exe	98
PID 4488 wrote to memory of 4880	4488	Liggbi32.exe	99
PID 4488 wrote to memory of 4880	4488	Liggbi32.exe	99
PID 4488 wrote to memory of 4880	4488	Liggbi32.exe	99
PID 4880 wrote to memory of 8	4880	Laopdgcg.exe	100
PID 4880 wrote to memory of 8	4880	Laopdgcg.exe	100
PID 4880 wrote to memory of 8	4880	Laopdgcg.exe	100
PID 8 wrote to memory of 4212	8	Lpappc32.exe	101
PID 8 wrote to memory of 4212	8	Lpappc32.exe	101
PID 8 wrote to memory of 4212	8	Lpappc32.exe	101
PID 4212 wrote to memory of 1712	4212	Lcpllo32.exe	102
PID 4212 wrote to memory of 1712	4212	Lcpllo32.exe	102
PID 4212 wrote to memory of 1712	4212	Lcpllo32.exe	102
PID 1712 wrote to memory of 2072	1712	Lgkhlnbn.exe	103
PID 1712 wrote to memory of 2072	1712	Lgkhlnbn.exe	103
PID 1712 wrote to memory of 2072	1712	Lgkhlnbn.exe	103
PID 2072 wrote to memory of 3892	2072	Lijdhiaa.exe	104

C:\Users\Admin\AppData\Local\Temp\ba0398f03ef11985cd2605e6e3d22080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ba0398f03ef11985cd2605e6e3d22080_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\Kmjqmi32.exe
  C:\Windows\system32\Kmjqmi32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\Kipabjil.exe
    C:\Windows\system32\Kipabjil.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\Kagichjo.exe
      C:\Windows\system32\Kagichjo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        23⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        31⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        39⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        49⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        53⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        54⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1380
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        71⤵
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        75⤵
        
        PID:780
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        76⤵
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        79⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 412
        80⤵
        Program crash
        
        PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fogjfmfe.dll

Filesize
7KB

MD5
a3c5dea3a72288e41edf105cc445ffe5

SHA1
ac6bf943dc221569fb6fbd7b19aa4592647168bf

SHA256
a9a295ebf28a69ee280bcdfcbf29ac2f4392621e4b8f06fbc9f0205c289e5a7e

SHA512
be6aac54cda1f24cd3abdf1a3d0718eaf77f8f987c440704f67492765d7c0a191115a3b9941395eefa079b36ca238802c99d6dd1b1dca163b3f1bdf8fa5b1ee3

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
362KB

MD5
3a51eb1ebb910e53fe0b8ba6959fe978

SHA1
a35d07e861c341ea7bfdc24fa984941e719667f0

SHA256
1a58440366096dac7eb209ac754f831f3d8420f665fca5c4164f0bf2b9556554

SHA512
697424f826a14b68c1e2065fdc59c3fbd37103a6ba4c13fc722887a1fde81fd0c947b1bc969279409d79c235c7e6c9fd8dcabb986b32bdd664b989b34238c521

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
362KB

MD5
54420d8c7dfbfce6a0a52b4e88cebc11

SHA1
390934e601b327f48e82a161f62d487542d7f713

SHA256
e80cbbab30fb4fb309b13ee932075c96b3960f50758e828570228a90b8e02e3b

SHA512
03e76605d7637423931416ddb6e395bee9bba115b6e884bf2319e522b3415f5d63cc68aaf72308b89c76fc7f8fe8930fc6a345e153debe6e60aa5a786a20d603

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
362KB

MD5
57d34b5d6be0ccadec771bae725bf9bf

SHA1
73c1d2924e19f8ace6e13099f473ab358d0dd772

SHA256
da72a16b93923884a3cdf3567325435779093e555cbbc9eebd199461c3635cc1

SHA512
b2ae4d747b06fe3ba24c53ba3baf7ff32c0e89176b3e13d371d2b8b3396c687b79d3591d859d36e9050c886b8bd328b5529ec1871e0bc6a958e61aad3e96d838

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
362KB

MD5
bbb83772783735a66cdcba397397c05c

SHA1
69f99d2198d32dad5734e8d7f1f61d0d4e21c76e

SHA256
a12b5758719c09511cd9ad8700e49cc7d71a876c155881bf48dc3252aea68bdd

SHA512
2b788194f42fb68deb61d6dc0b66315057087b9e04e99daeabaabb81c388573520b3c27a8860b3f85a5bed8c1e7244539e4897a3d429eec12f3e9a9659afcae7

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
362KB

MD5
37494dbf4f09256dda7d5ad20803f99b

SHA1
a6bdbd8224f9694a01bc39766ccc4142ba9ebf90

SHA256
5439e581a3dffa3375777ed1663aa1eff95cd851b3bdbaf955162be746a12da8

SHA512
5ca06bb5313988efcf77ebaf7ba3bf5d230dd525c8e4e6d8997a562d8dce61bd7fd56d3d5f20c9ee696362722233801ea0b750b0ab7a7e62f701f0736c0c4a68

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
362KB

MD5
eb9794c5d21f2fc7ba177e88b80c4e94

SHA1
7b0fc1405339e1746511bfd501f0c4eae89a4b09

SHA256
c3dbc7a0250f9c9064b80c05bbf2573c2e308adc4399fded2660c6c06942d669

SHA512
6a15b8983b6262e06d2cf062ce9cd7ad16e9a6f204fa580af3f9484b88e01b6a55c20a840bb91ac1bd1d02d513caf2669eab571536058579ca371fe62a5cdd3f

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
362KB

MD5
b8029377a12bf0eaea3ca23312f37b50

SHA1
1b915a696c352d40dcf4717498fd4fe2250f5409

SHA256
baa4ddaac1ff0d924716590d1ae0d28a3fe6d1c76175cb2190b985b8c2909b5b

SHA512
3e036c468e723334b17207eba4f279a10ed7f1c75529c8fbf82c3968d843ccfd47bbd2275bf67c17a38c62661f0a9ff96087736281e08a89a980aa9988201392

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
362KB

MD5
28632f011a68168feeca1853864db429

SHA1
b56d33aae79e320553ea5b71ef5bcc3482d79978

SHA256
149f5fc63a9f97e16490a4acbf79d4e9d82bcfe477b5b3071418eefb533824dd

SHA512
28f53db90ba26977fbfa4a49fbd33666a2e1df90c5476fef76f69a3d1f6a139266b86337435a540507f040a0a26b03d643287858a6eb609a2ddc014a52c0d49a

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
362KB

MD5
b07e82ca3405976d05d567a52c1a17bf

SHA1
3b293f5c7a26253a0f6ab813353c7dbac778f747

SHA256
dee91e90d4a3aed358fec155d2ca9cae138d2debe80c7ec7765dcafda5536cb9

SHA512
3763a7eb68adbeacd3fc5da51b405707df7ab7e2758b864e32f5ed024900d5070bdcab41ce7a1180287292c9498e47d6726cd88b161bb6d98500686228dd684a

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
362KB

MD5
0786e055d4863342422b66fef3b21b75

SHA1
959a9e42e7d90015b74832c817f8d6644f930bcf

SHA256
755ef4a591c9e2cc0e18d47f739dd84371b94a4e52db4d655a7df056d1e87e61

SHA512
ee6f27180c06b5ab5641cfb0bdcb46a93b2f6a4ada33ffaaf5b3dc914d48d1037c6783365db7a018c5fe36ad304c2dcd7b9a8cd4d4e1279673aced864b519972

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
362KB

MD5
cfbc52c61236683c12dba1accdf537d5

SHA1
145a8491677cfdcbc7e3e5ab86ad40e9f1ddad8b

SHA256
fb875a97e3b4090d5aeb299abacff28ea8ef8e24bd10654763aa360139fab1b8

SHA512
6a3948843f4c0c7e8c2a5314f27854a4d3c976709f855c69b0cf3298a8c73c88b63627b3d8d7a2a384c9ac9eadf57ac1fe2eb5955679db7e9d0087050f80fa0b

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
362KB

MD5
049ec91f8b3b3d53370c654863c54e10

SHA1
762e76aa9dfbcc3b88abda7660e4fefb4d1f8625

SHA256
f71832af6d405422f788de7174708ead10dfeb7d44b92a157c409db74f31697d

SHA512
c0e2805724034383464f7d7c8417019505cd9bd46da67f2d7103b2e1d77579cd214aa79c96f3824ea16d7e9359ab504152c3f3630acf4d72873a64a03900ddbb

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
362KB

MD5
008f5df1f59b4b2f125d646d0bb2d4ac

SHA1
935644f362a49ab3a9dfcda537de47dc99009842

SHA256
7667402313832acebfe3aa61958125540c9bb2f9fdbb322c35412e4d776aebec

SHA512
db137f0495bba6cca51d3c7b0f78c604cf66a3fc5b6fa4cde0ed6d43d2997c6ef42523dd6e591dff45e088073bfcc6379f086b67935503fd9f25bbaeea159932

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
362KB

MD5
2254305c8639180c1501a5d8b5914bbf

SHA1
dace8627527c6ec7381715ba9bc3df1473930435

SHA256
aef183fdcd8523baf5cace84d484d48ecf9e125e80086b33f13382cfa048cae7

SHA512
82c83ed11b119e9ed92860c99c1e98cd16a20ef64d1001cf3af9d8d8bb4ec6721c35e4e492f787669b82d4de5d6b34965ac0e6b8c422eb2082b80ddc51f7d2aa

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
362KB

MD5
3f54f5e6ac49d790090d94dc88e54057

SHA1
5f0515c5d89b30c8b60e37c3ef3b79490e49fc34

SHA256
56c36e4a8e7bce4f7c1165767d5c53eb0e7c63f061916e07fbb8db8e4d0cf87d

SHA512
75f2b5a2524412b1fc5e13ec9771185d0a1f527d6bd343df1ae5fd666cd1d786aee8732e062e83e3359c54b2e1701d8eadecc88b718b6e65ae3894d82664b5fb

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
362KB

MD5
1afcdb7e9f7346fe8496adb79c0a2795

SHA1
7aa78adfa180c783f1279f4b99227bb3a217e498

SHA256
18661fdd659fdcdf0b80e9359fb980404a069509dd434c916f42d6d5aa78b22c

SHA512
0b6588e98d0289230904941a3ad97b14fe1a784434eeb71aa787f24808b326ad333d1b3b5bc5395d33cd9a446ef39e9830689ea03174d83bf6ab07cbb8f17271

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
362KB

MD5
8aa075dcb59ce352139decb6f16ec545

SHA1
4f1c8c4476355eb6865f239c8047258a187a56d5

SHA256
f346df514211f2c2595b824f7d3d90e8f540c4c74b054ddb051700ecae112adb

SHA512
1e50218d311f02cdaaad7dc8e0fb88245645d0c3c752c58600b6e79b4fdbe3fe53a9f6ea165e1bddc0465101589b1d1b1af39c1a3fe059d02d1ac7ea9c9e9f4e

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
362KB

MD5
7c7b038c3d6913988bea77f1bdb55026

SHA1
7a0d5f9ab4bb8102557d9d80634f8990835d5f7e

SHA256
b761ccb0d915a7743d46a70d00d3b5948b53de53b972a426b148983168e95bd2

SHA512
c964d183c4af7c2608be51608a50673e83a534b178a9d8c8656c64348b7769f30fad32cdcd4c981ee8311f5912c54772defd7ecad8c8f7a1469e1aaca2bd9322

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
362KB

MD5
3b6cec3621dc209d5c07445c5ab2bfbb

SHA1
754ad6e82f4c0d403d421fe4df69b3a72bec8c8c

SHA256
cd9858326293003faa7bc6b2bccd94a38662c38013e5db013c2fed2dab7d9db7

SHA512
a5360dcebfed550623711eda287caf68b533c7403ab303e3c03650cfa917b0c3b0b1a4c484f14a5a96c1a42c402f84e9519fa7195d52d7159260fb19a83942fe

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
362KB

MD5
39e772b5dcb4040fca9724f18a3bedf3

SHA1
4c031ae99326de70d27bd766fba19d3c19e3b60d

SHA256
2e389e8a3bff8f4cd22cceb832f70cbbc2d96cd29b0dd5b4ad79789fd3b77054

SHA512
4cf2c0ab0d7c692be6337b95afa6d92bb67157224fa936331706e9160c4b91eb3b14334d0ebd756a28782b0c9806920d5e5379a92d91b2c820c69495b776167c

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
362KB

MD5
62bdb68ccce06fc834c7259c076ed689

SHA1
329dedc899172e9d649860e9fbe822534d04d16d

SHA256
87ce7783b25cb26153b27ee6c81c02ee4b984dfb9108a79f45e83f70dab6adfb

SHA512
43e060c12d386bd251b0b9601c685c4de1f9eaff05f969ef1062e05d8508bc14c4273abfbdb9866c5362175dee7aa177ce079e666bfc4b9dc19c9a2b3d2294d4

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
362KB

MD5
c1c42a98399f950eddb69ff3d4d57e01

SHA1
aa043292dfccace9a71d63573e430ef2e655f48f

SHA256
73a0dbc9de7a5613f2277dcb6973acc3691f6e7533925c9531ac9aacbcbac537

SHA512
a8d479e23c2b58c9e2d35598721f7d6ff8a7452ad087dbb26830d9f5183cf177755106ee36ce5ea82b34b35b762468db526f4cfb98b54786e5664a9e6a017a89

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
362KB

MD5
fc257f27400336f78d05f20e2d66510a

SHA1
aac170d91949587fcbf2340dfe0894d309d1348f

SHA256
d95bb78101182e21d266399d2c93cb2dc31a104ba6b4dc546a85339f9ca0e890

SHA512
d60185dc5cf59896bdd96e28b30d4e6d7101f6b3b4f41d16d0dadd4f63cb02d8accf90b2368331fa42d932a01f7b87c045d3d985c2e4e93f4f1a2156f3ae6cc1

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
362KB

MD5
b05b21c6af068b386241f56579e1e0a7

SHA1
0d51911a3608fba62b6a8dc295514afdeaac4727

SHA256
b006c5f4e0b0978e1b66c8be91554236ad56cfaddbb3a81636c338b6b4681832

SHA512
00ed6e9ef95c8f4569a1e1554c60b10122984a81e87c22dfa529b31ade73ebcb3a9a9a51817e60d076a91f8da3de616ee8125aeb7a4ce40138af4b365277be8c

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
362KB

MD5
2edfac745296a1d53435a35ec6c566ed

SHA1
6ef07daa8fb2b0bed9507d87460055e25b2d9927

SHA256
54f3f999dab056b84e4e859edad5577966aef1711b67fe10d70c3aa4cd6439c9

SHA512
d99ee26c65f5f72bb2878faf9752965434b5f7938aff35bad2ddbdbace0a51a2ca2525998eb50e770b31de403ca1851cf2a611e7488252cf2a828cd2df612b41

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
362KB

MD5
6cb1c9a5dd1abb6f01c6ad81a7902b4d

SHA1
cbaebe46fbd4013b079892c84e4ac1d9a21b391f

SHA256
ac6b5f15d103a7a1538222da7c4d1021d464da8229d35f744129c55f6c4c56a8

SHA512
1f853aa4447a542c12a4c6046212c2bcffc2fd4fb278ea8696c6828bd54aa719d9af4a0d3ab8d757d72d20e60c1ea2b460e77a779d7b17c1a7ea8bfd112b0e91

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
362KB

MD5
94fe2122ac7ce209925006872d8a6788

SHA1
13f44c23be87ed4639f2d28f02f24ef0b9775b6a

SHA256
030eec1fa41e8aba60056112c0bf241bc6bc0f15933e82c3c510fda9a40ab8b0

SHA512
8df3884ad8444aafbf04ada76b3af23ceb2fa0b9f8d51677bf52c64733ac9fc73b0f20d65ed4ce66109f9f250537e0e306e3a04dd77ffbab8255057e2132982b

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
362KB

MD5
16777f635b432689f448d6fc2ff155d3

SHA1
9baa9149498626e35b06322a91fc2c420cd4da61

SHA256
bc7e147bf844e0a7765bfa528f3950af2aec459a9cacb66ad1ca05ba79761378

SHA512
80eec614a098ea10ae6cbfba9b2269ce46d1323dbd28b2ada2085dce84e0ad64bfcf7d3d4034c1f8cbb8e157fe13d0fa404b8a34d9a8a519361cd832119479e0

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
362KB

MD5
15968502c443df62d2a17fc37a7576d8

SHA1
92f4221a211416a337cd695e90b2c37f81a1280c

SHA256
31f103001d42ffca980e094dc69a33cdd95fc827724359e77a403baca0335aaa

SHA512
8d8475bb15dccb6bdefd0390584c99dd87a65d8e1d28371bb20524cde650aac0798f7a63cfb09e2085a595313c5862ff170d9f519a269b4d0e5757386f7a3f43

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
362KB

MD5
e8d2c52afa889258a96ffcb4084f9300

SHA1
eb0844c79a84f82dc4f51160688dfb3e12c595d8

SHA256
4c6f9d027f946d1e68d18ec77f52f94c57882ff81ca77109f58c4fbbc3a172a4

SHA512
68a861d59a72afc6b3cdb200164cc64a70064e37fedaebc540266949da5b18c8a459d95c31d240f16bc2ff49f076913ee9e1ab6c1dd3d050ea11ada606ec50b6

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
362KB

MD5
6b0d6921a828a6f7596649cdf7015785

SHA1
895e89498068ee7a686a8920adaca87129c15a2a

SHA256
fde24d212f29aff770dd922270fa0c66d2923f6a9f87344c67261a01885c59de

SHA512
01a2fc411e2aee8a5df24e7fb60dcaa57114071d7235c4b70d9fdc94d152046f5d916ca01c6310c22fbfa4d4a27984b553fe1f2ef60409b769bf9315bc8e18d0

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
362KB

MD5
5add8d32bd2a940de1d8bdaa09ff7f3d

SHA1
39b6600c2e390ac7eee9c6ca103d443871a668ea

SHA256
5b2f8a3c5e1686ed943f79ef43aadc8eee8b923b75dfbdcb0a16c20f1c48414f

SHA512
29c597695ed53d7e910ab69932c28cb24df005517e75d95c3c99886667831c965ac47c0e0eb4673a3f19afbf75e507ba018894749c0df041bd082e637b3885c4

Download Submit
memory/8-427-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/392-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/396-492-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/400-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-518-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/640-495-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/780-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/816-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-522-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-507-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1096-498-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1380-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1404-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-529-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1532-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-505-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-534-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-510-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-501-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-524-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-438-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1968-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-519-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-530-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-489-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2072-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2632-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-517-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-523-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3216-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3408-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3424-488-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3452-511-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-485-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-512-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3716-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3780-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3832-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-506-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-500-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4088-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4156-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4160-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4212-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4352-513-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-493-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-504-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-516-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-525-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-531-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4656-487-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-494-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-486-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-528-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4928-499-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads