36628100a380e483e11d0cdf67fe4270d1304cf37a87618594fce72a87b0bbba

Analysis

max time kernel
142s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 14:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e211ff10a72cd458be6e9fd12856aaa0_NeikiAnalytics.exe
Size

55KB
MD5

e211ff10a72cd458be6e9fd12856aaa0
SHA1

23851d807446e34eddde3f85fdf591ce1b326c8f
SHA256

36628100a380e483e11d0cdf67fe4270d1304cf37a87618594fce72a87b0bbba
SHA512

425a797dab88cb15427ed63ed415f906b283a42d5ffa6b983006fb502f19eacb26b010545c52987150601d7ff62a528cd8555e5db83ebd7e45d7c116dc9efa70
SSDEEP

768:cpPlNCEQsW9FMJ5Vp/IsC0joOntJtV/uWFZTuhXxd/LhU0+RQhTZJfJZ/1H59Xdh:cCEQDbuValWoOtJj/uWbitXzhx51t

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e211ff10a72cd458be6e9fd12856aaa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e211ff10a72cd458be6e9fd12856aaa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe

Executes dropped EXE 64 IoCs

pid	Process
4200	Jbmfoa32.exe
404	Jkdnpo32.exe
3296	Jmbklj32.exe
4208	Jbocea32.exe
1680	Jiikak32.exe
2484	Kmegbjgn.exe
1132	Kbapjafe.exe
2404	Kkihknfg.exe
1272	Kacphh32.exe
440	Kdaldd32.exe
3524	Kkkdan32.exe
3132	Kaemnhla.exe
2080	Kbfiep32.exe
4888	Kipabjil.exe
3212	Kagichjo.exe
4708	Kdffocib.exe
4724	Kkpnlm32.exe
2536	Kajfig32.exe
3568	Kdhbec32.exe
4532	Kkbkamnl.exe
4996	Lmqgnhmp.exe
4156	Ldkojb32.exe
2588	Lkdggmlj.exe
1844	Lmccchkn.exe
1988	Ldmlpbbj.exe
332	Lgkhlnbn.exe
1180	Lnepih32.exe
3048	Ldohebqh.exe
2272	Lilanioo.exe
3408	Laciofpa.exe
4596	Lcdegnep.exe
1832	Ljnnch32.exe
752	Lnjjdgee.exe
2344	Lphfpbdi.exe
4704	Lcgblncm.exe
3572	Mjqjih32.exe
4448	Mahbje32.exe
1028	Mdfofakp.exe
2208	Mciobn32.exe
4676	Mkpgck32.exe
2296	Mnocof32.exe
2168	Mpmokb32.exe
220	Mcklgm32.exe
972	Mkbchk32.exe
4736	Mnapdf32.exe
3668	Mpolqa32.exe
2248	Mgidml32.exe
4880	Mjhqjg32.exe
1768	Mpaifalo.exe
116	Mcpebmkb.exe
3764	Mkgmcjld.exe
512	Maaepd32.exe
5000	Mcbahlip.exe
1748	Njljefql.exe
3628	Nacbfdao.exe
5072	Ndbnboqb.exe
4512	Nceonl32.exe
2956	Nklfoi32.exe
4036	Nnjbke32.exe
1764	Nqiogp32.exe
1340	Ngcgcjnc.exe
2104	Nkncdifl.exe
4552	Nnmopdep.exe
1392	Ncihikcg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1428	3552	WerFault.exe	153

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4200	4524	e211ff10a72cd458be6e9fd12856aaa0_NeikiAnalytics.exe	83
PID 4524 wrote to memory of 4200	4524	e211ff10a72cd458be6e9fd12856aaa0_NeikiAnalytics.exe	83
PID 4524 wrote to memory of 4200	4524	e211ff10a72cd458be6e9fd12856aaa0_NeikiAnalytics.exe	83
PID 4200 wrote to memory of 404	4200	Jbmfoa32.exe	84
PID 4200 wrote to memory of 404	4200	Jbmfoa32.exe	84
PID 4200 wrote to memory of 404	4200	Jbmfoa32.exe	84
PID 404 wrote to memory of 3296	404	Jkdnpo32.exe	85
PID 404 wrote to memory of 3296	404	Jkdnpo32.exe	85
PID 404 wrote to memory of 3296	404	Jkdnpo32.exe	85
PID 3296 wrote to memory of 4208	3296	Jmbklj32.exe	86
PID 3296 wrote to memory of 4208	3296	Jmbklj32.exe	86
PID 3296 wrote to memory of 4208	3296	Jmbklj32.exe	86
PID 4208 wrote to memory of 1680	4208	Jbocea32.exe	87
PID 4208 wrote to memory of 1680	4208	Jbocea32.exe	87
PID 4208 wrote to memory of 1680	4208	Jbocea32.exe	87
PID 1680 wrote to memory of 2484	1680	Jiikak32.exe	88
PID 1680 wrote to memory of 2484	1680	Jiikak32.exe	88
PID 1680 wrote to memory of 2484	1680	Jiikak32.exe	88
PID 2484 wrote to memory of 1132	2484	Kmegbjgn.exe	89
PID 2484 wrote to memory of 1132	2484	Kmegbjgn.exe	89
PID 2484 wrote to memory of 1132	2484	Kmegbjgn.exe	89
PID 1132 wrote to memory of 2404	1132	Kbapjafe.exe	90
PID 1132 wrote to memory of 2404	1132	Kbapjafe.exe	90
PID 1132 wrote to memory of 2404	1132	Kbapjafe.exe	90
PID 2404 wrote to memory of 1272	2404	Kkihknfg.exe	91
PID 2404 wrote to memory of 1272	2404	Kkihknfg.exe	91
PID 2404 wrote to memory of 1272	2404	Kkihknfg.exe	91
PID 1272 wrote to memory of 440	1272	Kacphh32.exe	92
PID 1272 wrote to memory of 440	1272	Kacphh32.exe	92
PID 1272 wrote to memory of 440	1272	Kacphh32.exe	92
PID 440 wrote to memory of 3524	440	Kdaldd32.exe	93
PID 440 wrote to memory of 3524	440	Kdaldd32.exe	93
PID 440 wrote to memory of 3524	440	Kdaldd32.exe	93
PID 3524 wrote to memory of 3132	3524	Kkkdan32.exe	94
PID 3524 wrote to memory of 3132	3524	Kkkdan32.exe	94
PID 3524 wrote to memory of 3132	3524	Kkkdan32.exe	94
PID 3132 wrote to memory of 2080	3132	Kaemnhla.exe	95
PID 3132 wrote to memory of 2080	3132	Kaemnhla.exe	95
PID 3132 wrote to memory of 2080	3132	Kaemnhla.exe	95
PID 2080 wrote to memory of 4888	2080	Kbfiep32.exe	96
PID 2080 wrote to memory of 4888	2080	Kbfiep32.exe	96
PID 2080 wrote to memory of 4888	2080	Kbfiep32.exe	96
PID 4888 wrote to memory of 3212	4888	Kipabjil.exe	97
PID 4888 wrote to memory of 3212	4888	Kipabjil.exe	97
PID 4888 wrote to memory of 3212	4888	Kipabjil.exe	97
PID 3212 wrote to memory of 4708	3212	Kagichjo.exe	98
PID 3212 wrote to memory of 4708	3212	Kagichjo.exe	98
PID 3212 wrote to memory of 4708	3212	Kagichjo.exe	98
PID 4708 wrote to memory of 4724	4708	Kdffocib.exe	99
PID 4708 wrote to memory of 4724	4708	Kdffocib.exe	99
PID 4708 wrote to memory of 4724	4708	Kdffocib.exe	99
PID 4724 wrote to memory of 2536	4724	Kkpnlm32.exe	100
PID 4724 wrote to memory of 2536	4724	Kkpnlm32.exe	100
PID 4724 wrote to memory of 2536	4724	Kkpnlm32.exe	100
PID 2536 wrote to memory of 3568	2536	Kajfig32.exe	101
PID 2536 wrote to memory of 3568	2536	Kajfig32.exe	101
PID 2536 wrote to memory of 3568	2536	Kajfig32.exe	101
PID 3568 wrote to memory of 4532	3568	Kdhbec32.exe	102
PID 3568 wrote to memory of 4532	3568	Kdhbec32.exe	102
PID 3568 wrote to memory of 4532	3568	Kdhbec32.exe	102
PID 4532 wrote to memory of 4996	4532	Kkbkamnl.exe	103
PID 4532 wrote to memory of 4996	4532	Kkbkamnl.exe	103
PID 4532 wrote to memory of 4996	4532	Kkbkamnl.exe	103
PID 4996 wrote to memory of 4156	4996	Lmqgnhmp.exe	104

C:\Users\Admin\AppData\Local\Temp\e211ff10a72cd458be6e9fd12856aaa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e211ff10a72cd458be6e9fd12856aaa0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\SysWOW64\Jbmfoa32.exe
  C:\Windows\system32\Jbmfoa32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\Jkdnpo32.exe
    C:\Windows\system32\Jkdnpo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\SysWOW64\Jmbklj32.exe
      C:\Windows\system32\Jmbklj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4208
      - C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        69⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 408
        70⤵
        Program crash
        
        PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3552 -ip 3552
1⤵
PID:5016

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
55KB

MD5
3fb93553855f4a6d26abdac82a2bbf1b

SHA1
6719bdee6164106fa4a81aa2aa1ee1efe8f125db

SHA256
9c45f14ea8e74cd429fca5d2ce1e5fdc81fb75bc49211a6468accee26f667bfd

SHA512
a93ff02365cac237cafe80fdf061a6fcd2e5e152191c9c36bbabdb551bed16647a2a76391656249beda92fcfd7726ecf91b2e50aaf6863efc2333bedf0635f6e

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
55KB

MD5
05cba8f526dc54f5d9f1a8b4b8babddb

SHA1
95a2dfc4fb16d42406261b1d3c3a1246adec793e

SHA256
ba1b989936d5ca9e129f0ddf27e093d409064bf7c32dc86f079c7ed80cfb211f

SHA512
dd34278903efcba2f6244d92c3c0bb76869261ffe54f5f8966b18c5274313a183cd9d57f572bfae96fe9f644753ad172a78e551bc54dcd90eff4ec0c6d7dee80

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
55KB

MD5
a1039cc0fab4dc94dbd860367852b4ac

SHA1
4e6eb648e212f41274c3cbbba166a69fbcba7ad3

SHA256
4eb2c1f8e8b925260a53d246edcfe9989ddc3d96ee20de4ff8b206191bb2b8b9

SHA512
5390a4290c4b6b3b43ef87c5f2e9a4a77da5a528e81aaedc8dc75bdb2c6610f6efad61d7025219503074f3ecf8ea110dcbe50d2801b9e42538160623cce57f0e

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
55KB

MD5
905c29b651c6ffb4f57c59382edbf748

SHA1
5847470222bbc15651c85501837621c20219ebfd

SHA256
cde77e3c166679141b3407f33d7b94cdcfad44fdd825ea1d950a1b61da379ea8

SHA512
14b1c34fa4420d3ae12c36c4e60d0fb02da5342e2901feaf9ba0f5c66eae4dca4b91b38e4577a62bf20d5c3729eaa2870a462c107c9c263c9fffa672473d39b5

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
55KB

MD5
ea1a10d24dd581461f5de648096b51a2

SHA1
cd3c7c2a3dfd2e7c38b2f129ab29fb2621f1545c

SHA256
f31cb2ed334237612eb84b476fd983f4c5cf1f2bc546078031a093bde03f2b65

SHA512
226fc0246a334d9382d9863ece2a07ce8f5ecfeda20491be713bf59b2cdd998cc771535ba874b76d7f4939a8b3d4c02cbc935870e2da59eab8c74476c5833ead

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
55KB

MD5
85b325315773c8d7fa0a323eb7447588

SHA1
08e6692ebe39aa06c310fc76d47c0ce84f67b06f

SHA256
b39abfc09ddf6b35f3861c3aae05f906fa400aa1754e0a65ab4c92585f5306ed

SHA512
f9aa6d0b161e4dd8133f0196a898dd40f8e76c8a02625b4c9893fecc46a357217ee35e2d3851fa8625a67a4b4ce9d12cef367a019f307a832ff22167ca9a2da2

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
55KB

MD5
79c44dc0bae76a89642749a9734dc507

SHA1
62325d91d394f80260721ce15e2cc16225756f90

SHA256
f20ffa2e33a7d4f77c073b7a09f9e54eb8ef8da8310b2e6ed41412410016190f

SHA512
ffc0839da33ccbe4aca9e6a3080f811157e25daf52795de60f825865f23f904c874807995fe098c63d9e475dd311ccb41ef68e4f07ab4da566f3199bf7e4b689

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
55KB

MD5
05ec1c4236e59d7828b1c82895dc63d2

SHA1
d912b94906227ef9f4d20e93f6e761ea80832670

SHA256
f6e390f9bb3e82ba5b1df79acad64c4aebb07b46ee58b5d9e31518ee5856b2dc

SHA512
59f8492ac4d3d3399bbe011939367c08659d02bc80bb9add1e012fd5125c16ccdc9256eb93654e5cee7c85ebf9a5da6ba07156f6a12fd89eca9c2b461619ea58

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
55KB

MD5
57f8ddda58ca82a7dca37f95c00cd1b2

SHA1
730368ed9ff2cf10f518be849f954b2baa7d40a7

SHA256
9e23de216ee7d79080275086ebce5fd5b658572c57082b2ee1b27a36f8e7e9b4

SHA512
86568a1699f0f515ae0c6b0ab52027656766e209cc3655b84309411a02c7ffecbe3cb7be28b8c1e0d6c09e8d4a4a869ab848a13b889b095f0f3b463cc9758d17

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
55KB

MD5
39ae881adcaa2ebb4f578417c38f00e4

SHA1
8c85d100137106325f6bd172402638f7c03f9ab4

SHA256
2d379e5d0bb1936e3f8916d7d8802e2666ac1337f6d40505bbea24697050fd9f

SHA512
7cb8130b4cb04fd075b266e591424bfbc08baac57b33753801b02c8c81ec5c9cb3d81db9b3dd34dc5336e39589aa8ac50dede0dce069fc878e348388adf75a72

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
55KB

MD5
c1a1c1dabd2b36a50fb4bca930ee7162

SHA1
301f0fac8fe8283dcd611b0e81461b79f97afd89

SHA256
4c1ac7792fad0e51a89f54e3a0b47278c187708c806db3d5ed6c161b1645ba28

SHA512
badb64b7c012d10bbcf56a35907ae723c47d2548bf7f31f034e316ea168cf7a68581a6b124450dcf247c38ed70ae4cb5ecc05eb5793329cef7e6b062d06dbbf6

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
55KB

MD5
7f620499c21f6715d2bd908ace4dc70f

SHA1
c9e9914f2cbd0e8ccd12f5d7cdd6246dbc99f5a1

SHA256
3f4c4b73f45ebd4c57753b57f12d82ae0402fd7cef00564a12f2220b46ff4542

SHA512
4cbecbf8de2b45c38ed061d1343a3b2c4730c4023fad15bb5fd390c36097469641960b0f0f88aa1f69547e0083a58953b1d36d73ab0715b8d042b0a7fb38484f

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
55KB

MD5
b5e91621f12762946660b09ce1238894

SHA1
b8b20ab971a2f8a5a7efc9ca5c3d6c5587041f7d

SHA256
7884adbaa7daca949939dd44cf84a8d83a2aa6e85147c0bac6bb817d00773d72

SHA512
a52286809c562feb6201bd9281aac0287bd944c6c7975c22e75117acfcb61fbc9bb456c30d8a3f6702dcb7cf802a28699223aa213e95f0ded8965797ecfb46cb

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
55KB

MD5
cda21c051339c3085c82bc171700014d

SHA1
75471323a39b54b32633b48555efe1fa5e5ab2af

SHA256
81df6c63d3388e778529a15dabd874bdee99f6e8ee1f75fd825d894c0750ca04

SHA512
1b431ba2f3c4492327afd277b7fb1db8f2e9b9a3ec76976e20522fd1e43ceeda16f94dd0b4dac6d07ec38bc0c6c48d9ad63b02eb325ff3947aefc551ffa6cbad

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
55KB

MD5
ae5112a2cb4ad8280f4cc5486c59456a

SHA1
d7de23a5e2ac637b7aa693bfb9d987fef604d4a1

SHA256
e7319ba511f6cb0c8aadab2c2b0b1eaef8c88433ffc8fe9a7d8ef53474e037d2

SHA512
82fab29c3d5f89889de499a648ed9ca96b7667c12a93173ed9474e22b2b04f4546c50c98dfebd1d691cf4e2ac9ec66a23093f2e40b8712a18897c45f0bf77dd1

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
55KB

MD5
a78f4efad809bcf5387d6b0c13d6be27

SHA1
eaffd9da3ec7dbab6eb945506f04d46fc49c0e6f

SHA256
d20bb9fcb695ed42ba57af3c1a7135dcbcad53bf6bfa21801c14c9d67c8fadb0

SHA512
322918f77b884f696c99389219f3dc9e7716652a7616985af2b8ffb8240936274aa0745ad5ea078192c5ae0ee55dc442e6b065b2cfcf41e8a9529193d4d42d46

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
55KB

MD5
21d55b1ab7603389d592246252511136

SHA1
37f1dab0521db3c6ae34314b8f1c6c8871e1a601

SHA256
aaccfcd7e767e3f6e378a30cbfa45058f0378b10ff3b4cb5b1c143af325ba194

SHA512
2ee91830079f89ca718b14dcd832809b97dbd618f124dba589ffda606f25d0209a3bc434c639032a3afad325b3eee39136c44b99f475c4e90a3f39dafce430a5

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
55KB

MD5
80ffd09a1f57371942fd86006fbcdcbf

SHA1
7e7c083e4f31653e263ca17158c1a77ad7c6a3fb

SHA256
6332563dbb8b0e0d7a206bbd5662a8fc42893cab322dac298b957417ecf57bab

SHA512
a2f4331cfdb49ed746c96d09601a2b81757ce8ab1da175d8ae5df4f744b856d3a4798f10bbaa772b422dc7e2610c5af5d8d68b68cf3508deac55a90911007400

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
55KB

MD5
0445987299d08744f341157d3f052321

SHA1
bcc29582cb9a179c95c1faf90ff5ee2956889494

SHA256
da44397c667bdd29c4722bf71efc820b5b7715722ff9c180bfe1471094efe2c4

SHA512
64a65ebca0aff0264d9fa12f33cc48f99474a9988fab374e6760cf22cfc7fabaa4dabe7f4167ab41d9be67d6cea4157e0ac221eaaa7140e0b9f2c1e106cc4806

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
55KB

MD5
378135959e969f41e0be6bedd0eb91b7

SHA1
3fd958bc0495cb0d9dd770a5f0c9adff0b027ba6

SHA256
ea5b1f8719699c03802da9d5e1518469915069fe4c77ff0aaff4553c70f0ad62

SHA512
cff5ce6ad1aa8db671d9dc4696a5aa0a5ab293c553ceaf8523c841a4a26393ccced7f56de75d1cb7b01a61aaa64aebc267d89f192bf4f7a03bdc841a6ea64447

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
55KB

MD5
7000077a3b53ccbff6c867bd599fc1c6

SHA1
3b0fb0321d6a8a605410fffad773915c9277998a

SHA256
8a454a47b6d42da6b1b9f22201108993fa2d89368aed3c73ce5709650c755f13

SHA512
4cec51cf198d0b602e39aa72e9932357b0ea97aa4136c0392e4d5d0ba436434481416f12ecd5f00d3f2bc822f03490851806cf6ecfc127ef6cde85634cefdd68

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
55KB

MD5
392ee34c459528cd3ccd744784fd8507

SHA1
be5de1848f8c4ab5c25bacc5b2ab970ad591c1e8

SHA256
cae9557a634cb437f5f1b2c7fd34afa2d80894b9d27e676ec85a6b2edeb99efc

SHA512
f79c0f67aad70990d8148c9432d42fb2bffa3ab676e4af0f638fd80ea71c1cfa3ddb7d6ab32699477d2253c63ed6b9324db831f32b0764ef34a4a386a88a4d67

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
55KB

MD5
f7ee26badc00ae133bd580ad02cfb7d5

SHA1
82b4ebe60400edc4f17aca285deb146ac0e4c490

SHA256
8093623294f9f1a33d0d5c012db22e3844c96201595d59022f41634483923c44

SHA512
4968551e7f2a1e6c87d08925c2e4ca1ae3db1eb5541d027d7cbe778ec2af0ccf2d41e14528786422539c01bea48797c2bbca62c04901600842794329740525d7

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
55KB

MD5
e64a617217889fd6799040ad963ce470

SHA1
4bf6b239d684c9e487cfd7b829d1d0a31e0ee2cb

SHA256
9d4107d6292561f19e74fcb1baaf81afe2070c6734bfbb277639e359137093ea

SHA512
ad93ad02e2829cb563dc7c3388d9199684e279595b5eae45fa926af447ace48272c0b9124681e65ddb98481d3e42541e5673705a4eac33b4cc065403ed040459

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
55KB

MD5
3599c9a26d6f3e9922ca163370dda230

SHA1
d4475a86f721768933830abde5b82bf3b293c218

SHA256
449b9f524402d9b1eba2c7865dcf595b739b442cf33afd2e065f7ff9bd3daeaf

SHA512
1264dc45474fbba76349cdf5a6f0954dec6703f7e3acc611afaea224f6bab509eba679dd2e90dc13dfd5914e31a5100d7eba13469c7bb22037076f3b4a691329

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
55KB

MD5
e67a1334a2ac880ef6113a799fb5d34f

SHA1
5ba5b25f517b3f222e09ff637848ad979d8df58a

SHA256
e291b05221f84577deacb679af7d598a70766b24d297085ef1c5474e2a3e2efc

SHA512
b3b5611ebf0e685115db72a4fbf75cb7d08e2fcc86fb5225aad7977d40ac46fa123c6411fd6af3575db71660bad922d7d660d6c78df5422e36a57b5670f98a2b

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
55KB

MD5
a81d38226ddb607a35625f0ab82bff6a

SHA1
27a3ad0b4f6e197d15dd2775a18d616442d503f1

SHA256
dfe25859a18785bb12d680347be74044574bd11e915d3146df5d145f4839dac2

SHA512
13236073e2d401ad846502dc7368e0c3084fa29edb4ab042545d1a9150893a21d4755e8d88e363e6974c570bdab3e2f56cdffea4dea86a0510b9f31587c77fcb

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
55KB

MD5
459bea1508bd95c582bb12dee07a0a37

SHA1
25d52478b4ece074744f1d0c14a4a07b652b781c

SHA256
017c6471b9f4f8d6b30989b2b8e35621085e6a066db5b2fbd3e9be8f2e78067d

SHA512
a376310b3685bcf25922accead1f8405074ef33c5c7b6ebccd92ec6332396b05eb2fb6fa2b3596244667f9d9c44eef93a5b39d767fc6a87f5f5e77435dfdab41

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
55KB

MD5
f93d87512434420543398fa77e707e3b

SHA1
0cb0a5f17194af83e53bb88f69f8f1e5adfeaea9

SHA256
63ed874d25d962dc8a626e61795c664eb48499631ac8b8c3324f6fb8db444630

SHA512
6a2bc559410995999dd297ce97c34aa9eb61e05506d01476c633b01273aa688b2a7366d412d16b8e7d497547a713e3f82bad9cc15e0797ddabc894473433c365

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
55KB

MD5
e08ad8370cec23553fe0dd5b9bfb6b04

SHA1
df22c2bf09e69be16561c74ccb2d480ff219fc40

SHA256
3756c92c0366e5e28918e27b3d6cf5bf387cde1b6fc3e5cb5d4a632fd294295f

SHA512
83c8f4fa8be25b87c3dafe0734f1471f44067e3759fe49d762ccc1981a55f05841adc47f8cb18a802a74a810a85e1a575ea3991307f312b090ff97502f825917

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
55KB

MD5
94f41ec70e6809321f62df306ffb63e5

SHA1
ede0b4b02348751472925051a143c8ca69b2e246

SHA256
54fc4f58038761569e51982b54f5ed788a1a1021b536e9981d115a934caa5511

SHA512
2e4447d3364ed4f6752a683adfa5cc8f9f812ede32c946e4fd7efeaae4d2d97b388f36e27367b88a165d753cd4215a8212dd878adde165368bab6569d7562440

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
55KB

MD5
f985351dcf783d7518b72f49f43e5858

SHA1
df503f9b482b35ca4686a31dc2af37a327174100

SHA256
01fd9042300bbaeb8323c513f4002d1803f86a50bd9ab39bb90ee9914f35e26d

SHA512
edbbee83c51555f27e3c4f6ffdeff1f8ebec61541a964b49fb77a7be756592fae5ecc0c661c8d15ba37fc2c0189a97e4195f327c3ce97954593e38adab8e074f

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
55KB

MD5
ae66affb8141490f6d781ae99632b2a0

SHA1
198b71a546990031d2c1209ae426eb8c1a288057

SHA256
bf5b3547c6f53a780fb7d017a15a1f13488348e8b0d5da0e6991fc39f156791e

SHA512
d5f69bfd9ded00e9ba0dea848e9fa5c589a640d3c74efe098039d0db94233c2699049c9eec31efc8674cb5917b335387cbe85fc84f7b2ab0745605fcad58a46f

Download Submit
memory/64-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/64-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/332-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4524-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads