4b79b7980f4cf12faec24e4c81815dd3243f222f6d7749006127dbff33932e16

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90ee7b37546dd29fcbe6a8f9518c0f90_NeikiAnalytics.exe
Size

64KB
MD5

90ee7b37546dd29fcbe6a8f9518c0f90
SHA1

7a2dbd5238a5a16e7a23f5646e353d29df14103b
SHA256

4b79b7980f4cf12faec24e4c81815dd3243f222f6d7749006127dbff33932e16
SHA512

85e3295c3c3d42782b3a6db7524aaeca67b169d51d9fee0be76ebf75d0132b6e9e33d559736ab899c39105c9c1482d1c5602f2246003a9277c7eeef7904dc851
SSDEEP

1536:bHUIQ91HfWfIUearMzNgiAxcrLCJnzDfWqc:AI21ufXEz6FJnzTWqc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe

Executes dropped EXE 56 IoCs

pid	Process
748	Kinemkko.exe
4028	Kaemnhla.exe
2696	Kdcijcke.exe
4620	Kgbefoji.exe
3056	Kagichjo.exe
4324	Kdffocib.exe
2208	Kkpnlm32.exe
3944	Kmnjhioc.exe
5000	Kpmfddnf.exe
2632	Kgfoan32.exe
2028	Liekmj32.exe
380	Lpocjdld.exe
3508	Ldkojb32.exe
2012	Lkdggmlj.exe
1364	Laopdgcg.exe
4068	Lcpllo32.exe
1492	Lkgdml32.exe
2932	Lnepih32.exe
2972	Ldohebqh.exe
4436	Lgneampk.exe
764	Lnhmng32.exe
4600	Ldaeka32.exe
3996	Lgpagm32.exe
3764	Laefdf32.exe
2748	Lddbqa32.exe
3704	Lknjmkdo.exe
448	Mahbje32.exe
4492	Mpkbebbf.exe
2936	Mkpgck32.exe
4968	Mnocof32.exe
2288	Mpmokb32.exe
4424	Mkbchk32.exe
996	Mamleegg.exe
1660	Mcnhmm32.exe
2448	Mkepnjng.exe
1000	Maohkd32.exe
2332	Mcpebmkb.exe
2776	Mkgmcjld.exe
4044	Mnfipekh.exe
4728	Mdpalp32.exe
4348	Nkjjij32.exe
2800	Nacbfdao.exe
1572	Nceonl32.exe
4212	Ngpjnkpf.exe
1496	Njogjfoj.exe
4632	Nafokcol.exe
1680	Nddkgonp.exe
840	Ngcgcjnc.exe
4888	Njacpf32.exe
2744	Nbhkac32.exe
2912	Ncihikcg.exe
4724	Ngedij32.exe
3424	Njcpee32.exe
5076	Nqmhbpba.exe
1788	Ndidbn32.exe
4512	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	4512	WerFault.exe	141

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	90ee7b37546dd29fcbe6a8f9518c0f90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	90ee7b37546dd29fcbe6a8f9518c0f90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 748	1620	90ee7b37546dd29fcbe6a8f9518c0f90_NeikiAnalytics.exe	83
PID 1620 wrote to memory of 748	1620	90ee7b37546dd29fcbe6a8f9518c0f90_NeikiAnalytics.exe	83
PID 1620 wrote to memory of 748	1620	90ee7b37546dd29fcbe6a8f9518c0f90_NeikiAnalytics.exe	83
PID 748 wrote to memory of 4028	748	Kinemkko.exe	84
PID 748 wrote to memory of 4028	748	Kinemkko.exe	84
PID 748 wrote to memory of 4028	748	Kinemkko.exe	84
PID 4028 wrote to memory of 2696	4028	Kaemnhla.exe	85
PID 4028 wrote to memory of 2696	4028	Kaemnhla.exe	85
PID 4028 wrote to memory of 2696	4028	Kaemnhla.exe	85
PID 2696 wrote to memory of 4620	2696	Kdcijcke.exe	86
PID 2696 wrote to memory of 4620	2696	Kdcijcke.exe	86
PID 2696 wrote to memory of 4620	2696	Kdcijcke.exe	86
PID 4620 wrote to memory of 3056	4620	Kgbefoji.exe	87
PID 4620 wrote to memory of 3056	4620	Kgbefoji.exe	87
PID 4620 wrote to memory of 3056	4620	Kgbefoji.exe	87
PID 3056 wrote to memory of 4324	3056	Kagichjo.exe	88
PID 3056 wrote to memory of 4324	3056	Kagichjo.exe	88
PID 3056 wrote to memory of 4324	3056	Kagichjo.exe	88
PID 4324 wrote to memory of 2208	4324	Kdffocib.exe	89
PID 4324 wrote to memory of 2208	4324	Kdffocib.exe	89
PID 4324 wrote to memory of 2208	4324	Kdffocib.exe	89
PID 2208 wrote to memory of 3944	2208	Kkpnlm32.exe	90
PID 2208 wrote to memory of 3944	2208	Kkpnlm32.exe	90
PID 2208 wrote to memory of 3944	2208	Kkpnlm32.exe	90
PID 3944 wrote to memory of 5000	3944	Kmnjhioc.exe	91
PID 3944 wrote to memory of 5000	3944	Kmnjhioc.exe	91
PID 3944 wrote to memory of 5000	3944	Kmnjhioc.exe	91
PID 5000 wrote to memory of 2632	5000	Kpmfddnf.exe	92
PID 5000 wrote to memory of 2632	5000	Kpmfddnf.exe	92
PID 5000 wrote to memory of 2632	5000	Kpmfddnf.exe	92
PID 2632 wrote to memory of 2028	2632	Kgfoan32.exe	93
PID 2632 wrote to memory of 2028	2632	Kgfoan32.exe	93
PID 2632 wrote to memory of 2028	2632	Kgfoan32.exe	93
PID 2028 wrote to memory of 380	2028	Liekmj32.exe	94
PID 2028 wrote to memory of 380	2028	Liekmj32.exe	94
PID 2028 wrote to memory of 380	2028	Liekmj32.exe	94
PID 380 wrote to memory of 3508	380	Lpocjdld.exe	95
PID 380 wrote to memory of 3508	380	Lpocjdld.exe	95
PID 380 wrote to memory of 3508	380	Lpocjdld.exe	95
PID 3508 wrote to memory of 2012	3508	Ldkojb32.exe	96
PID 3508 wrote to memory of 2012	3508	Ldkojb32.exe	96
PID 3508 wrote to memory of 2012	3508	Ldkojb32.exe	96
PID 2012 wrote to memory of 1364	2012	Lkdggmlj.exe	97
PID 2012 wrote to memory of 1364	2012	Lkdggmlj.exe	97
PID 2012 wrote to memory of 1364	2012	Lkdggmlj.exe	97
PID 1364 wrote to memory of 4068	1364	Laopdgcg.exe	98
PID 1364 wrote to memory of 4068	1364	Laopdgcg.exe	98
PID 1364 wrote to memory of 4068	1364	Laopdgcg.exe	98
PID 4068 wrote to memory of 1492	4068	Lcpllo32.exe	99
PID 4068 wrote to memory of 1492	4068	Lcpllo32.exe	99
PID 4068 wrote to memory of 1492	4068	Lcpllo32.exe	99
PID 1492 wrote to memory of 2932	1492	Lkgdml32.exe	100
PID 1492 wrote to memory of 2932	1492	Lkgdml32.exe	100
PID 1492 wrote to memory of 2932	1492	Lkgdml32.exe	100
PID 2932 wrote to memory of 2972	2932	Lnepih32.exe	101
PID 2932 wrote to memory of 2972	2932	Lnepih32.exe	101
PID 2932 wrote to memory of 2972	2932	Lnepih32.exe	101
PID 2972 wrote to memory of 4436	2972	Ldohebqh.exe	102
PID 2972 wrote to memory of 4436	2972	Ldohebqh.exe	102
PID 2972 wrote to memory of 4436	2972	Ldohebqh.exe	102
PID 4436 wrote to memory of 764	4436	Lgneampk.exe	103
PID 4436 wrote to memory of 764	4436	Lgneampk.exe	103
PID 4436 wrote to memory of 764	4436	Lgneampk.exe	103
PID 764 wrote to memory of 4600	764	Lnhmng32.exe	105

C:\Users\Admin\AppData\Local\Temp\90ee7b37546dd29fcbe6a8f9518c0f90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\90ee7b37546dd29fcbe6a8f9518c0f90_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\Kinemkko.exe
  C:\Windows\system32\Kinemkko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\Kaemnhla.exe
    C:\Windows\system32\Kaemnhla.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\SysWOW64\Kdcijcke.exe
      C:\Windows\system32\Kdcijcke.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        56⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        57⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 400
        58⤵
        Program crash
        
        PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4512 -ip 4512
1⤵
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
64KB

MD5
ef70eba135a4cb219d8fceb497a48c91

SHA1
cc936383994ef14bce3264d931a64f3e54604503

SHA256
752f8c9eba39c4d0829ff19822a1a45606d9c9963b806eda725cfc17d5f541ab

SHA512
3f30aaf1a8bc447941a41ad36442d964f55323adc21f2c5f292ff1dd0551ab0cbd50bfad684c3ecd7f9e0b946cf0fd3c341ac45ca7bb46307eea59c9f854b8b3

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
64KB

MD5
a75f0558ce37183e2849759a3461adfb

SHA1
53933dddc24a3185a5971a3bde7dcfa89657b029

SHA256
9fe9d055bce2dfb165e48d06ff7d48cf3380e5bcd1a71d02f56df81a6d3d6213

SHA512
7073124511827646c90bd7b120c9857b626099c9ab722ea55d2449dcebfb140b1fbb2208dca96005c68d32fc4e772dfd15227e899e98db80031199e96d89ffb6

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
64KB

MD5
d910ef3ca62025f08e3eb3df61f36790

SHA1
e995e156c3754e61f471f089ed2154d853172c25

SHA256
b99dc2645f8f58d08d92753978ada8a40da3e752bbffb46cd3e485c3bd38df74

SHA512
2749f78f8b2553bfcee9c7bc9aae559854cc98e22349c465e2547d6e85e03d9b55ef39093c84110f7c8f1021404c5f4dc0307d7813b9e14ef3afd3ee97afd42d

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
64KB

MD5
26b42471d5988c519d1be563f3dae7c2

SHA1
0340ad8e46a4b61afb6f6d9b69cb58b8d99a98fa

SHA256
7348933fa6cd48c18a6882ec3e1e0de439b5f9426083bf92512d9c5490e9919d

SHA512
5a11213d1b4fe15069e7e48efac112b0f8a52e1a344fb94ab67c336fc4ac8e5ca9985ab177e462ddbed60987ce7a46964de27e9153c9ada0972a6d6866a78dfb

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
64KB

MD5
3db0f936ef8e9800fa5e69015af90ec3

SHA1
64c7d2a50f1aedfdca53d3ccbed731efffbe8712

SHA256
652fddba2d2b49f00173042ff2859c1d123337241f1fd938691d74baf55cb5f7

SHA512
730342ea5222744082c9ebae601aa3a2c0608111e1cb8832aaaafafc31b30d66c5990ca8942903cd99fae1c5510675b20564135e76c0a9028570e2770dc28121

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
64KB

MD5
064cabee3ba2c43dd953c79e06c9a7b0

SHA1
b5d311eaa979ab68fb1c0ad7bcffe66d20d339f5

SHA256
d9f11c23f73255945fd6a38dc055e74f7e5185005eeb1b6a1d078c831baa38d3

SHA512
a7de869e997562bae2a06a2b14b6131e2729118bdf6ad310727053005d47c81b5f0dcdc4e55c84b7fa1ad7175d5756f8e20aecdd5cabd6593c564a12e86c5ab9

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
64KB

MD5
c1ac06ca77e13bc32b88baea3bceb75e

SHA1
fb03cc58d497b84724488b8aec71a33441045b0a

SHA256
ae1cb924fdb0dce7ccd904f6357a73bcc1f29214ed36fc0429669db78268fae5

SHA512
64a46a4161a9f8ef4a59b9e9d60de0e8da12502507035f7dd605e391d0f5393faa8584244fd3b4b08b1e8f2d98a0c3e7e458e72e98b846dfa079988b07a15696

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
64KB

MD5
d45a2630a27b1d5eb97e59a4931c04a8

SHA1
b8e4540fdc0ddcf86acc67b4962b330ff9f32848

SHA256
14d5451bb5fb533b410db1c1a033312d79870cf6469529175ea03061d0936a98

SHA512
80fde56c2ecabe7a7038e2b1227a187d0387a163ea1af3424454c83d010cc9794e9e927048ae9f1340cc1540d4003fb473f43008cf36d6c2c560e64374b70720

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
64KB

MD5
7ba686f56a20ed19b7940688abed2857

SHA1
ac0aa750aa883335fd01c5a7d22f9e83356026ef

SHA256
554cf55584a850cbea793fbd43a246d931f2307aeed66ce21c6c6fb975aee354

SHA512
a8be3362ebe5b55a674773ad28ae7bb3686ec85c76afa698b248709ae27b769fd9b89069468f708cd01653b47076f20b3169781e66a7f1bd2e1b6368b6519513

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
64KB

MD5
b8d0663f0c4ba7514ac679696a7cdbee

SHA1
64daaede2d83b99da5bd27912342c5616f177e3f

SHA256
f7063aa323141e393ba9ab9dcd2e6135fb2d972b50408ed5bc4889f7e2905670

SHA512
df5894ddaaec04ee7c5eb3a1e5b16c7a449f7e1d3ef52620fc4380561fdafff07a418b7da699c05ade85459241fae314f97db5e268516898cfef3601de5ac6c4

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
64KB

MD5
c063b007d06be5940c2032d71742ee26

SHA1
897ac244528947f6e599cc4448425238b974bdf2

SHA256
4b425a20930a183e8914a796936b8968ad68dc4d9ed8eb8a7ad2e99df0b996d8

SHA512
17450295107f25ec9ad9fb3a02d7efcdf70b669997acbe96ac844f6f8dcbae41075519210578e11c14e3ba2a4a2f1c7be48443d8e768d784ea73169ca7c1fa2d

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
64KB

MD5
b354bcb0f41c30255d5f79160b8c1d28

SHA1
18d74dcd09c3dd88dda7fd13167b232f781b62f6

SHA256
9ed76f50a0876d869e49af6f70a113f5e504b436c249fbe001faee426fda018e

SHA512
d40e0d76d768d741ed01646c5dfea0fcd058b293ceaec81304880bbddce194ade5c8a418b87cb82a0837d3e66ffde053a8878ccc0b00f696a81d5eafdd9673de

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
64KB

MD5
807f09cb29bbb55a805231268a6c1d0a

SHA1
f122e5a4c65ecf2bb1d0356000c1552f924d041c

SHA256
00d872337a34303baef118dd5cf5ee6b5dc24b8ecdcc8a23275f5ca1dff5bb7a

SHA512
1e5dad89f7964ca2d7a46b24d8a22ad6f917bcabbfc108a95e691f9cdab639f530960c4425a8b2ba8698bf109ccb354db54efd0686f55b0a4eba78a833c2a532

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
64KB

MD5
116ea9c98cbba4b31abaa89d4869f2ae

SHA1
5104ad27140db85d21daed3d535a0933871b0380

SHA256
581f5986c0ed50782e7c5ee3cdad4c983d4a53cc4c8de8acb3bae5b713ebf41b

SHA512
53f04d06c604599e4f8409a3ac6026b40ac8431837793259ead195fa8426214966e579c811915f61965ede5a2607d4e5dbcf6f728fba43762c6971c2405e6411

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
64KB

MD5
e707a9655704beb4cb496b8cc43d7575

SHA1
842ce60182c6703bccd0618ebdd9fbc41c654214

SHA256
7d48b719fde657f55d57da69d4afebd5e52dcc8394f3c039438302fff8e58a5f

SHA512
814666dd9c5cc61460778d0cd974d904dc435c4d7ad964b2b666af7a80b80451af90babee934f9b1fa6b083b115d78e3374c8f41b3587e080c5d4ee5ebdeba78

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
64KB

MD5
7acd3e3ffec66617353a4ed4e0fd5337

SHA1
cbd015d6122b6a4b5312b7c0750369ea4dac409a

SHA256
e6a3a19bf1ed56e1edbab6565b493a2f8f55e84ee2c60c0b204271c8ecefc505

SHA512
a5c52b32f61f05ad56be55e09410df8a1116b254f5c9bc6bf2d44075458023dad2e3b4b914983d5d5ed4f05f6a929fe030fc1be5cad9cf5664a4a38119f2cd4b

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
64KB

MD5
0ded433fd84a4d987e6e49400a01b42b

SHA1
2a1b86593a765cdb603143e637a05cdb9c2cf97c

SHA256
6560cd1aa6308d59ed8d24227346b13bcad506e93440d1ef466fe18436dd1dab

SHA512
8b5189d8231162d3227f3ea5c3880c5e3d1a49f27f6fc5131dff1e09300b745c5e1e784295412451da6e6472643463699f58d1bd941a18f7eb863e61eabd61e9

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
64KB

MD5
2527905ee259c31c8d33e290fffa1f56

SHA1
d8f4a4ae1a4af491f9560831bdacc79b990408df

SHA256
6377b5c8bd8901851a9e8f0aad273a3b5e594e8ca275a6513127b8c6f72bfcdd

SHA512
450d314fa68370f18d02add38b774da29a87476d0c24f96e9a37a0ea1982b7935e154ba32c1fdc3f21422fc95f3068615341301cf238375db720411c303e2e4f

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
64KB

MD5
c842d30db1dfbf8a8a33a22d8ec189aa

SHA1
de8cd3ab05f39e78c5ff26f5a6f4c1b81f059896

SHA256
edfb8ce4ef70905f668e508cde43b262ed328f697c2f45978b1a5a633874edee

SHA512
9e5479acfdb648a21048c35d149bb697d2dcc8d87eb12051ee5e6f4f08298d221c10b6296c437580050bd4880b1495a9ece1f8aaf77763704af2d8713006dbe4

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
64KB

MD5
ddc521eec3a86e3d8513f511d2e602e4

SHA1
efc619ddc164cfc4c3e16eba303457e27f30a74d

SHA256
c27abe8a152c88b4bd6cc6d4033fda96c9dee67728c2275ddd86752a9a397ccc

SHA512
914c154bbe5fef7586b1b3c4da0163f05e5bedb1dc8a7eb6a3f4d040cc0f89c3c1e7d25f4487b8d01c5d59deb43d69229a24a9fc236adc74a3b134569a8cdcc5

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
64KB

MD5
6cd368b4124c65d97d395ce1cfe8c24f

SHA1
d427a12b4834b3336248310703f408e7519f9335

SHA256
2542dc6557190f64b479337dc7f754caea47c5ec1fadefec30dfb8dbf46e2fd3

SHA512
4a6b078e960b459ae3d76953cc71bd771334406f0c9c335e722ea3999c44b52e155e7845d650a4f251dea52383d5c13dad1d5680078c73f0817b69d2ffcc681b

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
64KB

MD5
6b301165e5fcbe0fa752c16e4179265f

SHA1
272092dcb64779edbd9333d8364f6ba4bc8ace06

SHA256
f1a5bd681e0551c26cc955fb78927a2fa06167cd71b9d74ee0963d5d75116f37

SHA512
32d3f621b3af2fa0d9504cfccfe6a0cdc67c7dba295899ab7c9e1ccc620ce8453983c486141f7a15ef6698771dc68dc5b9772cc0b8f850f4a9f80316e28817e9

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
64KB

MD5
7684194621fd16bd100dacf274807fcd

SHA1
deecdd0e1c867d03aa956e839ceb47ee8a83ea94

SHA256
12a1ab62f0d419c026ef34f0ed861645aefe2c8dca1e1b83e4e2766ae743a8f8

SHA512
9b6fcb6d99fe9e479a4faa606a103b11f66f03f41b7e5b5d9fc1d57203df196c8b955da4455ec3b2e724104033760391b59c4327ee466f719973be036d5b5326

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
64KB

MD5
80dea4a62246a7d138d517a096d28bed

SHA1
83d00ec7982f171d54dec6c5c90ce5aec1289c16

SHA256
521174054a45d5167ef42cbc8dc15a2f61d849b4644510618d296469ae2eb0a8

SHA512
5e9a364aaf6894cf7d5c756403720fc1e1c95917f841a86b820bff5ea4a79962ce722e2814582d0ad5f4a6624c32954409ee96123684807b0b078709820d56b1

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
64KB

MD5
208c241168b46272450f41c9fa6ecfce

SHA1
813f1b68f929a2438811dccc3857782179d626e0

SHA256
0ad7fdf5dceae3d415b387a03b9b244e8249b4ae45290c2462a82a69bb8ce7fa

SHA512
2395452c5cbeae372b43ea7d88ae2a0e4a5fb8eda965d5fc9fcc4fb136f6b7f81def866e7897a31f35c8a3e5d9039b8072e6cd4ef437f6ab9b2af39582dc5f84

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
64KB

MD5
8583b0b82781592f1b80f65c8a051aba

SHA1
505fce8f0e82cb1c1c61c6dd4e4600b6caac1fdf

SHA256
bc87253cb71f63c23cb621c3bd95c0f10da72d39506d9546f0052809136ce3d0

SHA512
0b0f60e3522ac6a2e845e576ba6cd508adaf02ca9cdeb81980823d257302caa2d2ef711b4b7dc973ff90f0e0000c21eae96859cd65dc13f6604e86875599d1b9

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
64KB

MD5
eaebb50dbe8863fa3f0f9378308b631f

SHA1
af40111ca1c5bb56469cee5f8725cc7ad1ab3974

SHA256
53a92cf70bd43444a36674fb5455be68a3bdab67e1217abd9ea30f5612b07ca8

SHA512
753b853659513e295fdb8cbcb96b188376c650212098064174b1e9f6c78712892c085acff1b12b950b9c36edabea2d8b33d25593de82d924e7e536c48a5fd8c1

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
64KB

MD5
8b9bde89950740c97fb2b2ce9884ce08

SHA1
d9c7ebb18719223ddccce1cc4ddf8d7e11b555f9

SHA256
ea057080324f4cabe0e396ca7fd9455723358df57a7f1d7a1b3e64f0c77f765b

SHA512
50364a0170764a5fd41302cdb5c7f5691d0e6d0cd916f1245aab8bba3fd1964dbb43489add767d1e62837f29a8a50f2b8425e09fe91e28486156219ed54d4d2f

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
64KB

MD5
0d74865517575fee2b0a0ca2cb700b09

SHA1
658632f739fbf2b0a1dfe32d57df29b87f76a0bb

SHA256
cb1034ffda30e5a9b6929658f2a973620685de06da8d19f89869548bf072c762

SHA512
d400b1f116b51489b2f14d59d439ded8da7a5299d95bb0551da153a222df344067f235800f430a55f649d40909da4322603d4fb31451ad2be6166e8da0e11584

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
64KB

MD5
7826e5ca743814beb9c94b2cc435f07d

SHA1
53155116a47de90f2101de0852c36b79e898734e

SHA256
2451ecfaa178cda4f18a413e39a110fb3d91158866f9c8e81ca5d5715a1d56ab

SHA512
f9ce8e2387cd0316bd034ec67632ef611580fb107978aaef47d7b4c30bf904ce2ff0e3ea3cb6f832ec88104b1befa48cb85ce74fd8a49690b53983ddb2ba50fa

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
64KB

MD5
3375b0ff37c863850de40cc19a9d8ea0

SHA1
805098d6d466000e73078ec582d0a6514f0eacc8

SHA256
f0f156d5e6544618f7a71435aef26f08dceeed63c44f8ecc31f76ad2d0d892cf

SHA512
ef67f66ae7a9aa151b5f1f5176c622a30a20b7ae181b84f1ef6c89e150545520ad81176ba8fdc12e1fe6f2fcb3c306883dafdb1bd63b9c6d311d9928d72309c0

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
64KB

MD5
cc4d71b22cdcc874b926d8bd0d7617f3

SHA1
637e9f2cc20ff731ee0c61bb625ca70ecb1b67b4

SHA256
36575711b8f70c73acf4fe2e6e19ef33771395f2001fa671090d5c954bb469b8

SHA512
e8d2f7efccefd01f90c0969de4c9c0ce5a20e61c0907e3f67cd3dbd823d4baeebc5645794b59a324c84f3eddf8d5ecb330510b6a25c3487c9e760b24d708aa56

Download Submit
memory/380-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1000-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1364-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1364-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1572-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1572-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1660-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2448-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2448-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2776-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2776-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3424-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3704-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-131-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4724-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4724-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4728-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4728-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads