0dccc36dcb45743e2d032968c438026b8f7795bf7b344f8b1791c5526a8b178a

Analysis

max time kernel
95s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe
Size

448KB
MD5

a92dc47333476eff31b33cd7b70dea20
SHA1

1c5aae1b4a63c97b288c4649464684f68ed5423b
SHA256

0dccc36dcb45743e2d032968c438026b8f7795bf7b344f8b1791c5526a8b178a
SHA512

bccf80072224dd7dd5651fc7c22c6a0a09c4dc430e34a7005c02bc0645f31363f753e89986ab9c517ec0e95027220a5ce9f39be4acd3fedd9f18e1280c850c69
SSDEEP

12288:J8RXhJgCbsSW705kWM/9J6gqGBf/sAHZHbgdhgi:L7pB9/f/saZUdL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe

Executes dropped EXE 56 IoCs

pid	Process
64	Icjmmg32.exe
644	Iiffen32.exe
3252	Iannfk32.exe
3920	Icljbg32.exe
4428	Ifjfnb32.exe
4692	Idacmfkj.exe
772	Ijkljp32.exe
2136	Imihfl32.exe
4812	Jagqlj32.exe
4988	Jbhmdbnp.exe
4412	Jibeql32.exe
2508	Jaimbj32.exe
4040	Jpojcf32.exe
1960	Jkdnpo32.exe
1540	Jdmcidam.exe
1536	Jkfkfohj.exe
4728	Kdopod32.exe
1300	Kilhgk32.exe
5116	Kdaldd32.exe
1680	Kkkdan32.exe
2396	Kaemnhla.exe
4496	Kmlnbi32.exe
4760	Kgdbkohf.exe
3524	Kdhbec32.exe
4996	Lpocjdld.exe
1980	Lpappc32.exe
1716	Lkgdml32.exe
1072	Lgneampk.exe
100	Lklnhlfb.exe
4784	Lcgblncm.exe
456	Lgbnmm32.exe
876	Mdfofakp.exe
3048	Mkpgck32.exe
4976	Mcklgm32.exe
2944	Mkbchk32.exe
4872	Mdkhapfj.exe
2036	Mgidml32.exe
2496	Mncmjfmk.exe
4540	Mpaifalo.exe
5084	Mcpebmkb.exe
556	Mjjmog32.exe
896	Mpdelajl.exe
2612	Mcbahlip.exe
784	Njljefql.exe
4360	Nacbfdao.exe
3076	Ndbnboqb.exe
4332	Nklfoi32.exe
5100	Nnjbke32.exe
464	Nqiogp32.exe
2952	Nkncdifl.exe
1932	Nqklmpdd.exe
3768	Ngedij32.exe
4492	Njcpee32.exe
216	Nbkhfc32.exe
4312	Ncldnkae.exe
3664	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kilhgk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	3664	WerFault.exe	141

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 64	2992	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe	82
PID 2992 wrote to memory of 64	2992	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe	82
PID 2992 wrote to memory of 64	2992	a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe	82
PID 64 wrote to memory of 644	64	Icjmmg32.exe	83
PID 64 wrote to memory of 644	64	Icjmmg32.exe	83
PID 64 wrote to memory of 644	64	Icjmmg32.exe	83
PID 644 wrote to memory of 3252	644	Iiffen32.exe	84
PID 644 wrote to memory of 3252	644	Iiffen32.exe	84
PID 644 wrote to memory of 3252	644	Iiffen32.exe	84
PID 3252 wrote to memory of 3920	3252	Iannfk32.exe	85
PID 3252 wrote to memory of 3920	3252	Iannfk32.exe	85
PID 3252 wrote to memory of 3920	3252	Iannfk32.exe	85
PID 3920 wrote to memory of 4428	3920	Icljbg32.exe	86
PID 3920 wrote to memory of 4428	3920	Icljbg32.exe	86
PID 3920 wrote to memory of 4428	3920	Icljbg32.exe	86
PID 4428 wrote to memory of 4692	4428	Ifjfnb32.exe	87
PID 4428 wrote to memory of 4692	4428	Ifjfnb32.exe	87
PID 4428 wrote to memory of 4692	4428	Ifjfnb32.exe	87
PID 4692 wrote to memory of 772	4692	Idacmfkj.exe	88
PID 4692 wrote to memory of 772	4692	Idacmfkj.exe	88
PID 4692 wrote to memory of 772	4692	Idacmfkj.exe	88
PID 772 wrote to memory of 2136	772	Ijkljp32.exe	89
PID 772 wrote to memory of 2136	772	Ijkljp32.exe	89
PID 772 wrote to memory of 2136	772	Ijkljp32.exe	89
PID 2136 wrote to memory of 4812	2136	Imihfl32.exe	91
PID 2136 wrote to memory of 4812	2136	Imihfl32.exe	91
PID 2136 wrote to memory of 4812	2136	Imihfl32.exe	91
PID 4812 wrote to memory of 4988	4812	Jagqlj32.exe	92
PID 4812 wrote to memory of 4988	4812	Jagqlj32.exe	92
PID 4812 wrote to memory of 4988	4812	Jagqlj32.exe	92
PID 4988 wrote to memory of 4412	4988	Jbhmdbnp.exe	93
PID 4988 wrote to memory of 4412	4988	Jbhmdbnp.exe	93
PID 4988 wrote to memory of 4412	4988	Jbhmdbnp.exe	93
PID 4412 wrote to memory of 2508	4412	Jibeql32.exe	94
PID 4412 wrote to memory of 2508	4412	Jibeql32.exe	94
PID 4412 wrote to memory of 2508	4412	Jibeql32.exe	94
PID 2508 wrote to memory of 4040	2508	Jaimbj32.exe	96
PID 2508 wrote to memory of 4040	2508	Jaimbj32.exe	96
PID 2508 wrote to memory of 4040	2508	Jaimbj32.exe	96
PID 4040 wrote to memory of 1960	4040	Jpojcf32.exe	97
PID 4040 wrote to memory of 1960	4040	Jpojcf32.exe	97
PID 4040 wrote to memory of 1960	4040	Jpojcf32.exe	97
PID 1960 wrote to memory of 1540	1960	Jkdnpo32.exe	99
PID 1960 wrote to memory of 1540	1960	Jkdnpo32.exe	99
PID 1960 wrote to memory of 1540	1960	Jkdnpo32.exe	99
PID 1540 wrote to memory of 1536	1540	Jdmcidam.exe	100
PID 1540 wrote to memory of 1536	1540	Jdmcidam.exe	100
PID 1540 wrote to memory of 1536	1540	Jdmcidam.exe	100
PID 1536 wrote to memory of 4728	1536	Jkfkfohj.exe	101
PID 1536 wrote to memory of 4728	1536	Jkfkfohj.exe	101
PID 1536 wrote to memory of 4728	1536	Jkfkfohj.exe	101
PID 4728 wrote to memory of 1300	4728	Kdopod32.exe	102
PID 4728 wrote to memory of 1300	4728	Kdopod32.exe	102
PID 4728 wrote to memory of 1300	4728	Kdopod32.exe	102
PID 1300 wrote to memory of 5116	1300	Kilhgk32.exe	103
PID 1300 wrote to memory of 5116	1300	Kilhgk32.exe	103
PID 1300 wrote to memory of 5116	1300	Kilhgk32.exe	103
PID 5116 wrote to memory of 1680	5116	Kdaldd32.exe	104
PID 5116 wrote to memory of 1680	5116	Kdaldd32.exe	104
PID 5116 wrote to memory of 1680	5116	Kdaldd32.exe	104
PID 1680 wrote to memory of 2396	1680	Kkkdan32.exe	105
PID 1680 wrote to memory of 2396	1680	Kkkdan32.exe	105
PID 1680 wrote to memory of 2396	1680	Kkkdan32.exe	105
PID 2396 wrote to memory of 4496	2396	Kaemnhla.exe	106

C:\Users\Admin\AppData\Local\Temp\a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a92dc47333476eff31b33cd7b70dea20_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\Icjmmg32.exe
  C:\Windows\system32\Icjmmg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\Iiffen32.exe
    C:\Windows\system32\Iiffen32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\SysWOW64\Iannfk32.exe
      C:\Windows\system32\Iannfk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        57⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 400
        58⤵
        Program crash
        
        PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3664 -ip 3664
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iannfk32.exe

Filesize
448KB

MD5
31cd32c48460669a3b918b16ec08ba6d

SHA1
4faa8c6ebc59b36227fc61c8b8d526936f7e8f22

SHA256
eaffa11a354ccb1e1d93020df05e28169d9688b1aee1192c3975a413b45850fc

SHA512
a543977c5b77427df0e2de8d7de17d9c9e222ec2e6adb5d81fe989173857ba9bc96fa31d4470542834480ea7cb0bdf3d14d1ebc6bbc8b444fb99146e7ae60ca2

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
448KB

MD5
95dbfec55142a369a7f3c46bafbe9d40

SHA1
23dd1dd153643abdc9ae9f54b59f05a9c593267a

SHA256
0ac45e422a82f8fc79e176f2efb5b6c0f58f00a4f8d0bc8711915c7847d07f21

SHA512
0310ce88fc66a7ac68ac98977bc2285512d109e5e5976ade4eb0145b4eb2717d50fec13ad66b718bf5150d7b26a57e1f43eb24898e4a7767baa65e82ee125172

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
448KB

MD5
024c3849197de3d31da4d06d77413ed1

SHA1
13ba2486ef8e8548d74727e38e4e37cf76bb96b4

SHA256
f7ee000ed6e2a84dfa0d049582a7d854173d0ad330f4552854de2aef9846369c

SHA512
2f8fa4fdd01b7e18be3078be9cc4774ab00520cd9f21a9cb446e3ab9af705b6688469c9fc6df648c64e459af4dcf6a6d93416a65e40203da26ad14f1da4af112

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
448KB

MD5
b6883595f2bab2f4b05ea378256b0704

SHA1
983b73f7ca6147479671bbfb26e814993f529d39

SHA256
a65cc7208a6d384730f0f7cebf476b8429ff430d620d8f84dc7d15575958d1b5

SHA512
d55bce02b15f29e5b4f8e3667c384c59916b688bf9fb2cff1ef17f76498cd3eceb24b294dd39fee41ddb66371637492c4a4339e357b4edda9f362fa5796cf1b1

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
448KB

MD5
d25f096001bfc2c2c5729ec89cc93ef0

SHA1
5044975b82d94b36c180a2f1141788687a26de85

SHA256
aae14a15498cbae3b87f75a45c9d7fdd36314f26cc680d02cdb8a6362bc9aad1

SHA512
e4d1504d090c5be7f148d1c000260d64187fba16672bfc05979ff2195d12abd91ad7f0ca2c1810fc10979c91771b72857674a39a0625a1e7850664a882067410

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
448KB

MD5
d8be2505f732dacc12b927d28162c371

SHA1
65f23f0f507365c0b2cc0afaf1ae2ff37734a4da

SHA256
17fdc4c9f7dee83ce350f0f1b09579ccffc6b36bf5de8b56b1dff0fcdcd440d8

SHA512
4727cac163e4fa616b3d642aa2e5f56ec4336f59871c5f5a73dac9909cbe1d3af05c51fa70f3c51face3911d447d67c31cc228361ed25b0d6ba26f7ede086232

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
448KB

MD5
1efbcdeda4e5f04c0c37f3541ef88ad4

SHA1
b40ac155f46db7bc13abf70b69518645e0a8946c

SHA256
fd649e5fd24daa19a00001d68c5f6a796fc55745ec55729a3e7277d359b61b17

SHA512
3c0abc71846a11df1f31a6658e7b74ca5dc422eb15f59901718d2ee8a3bd855020f82d360e67f42fc3e6788cd0bf6e2fccc30a062d5c872e3eff2a15e0789921

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
448KB

MD5
be6421055fb74873bd267648e363e984

SHA1
8c49a1ca57120562d70c26a41ffa3383c0b1a2a4

SHA256
a7b3a09129b38bf7fabda6b78b3cc384fbc699db12896a94812178315d01db49

SHA512
36a1ef3be4e707cb289a7b16a898f95162648541e10bddbcf76362d274837d8c26f9f58369f5d884902301fb01a9eed268f8b462bfa92bc223f3a04c70cdc587

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
448KB

MD5
e77cf9bc28bb83e1b4c5dffe5c6aea1e

SHA1
9dae4031a52c2e7c09ca11c776673990e283f12d

SHA256
c40ffbe01eb4ba8fa41c8a93aeb1df24de4e56eba8acf94c307d69065eb58fdf

SHA512
37ab8c2a8be511d8429b21824cdcfce984865f55374ed2defe68c47ee476cd101498c7abda2fa6c4249b4e72f3cd0c37a8bf5ec435c4462fe9e3525c517b66ee

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
448KB

MD5
9944dc61fcc68d73f70dfb54d2f89f55

SHA1
13f93b10841283f8ffd070f75bf24623f5bb6d14

SHA256
4ec5e9ba34612bad2a148f6bed8dc4f203ee80f82c62bed0d61960d30b1d9311

SHA512
22e324a08e225f4b5b603d6d119049b4377cfd42525e3a9d614436405d39f46d288c1b6059db5c0b47fcdff99060d3668c0aa4d25fc5629e49a424c450fb5117

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
448KB

MD5
901802570ffd7d93537f14ee6ffdb9ee

SHA1
2ef53a528550ccdd682c0a6716ff7d99ceabfa02

SHA256
32704b66a2ddd34efdd5f0ca81c91b80364719315e2376c72513821177e529c6

SHA512
15463eec48b308489dff89875f1bfb24a0a45c742d49787f2ae91fe71c4020f6e6ab914131ac1dd9f77f0168b046eaee6cdd42b91420fd7313cbc39341a36d32

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
448KB

MD5
8c1a2470be94ddce30df4bd1cfebe809

SHA1
8cffab162857afc67d4e1f03a402461fa1af2734

SHA256
f6480ce736da0d0dcbf082f19dafa80ad0a4aef65d237ededdb2f9edeccaf95e

SHA512
0676134cd077cd017df0c271db1f0ebf6fe5057f273083ecebfee8651b37fa406d33ccad6068c62f50c0b2ac296f17412791a68ed0be695565155e335aa0f9ee

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
448KB

MD5
1334075632e6fb08d8c82538fde8b504

SHA1
820140b10f5e94fdbddfe7505fe6668a18129ee0

SHA256
668d7def397948892a302a8594fa3295c064491577b5b4aac71ea3fdf22a1d0b

SHA512
db42634f0236e94608d332dc8df90702931499be7c132186f0aa3247ab81025f7b28b9042e45e59283ae419c577ea16eaa51d77e8442ca61e92f1c8688812db2

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
448KB

MD5
d4ee3e010941586ead07da03bece1b48

SHA1
21f0a3b4ff9a303c32c98486de6a1dd7064fc91f

SHA256
6e4a2d6c14fc3c4e34ccab7f022d9df5a798974b1f5055170f9769e4d31df2b6

SHA512
c4695899373ee837e5fa0877aa5372fba2849a89cded5710104cb01a444240301e7d8b9a64192019339bee353e3fe14e33d2280213c91b21feafa4cef8da9efc

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
448KB

MD5
54e299e6c5b7e526458046977d40ef3d

SHA1
5ef1f7e0ad8b5b014f52d8f34d2630be3f89eff8

SHA256
1a3fc6dfe8e6c9ab18769e863170a96d026f67abeb31a9b74f9c2d88db3ec2bf

SHA512
ef1be4aa04cf477f7597945d622e91c2b1b7d3903f898bd1ef57abb628e0e6a6161806d16d3ed78be79b8ffe089cf546a62f1c218d23eb199f49d2f9f5864ef7

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
448KB

MD5
88188544e2f6e1c001e989435b34bc4d

SHA1
eba1a43e141a7ddda6274360254c98af324d1857

SHA256
505e165c74a4490481c0790688cc3e944f2f189a6fda75b65d1f6f8db8e501fb

SHA512
f6e307505f4899636d11fda0702f731f09c482890b9a238adb02af345e09bfd77c717c6f0d3a9d0111c870427f98e6e47a423eeb131fbcb2ebf9efe9a983c651

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
448KB

MD5
74bec73abf91b6ff92b4114f3098317f

SHA1
50ac0fa0eae6afcf09cc72e405cd0768c18364bc

SHA256
e99e7beccd7e9480806568eb505dd3232c67507baa6fc747fc29e65807c2ab61

SHA512
6f0ff860d907e31171dfacb5a71a20be4f8f459fe2d95b8b9c5700c51b2708dd4623db8a67b3b283da177ecb9d4cab60f11f9f8516fa629ddec9dd9f1814b280

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
448KB

MD5
18b02279b271f9fcccd8b1b256d3552a

SHA1
182a4c67c4b5d80e81d26c9c142d3a569f971213

SHA256
b811f19073587cf04de2a85ac5c258d65625a85afeaf45549012c61a52716d71

SHA512
223dec8b34a6fc522bca5e569fdc5b784a0125c27fc100c19f0833d6afe73be23f546bf0ba6937c2254bcbfd16abcb10e37d10ac3e03ce7a1285c58aa9066d28

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
448KB

MD5
309b31b128e8394bd1a83b944f71b479

SHA1
b09acd83e9afcaa6c04cbaab81fc8a6c37e73e69

SHA256
acbada9ccc4028913568762cfbc308f5ef33c73982c7883b2b161d6e2578ca13

SHA512
e0faef203990c7d5b04f37a6aa70f89a81831c2fdcfade02ae5adc0d2b93bb276a159b701fd528f848a702103f4ec02f0f05e20773f3bca2a4889fdeb41b136c

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
448KB

MD5
50e9cbf3a1fb1545f66c308d2d56f684

SHA1
6e792b1d0cabca0549c52775f2b008db5418e59f

SHA256
f138e0ae2a8863504f90a002fac13d898588b3a31340548353562565430e2452

SHA512
02cf4b6288ef907182616c716274e1ac7d493b342655688535bc40c832247433a22f8d8c9bbe8500bc95903bb4079114f70e06f585bb64f8e3bc7ab6328f2750

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
448KB

MD5
247d1808bcc05ad683eb512b068db63e

SHA1
55c1c79f5bae7669b125604719146a38218c2c85

SHA256
31c423e57e79a9154fe44060fd6fbc3ee7ce01e3156e179343e4de1fa777bc79

SHA512
7c0d7313b3239876acec47141667755aace845e78b395a5eb25886f580e9e7fd734e639eb00f24faa5b2e55606e38074695751b20ec3fb99dcf07b4468c94e85

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
448KB

MD5
1b36dad255d401f7be21d61d3b32c54a

SHA1
cf8a192de7be8e1379857e2a0a78af9d45a00d3a

SHA256
4e4dd4df90d3cc30613d2be85285212a0921fe9b8f03de086d8a5c8630ba2139

SHA512
a1e7d2dbc21673d2061e56325718006bc51801196c9175459563a07ab0812083268c8fd65e2a1ae4d187446a659c3396f2334b5c211c4d1eef41593a6c161182

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
448KB

MD5
10cf838710f4bc388729721d736a3363

SHA1
ce6785b6b60361a36526db423bab91cadca7bfe8

SHA256
2d5f742648b35ecff382d322bd4ec46dc12a8c71ce62553f6f04ebcb963365b7

SHA512
e51835c5ab018bbe687a2dddbf9e6acd0d729b3f42deb38bed049d7a2f1bc8cad0d6500efa44ad966987089113f454f35da4e367ea56eb4f980faa120d508725

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
448KB

MD5
e02e523922557a9835163993c2a4f94e

SHA1
6d7fbbe8672f40a88867ce91e30fe28a3db83121

SHA256
6de457c0d4799dff36eab045a86f07d2dae5775014cfaaa0a0c9aed5deb98011

SHA512
c0ab38150d1a6a3f1c43bf689ab0416314440e2b98b7e11010b76c3b6ea47338cbd1abdcab2d981ab795955b87dce09c1ff9ac861c18a3fe9d3ee7f95d6a8490

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
448KB

MD5
8a5ec7624b0dcc0ce99dbbbcc283d7ab

SHA1
b267a793307c7a089edcd92b43681eefb41c6e8c

SHA256
7fcca634a857b25a8ca81ded59bc7b3e8a9fccfc5080b37aacc6a30f516b75f6

SHA512
d9bb5ea58e2d8c62cc3c3229095c00b07eac2d2c7a66cc57e10bed10d4e918a8ea895e92f90c8b263516c3ad65b6b349aefad9e3bc698f3d111ba665c5c64e39

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
448KB

MD5
36bb73be2e862fa5c0704531f1dca9c4

SHA1
1e8ba3913f18d41727e3d4c5ea4105b66ead72df

SHA256
c51db096e0267a907417f0eeb5772b137539ca6bb19d87672d350297ef4cd9e8

SHA512
42703dc8339cba6f3ab75a886743dee529b88a4b464cc38c112f19ac984db614187e4fb59b2ae23360be8945323952b135d970275856af653274f8448db402e9

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
448KB

MD5
10e73c8a3c9c327374c5c9651240e1ed

SHA1
68f9763d82c877c021c649a73fec504d52e61b4a

SHA256
41c528ed0fadb115451f4f671a99eb9d78fc6713aaf75dc6cb86968d0d0d6d14

SHA512
35a8325d76437334cfb83064c0599489c2556c5a23bb9b4dec1c43fd14642921425d4e8f1c43ddfe04f92e0e384fe7731badb6c05ccc5deb074f01350a2693ad

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
448KB

MD5
63fa81f935312ef8308defe43f14ecf5

SHA1
c45d75c4e1135ada43709abd36e4b63550953c56

SHA256
081256f691cb1a1333f83f6ae850c911aedc4e17ae4f322f56d6f5520b2a47a7

SHA512
fac79fb78e896a7413674963c7f4c5d21bb5f080c7dd8f6cb0ec3798c6215496a35ea6abc8b8ef7683b4ad152e77793d784d5448f908efc452183f2112a219d3

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
448KB

MD5
4d61855c2ebcc0653d41f98e7e4bb051

SHA1
43c5daf583eff7f44c8d65e3704b8084603c6f5c

SHA256
a05ad2ea65eda609391a7ba37e226b51e596c82429eb91d895bbecfcb4647c6a

SHA512
78d48df8ab4c5d53412c2792e8b809dd0921d8138efbfc041323ce4bddb2c5101f8a48d6efc7d2c41b16af848c8ca62354eccdb89d4fa0fa91b11f78a91194da

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
448KB

MD5
2b1e6d645904342f650fb61d351595fb

SHA1
b1546bdbdcae8e0ee037d71d8ee3a2ca9a00458e

SHA256
f10795a3233f7adbff2ecea5c0c64683ad90a55006c8eb66e8aaa59daf301b8e

SHA512
d089fffb9be247c9b011a32f27b9b1a98b5be65e2c63c68035953cd345f1938bcd4d38b9b24160481c97dd4f97b42bf16956f040d42e579c6686849585ab0d08

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
448KB

MD5
38f01bd3fa0f835b68b6cf157e1e13b3

SHA1
edecae7c6d45db5fa70f7957385d038174837a8b

SHA256
73f0e9f35cd692d00b6cbf9d46874337d3434aa4776487fc1fb45323a6cbb6c4

SHA512
97b34bed6f1770bce52432103766d4b633c8349731508dcc1871a451aa6315640862e9ce7c7afa728af714463178fcfd1392bd7d52cc7214454803b7eb304299

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
448KB

MD5
e1982cd0317d22b6fa1a065933f8b6fb

SHA1
8b542143513a7bdfd9fd19e2e62030089aae5a1b

SHA256
479771b1899d53a163e176e1bc2916273444ae4ee2f25c59c81832f4c25fea90

SHA512
ed77f30b4155602f03bfa51e7ecac5d3db4b4de38374360eb7b500b658c3a32da0a4812544879d0ae07e5f4f58de72d284ddbe9bcce99280051e2f754d058b38

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
448KB

MD5
4007f66ec60a0100ed935fdec5d5040c

SHA1
dbf8b92e73c2b67915572341d119798ac031d471

SHA256
5215af9cdb254afb3c20c654ca348d8a49c6040d9b423550f59f2092e2a2977c

SHA512
f74590ee54f34d773a977ddaf117b1a2cc4b551b91290922843252e1aa6910617bccaec7439b1178fec8d233bebcfcfb0e383a781469f281e0fb8739a0f1ed7b

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
448KB

MD5
37097222155914199998ed15d2540657

SHA1
9a24072451817c52fa456042bdebed03481c12b7

SHA256
08aa6710d3daf5de53e0c1cf26018ce827c411d2195bbd846f4587278e689e43

SHA512
3003edd4e1c840bbfc6154d1c0bd230f72e8ef7348758bf7350047e3ce04ebc37962166a5b515090aa756832a9f5315129d4cc8a2d954a49cb54bd93b5a3d418

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
448KB

MD5
4c9dc54b71dd4073129815578b0b6d5b

SHA1
e6a8e987376953f6042ac6dc6324dd40bd5fee82

SHA256
239b7c2aac52884a0aa5ede84645b9a97dcb74ff239b6177e6a6aefbcb675923

SHA512
9995d04bb701a7e69c93ab41c1e7a761ac86c15f46421a07faa4b186ef3b1ad29e4687bf552506d227062ff03666e1950d9013a059b1d26a0f87ca6e3e2bc856

Download Submit
memory/64-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/100-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/100-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/784-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/784-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/896-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/896-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3768-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3768-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4040-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads