c3cb8e7f10cba03775932d2245226a027ef456622896eabc22f0bc153419d8b1

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd69030bf2710f4eef32097f3a12beb0_NeikiAnalytics.exe
Size

78KB
MD5

dd69030bf2710f4eef32097f3a12beb0
SHA1

8fdd5835089ace124a1003fd13239010b4430fff
SHA256

c3cb8e7f10cba03775932d2245226a027ef456622896eabc22f0bc153419d8b1
SHA512

d1286fe54f36eca27613b0ce07d284cdd5c64d0551d3749eb36725dd5b4fd933238cb87ed444b82a64d1736dfcac24e8a588f954b52359582e324e566bb39b52
SSDEEP

1536:5qTxzLEQ+T4A+TE0z+1EsR/WOKn1zvp10olHSeAsuokIggsJVHcbns:54L/AkE0iGsRuOKn1zvD0oJVDuoogsDF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd69030bf2710f4eef32097f3a12beb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe

Executes dropped EXE 51 IoCs

pid	Process
5048	Jbocea32.exe
4200	Kmegbjgn.exe
4916	Kaqcbi32.exe
2608	Kgmlkp32.exe
4580	Kilhgk32.exe
3588	Kacphh32.exe
2056	Kbdmpqcb.exe
3564	Kinemkko.exe
4464	Kphmie32.exe
1056	Kbfiep32.exe
2960	Kipabjil.exe
4404	Kagichjo.exe
1756	Kkpnlm32.exe
4968	Kibnhjgj.exe
4304	Kdhbec32.exe
3488	Kgfoan32.exe
3096	Liekmj32.exe
2100	Lalcng32.exe
4376	Ldkojb32.exe
496	Lpappc32.exe
4076	Lijdhiaa.exe
1820	Lnhmng32.exe
4728	Lpfijcfl.exe
3216	Ljnnch32.exe
4292	Laefdf32.exe
2296	Lcgblncm.exe
1572	Mjqjih32.exe
2556	Mpkbebbf.exe
2920	Mdfofakp.exe
4560	Majopeii.exe
2844	Mcklgm32.exe
2936	Mjeddggd.exe
644	Mpolqa32.exe
3188	Mcnhmm32.exe
2644	Mkepnjng.exe
3620	Mpaifalo.exe
1436	Mkgmcjld.exe
2476	Maaepd32.exe
2180	Mdpalp32.exe
4568	Njljefql.exe
2112	Nacbfdao.exe
448	Nklfoi32.exe
4536	Njogjfoj.exe
3472	Nqiogp32.exe
3128	Ngcgcjnc.exe
3360	Nnmopdep.exe
572	Nbhkac32.exe
1636	Ncihikcg.exe
3236	Nbkhfc32.exe
1016	Nggqoj32.exe
3484	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	dd69030bf2710f4eef32097f3a12beb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3696	3484	WerFault.exe	137

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dd69030bf2710f4eef32097f3a12beb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 5048	1576	dd69030bf2710f4eef32097f3a12beb0_NeikiAnalytics.exe	82
PID 1576 wrote to memory of 5048	1576	dd69030bf2710f4eef32097f3a12beb0_NeikiAnalytics.exe	82
PID 1576 wrote to memory of 5048	1576	dd69030bf2710f4eef32097f3a12beb0_NeikiAnalytics.exe	82
PID 5048 wrote to memory of 4200	5048	Jbocea32.exe	83
PID 5048 wrote to memory of 4200	5048	Jbocea32.exe	83
PID 5048 wrote to memory of 4200	5048	Jbocea32.exe	83
PID 4200 wrote to memory of 4916	4200	Kmegbjgn.exe	84
PID 4200 wrote to memory of 4916	4200	Kmegbjgn.exe	84
PID 4200 wrote to memory of 4916	4200	Kmegbjgn.exe	84
PID 4916 wrote to memory of 2608	4916	Kaqcbi32.exe	85
PID 4916 wrote to memory of 2608	4916	Kaqcbi32.exe	85
PID 4916 wrote to memory of 2608	4916	Kaqcbi32.exe	85
PID 2608 wrote to memory of 4580	2608	Kgmlkp32.exe	86
PID 2608 wrote to memory of 4580	2608	Kgmlkp32.exe	86
PID 2608 wrote to memory of 4580	2608	Kgmlkp32.exe	86
PID 4580 wrote to memory of 3588	4580	Kilhgk32.exe	87
PID 4580 wrote to memory of 3588	4580	Kilhgk32.exe	87
PID 4580 wrote to memory of 3588	4580	Kilhgk32.exe	87
PID 3588 wrote to memory of 2056	3588	Kacphh32.exe	88
PID 3588 wrote to memory of 2056	3588	Kacphh32.exe	88
PID 3588 wrote to memory of 2056	3588	Kacphh32.exe	88
PID 2056 wrote to memory of 3564	2056	Kbdmpqcb.exe	89
PID 2056 wrote to memory of 3564	2056	Kbdmpqcb.exe	89
PID 2056 wrote to memory of 3564	2056	Kbdmpqcb.exe	89
PID 3564 wrote to memory of 4464	3564	Kinemkko.exe	90
PID 3564 wrote to memory of 4464	3564	Kinemkko.exe	90
PID 3564 wrote to memory of 4464	3564	Kinemkko.exe	90
PID 4464 wrote to memory of 1056	4464	Kphmie32.exe	91
PID 4464 wrote to memory of 1056	4464	Kphmie32.exe	91
PID 4464 wrote to memory of 1056	4464	Kphmie32.exe	91
PID 1056 wrote to memory of 2960	1056	Kbfiep32.exe	92
PID 1056 wrote to memory of 2960	1056	Kbfiep32.exe	92
PID 1056 wrote to memory of 2960	1056	Kbfiep32.exe	92
PID 2960 wrote to memory of 4404	2960	Kipabjil.exe	93
PID 2960 wrote to memory of 4404	2960	Kipabjil.exe	93
PID 2960 wrote to memory of 4404	2960	Kipabjil.exe	93
PID 4404 wrote to memory of 1756	4404	Kagichjo.exe	94
PID 4404 wrote to memory of 1756	4404	Kagichjo.exe	94
PID 4404 wrote to memory of 1756	4404	Kagichjo.exe	94
PID 1756 wrote to memory of 4968	1756	Kkpnlm32.exe	95
PID 1756 wrote to memory of 4968	1756	Kkpnlm32.exe	95
PID 1756 wrote to memory of 4968	1756	Kkpnlm32.exe	95
PID 4968 wrote to memory of 4304	4968	Kibnhjgj.exe	96
PID 4968 wrote to memory of 4304	4968	Kibnhjgj.exe	96
PID 4968 wrote to memory of 4304	4968	Kibnhjgj.exe	96
PID 4304 wrote to memory of 3488	4304	Kdhbec32.exe	97
PID 4304 wrote to memory of 3488	4304	Kdhbec32.exe	97
PID 4304 wrote to memory of 3488	4304	Kdhbec32.exe	97
PID 3488 wrote to memory of 3096	3488	Kgfoan32.exe	98
PID 3488 wrote to memory of 3096	3488	Kgfoan32.exe	98
PID 3488 wrote to memory of 3096	3488	Kgfoan32.exe	98
PID 3096 wrote to memory of 2100	3096	Liekmj32.exe	99
PID 3096 wrote to memory of 2100	3096	Liekmj32.exe	99
PID 3096 wrote to memory of 2100	3096	Liekmj32.exe	99
PID 2100 wrote to memory of 4376	2100	Lalcng32.exe	100
PID 2100 wrote to memory of 4376	2100	Lalcng32.exe	100
PID 2100 wrote to memory of 4376	2100	Lalcng32.exe	100
PID 4376 wrote to memory of 496	4376	Ldkojb32.exe	102
PID 4376 wrote to memory of 496	4376	Ldkojb32.exe	102
PID 4376 wrote to memory of 496	4376	Ldkojb32.exe	102
PID 496 wrote to memory of 4076	496	Lpappc32.exe	103
PID 496 wrote to memory of 4076	496	Lpappc32.exe	103
PID 496 wrote to memory of 4076	496	Lpappc32.exe	103
PID 4076 wrote to memory of 1820	4076	Lijdhiaa.exe	104

C:\Users\Admin\AppData\Local\Temp\dd69030bf2710f4eef32097f3a12beb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dd69030bf2710f4eef32097f3a12beb0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\Jbocea32.exe
  C:\Windows\system32\Jbocea32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\Kmegbjgn.exe
    C:\Windows\system32\Kmegbjgn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\SysWOW64\Kaqcbi32.exe
      C:\Windows\system32\Kaqcbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        41⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        52⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 400
        53⤵
        Program crash
        
        PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3484 -ip 3484
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbocea32.exe

Filesize
78KB

MD5
8099b7b14cdb33f288ccc8207ea49ccb

SHA1
f5e8afff4b2100dbcf753640a0b25272da3d9cdb

SHA256
148c8eb9e5d9c31518acbb40781e24afaaac963a6ccedd91abca8ea6542c5d8d

SHA512
af791e9ceef3302d269d6d91ab7312db9a5851f2528ee9ecf771a1429cfa9b58d199c75d2aef97b9ce80e085d81e29cf22e4ed6af3540f7570dece547b0cce49

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
78KB

MD5
e019936bc4b9245af10cb92f40e059cb

SHA1
1fab4e7325d996a40850216387ecb03790ecad43

SHA256
518a14258a3468e242208ee7018a3b6a37250d22bfde68eccf9d0c9c0239272b

SHA512
5c1b30d278756456a8f19a05a14dcc9200ab3a83d8effd0725d85030d10b177a2218c75791ce485fd4ec2cc9d4be3a9a95c4624f6e098b6ee17b67c3f48639e4

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
78KB

MD5
cfe5be5eeda73ff81c2d5de79554466c

SHA1
30ae52c24999302f97bdd66ff4d4bc177f37a3e3

SHA256
3954d307b346d3e94691a2733c76378814f9d2bd7c0194eee027620f212db7b0

SHA512
785838f5a5ebf3078e8f52f9c2e10e7deb038b21e1d2e1260a498245e2bb167e8a9a94e7a735bfd7a4f166417b39027ce8d844c01ddca059b597728a95e3e0e3

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
78KB

MD5
2d4aa26151021beebabca512f0611437

SHA1
714f8d00255a7ac7a2be9e935f1a8c6fae80bc82

SHA256
3b7b1dbd87e5541106967abe2b97cd37e701dad7ed8c3037c1cb48ec7bfdc886

SHA512
56031c2326cd5ebf582becf6a9dac48a33eb789a7242ab9312a12b9539ec471d7386d3f8852165489adbebb9880ef4de5dbd8daecfdae03c24b2b0d377f8adb6

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
78KB

MD5
ffee8f63d0d2638ae3b215f13cfdd087

SHA1
f7d2cff4a1f3d6a8dac7110652b19ff4959548ad

SHA256
1ef88d76edd1254e2c2edd46714fc10ee704889083ee34b5507d1eb54a047106

SHA512
24e58f73857a54558c4dfbb76661edcacbb651be77c6998edfd4c384611d064b7caca182141596326f1a2becd2f1a774bf19d10bfc9b1f88e7ce7f9db014a14d

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
78KB

MD5
89fede8ed667b0f68063562d5abfcf71

SHA1
54c00d38bfa07115ea1049dc72c0a127229ee59b

SHA256
3559f8fc4d2e0dafcde9808ddc06a054f303de918d0c006f81a581ff6b68b297

SHA512
0d43ed65f25a7ba09abbfc3df869d376becbce50449fc42e330df7a5922bd94eddae1ac23c23016a66dbea3b8caf81cf38a834d118bce711438d0d19c615f40a

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
78KB

MD5
8932bc9e286532da623d86acc5b2193f

SHA1
00796592acdeed46bd247eba335cd9167d289318

SHA256
6e68cf4eba4148ccf3106c2133db6e43ae9e1bd9bb0b0c132fb31463b4fcb811

SHA512
f26cebb2a391a0276f93d2d6f92ed0929947d401197f1ce5063671de2d3ad68c06deb8d1a069432c290de5583a2f44addeba8b7b03de2e807c834ee87c253c49

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
78KB

MD5
a394d1b93e1a5808654e2f76a0ac1629

SHA1
c4274755b9e407c353a80f12ae1fdec2221b269b

SHA256
6b14cda8b9378c0278790762667f74d586e5677c32f397bb83db5a6137b22603

SHA512
8027280d3b7cee5ec73e282b5417b1d8d2534380bd3ac53e025d45c1c387b9e61ca0d1516ae0561c300d9b3c2b905eb3e4a81332708940701ea5cf66414eacc8

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
78KB

MD5
514a28a7a204e61c2185c34ee76b1c93

SHA1
d2e6ecab404c5cfb5eb73a79beec303608e7ffbc

SHA256
6487095420f35dd8bc6ccf17395be895dbe711cb14f8d06022a4d120c44a6d41

SHA512
b4deba124c44c1e87c2ee2ca7bc124d4f519a90b0850d43827ad07e9ee74f26b78927a76d6ea96b099f82e2fdd551113168e99fffb3b515191462a36f1d5ba67

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
78KB

MD5
c85f6a98c5131cc5666add1d77188c52

SHA1
d77db6fc68f8d4e75c8c6cd9c50599473903a909

SHA256
2711ec611d2c78a181d9d59c6b59ed6cd7eafb44c05417223b6c9aeae802a952

SHA512
8272cd66b357bc28fada7b683591b2579110a45a8c871d528f49ff1e4594aa6be9b927da648b9fab2de9ea1b4fa2e2772ef1526d1dac3a57284822a5b834b53a

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
78KB

MD5
bffc9ee6b64be735b9e4c7a78c311826

SHA1
106693c352aa404c4f239e755c54e8dfece2a98f

SHA256
659f6198d96906effcd9e0a021ad686f73aa9bbd1bf97e13b7c44340158fdd46

SHA512
43b1a3c6a15187f249c887863cd279dd7bb36db1c12825f3054d8ed92130818becb0eaa36aef93de6ffa6d66543a185542efadbb8bd3a15fc62d811a3ace5934

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
78KB

MD5
63282e24b44343def7bc89706222d010

SHA1
5774153dd053250431116b5f2a7b1c44698ab77b

SHA256
8e0322813bf00793f51073360009b0b453a6ac52c888183a0139743fa4606a1d

SHA512
a7e6d1ac13abd571abe5716e6b84bc58665848593f7143e61c2422c57df6f6c6b3ed994a7605335eae7ea52031b2d5e9b961e498ce96139b893f6c9ac929dee8

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
78KB

MD5
98c164e93f69d27594107628f1400713

SHA1
04d127aafee45687395c5f427a2b3b7c14a1023d

SHA256
467535b1f5bc704e1cd22e06669c51d1a639f156ea3faefd4c9ae9658fea79be

SHA512
b7e12dadaf9db33d177b4a48dd577f6e7bf844e9103a0eae86a052aa5d52d05cafe0e032c3e005978ca23dc05ed918d133bf5df75f597ee44f2a75761d68f899

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
78KB

MD5
a5af65c2211190b191cde2d5567ebd9c

SHA1
fb855de59fc987170dde050a30236c099307dd56

SHA256
559afdcf59803451033e6320a96ad547e34ba7542a9e11643083b961a51d29e7

SHA512
f53c1cf6b4a6981a7450974ad3508cfaad3831c05dc19aaed2d3bd69c4e51eeb55c6aa2986fb436143908f1cba8c83f0a49752d6a84f268b2381e16eb92b1ddd

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
78KB

MD5
9355a5fc2fc26d617df9d788e3123e1c

SHA1
42915635e9feba88853443fc43f1fe918618fdde

SHA256
341081f270a8eb310ab86a09b0b902c77f63b69d455aab1e3f7efe2a90896a2c

SHA512
85e391f2e197450a367d2b64e7d145bb8cf41014ded2a0b94a780139887eb8193156ca31a8c3cb5357f6b14473c530134ea7ec30df8e4f38d385a21a4611cd30

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
78KB

MD5
6e4a4bc9222ce8f997121b9076bc420e

SHA1
609fa95e618bac0c2cc5d5433db10a1ddac593ae

SHA256
af74a8b6288c88f6fa6f9d700731cd549f09731a407e872e4c73461e79b8c5d3

SHA512
ff8c243c01a1347007fda2a3f179af157d6c43892b7d2cb958a9bd1db7bc051c7cadfecfef9723197878ff18e575ae2323542e3c4bd8c224089692906a05c91a

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
78KB

MD5
935429285848daa264dd7ba6fa9d584e

SHA1
5e9f638d1c69e626ce2797e778c4c10176d56689

SHA256
e87cd4b22237c20873c0c53fdfb47ffe459bc86a3ff76fff7284bee2bd48e1a1

SHA512
52ffa529828c9b1644d2d922acba8d94f3e0a126a59683ee8b9f4a33af822dfda74b7e046d5f8cfadcd406566829666bb84cf6fa2311962f3864b1959569f7e2

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
78KB

MD5
12ae142810493e28023b7a97fcde7744

SHA1
82d2557b8eeea710352072f03019fcd9f5c23f25

SHA256
09730502ab2f30d885849c53302e0cd707ceb9e8f3d9435f1b32d03222bf409c

SHA512
3e95b33cb7a07a0de6b395f828eb651ae451330040bf8ac446f03340e89d3529da110b357af65859fae717320c66c24de5e9808c98e3f7ff78abcbeb383ee021

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
78KB

MD5
46b27cac8cbf80cdacbc35f262b6d780

SHA1
30cc4336946c43a37c1d797cc9e05791c9cafb23

SHA256
6420a16c624385feacbd846ff4b648c01dceb32d3d30b4f59ef6f5f598f33b4e

SHA512
384d474bea447005cf93bde02953306e985f87f471a21a58efa4a7008ef202ff3997c5ec210c490bf68ef72f0941fdb7a35fb35a83bdb28b811cd77960efdd90

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
78KB

MD5
dd49f10cfe49e82549200bb32aac528b

SHA1
2a6eac498ea06353918ec987cba796b514200151

SHA256
af5ddfe9d73798a200aa956ea9cd2402a97aada38dc7623ebe476a23d3185059

SHA512
1aa25ee4b67dfab75629e690745acbcc89ce41f9810dd811f83c11ad356a54e9819a6fd56822d7a189042aeb95346fb464d45ad5e71448563edc5fa170d109ce

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
78KB

MD5
01bae8bb5d36da704f1ff5d8003bf68f

SHA1
d05a2a92d3abb274d47e348d8472397cecea25fc

SHA256
43e3209efd47385546455130fe583c4cf9b3b1b05a48361e208313db115167f7

SHA512
8d8a0cdef3db50fc57549c7c7f2980666499b2d5eed4074288d999a60bf8067c6fc16056a2c16f42a7a66442ff993e79211d247797e7da6addb2556cb85ad2e4

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
78KB

MD5
79ce1f852c14a52fadfe5ea3961e03b9

SHA1
5a190b3a198f1e4bcc3c820955fc49d5d2bbd167

SHA256
56ce1e50498a81695c3b010f62cd382be2c1378d95cc5127c3164bc2e42b3437

SHA512
ffda3d7e4e7839833e1a1f4f366d54812b67b0ae1ee23fc17802a66019e25432e2ece2b6c96ac5ec5feaa52b13d5a6d176f7c87e1b6957ae268878d557ce6395

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
78KB

MD5
af6a9796ad2f1e588eb685d37ffdbf97

SHA1
138b6ca720392ce3db4809817ad16a9ede7ca2d5

SHA256
868c96bb8a5f9a4f7da38d6c80827010d2d9d1c0e2407ce92e584ebb8abf9135

SHA512
c9555b8008e62f8913427f37589aaa3bb8c72e339e59cd0f9fd846c8f7e903a794dc79d3bf9d2d60cca01b39a0f4a58fd9390d72b3ea3112f114a2f2fe9e9699

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
78KB

MD5
3bd64296b7c5f7a6ffc0f5a25d127165

SHA1
d3fb7dd0491eb3c19e646202d78e0e20d5bc8aa2

SHA256
7cff4f75a08910518bd176bdb85aab06d1254225942796f686d2d9d8d8127835

SHA512
20e250e2a71c9d78c608dbeef9525a085f46aeaed4923374adfeac71fe14124308cf1e29028a14c5b41545b3a27e5884687e0f228fd8cf18441a44acb55ec7ac

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
78KB

MD5
990e4c45a69c351e597912ee7bc231d4

SHA1
2c4d99318d37463dd85193eb0fbad70bde95affb

SHA256
81a086e30bee605dfdca1f9c98b9e427db6c03b92572fbc8c511d1f98fc77dc3

SHA512
61fb9e52374c38f95b3691f0a0204f66f8e2a59ca660d09ab6da4d2dabae24d1af19341ae44648075059ddb4284f708178bccef9eb97630bdf0898dbe93c3ee0

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
78KB

MD5
49a528bdd45b77c6a2f6d4c37812bb8e

SHA1
b9707b734a8520e7331fdb0f4d88f37747108177

SHA256
6d359ef65d5f4caade2daf1675e50a8465c2f3dd3b9c46c43456439a0b7ce29c

SHA512
de674759bfc71f06d6686cba718bc76ed894a7c02bb4c234a94b484325a249bdb0f9bcf51f3367700c6fe7116206aa51fdb96d4d815959f9946d9fca79d098c0

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
78KB

MD5
c00eb9b69d7bf0d53e44c50807767a0a

SHA1
408cd710b117d449689e4cc4913377b78dfd49cc

SHA256
4a94722bdf6015e51f98dd1b2a54c3f3064f38939847c2c76ed3d0c3b60ff92b

SHA512
779440cbb1b9c77921604a757b7f9a4f95980bee402c14aa2dc569e29eb6f6a560b6a23ac1ea3d2480ed54a9330012135186654270c0096981fe7e767c8794ef

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
78KB

MD5
63974c86a1110d67242672eec6890a83

SHA1
5e6a1eacdeb63644a222cc7ed9225e73e01c45ea

SHA256
48606293e4b805d507aeb38ca2cbbaa343da59029dc8255660336c9a8f66734d

SHA512
2eb7eabe201074ff828ca6657c4cfb9cf57520262a002e1034b6fdb6bff97feea4a312d9d158b7f155ae9d5948fe3832a5d2ffc0238a9512ac3f3761825d66cf

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
78KB

MD5
2964ce766bbe0bdd6b01d75f2e2b5986

SHA1
22d450fa9b03fb1c8aef87c26da5174a6ccb01e3

SHA256
ebe594c676f8ab228ff62a621997ca4d102b530069301daf80c9c8eae534944b

SHA512
0b8c6b8606ec66e9a442073f2b4ddb9648dbb150d03d1f2c7a80358dff884d303f5f9bd6ece10a6ea3ad56bbd0dffd972175ab94a4dce7aeb7504b5d8f964aab

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
78KB

MD5
df0e54338edf2ca9c38283c227801ea4

SHA1
5aedac4704cf4cd0ea4e71e2b769db6c2df5dd68

SHA256
73de937159c04e59aea066f38a12059ded5b680cc513e61e241631cbd71c3997

SHA512
5cf10521bb463403efa5334c51de9defcf1cf428fa98b56372d005408b9806bd7e7d0a0f0cb5f3b9ed3b370860eb4b49f7a70ebf9289eb64ea0da548d2e6bbe5

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
78KB

MD5
6ef952664de79c665de53c246e5ec4cd

SHA1
9abc00d0bdd2a530ac105fc2d286fdcf85b455f2

SHA256
95ce893f415d04db85af96b6d4416f24ba7577668b6ba6d67939a034250aed76

SHA512
bff1b7bd713608c410382fffb8f745d7095dd7d89b90cf8d1d7a7f696f95409c23daa01ba17f9c5b0ea2745d8d0b0ee4671abfd8b5806df8d6a953497c886577

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
78KB

MD5
0ef0109f9872aa48eaa71efb779b5eb2

SHA1
2353d30485753473c40a1d03217406d176bd4b77

SHA256
bd5ec04db7f743de761922c1f254c54cb250e4611f6e2ed75bb6e035d5ed35b8

SHA512
b679132e9e91bdf047ff2e3c66223d5971d11d7ac9773005282df52b6c971dcdf796a2b12a4ee7c0ba5028e9bcacbbcc5fb6f736dfab0eaf367a3778f48d4545

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
78KB

MD5
ad1962582fb257ebaf1cba1c6bc17044

SHA1
4ff1ae947809024b81da931b04ad3a48c27b55f6

SHA256
249df4fc0cfa7edfcfa7fe37a5dbb14014d4b7c3e9b60affe6e7e1d50a160826

SHA512
613a0a5098e6126c4da1a85ffb8d111b520d3c8eec2a027e680343ba874b9839a6bfda61053144fd29e6400130802fdcb4219bb2c29be39532e9c8170347d9ce

Download Submit
memory/448-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/496-172-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/496-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/572-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/572-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/644-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1016-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1436-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1436-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1572-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1576-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1636-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1636-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1756-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1756-109-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1820-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1820-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2056-57-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2056-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2112-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2112-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2180-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2180-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2296-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2296-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2556-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2556-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2608-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2844-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2844-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2936-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2936-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3096-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3188-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3216-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3216-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3236-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3236-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3360-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3472-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3488-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3488-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3564-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3564-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-49-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4200-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4200-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4304-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4304-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-163-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-45-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4728-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4728-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads