f08502a3a0bd26a2c1790a6fdcfe6c7729fe03f9c6fc2e9b325cc742602a0420

Analysis

max time kernel
140s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9739375ca903c72332f97cab7bff8fe0_NeikiAnalytics.exe
Size

87KB
MD5

9739375ca903c72332f97cab7bff8fe0
SHA1

e6ab4b0ef459c03db6ce68da461f68633b8e8148
SHA256

f08502a3a0bd26a2c1790a6fdcfe6c7729fe03f9c6fc2e9b325cc742602a0420
SHA512

53abd3760ac1ebed06f00247c40de088400202169446402b4d870ce0615232d8817b6e6b96578ec545729a4f4fc19c756b56b04bc3139f0b23da0de4286cf6b0
SSDEEP

1536:OQmmw6VSjZwNCTlXhOW4dlw12pyUlvdOoRQ4VRSRBDNrR0RVe7R6R8RPD2zx:fQjMCTlQW4du12wqeoAnDlmbGcGFDex

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	9739375ca903c72332f97cab7bff8fe0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe

Executes dropped EXE 46 IoCs

pid	Process
3224	Kdaldd32.exe
2728	Kinemkko.exe
5112	Kmjqmi32.exe
4776	Kdcijcke.exe
4824	Kknafn32.exe
4288	Kdffocib.exe
4736	Kkpnlm32.exe
1600	Kajfig32.exe
428	Kpmfddnf.exe
4084	Kkbkamnl.exe
2144	Lmqgnhmp.exe
3212	Lpocjdld.exe
4272	Liggbi32.exe
1932	Ldmlpbbj.exe
3600	Lgkhlnbn.exe
976	Lpcmec32.exe
4888	Lkiqbl32.exe
728	Lnhmng32.exe
4428	Ldaeka32.exe
2880	Lgpagm32.exe
1748	Laefdf32.exe
2120	Lcgblncm.exe
4752	Lknjmkdo.exe
4572	Mahbje32.exe
2492	Mciobn32.exe
2496	Mkpgck32.exe
820	Mpmokb32.exe
4144	Mjeddggd.exe
3932	Mamleegg.exe
4260	Mgidml32.exe
4232	Maohkd32.exe
1760	Mglack32.exe
5036	Mjjmog32.exe
1960	Mdpalp32.exe
3520	Mgnnhk32.exe
4924	Nacbfdao.exe
3640	Ndbnboqb.exe
1380	Njogjfoj.exe
1564	Nddkgonp.exe
4712	Ncgkcl32.exe
1340	Nkncdifl.exe
1444	Ndghmo32.exe
1720	Ngedij32.exe
4304	Nnolfdcn.exe
2448	Ndidbn32.exe
2176	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3776	2176	WerFault.exe	131

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	9739375ca903c72332f97cab7bff8fe0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3224	1928	9739375ca903c72332f97cab7bff8fe0_NeikiAnalytics.exe	83
PID 1928 wrote to memory of 3224	1928	9739375ca903c72332f97cab7bff8fe0_NeikiAnalytics.exe	83
PID 1928 wrote to memory of 3224	1928	9739375ca903c72332f97cab7bff8fe0_NeikiAnalytics.exe	83
PID 3224 wrote to memory of 2728	3224	Kdaldd32.exe	84
PID 3224 wrote to memory of 2728	3224	Kdaldd32.exe	84
PID 3224 wrote to memory of 2728	3224	Kdaldd32.exe	84
PID 2728 wrote to memory of 5112	2728	Kinemkko.exe	85
PID 2728 wrote to memory of 5112	2728	Kinemkko.exe	85
PID 2728 wrote to memory of 5112	2728	Kinemkko.exe	85
PID 5112 wrote to memory of 4776	5112	Kmjqmi32.exe	86
PID 5112 wrote to memory of 4776	5112	Kmjqmi32.exe	86
PID 5112 wrote to memory of 4776	5112	Kmjqmi32.exe	86
PID 4776 wrote to memory of 4824	4776	Kdcijcke.exe	87
PID 4776 wrote to memory of 4824	4776	Kdcijcke.exe	87
PID 4776 wrote to memory of 4824	4776	Kdcijcke.exe	87
PID 4824 wrote to memory of 4288	4824	Kknafn32.exe	88
PID 4824 wrote to memory of 4288	4824	Kknafn32.exe	88
PID 4824 wrote to memory of 4288	4824	Kknafn32.exe	88
PID 4288 wrote to memory of 4736	4288	Kdffocib.exe	89
PID 4288 wrote to memory of 4736	4288	Kdffocib.exe	89
PID 4288 wrote to memory of 4736	4288	Kdffocib.exe	89
PID 4736 wrote to memory of 1600	4736	Kkpnlm32.exe	90
PID 4736 wrote to memory of 1600	4736	Kkpnlm32.exe	90
PID 4736 wrote to memory of 1600	4736	Kkpnlm32.exe	90
PID 1600 wrote to memory of 428	1600	Kajfig32.exe	91
PID 1600 wrote to memory of 428	1600	Kajfig32.exe	91
PID 1600 wrote to memory of 428	1600	Kajfig32.exe	91
PID 428 wrote to memory of 4084	428	Kpmfddnf.exe	92
PID 428 wrote to memory of 4084	428	Kpmfddnf.exe	92
PID 428 wrote to memory of 4084	428	Kpmfddnf.exe	92
PID 4084 wrote to memory of 2144	4084	Kkbkamnl.exe	93
PID 4084 wrote to memory of 2144	4084	Kkbkamnl.exe	93
PID 4084 wrote to memory of 2144	4084	Kkbkamnl.exe	93
PID 2144 wrote to memory of 3212	2144	Lmqgnhmp.exe	94
PID 2144 wrote to memory of 3212	2144	Lmqgnhmp.exe	94
PID 2144 wrote to memory of 3212	2144	Lmqgnhmp.exe	94
PID 3212 wrote to memory of 4272	3212	Lpocjdld.exe	95
PID 3212 wrote to memory of 4272	3212	Lpocjdld.exe	95
PID 3212 wrote to memory of 4272	3212	Lpocjdld.exe	95
PID 4272 wrote to memory of 1932	4272	Liggbi32.exe	96
PID 4272 wrote to memory of 1932	4272	Liggbi32.exe	96
PID 4272 wrote to memory of 1932	4272	Liggbi32.exe	96
PID 1932 wrote to memory of 3600	1932	Ldmlpbbj.exe	97
PID 1932 wrote to memory of 3600	1932	Ldmlpbbj.exe	97
PID 1932 wrote to memory of 3600	1932	Ldmlpbbj.exe	97
PID 3600 wrote to memory of 976	3600	Lgkhlnbn.exe	98
PID 3600 wrote to memory of 976	3600	Lgkhlnbn.exe	98
PID 3600 wrote to memory of 976	3600	Lgkhlnbn.exe	98
PID 976 wrote to memory of 4888	976	Lpcmec32.exe	99
PID 976 wrote to memory of 4888	976	Lpcmec32.exe	99
PID 976 wrote to memory of 4888	976	Lpcmec32.exe	99
PID 4888 wrote to memory of 728	4888	Lkiqbl32.exe	100
PID 4888 wrote to memory of 728	4888	Lkiqbl32.exe	100
PID 4888 wrote to memory of 728	4888	Lkiqbl32.exe	100
PID 728 wrote to memory of 4428	728	Lnhmng32.exe	101
PID 728 wrote to memory of 4428	728	Lnhmng32.exe	101
PID 728 wrote to memory of 4428	728	Lnhmng32.exe	101
PID 4428 wrote to memory of 2880	4428	Ldaeka32.exe	102
PID 4428 wrote to memory of 2880	4428	Ldaeka32.exe	102
PID 4428 wrote to memory of 2880	4428	Ldaeka32.exe	102
PID 2880 wrote to memory of 1748	2880	Lgpagm32.exe	103
PID 2880 wrote to memory of 1748	2880	Lgpagm32.exe	103
PID 2880 wrote to memory of 1748	2880	Lgpagm32.exe	103
PID 1748 wrote to memory of 2120	1748	Laefdf32.exe	104

C:\Users\Admin\AppData\Local\Temp\9739375ca903c72332f97cab7bff8fe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9739375ca903c72332f97cab7bff8fe0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\Kdaldd32.exe
  C:\Windows\system32\Kdaldd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\SysWOW64\Kinemkko.exe
    C:\Windows\system32\Kinemkko.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\Kmjqmi32.exe
      C:\Windows\system32\Kmjqmi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        47⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 412
        48⤵
        Program crash
        
        PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2176 -ip 2176
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ihaoimoh.dll

Filesize
7KB

MD5
c0ca5843485923437e4ed08e223f2a2b

SHA1
e6d825231bcd9d380e02208337e77e0398e287f2

SHA256
247da3c38e2ca8ca24fae7d386672f48fd4e6c9caa87b9ee6c3e7cc1aa1f6d6d

SHA512
030d5c6801ae6d9a54bfa1e3709eeb8c2b57af89d57e490ae4c8815c5b067e08b28e85b513e6ce309689e49553d2df5ade0972043e9f8cf674d9fe7027568d8f

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
87KB

MD5
a5b4eea6d25f23fcdfd2b81677191dba

SHA1
b30b1216b03bc8bdcb444c5583618468bc0149ea

SHA256
950702c2a75c5cee2900f5fb275642ab31886d95d04946ce75587c04885a4f5c

SHA512
c59584b9d2363e7d62bb3850efebcef883ce752184df3f97c594f6d687a52bfbd731562d7e9ce64a387bd93052e7a9acbcca2f9f4c0b295e1766fe47d0acf8d7

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
87KB

MD5
922ab4859dc2d82f91f58d851055a0e0

SHA1
cf224f4ebee461c9aa16df517c5a1b2b8fc49532

SHA256
cc84cdf12a0ea1226efcd3264950743c03e31f5754ad96800d207f410f00633c

SHA512
bdf410c1c03e92a8d5f1cd283d387669a03c96e4527a50c3f0cee8ef8a1fecf88d1938fba2b32abeca5838b9d55b901eab80fcd43f87b2f6dc9899a574700aab

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
87KB

MD5
c8b809b074110bc2e95175d0ed353a8f

SHA1
c817310557671c277d387f3e8db2e1b412dcafdc

SHA256
5d7a80e5c8c685ddf38cae1f30cddb8ae88cdb151e12471fc4f7d975ef923968

SHA512
a3775d3a8722ff2b2a763a2bbcd6504bd1da578266b127c6791bac6ec7b5dbf6ae4c1b3baff17ce9b2a3e23a09d58c4b7bb26635056db8c93543e359cde313a5

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
87KB

MD5
032a8ea5050577dfa2c714b9b42062e6

SHA1
94b6905b96b9272896552389143b3e040fbf1a28

SHA256
0344542512b2c1b33a6da5644964c7487cbd30623dd4846a0f486eed2843af0e

SHA512
76215c9d6cb699dfaf5d70f0e5b8d09e75b9f5576ccfda398b189a4b87240c3c84cdfecfbc4e9db5ae107fe9bf06a294cc2c08108b9370b2619b65ab1a170e07

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
87KB

MD5
1d0214e2d55c1464ef6a7749768483c5

SHA1
deacc061ddf98d62e719a58e6de45550d4db67fc

SHA256
daf89d40bdb9aada1b1615aa446d214aafd9983678180e2b8165cd2efe2bef38

SHA512
38c64f432a62a672f042822b4556b239690fa3a4f04504d36943b72ed097b45d97f33f81e9dc75cc05bcafc921938471472ba011cf364074312c3844f5dcf704

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
87KB

MD5
e4bee428839eafa16bb28dc935f2cf12

SHA1
153f816bafee6a008a9def6bcfd6f79d0bc4f51e

SHA256
0ac4f1cc5f3d36069ced9e52b3fa7cc48613815a5194354e59c445fb071eeaf1

SHA512
48e7a01000e280ac88921adf7c3b7d39efe52fa5baf599684c6d3eef6051d2fb03715e389de733ab53cd8bfa07b4064b20979764dcc7fe35c322c97e3bb49258

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
87KB

MD5
24f511226dc5939bbd4d830b1e7c2ac2

SHA1
e8c7019189c22044ae5e8ddbdc26805997860ebb

SHA256
3387d59e183f63a93c09c8383d4b244ef4735e9253c3937bac1cb4e465ed4dad

SHA512
0e7a67b1cb40e996d4eedbd8abb03004d9b1132a68a497bfb2cec16ff56f6740b63160f4d28ed4b4e59543d646d0816d4b0f77c2981a37c54b4d3aabb7f38c2b

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
87KB

MD5
24f7e0627685c752422d5278614461ea

SHA1
f878abc64dd8c8b6298c3fe34238ad37dcde1f06

SHA256
8190659e22aac0c55f968209f45c9d4d9feef89667c3f293a552e3938d672e41

SHA512
eec9d7f44f63efaccf1749b6cf539127efaa9b495ab08832513b3a328c984741f60cd2962b8bbabd67cc5193aee7967a6a43714e1e77dbb4451285038e92baeb

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
87KB

MD5
8ce8c127cb110502cb1b2488be698f9f

SHA1
ace6412b24be6a540f6b2ee08e996b0f092a5c77

SHA256
be89503a9495e223c58fc0080f51e032ba890d58b89561d832aa03fe3e67d75c

SHA512
a4ba72d40d74c5b381a6161f70f05e44de2566bd83f376f2eb4a06e60dbfbd43ad32c3045755b7e482fd78c6820d20fce5c13873fe920e9a71f4e4ed61577ba3

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
87KB

MD5
18985f8781a0cff2259dbbcf09f8adb9

SHA1
54c9c3cd9f4e4aae2d2aaad44ce24b2b524b0e5f

SHA256
286d93e603ce6b90e23008ca673f109a120fe91b58bf11cba9886710bd2239bc

SHA512
4995d51a82af79880a779f339d36eaf106fe6cc36757a81cb3e2baa22bb7c2795157a98cee1b6c94880554c58aff18e1117a8de1f3bb3de44e0831988ddd1883

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
87KB

MD5
c539eb3a1d400fab0fccaff2dca6ae53

SHA1
58f6344d990af3850731ba546e891b7011fa95d7

SHA256
055c746e96c8d60ccfa98bd23ce1b97f52bb43bd2ac07803ea875a64f34002ff

SHA512
50989d1ac29d3106abc4fa78b6c916973395db8db3c720d225e464ce8e175d05b306be241f02212e9b776033636b47a190d8b3d8c09b26842f627fdb6666efe2

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
87KB

MD5
3f3692a73e0d8f39c2e4d61f13861147

SHA1
1fd75c2271509cf8cb19fd1e285de654189d822c

SHA256
fdae66484eda5e8b1b3660bf9928d9b29e66d49a911a00fa2c49bc109d2b1482

SHA512
2da53754d2678ad31f2a4342cbdb5c77688764625c1510e6d10f33a50c3107bd520c0e1b4d1536ef4da66ad5e919f673030722224c27eaf47b0c8d16a875791d

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
87KB

MD5
2119bc6c09a09ca2c5ded900706f4a75

SHA1
a01b9e76c0159c2b2f2aec0c00976a380f76e413

SHA256
7862d8d6b37952ba3ff5c2275aa40b30452df311adb34fde82f4fe23b3d0868d

SHA512
a79d09d1fada5d3e693f0aa18047336a1af318d8a40590f803f45bfa8ebde8fdfd3202365f290864227593a3cc7386132a5356d07770b76aa47f1e05321fefc8

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
87KB

MD5
048f591ba8593e6a88f0eb4566b9d76a

SHA1
45cf81dc6f954cc6c4f78829c7bff02082b68f50

SHA256
ee0feb6c812707bf7a7ee233dd40b664832be11d1910411e60fa2cea780680d6

SHA512
5b80065eb74a5b135840250e8b7cd8695d3e5e90c889ae1bf931ff52d000a70b31dd226973d16e51d4bed3dae14c89febab86890139e5b6db1031a24cfa417bc

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
87KB

MD5
9e4598326222c76e99c37d85bb7fd543

SHA1
ad0200729cde8f7f05837bc158228397ca47119e

SHA256
951e1cb8abb137af8ce7e372986ca035f487864c334555693da25b14fde412e2

SHA512
0813cd54db32c23ec8dafe0978173cbe9297491a795942371fe7954c53f92f7d1e9558163a23a687a43758f5fc11cf8142269b1ad2dff18b1ef8b9f7fcc9280b

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
87KB

MD5
81395590e2805949b2a336feb4dea868

SHA1
74923014ffbb64e7b0a6dccb2a64c012edcc1464

SHA256
3637a7e7374d3d5e904d5ed12d968f6742936e214a7bb8686ae6ad2b7cf66293

SHA512
0707ce86441ec3255cf105251e374620521e3d1dcca688829c445cc3e32b6d68264e305206590ca83af6501616974a5bb8a98dc4071bdf212aebdaeac9ebcc48

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
87KB

MD5
b966129c4918a268ca9568888466c6a8

SHA1
708f9ef718638a870812f16b3c27a6a2b7b8b6c1

SHA256
dba3cddbd9da633ad19b88093dbad4e0c8b10e5b94917912721ee6475b4d5d98

SHA512
ef921f3d2dc3efe2ceb68776bf34e07f0e5581c21221eb9b0d7715aef0a2dcba01aa3d05c03cc1712179bcc9c534f26907cf357fe343ae6d0fb1b6010f03c796

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
87KB

MD5
4196cc601f4bc0133716080a0436e4af

SHA1
3743504ca2669f16bb071aef655f212f25cb44b2

SHA256
29dba657926d52718456b1c415e02fd89a4880b67711d202aea6918d8c677fdd

SHA512
d273a5ffc27ded4d985cce8f0a71e052a076508e236a52cd97139ea932f737c79689a7309a737707f98933cc8f85d20e731c40afa3072ce55e8cd21a0cc97f4e

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
87KB

MD5
c50417f67da543b2cfc6534529dda1ce

SHA1
96219d42a9cab192ef130712f8ae1dcfb6219a00

SHA256
42ae0150fe00ffcb6b572ec1e44717aba672ea378ffd2077f2cae39a50b7c74e

SHA512
5bde8185f0c96ed7ad9e594fdbd509549333cf3e1ecf74fcb051d195a4835405ac96a2385a252e618ef147d64e3ce88e6ad8c342b8000420d9da94f77719390a

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
87KB

MD5
6f950fe212f7b91f45b4710fb03deeb8

SHA1
b48d8ce3b747b570ec432f6254a5a87db041ca1c

SHA256
5a366067cff96f97c2c6aa36e87657d0f759df680cdc47f98b12c92933516cad

SHA512
dd59064586857b121578a3342cbea8cff721ec4ea981f98ad394c9ea0d4c911a0136256050c5b51d7604fcd6830e6d767114efbaf7700c267a3ccc00319ffca1

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
87KB

MD5
fc16a2833efe178e7e78460dff3edfdf

SHA1
2003dc1113839c2d0bb8a11ef2f9e92fdb0a52ca

SHA256
f970f2dd5b8bbdd315c1c494768479bdb45f6023bfe53d5a855fefe92cf14a97

SHA512
507afc7c37a8182eaed7fd966278cb608c730eee8b0ce248b5c544a16555c3f8b32196b88b0178067fc1e655a65882db1d96cb7d3cb002f2ae559a14a3b5ef04

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
87KB

MD5
76a407caa0ae3c1205cfc83709941150

SHA1
87e02d0bd95ae8c725d0d6aa06417af35fe06152

SHA256
6380b4f7ab9a28e899f07beabed0f6b82e3f8fc5ae922c17315de9e4ef5264b0

SHA512
4c01561604f1ffab655a43019829eafe11a58596c2aec6c424687caaec3beb29e436f4fceb192f89f105c68497a60b4fc3b582aef0c2d4d009a1111094ecdb1b

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
87KB

MD5
c82576348913e409a01a728122d9ff00

SHA1
62977a2c23cc73e6e77388d4966ef74fe77361f2

SHA256
bafb723932b4f6356372eb832e12bad1a0f5673bfcfc109919b7501a565004b1

SHA512
08796b4fc81fce7bb1922f93ba8b53311a811d4e6a4ec985f6a3e5898b33ec086d1ad14246f1e90cdaa745fae9531b12e5a9832c71441cc90581c21e58b80eb4

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
87KB

MD5
3e7e06c348abaae5bafbb21ff8b60cfa

SHA1
d755d8a691ca0e99080c1219f0be42df7b92e85c

SHA256
e586c6e3f1a9fd21ed0b24e1d3c0f6631f64426502375052ecc7fc53901a6d59

SHA512
7ec0346c0d58d80d80c743270d86ab84852d07941b00e87e6fe4a5c787d702bd221c8172ff44b045ac0db5b7958cb29159de934e575c500786d79ef654382036

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
87KB

MD5
7f69ba700f7ecfc11dd3b32b357fcaa7

SHA1
3b8c8d8a4aa03a28bd8fb2295847160c083106c0

SHA256
0dd6eb2590ed807439554ec0f3d916f629febe5afca42f08cdbd8335b4a3b420

SHA512
edc2a662adb7af33561d3f1f4b628a32f31d12cf8d748123c1263e87cd5e7fa91d79426bf8d3a4131da7319807e4bc09dc22141d2ccebf14ebf8a98cbcda0b82

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
87KB

MD5
5af6bc618bbf740acfd0f558c73e11a4

SHA1
97c3e4576853858e3bb7ffd940a1be3a5e799120

SHA256
d14795cafd512ee04e9f408dedcb28765a44797a2bd5a0889ce21d6c7fda9647

SHA512
7716a96063bf9453caab7743ec817c7c58da9c72cef1568231652336f366014dbe77d5f32ab57290b78d7bb74418a2a4ecb69d130e8ec98c5b54785ac3e5da2f

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
87KB

MD5
be6afd2845fbd349b60375266208956e

SHA1
20c3e5a6c429a7c65f631d356f807c250412d797

SHA256
91ad2bf16fc6d1eb91cd10ae522b7a06d0dfe5c9e8465b99f612173bd46eda8a

SHA512
86ee808b793e1660825ea31ecaf286e7e09783b19e8d50c65a51a825b1f44097506de5792d0dc4fe40d81f24753bec65c8f7f92ca98783e72a2ffd7c39283852

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
87KB

MD5
dd7d7a4de077337cd7d8cf7544bda516

SHA1
71ce85e96105f4731509210372260b06ae1fa6c5

SHA256
ee8defdfbd82755fb2dc2bbce8435656d8a5c81003b41ac55e7c784b5c67d246

SHA512
b59773d7e97d4a201b3fa5612b389895b331bcb7a670be3c6c7d46b9779e16a896b970d3a4c9a5cd0142365b0f97b4b0e901d445b2ab629ca73f43f7d91c6cca

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
87KB

MD5
cff649829a4ca37949c6fda218a112aa

SHA1
c2e2e67dbadc77a87af5674c5ee5743e4d0ad1dc

SHA256
11f2683778cba7295cbc28318f32767fc0e2fabe3d3304b9348e4bd418390cd6

SHA512
6dfc4c94df156b531761509975f52ac2c60fcafc24e6f7a5bb9c46d58298c68c8ef6b9094732c07013d918134f1171457bae57d3294b07d30cf58e02d614d125

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
87KB

MD5
e16787e6750d4333d36d848fa68176a1

SHA1
8f079b56396170189faf054b0bde3bf9294acad4

SHA256
6bf2588040b3a9be9aea337166a9e1c0f539e74127d681c634a040e766992c2c

SHA512
1841bd81064ed2bdb813d3cdc8035034c9438e011a85949cce4c5fef9c28c6cb6d6912b7e7f18b3a931ce0bc014d382069ceccb5c85a57155335b48a10de3e38

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
87KB

MD5
8020011e562815d4810aa02226de1149

SHA1
74e9d1dbbbf83a8042a536a700e43095a2d6941f

SHA256
49ec392f7c9820301f5fc0043199616c972492a9b643abc37eb55a5ad5df99e7

SHA512
f575650d7f4ff7789e4123ce5b75745b7c537c03e77712fdc5e3dfcc306e1a5ccafc724c558695e01f48ff524b283ca7eef50c90c4ea2162b6a270f479a7278c

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
87KB

MD5
f2a0c2271fccb815fb95d09d1fc81296

SHA1
92f8f2ebc55e222d3076d3e5ab8729efb47b9b85

SHA256
714ea2709f205bda2700396c05f4ca81144460dd0c57142b126b6d8873dc34a7

SHA512
085907a97b877931b372443c6e866c0ce19b3efa6bf5bcfff8fb464065e8ac1db6bc4f5d4b524fd2a9d09e393045bd0679148ce99317fd3141999c3436b6ac36

Download Submit
memory/428-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/428-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/820-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/820-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/976-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/976-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1340-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1340-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1564-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads