bf82185ed846f8437d4be0ed671f64804ce0b34bc6010c81521d8f22f472b156

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe
Size

136KB
MD5

058320190339875a0a2125e29a66d2c0
SHA1

77573e1cc1635b69f7a23a94734c2a7d44277450
SHA256

bf82185ed846f8437d4be0ed671f64804ce0b34bc6010c81521d8f22f472b156
SHA512

932900dcd0921b81d3fa9e901f590fedd5c0cad9f59955d1c7b81df45356eed942c4685b836ab8af9e42adb13f0dc67b54c5232ef0142b35358f02e87b021426
SSDEEP

3072:F4aCxoA9ofVg0sohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:YoAqg0sohxd2Quohdbd0zscj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe

Executes dropped EXE 56 IoCs

pid	Process
3768	Kaemnhla.exe
2400	Kbfiep32.exe
1004	Kipabjil.exe
3492	Kagichjo.exe
5084	Kgdbkohf.exe
1292	Kibnhjgj.exe
2208	Kpmfddnf.exe
2944	Kkbkamnl.exe
4040	Lmqgnhmp.exe
2068	Lcmofolg.exe
4928	Liggbi32.exe
4108	Lpappc32.exe
3728	Lgkhlnbn.exe
2980	Lijdhiaa.exe
1104	Lpcmec32.exe
4792	Lcbiao32.exe
1748	Lkiqbl32.exe
4708	Lpfijcfl.exe
4532	Lklnhlfb.exe
4088	Lnjjdgee.exe
2504	Laefdf32.exe
2084	Lknjmkdo.exe
2216	Mahbje32.exe
3856	Mpkbebbf.exe
4960	Mkpgck32.exe
656	Mnocof32.exe
1440	Mpmokb32.exe
3564	Mgghhlhq.exe
2104	Mnapdf32.exe
1740	Mdkhapfj.exe
468	Mkepnjng.exe
3228	Mncmjfmk.exe
4296	Mpaifalo.exe
4796	Mcpebmkb.exe
4436	Mkgmcjld.exe
4688	Mjjmog32.exe
516	Maaepd32.exe
3264	Mpdelajl.exe
2492	Mcbahlip.exe
4232	Njljefql.exe
2096	Nacbfdao.exe
2680	Ndbnboqb.exe
2892	Ngpjnkpf.exe
2964	Njogjfoj.exe
3600	Nafokcol.exe
4656	Nddkgonp.exe
2948	Ngcgcjnc.exe
5004	Njacpf32.exe
2404	Nbhkac32.exe
2232	Nqklmpdd.exe
548	Ngedij32.exe
2116	Njcpee32.exe
2076	Nnolfdcn.exe
1704	Nqmhbpba.exe
4060	Ncldnkae.exe
2780	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1868	2780	WerFault.exe	140

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 3768	3288	058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe	82
PID 3288 wrote to memory of 3768	3288	058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe	82
PID 3288 wrote to memory of 3768	3288	058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe	82
PID 3768 wrote to memory of 2400	3768	Kaemnhla.exe	83
PID 3768 wrote to memory of 2400	3768	Kaemnhla.exe	83
PID 3768 wrote to memory of 2400	3768	Kaemnhla.exe	83
PID 2400 wrote to memory of 1004	2400	Kbfiep32.exe	84
PID 2400 wrote to memory of 1004	2400	Kbfiep32.exe	84
PID 2400 wrote to memory of 1004	2400	Kbfiep32.exe	84
PID 1004 wrote to memory of 3492	1004	Kipabjil.exe	85
PID 1004 wrote to memory of 3492	1004	Kipabjil.exe	85
PID 1004 wrote to memory of 3492	1004	Kipabjil.exe	85
PID 3492 wrote to memory of 5084	3492	Kagichjo.exe	86
PID 3492 wrote to memory of 5084	3492	Kagichjo.exe	86
PID 3492 wrote to memory of 5084	3492	Kagichjo.exe	86
PID 5084 wrote to memory of 1292	5084	Kgdbkohf.exe	87
PID 5084 wrote to memory of 1292	5084	Kgdbkohf.exe	87
PID 5084 wrote to memory of 1292	5084	Kgdbkohf.exe	87
PID 1292 wrote to memory of 2208	1292	Kibnhjgj.exe	88
PID 1292 wrote to memory of 2208	1292	Kibnhjgj.exe	88
PID 1292 wrote to memory of 2208	1292	Kibnhjgj.exe	88
PID 2208 wrote to memory of 2944	2208	Kpmfddnf.exe	90
PID 2208 wrote to memory of 2944	2208	Kpmfddnf.exe	90
PID 2208 wrote to memory of 2944	2208	Kpmfddnf.exe	90
PID 2944 wrote to memory of 4040	2944	Kkbkamnl.exe	91
PID 2944 wrote to memory of 4040	2944	Kkbkamnl.exe	91
PID 2944 wrote to memory of 4040	2944	Kkbkamnl.exe	91
PID 4040 wrote to memory of 2068	4040	Lmqgnhmp.exe	92
PID 4040 wrote to memory of 2068	4040	Lmqgnhmp.exe	92
PID 4040 wrote to memory of 2068	4040	Lmqgnhmp.exe	92
PID 2068 wrote to memory of 4928	2068	Lcmofolg.exe	94
PID 2068 wrote to memory of 4928	2068	Lcmofolg.exe	94
PID 2068 wrote to memory of 4928	2068	Lcmofolg.exe	94
PID 4928 wrote to memory of 4108	4928	Liggbi32.exe	95
PID 4928 wrote to memory of 4108	4928	Liggbi32.exe	95
PID 4928 wrote to memory of 4108	4928	Liggbi32.exe	95
PID 4108 wrote to memory of 3728	4108	Lpappc32.exe	96
PID 4108 wrote to memory of 3728	4108	Lpappc32.exe	96
PID 4108 wrote to memory of 3728	4108	Lpappc32.exe	96
PID 3728 wrote to memory of 2980	3728	Lgkhlnbn.exe	97
PID 3728 wrote to memory of 2980	3728	Lgkhlnbn.exe	97
PID 3728 wrote to memory of 2980	3728	Lgkhlnbn.exe	97
PID 2980 wrote to memory of 1104	2980	Lijdhiaa.exe	98
PID 2980 wrote to memory of 1104	2980	Lijdhiaa.exe	98
PID 2980 wrote to memory of 1104	2980	Lijdhiaa.exe	98
PID 1104 wrote to memory of 4792	1104	Lpcmec32.exe	100
PID 1104 wrote to memory of 4792	1104	Lpcmec32.exe	100
PID 1104 wrote to memory of 4792	1104	Lpcmec32.exe	100
PID 4792 wrote to memory of 1748	4792	Lcbiao32.exe	101
PID 4792 wrote to memory of 1748	4792	Lcbiao32.exe	101
PID 4792 wrote to memory of 1748	4792	Lcbiao32.exe	101
PID 1748 wrote to memory of 4708	1748	Lkiqbl32.exe	102
PID 1748 wrote to memory of 4708	1748	Lkiqbl32.exe	102
PID 1748 wrote to memory of 4708	1748	Lkiqbl32.exe	102
PID 4708 wrote to memory of 4532	4708	Lpfijcfl.exe	103
PID 4708 wrote to memory of 4532	4708	Lpfijcfl.exe	103
PID 4708 wrote to memory of 4532	4708	Lpfijcfl.exe	103
PID 4532 wrote to memory of 4088	4532	Lklnhlfb.exe	104
PID 4532 wrote to memory of 4088	4532	Lklnhlfb.exe	104
PID 4532 wrote to memory of 4088	4532	Lklnhlfb.exe	104
PID 4088 wrote to memory of 2504	4088	Lnjjdgee.exe	105
PID 4088 wrote to memory of 2504	4088	Lnjjdgee.exe	105
PID 4088 wrote to memory of 2504	4088	Lnjjdgee.exe	105
PID 2504 wrote to memory of 2084	2504	Laefdf32.exe	106

C:\Users\Admin\AppData\Local\Temp\058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\058320190339875a0a2125e29a66d2c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\Kaemnhla.exe
  C:\Windows\system32\Kaemnhla.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\Kbfiep32.exe
    C:\Windows\system32\Kbfiep32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\Kipabjil.exe
      C:\Windows\system32\Kipabjil.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        32⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        43⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        57⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 408
        58⤵
        Program crash
        
        PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2780 -ip 2780
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
136KB

MD5
4c71d3eced114eb837a59f2df1f05852

SHA1
7330e38afe978eaef99385f2beaf40803805329c

SHA256
152d0601096bd16ceced90c0936e5bbe1ebdd3194b089a57e5ff943e7f357bc9

SHA512
7d4efa5305c057e3e8dc7b4eb362524f50eb0a4b4c7fd326c40c0750012e2045f62ecbfb6e76f4aedb2c357d0712c2ca70255db63466328c4c565904205a8933

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
136KB

MD5
8c0c4c96550f2ad231afa095ea06d79e

SHA1
1c4aae270e0802bfebd81014dca69e6a7d56dd68

SHA256
53d277e1212ce025be44294b51f93bb3c71b18b43a576b57d18b58abfcb47a10

SHA512
beb757813de2d450a32465517093f2eaf0da0347e262ad59d4a6da0979f1351585ee1ba3518cdacc66d6f68dc091f8a1841c4136120ded9def6b2e29848a4fb3

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
136KB

MD5
ae5e06868f7da9c34a487ce35d870d4d

SHA1
41af729752353a1c95e8d65663f9adfdfe2aa745

SHA256
ae19518524950fc2d9e3fae47d9aa878af384dd916a36e178f5ae8db0a4a0e57

SHA512
b506d86cf043e406e269fdb2aaf076160c54affe7fc707a3770f0f8ae8227303decb8e58a54cd6d8c93284e1327668b67467fa3670c852c921eee2836fe45d32

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
136KB

MD5
b05bcaa426910c69c77052f77cc6f013

SHA1
977ff4ffdf6a72bec0221f5cbb558a8f6f80debb

SHA256
d7f4472e5e396b0869b08397c57b8f1fe11bacfd28763939495d837300fd9897

SHA512
830a3ee3766a035dcd31211089154100a22481e1a5aba38f0e0eb79b3920cba69c74cb042f01274082094f286e6a2724a1d5518befe69d3f101f7c8166f9c3ec

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
136KB

MD5
a34bb15130773d2a3d1a04607eaf38d6

SHA1
43e9d7033473b5b1b0089e0c2b9a9af037f30fd2

SHA256
ca857da75d8802a05019ab2089261f793806937ca0b5802eff2a511d489f8a0f

SHA512
5cc530fe23309d0cd43cfe29f6c4bc955b32544d8413750b36cd59e3695f4959cdfc27c6159594afcb9812aea3091e16ac18d89d30679d2958a8f56817c51f71

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
136KB

MD5
8522a16ebd4c69292737de66e261dbae

SHA1
36c6e38e36e356c75a3753db70172494aebaddf9

SHA256
8b9953bfb8355127752b67e26ea36fea5a51a67b6673bd32d56a2310f3f57aaa

SHA512
ea5051701af24154ecece467f61359ee09c92fec1bdf8e5d8bfc4e0eeb1ec81abd43c9488423574b78225f98dc67c15d6cd7ce744b2aa2c5fd3527b2e0a071e0

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
136KB

MD5
3ee5a0027230e003236015818ccf1b74

SHA1
ac3ebae777188d4c1280e86bd2092ad003ea67a3

SHA256
ef709e1e295af1d8af1239e9203685a8692c547e37681673ddd32f06f8c68c03

SHA512
9f45effa2544ef6d72e426c3fb5d6b3ef20c235b20ce585e4fbac0f5845d0c6762c2263071aa635965e0d2f21b879b1f03a903771c311659845b8005aecf9378

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
136KB

MD5
0c07dae7194b74959c4ea88ec6f36761

SHA1
58106048012f9ab6cf1734140ce00f80079b1a0c

SHA256
0e3a228ed28b4526347bb955c26252c867ab511f865315f815a6090771092238

SHA512
9332945a6c57462dbd5cb6fe084154f0066f0081527d54b6312f8ccef7909a4a93928f6b5e9bcedea3e98ec371ddcd68023e129a22490c46074482021f50272e

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
136KB

MD5
c3a2ef00397cbce459800b012e2d3f5e

SHA1
89cb1f03a5d8a47312b4421d111b3f28561db72e

SHA256
5661499bdde7215b7b19092dae271f951ba29afd067b4377a9d63c13b3961797

SHA512
4c88485e1a21cc81a2d78e518ff9d978ecb22770522ff324ad7f5e61c359093811bff83316205c3552e857d283f7894483da7006ef30646280e0e34e9981bffb

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
136KB

MD5
f9ac3265fb72aa57ac41bd167dcfb475

SHA1
af523bbf71b4a02143f972ebde62fc93284995fd

SHA256
92fc289700b337dae6ff4f0b116c1cc18d5429b1f9a8bcea8e7f229f83d32d66

SHA512
55c364a1bc911041b06e88f8ba60004098d2b83f1b10c22430052f18522705df81a4b29d1cba2954a0165d69a736b30eac1ca688d4acc3012023f31392e35c3d

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
136KB

MD5
91621918c2586e5437ea43972a9f3297

SHA1
18a9763a56d26d3acfd6a59108de5fb2a609096c

SHA256
71da13a14e632eb6f78589870e34a5fcf62b211ec6fa715ce1215fdd4a1ff5aa

SHA512
30f7d425c19d6b3f1a4af6d48cb3f38ee1b0f0052a865a84dda91dcb087f8175beefee2afe6bbfc3da622873385d79ac5fb65ed6584e72c8f4b676fcd0e0b28b

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
136KB

MD5
f9bdefed9a9ae98722ad8cf2e654405c

SHA1
cd82da8b5c53e3bfed4e7a2463ab858c85809ff1

SHA256
02eff9edcaae4de688cae573aeae9eb287f1f745af05d6686819df13841826af

SHA512
1767cc47ea97ef13f8c149474123c832d471391bbf4950a930bcfac303eea73346ed58b6edc5d6804e3ee48f94eabc4335e6b4ce3326ab87ca5e35827f05e94b

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
136KB

MD5
54f47987a8eb6ed4176e57e723273455

SHA1
0ad21c1fa7a2683b09a1a12d78e30e1a6b2e705f

SHA256
3046a5fff48c4e298d8b022f614ac49cfa0fa586a75856f68b531b0ddb58db99

SHA512
be457e2cbbda0b50b72ae0cdf5368da66c2bab92248aaa01cbdae8dde4e748007bdd73da81386c18c475a6feefee1c323ce6c875a67b33c8d9b9696b0a83f1d9

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
136KB

MD5
8998b74fb9e7cfa28a26517223201f0b

SHA1
42b0ee69fd3c3d8301051457d0b01266542dbb01

SHA256
354cf5af773c1edbdd2a3eae4cb381aed4c57197c02144d2ae7877577f0639bb

SHA512
3288e13c86c25b9488a5818980d30bb5494d170cf470c57371363d37a1e01fce9ce5d14a5dad4f6e88a0fa38aba8d20de4706dcfde9f8e789e8490d9cdda4ddc

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
136KB

MD5
e30f3039f59c875643fa62e20e152ebd

SHA1
9560137d8abc0d7c087092c24d214b43d5c51934

SHA256
5baeae79c4b9312fd269f714a31f2ff5ffd847845e3fba17e01ba0b534351392

SHA512
a15f13390278b20c1a231595a44a8e5daefbafa8863102221ed24f542fa1be9aacbedc29ed9413ee634b60eb0cbaa9c21b7f6f9d6893166e58d19aea709ac41b

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
136KB

MD5
d5b127cfbe0b0f63e131991e100b4e65

SHA1
78de6a7d72b431fdbb999af0b2891a3d11414d54

SHA256
d781ce22547364e4a65f8e0bcd23664a0a3b74a8352e0299d49afa31cfc42a93

SHA512
c559156eb49b5dc135099088d9baa4290a6883ebb89e74c41202671538bdd9432ded30cf55d92fb9b0941ff784522566636739a61fc9571504afb8b701d14dbc

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
136KB

MD5
6a3f25fed784d4d9661d560e8716c742

SHA1
6d374bf46a401b48c691dcc9e89f216d10a98090

SHA256
5d411b62a3c5c3a7ecd90a869f086836c5640cddf12280fb30819543b7ad5531

SHA512
ca007dfc40410e2696b2f14ccb07926f04e9d46df5c55319cbb141967c97b3c06483507edad5d30c4558dbf7f501866f54749f67b313ae066edf84b23cd7f819

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
136KB

MD5
dbf46c15da5cc9b8aa9e1ce974d3c1f8

SHA1
1083e595c684c46c984a307e90021592c889c530

SHA256
f411bb94e045e5d876e654c89d8884a3ef504a16b2e230f5693d989d8a94286f

SHA512
37d29dfe42d43b99bf16265c71549b8456bbb1aaf64ad9e287d80c3d5441c0889cd56175a91b528bd9640dbd155aa7dbea8c5ebda6a09a8a2c93df16322603c9

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
136KB

MD5
5ebc8af90b899da2d4261b48be2dc248

SHA1
4dd2ecc48a57efa80aeac91630dccceee9a17258

SHA256
f3d9dec0f1e3d619f6960018305cf9cd390835049d871356ee7d8fa339403d9f

SHA512
045b09af8b8e22ed564aba2060c47d41c154854f5e0547291322505c7f64f6d90e9ace3668d39c5f30172a17346ece17eed81f8a731dcf0e60df72694ee2b308

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
136KB

MD5
2f62213423692f67a7fe9a6315b3b953

SHA1
4ec97240ee5835270fac9731ecd8d82a06c7c5ce

SHA256
e32e4fc04f97448693a62588333c50ae6bf81f5a9171c6551a999d3d5e0e0bd4

SHA512
5361494d7d6162f677faa0c8639fbd1fc049b3bbe230f2a56de67f1e38120ed17de9a7edb84d72a645691059546e2d7271161c772ed3b9aff05f75731501a048

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
136KB

MD5
90cd6a8248f5c4f3de6860bc881c1409

SHA1
3f9d6eb63956ba58e3d4b2054537ecad711559e1

SHA256
243999e091036815ca801d9d83c166623c95dd1e9a47a4dac0b86409972462cb

SHA512
cd2a9799901e83d34ee77e76b83a4e6b164f7a141f371860db6db76bae4f17385ff7f1d37399ebc8d8ba4dd2994d714db57b20bb48ce252f8c0ee96588f95ac0

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
136KB

MD5
7510aa65a610a916b5cd34ceb7f22e7b

SHA1
0184270391c09dfa6453bbcb34a3bd32c65560a2

SHA256
b27479542aba4b23e47979a5603185ed92cd54518147dddd8c9c7dd078bd45dd

SHA512
c8e33c0e6a17380b2e6f9e6ef77a49a4aa7e1d3f12506b49b3d5b10f37be74ddeac7f394fbf7234acf82228de16c4c5f52fc5ea42b7bcb43b640ddd1b6c5ba6c

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
136KB

MD5
0c3d0091f825a9cbb423a7beb5a1f5a2

SHA1
7d2fd8a22f578f28c8bb1ff2ffc31355cc4b5268

SHA256
62512fad35974eccafdec159bd94449e5595a7639ad556125364f07129454bc3

SHA512
7c95f41339611801c62ccfd6ed7bb168a4d6302760f4fad5fdd4c79f29704a912bf28d087caccc67030e45c1896242630d9a5e7ec8a89e4cb595c9a64dbf1219

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
136KB

MD5
9db20715cadd7be941dca4cef31ab411

SHA1
479dfabf55c8922443224d27958bfbce0a62bfdf

SHA256
b83eb3501ad463d4d385833236f27ac1fcd4a0e16f0b354ec853715ed9abdc71

SHA512
e13d63d21f251ccfe0f1e36ed71d53cb672c01f7cced62bc6de9e7220a49a20c0f24921eb2e15df326546c4e32de577877bdb4b7e8a771caade775e8f6aa8d52

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
136KB

MD5
61df4dff0c057b0b0b0608053e2bb3cb

SHA1
8862c8aa31585d01a88d74adf414b1f4a7f5ffdb

SHA256
57a944587bcb094518dcd6acaab4b8380d36a14e36d8d1d40651308f8ab98c1b

SHA512
fd66b4afb4428fb894eaaf4ec205f3531097d842200bceb9b2a5025ea1fbf9699b2d72d2e8a6149e9f924d5747ce322d15c81c26b7c7c4c329e1fd2db4242df4

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
136KB

MD5
8eb270c50e296bcedc7e56ae0d5f380b

SHA1
4e2b1bac398a1e9f3ea02acf3c20ab13731323d1

SHA256
4d8a69ab2bb2e8333bffa136f861a183fa06164a103b16bad60ec4ee3353c7f1

SHA512
425208e6f348b585193a2de6cac3eb4be4e4e3194d061ac0b3c2c6a7f2a8dc3756960707b6a46d7998dc0e03036262ec358df14542cc43ceeaa440248167710b

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
136KB

MD5
b0e17cff79c84f8565674c0371f0238d

SHA1
7f20be380c79e1d7c1f2d2790af60f73de6736ea

SHA256
c1c977dd5c261e93c7a98939c997b719771790196a24d8bc7bde414e125cedb1

SHA512
4f007a60ef43d0bbae9d9064716698fa99b33b412d8578eefdf5e9cfaec8082efd591bf241d8863fbb7ab83051fde8206284abaa3ddc99d13c99ec61dc663508

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
136KB

MD5
42fc7c73f91f69c2f50c97f69f71fc24

SHA1
ec60ba9507c249f4c2b9652c2e53fb0b2fcae49e

SHA256
75112ecc2bd379b7805645c65c9867951443129639b42e27f56052b13e6bc2e7

SHA512
fd1d784377b061b15f5bd5c781fc599bb22e423c3e8bae2906fc9f4f651d62db315fdee7c05b90502c5934b9cb52632a3fa87828d59327eeea2800731dbef406

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
136KB

MD5
01db40f655ae49de860d6eb1d17b25f9

SHA1
37c9532acff18ae21c009dbd518b8a3a97c2106f

SHA256
0530fb80bacc191b675315a5575961070867090493ed496ecb0cabba622f3e29

SHA512
3e0eb1cdd91f093efc9d627a25982a27872809df6f31ce72db0c1163bdaa2368b71693ee7f8ed12affe4bdaecbf46b395577d0b11163b8340abb5c53043be37a

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
136KB

MD5
bf98b2c62144650175263d9bf20784f3

SHA1
4f9cdbb4b688bcbb06935fae52ab8fe70d6b4744

SHA256
6b965efdbe94019979c9f76ca75dcacb49223f4f223940c6084613549b81b323

SHA512
d42b546beed8caf5bdd3bd19edd0b5720f470910fcf6efd23f694e074dca7057c05f66f23d776aec1ac79c2b88fccb31dedd3a4e2e87f0e1fd8e78ea8d87c799

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
136KB

MD5
a43f7ff0ef937a4ab4350b5cad106aec

SHA1
a12a3a39f6508552210a84a17e8ac4a8aa3b2670

SHA256
2c2e3dae00d27ce7634b1d2fbba42009e177d03ed3224f4cf08a7813a632650c

SHA512
521de095841d3727b140cd88083c2eabbe8ffe4799474f5aa7dc3ada2d3011c4113bd92bb5315dbe234aee6a567780a7466bc014306d32543b49dc2ec617b43f

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
136KB

MD5
aa79ea4a45c22668279af8f064e0ac3e

SHA1
6acecce72432e5a40e50310998a2b0fbad373f76

SHA256
47baa9e17bfcba86d1d707f50c0cf90ae722c52ed9689db93951d3826acbf15a

SHA512
6e92b28c703c2628c415b01bd8fb06127fe46d7c3ca6080da383b421f2d1ececace6c58e637df9a6708d469143a50eaad0f8ab0fee6ff84ea6e920b9bb4723e6

Download Submit
memory/468-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3492-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads