9c068ef9033c58848378782ed57659663874dfdf6eae64f5ed00d6ba5aa0513a

Analysis

max time kernel
51s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe
Size

94KB
MD5

5d01f6933f085102998b040c1b24a080
SHA1

2450cf8379718afd32ac07377f903352a3a03a5e
SHA256

9c068ef9033c58848378782ed57659663874dfdf6eae64f5ed00d6ba5aa0513a
SHA512

ae5d6d39c8d85c4ccce3a6e8615e302c1b742f5852e327db146f352df411dbafe6892afcf0c224e7b272ee68dc15ff8e60eb6b9156d91e710e4602878829ce52
SSDEEP

1536:uYAyFtlxngn/m6f1A4LRryRNZbzVO2L/aIZTJ+7LhkiB0MPiKeEAgv:nCeo1AMuB/aMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe

Executes dropped EXE 64 IoCs

pid	Process
3472	Jkdnpo32.exe
3936	Jmbklj32.exe
4152	Jpaghf32.exe
556	Jfkoeppq.exe
912	Jiikak32.exe
3048	Kpccnefa.exe
452	Kkihknfg.exe
3636	Kmgdgjek.exe
4596	Kpepcedo.exe
2480	Kgphpo32.exe
2036	Kaemnhla.exe
2840	Kbfiep32.exe
1596	Kknafn32.exe
3420	Kmlnbi32.exe
372	Kkpnlm32.exe
4372	Kmnjhioc.exe
2168	Kkbkamnl.exe
3476	Lmqgnhmp.exe
2400	Lalcng32.exe
3688	Lmccchkn.exe
3796	Ldmlpbbj.exe
1440	Lgkhlnbn.exe
1540	Lijdhiaa.exe
2384	Lpcmec32.exe
2188	Lgneampk.exe
1472	Laciofpa.exe
4424	Lpfijcfl.exe
4352	Lklnhlfb.exe
1512	Laefdf32.exe
4740	Lddbqa32.exe
2916	Mnlfigcc.exe
3628	Mpkbebbf.exe
404	Mgekbljc.exe
2160	Mkpgck32.exe
1720	Majopeii.exe
3684	Mcklgm32.exe
2892	Mjeddggd.exe
3228	Mamleegg.exe
1660	Mdkhapfj.exe
4780	Mgidml32.exe
2708	Mncmjfmk.exe
4988	Mpaifalo.exe
3192	Mcpebmkb.exe
5008	Mkgmcjld.exe
1172	Mjjmog32.exe
1968	Mdpalp32.exe
1964	Mcbahlip.exe
4012	Njljefql.exe
768	Nacbfdao.exe
5016	Ndbnboqb.exe
2704	Ngpjnkpf.exe
4272	Njogjfoj.exe
1264	Nafokcol.exe
1744	Nddkgonp.exe
2028	Ngcgcjnc.exe
3060	Nnmopdep.exe
2224	Nqklmpdd.exe
2824	Ndghmo32.exe
1748	Ngedij32.exe
4192	Nkqpjidj.exe
3484	Nqmhbpba.exe
3160	Ndidbn32.exe
540	Ncldnkae.exe
1348	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lalcng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1048	1348	WerFault.exe	148

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 3472	668	5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe	82
PID 668 wrote to memory of 3472	668	5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe	82
PID 668 wrote to memory of 3472	668	5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe	82
PID 3472 wrote to memory of 3936	3472	Jkdnpo32.exe	83
PID 3472 wrote to memory of 3936	3472	Jkdnpo32.exe	83
PID 3472 wrote to memory of 3936	3472	Jkdnpo32.exe	83
PID 3936 wrote to memory of 4152	3936	Jmbklj32.exe	84
PID 3936 wrote to memory of 4152	3936	Jmbklj32.exe	84
PID 3936 wrote to memory of 4152	3936	Jmbklj32.exe	84
PID 4152 wrote to memory of 556	4152	Jpaghf32.exe	85
PID 4152 wrote to memory of 556	4152	Jpaghf32.exe	85
PID 4152 wrote to memory of 556	4152	Jpaghf32.exe	85
PID 556 wrote to memory of 912	556	Jfkoeppq.exe	86
PID 556 wrote to memory of 912	556	Jfkoeppq.exe	86
PID 556 wrote to memory of 912	556	Jfkoeppq.exe	86
PID 912 wrote to memory of 3048	912	Jiikak32.exe	87
PID 912 wrote to memory of 3048	912	Jiikak32.exe	87
PID 912 wrote to memory of 3048	912	Jiikak32.exe	87
PID 3048 wrote to memory of 452	3048	Kpccnefa.exe	89
PID 3048 wrote to memory of 452	3048	Kpccnefa.exe	89
PID 3048 wrote to memory of 452	3048	Kpccnefa.exe	89
PID 452 wrote to memory of 3636	452	Kkihknfg.exe	90
PID 452 wrote to memory of 3636	452	Kkihknfg.exe	90
PID 452 wrote to memory of 3636	452	Kkihknfg.exe	90
PID 3636 wrote to memory of 4596	3636	Kmgdgjek.exe	91
PID 3636 wrote to memory of 4596	3636	Kmgdgjek.exe	91
PID 3636 wrote to memory of 4596	3636	Kmgdgjek.exe	91
PID 4596 wrote to memory of 2480	4596	Kpepcedo.exe	92
PID 4596 wrote to memory of 2480	4596	Kpepcedo.exe	92
PID 4596 wrote to memory of 2480	4596	Kpepcedo.exe	92
PID 2480 wrote to memory of 2036	2480	Kgphpo32.exe	93
PID 2480 wrote to memory of 2036	2480	Kgphpo32.exe	93
PID 2480 wrote to memory of 2036	2480	Kgphpo32.exe	93
PID 2036 wrote to memory of 2840	2036	Kaemnhla.exe	95
PID 2036 wrote to memory of 2840	2036	Kaemnhla.exe	95
PID 2036 wrote to memory of 2840	2036	Kaemnhla.exe	95
PID 2840 wrote to memory of 1596	2840	Kbfiep32.exe	96
PID 2840 wrote to memory of 1596	2840	Kbfiep32.exe	96
PID 2840 wrote to memory of 1596	2840	Kbfiep32.exe	96
PID 1596 wrote to memory of 3420	1596	Kknafn32.exe	97
PID 1596 wrote to memory of 3420	1596	Kknafn32.exe	97
PID 1596 wrote to memory of 3420	1596	Kknafn32.exe	97
PID 3420 wrote to memory of 372	3420	Kmlnbi32.exe	98
PID 3420 wrote to memory of 372	3420	Kmlnbi32.exe	98
PID 3420 wrote to memory of 372	3420	Kmlnbi32.exe	98
PID 372 wrote to memory of 4372	372	Kkpnlm32.exe	100
PID 372 wrote to memory of 4372	372	Kkpnlm32.exe	100
PID 372 wrote to memory of 4372	372	Kkpnlm32.exe	100
PID 4372 wrote to memory of 2168	4372	Kmnjhioc.exe	101
PID 4372 wrote to memory of 2168	4372	Kmnjhioc.exe	101
PID 4372 wrote to memory of 2168	4372	Kmnjhioc.exe	101
PID 2168 wrote to memory of 3476	2168	Kkbkamnl.exe	102
PID 2168 wrote to memory of 3476	2168	Kkbkamnl.exe	102
PID 2168 wrote to memory of 3476	2168	Kkbkamnl.exe	102
PID 3476 wrote to memory of 2400	3476	Lmqgnhmp.exe	103
PID 3476 wrote to memory of 2400	3476	Lmqgnhmp.exe	103
PID 3476 wrote to memory of 2400	3476	Lmqgnhmp.exe	103
PID 2400 wrote to memory of 3688	2400	Lalcng32.exe	104
PID 2400 wrote to memory of 3688	2400	Lalcng32.exe	104
PID 2400 wrote to memory of 3688	2400	Lalcng32.exe	104
PID 3688 wrote to memory of 3796	3688	Lmccchkn.exe	105
PID 3688 wrote to memory of 3796	3688	Lmccchkn.exe	105
PID 3688 wrote to memory of 3796	3688	Lmccchkn.exe	105
PID 3796 wrote to memory of 1440	3796	Ldmlpbbj.exe	106

C:\Users\Admin\AppData\Local\Temp\5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d01f6933f085102998b040c1b24a080_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\Jkdnpo32.exe
  C:\Windows\system32\Jkdnpo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\Jmbklj32.exe
    C:\Windows\system32\Jmbklj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\Jpaghf32.exe
      C:\Windows\system32\Jpaghf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        65⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 400
        66⤵
        Program crash
        
        PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1348 -ip 1348
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
94KB

MD5
fcc281cb49921f9043f3ba17e60c5bc8

SHA1
8897293faf466ff77108a7f77c199f20087c8ec9

SHA256
41702778711048a8d38ed85ffdcf204c3d6b090bd40658ec69c197bf10154d11

SHA512
d625a785a40cb65edb28d7c1a413ee47ffcb0eb305606da0a085ab21c5480d8c3b35997d6fa8ffe54e4c802945af48d75129fc247e89c64beaa41fb5ebbffa95

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
94KB

MD5
7c05a6cb62d1a322e415f97ceebe9d97

SHA1
541ed30f5a047816ab95dfcc156ff1fd790e6646

SHA256
9f8775b0c93195879c427784acdb6d934769e002d4c29c6bb1c3516527411cd3

SHA512
070e82b544edaf421c4d69a568365c69510a29c83ac145d688c654bec557b25586bd383bf63becc0ed1761052cb59c5b3fd1b1bafef11bc60ee4918de7ff4109

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
94KB

MD5
8522327eaad4921a68203085e4c88091

SHA1
7c293393ca30acb7da8a9e8d57edc1bdc014faa6

SHA256
74e7dfa7141f571809063fb5ea14b66670469f97923afbd19a201d0d39b9813d

SHA512
1b9e32e78564f9eaa567b33eec2eac4f9fee7f29bc7d154021f0eff2edf759cdf31d4b42422b384eff8ba824ae3154be199b085bb789d525122a2f41e34348c6

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
94KB

MD5
a3203d55c6c621f988f198c36eb84b5b

SHA1
beb9b585ea825053fa207255b890eec58917cbbb

SHA256
548f4fd93a52e6bd914834b4f6eac85f2325084476af83e8ba73e82460739cba

SHA512
d3b494d10150257907641701683957654d9a95eaeb271f4b4e33e3ec1aae35f3ff16977a20f31c42db9b3709a69106eae740f8a9de238fa1c7c82d8a324853ba

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
94KB

MD5
15f4cf3700b22016c67ab0bb864705fc

SHA1
120779b05dd18560b152e1651f11b39ae9b65823

SHA256
068a07ffe481fd83b16d681482d96d0f39667716df32331a4efe9c0d56798d71

SHA512
03f13462272bf9ced730fd30b4a9c77df09a1c815f64a527bf7b9882a6e264b29ae1895681ec53f6c27eeb06b39f7a520869efe104a0f7ffd1dd24e725630d23

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
94KB

MD5
413bde4a0f73c74285c9f567ca1e966a

SHA1
f9dfa9cf236a8c55be342846a98bdf48679f2987

SHA256
a20156dd1670948018ec329f8952394e6a7f717f0d75bddba42076daada9c799

SHA512
ea3d31988b06c502e164c2557f1cde17e0c496a060ba5328a3f9654b8b3a127c93ae3c0ac28c80b62309e232f3e44e8d4ba80227e0f69caae554a2a3a6cbc09c

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
94KB

MD5
5af8e5c903f26b1fd4205b790027a443

SHA1
445a8f17aac9aab33a7f609d95b40c1f852a3578

SHA256
39a7d9b06bbb3c9cc11c381bc1a6d3256883a71caefcd14344f128bf3843c663

SHA512
88cf1c0c6cafd12bb657f75a0e7078aabeb7e048e6a48523efe8ac59712f34bec9b2c64af61e823f3757a1d2a2b2ea24ae0ea2f7d4f3e1aac7909150c2c03f6f

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
94KB

MD5
05f159dda5e8a4fc03b1133fa1e96a49

SHA1
697d3fa296bbd6c78c4f86730989149155b7a128

SHA256
b95ecc1f990e6915431e7a34589f6d341182dae34a8c8a692f2a6b6d6c536cd0

SHA512
2785039f18d29bbfd9b7db345b7e4d61950ebe07cc7ba7094dcb51fac9dd4de83304cb7522260313f74ed6aa423c4d84aacd15fa78f02fd0b0c343bd2abeb4f7

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
94KB

MD5
78a870d6f242668b699b8cfbae8051ef

SHA1
64fbdd29c6cf63ead4b87c1c7db96b4bdf1d0737

SHA256
0ce0d8ad7d99e766979b537bb20e826509435bfdf4f5735898530af86bb29401

SHA512
6a6ddad88f5a3fa58c701d34d8639c1a5a7f93c1813a861682413f61f8e896b5f3284805fb539a399c6c3f927968f0fcc8c86160f0ea2c84c650b32105fcc00a

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
94KB

MD5
e1fbb8e67d394cfb90bbfebb4bff8989

SHA1
f4d6ecea0c58f57cda7cf4c22e7bf7a12b3010d8

SHA256
23e399b9119ad097ff65bd8d3787a9bcc73a1b9b16e27fa80718835a10e83ee1

SHA512
2fa4689aec9a9ad275ed4275ae30e72c3cf1ccf1051f33412edb0b2d6243622f784e5c977617479d0b56fc6590b2e83c41455e3b35d8a1b146cbeec68d9ad421

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
94KB

MD5
118e3cc60d21bd46fb213ba5a711d6a6

SHA1
d0c659e0cd98a053061ea4a712730c14f63d5cdb

SHA256
778ddeb2238bc0e95df757a4b46313c42a9310d67eeab54ed132bca5c8dd99e1

SHA512
0aab83c336555266eab6ce1125662d97ec0d8f8cbd8810f7fc26de61410632f6b563527ca116f53161a5315eec3474719c111a5015e941a4425a29d3a0633b52

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
94KB

MD5
00e75fd7c1010b68c473927525e19a75

SHA1
1207d3d2327edb660d2d3d4b1d2ab671c37b1a08

SHA256
34215b97c39ac3d7c48f15563fc0bfce6d8d3b2d1bceed84d85f28fe618defa1

SHA512
f2127805cc4ebf8c3636ec408837d077e051e037afe0ebc756a9f8d04595c1d733022c873fdcd2f6a54b79864c16f9cfca7e59cce93bd07ac594d0aa9abac598

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
94KB

MD5
f36daa4711e941c23451b7c783a1eb40

SHA1
1c7dcde328209d9cfec32b93e61aeab93953fc6a

SHA256
79813d0861fe6942a584afff204b3d7e6d25928c1ed67c4cac1ca482bda33fc2

SHA512
ee0e7b85c9939f097658a79fd1dd20e363c7e3c1c0368a0ac0d6c0e89ad7adbad2d0f9dafcdbd2cf8790041ed3c58400a818a64977208ceda0abc070b612be16

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
94KB

MD5
e40a27ae2ca4c9027c935e17bc658cb1

SHA1
23627d083f6450e4ff84160378fd28ebb27e4547

SHA256
c3b50c63f0f18a2a16ab0f6d38da9ea29d90b85e200596634d23358e371a717e

SHA512
6947215b97e6ddfe9aec552f6ceff6ef1761f5650588d6e59bb2e35f169281c40fd770f765a8b90e71e448df461d6eb98873a6d66a334e4102b26a1c96549954

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
94KB

MD5
2b97831c7d620b744986b5f515037201

SHA1
a414f07a577b14538f865df53aa797bf29d02750

SHA256
9b19ed73676ccec495d22f2b08d0c9d6b25023664c468e7e3339660c1515e7a5

SHA512
31f18fd4564636792ef7c13765721bbf63d79876acb72a140568f0e1a037d51f4ef372a7f150dbc94d9570b9e16e5f09fdaffbf9633ad9d36594804ed2f5f621

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
94KB

MD5
174604021a81202fc79d2e1af188e3af

SHA1
5c46bba8d76a94e078ae823a763b0ef702ba4e02

SHA256
3064ba6159003aac0fea638c02a50123283421494eb97f0792cb9b88cec96ebc

SHA512
d7f6c2fd6956580da1e6e47632fd41bb2ee8082fc34d377694be5979245a2440a4c2cb6d6f266e3c2387e492d27223297ac89f2b6cdb15cf16ae5deda8ca2131

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
94KB

MD5
7573ad584dcdb4cb7d6d73381c38bf0c

SHA1
701ed34bd8e9946c524a4a485714401df6102776

SHA256
c842752d64834fc9eb8bf38ada66d85d3b92871e2c7284be618ce4e31cde7fba

SHA512
7a8ead2c78ff3585851da9d080fc4e17d819b06074282bd75993b5ccaafdf3382323a95123e6fb9e179b342442a7735f6a5bf6036e2d87938dc2f271d9f3e81a

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
94KB

MD5
5cc61c84fee5103b7dc23e25ce5a4b67

SHA1
32269ab744718c5dd3f1e61726494cf36a25ba83

SHA256
45b5f47a2236d17e36177dad2bc6d674240a61a62a04843c15ec8c0542eed0e3

SHA512
3549bef7def00b39def0cb698b7a5c093b38586a0f84efb6748597165ec0dab0a0694cd4deef607467f5da7063a1c5be475fb60beb4c9f5cdf170c81b8ca5512

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
94KB

MD5
1c48ffe808f40b53dd122593af8a4185

SHA1
6c82872967e75d56193274e0824e120f1f0c3220

SHA256
2a2aaa8c5dfb8a331ca8c6d808f3ca143088818378fec30e4020c3a663e9f725

SHA512
2198ab2af3fbdda49c61076ca7fd99c39b05021ad32049fc7b87f16dad2da1daa1901742e3fac76c331d7394e47c66aa868291364c51497124db8008a7340df7

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
94KB

MD5
04536f8fa4f84674ce37b5cf8f9f53a4

SHA1
f568179dd86538a15c7af2ba0e6e0305dcc7b076

SHA256
20072ee2d349b216ec486860b4e023bfaa742a9c336ede639289b7b4286e2d5d

SHA512
87f5d0f20c2c4e7ca16555d0f09a826ef081047c76954af2fa6cc52eb5b692db83650163a4f5424ede8034ab762304d758b541657e9b24812723be1e48c231f6

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
94KB

MD5
2eb45b7b5c0910863e941bc7f5019350

SHA1
891437498f1d5d49029854a323d94744c6b6f2c7

SHA256
42d7ff7141fb31dc633865e0d2557ffe5b7fbad5e7d64c6460ea90bacd872ea2

SHA512
2db91349d2b6cf2b0def588f9bf1df7b11cf813e26ba087d62453c430a0e3e7c5f58d511173d9f54e07b3f8e4483954f793c83015b81a7a5a73f64a78c2c5da3

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
94KB

MD5
8c0657dacd345cdd503b9a1c4ace62ea

SHA1
b77eb34a9ca0b75872f1f74306d9dd3cc9174d5c

SHA256
25d19db6153e85a1083eed1cc8a144b8337bd4f9530581baa74733ca69490763

SHA512
013508fc55843f873e44b490ef88a529c3d5354fd31352cadbb9849872915a7418d4a47c66d80c8f81391c43a6d25d159bfb242a4f8d62a4aeb53a2066304866

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
94KB

MD5
219cf075b7d5dba0fbb552571115ef0c

SHA1
5559f342e386ec43af386b62f63677c987b4dd10

SHA256
3bb503e0d34e3eacc160c0637778c19b5a88befad92f6009624a724af352e604

SHA512
ba80f1a581340259a9aadc2f2bd684b94bcfd054e043c564311c308942f74ea9fc38fd326b37d53883f41d7856e10465d3114999c116c304b2ccf2af652e9c9a

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
94KB

MD5
a44f8a854de7ac98d017ed6317dba21f

SHA1
f1089ac440e2e8b94f0c113337d4143f2eaa13a8

SHA256
a985abd5b2c6fbcc918851a7e2e815b344ad9c7376ac5ca0c9d1dedf2b34a651

SHA512
4ef1a9a9e12d4f6a657663ab812f2a87a0037a0c8218f2074005817b59babd51854106ce9a525afdaa11865f05587634ae8d20238994ceaec7a74cc3c0118b00

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
94KB

MD5
98dc9f8e0d21a216260d591fe1e8c7b1

SHA1
e492b6748c7a51348769d2c73bfc5fe17c1ff5de

SHA256
c440bfca177b69df97c9e91f9176a4f24a80473dee27fb071ecfc95932c685f4

SHA512
e9ee2ae7b63f0d481428c32c437b98e8373aca45258369c1382761b01ba815112abde33f98f69fda48ab865a4de1dcad9467fdcc72dbb1524025a3725ea36696

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
94KB

MD5
d4292802aaaf2dd6454c909fa7421180

SHA1
5ebcafbb3ffe1d6d29645f602fdb978401818144

SHA256
ec185b06a7c892522ea6ed996d30926341654b8e1808d621e328e464b54ce60e

SHA512
f1e7ca5b81aa87d9566a41d14aaeed42998f4b58f63bf67db028a22fa3a8d2f790c4d45a0c776ac39ef0a67fe3857dd5530673801665fb237e2761d8cdbe3dbf

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
94KB

MD5
a14d4d98e52af42b07f49885a3c865f9

SHA1
df5f35c8876efa00c27baf33620bc283de00086d

SHA256
68ffdb249d990196d51b128c26706eb882d369ce0bc1ffc30fdd0c58337936b8

SHA512
ee2d7adaaa29a0334741932a92c89a928f6736655647a4077367e7b61403957338c27f4fcceca670ee0a56e34b689cd8b59434c8338375a8683172be30642d6c

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
94KB

MD5
6f4edccab4f1eee41bf1efc1bd25801f

SHA1
2508b00534d33289fdb7021c4dcb86e63ed65e85

SHA256
e48ac6606b38f39ed29fa71b08e04527c645f2d408c771d1fd3ca4c4d6f5e02d

SHA512
4a6d0ecbfe0688ee1c8159e83e0918fa0b060fa4892fb66f5939a6692c798e40109e41e3c7bf6aa000ba255d3429d8c0230018cca0a163a2b08969371b1250c6

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
94KB

MD5
c92f7efe02bffd39c4c355994f586e0b

SHA1
6bad89706921d89de5be75a3399102ec606d6e66

SHA256
9ce15ab7a90f8ba663bdaf4fec3e0b65a7fc53640a91642c0cc5d7f9d48e26a1

SHA512
0b3a2f2ba77a3dc08a06e1ea53b3ba2ad755be8946c8769a81f2efcbd96da0fa92652af318c58ff1d5d1d215aed047f7beaf200058459435e1f8d75b1dbcc0c6

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
94KB

MD5
610648ceb9c20e8cd90626228e3df18f

SHA1
9179b2fd9250cb83f60068562945f867b343916e

SHA256
94f768fb62d63eabbbc54b867b616f42f33c83e743cc5d9260ffb3fec32e881c

SHA512
4491144742e07b6cffa66146451440bdd9a92e1d9807db4dd1bc5b3361eaf39c6369d8b91cab95730eac67769bce935364fd810c6a1213730bea6b5f573df951

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
94KB

MD5
84e4a20adb234eba042a18ee96c05d76

SHA1
850bf6e95310dc70dde60637568a5f62dc8322f3

SHA256
260a339c6a8bd89e5f485e5e7dc8f91cd6e0930bdddf9b651ee9a160c5185873

SHA512
ca354571ec44e70a612c530e2eacf5537872e9962de246f8571b611ac677ccfac473789f02b299b87db8472c2cb66fba162a7deab7db1169bb7a1c366332b6a8

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
94KB

MD5
e8c2ef1dcf25e945ed3187119eaa17a7

SHA1
6ab521c81f64e995523b7eb6b29f4ca09a62186d

SHA256
bd8d7a8cb612dac880b2e32ec85b2ba81cbe1d4aed2fc201d22fa09e786d3ffe

SHA512
0d782d18fadcea3db9032bbcf3d61f33ad71b22ee3f4a142cee2e7e0e8228d3fb7e9ce8e1f8b7d4b7a6db46b014d41842d3e6660dd4cee32f65ab4f2aa983531

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
94KB

MD5
98c1a4d044f776f550b754c707e1a0d9

SHA1
094cfb3aa25354913da535b9d098ba1459df40d0

SHA256
c0168247918f6189949357bc45dcf4115120119610c37e497fef4bdb2b442379

SHA512
eab505d89316714ddda8441af2a25a9b94075aa7edbe58cdd034d5bcfa1e295863efe8a8f1f545a69f038d0e2e222fa75b4a138e6b503500145347adfda46bdb

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
94KB

MD5
d5289d7531512880e8e75d9dc4bd49b2

SHA1
af28f5c5c0af3f5e990e07f08ddf3d35580c65cd

SHA256
4a0ae7e5eafd59eb82cb0fa8c67314454b77ffe61e11393740aff4673c541cb4

SHA512
2e543163a93a4f1ae918ca9e32b27143589ecfa856fb34e8ae257913912b6e5305cee9a8f48a344783bd5bae772ebb64f695c15fc2eae5017789f0bb6c4ee0aa

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
94KB

MD5
494a0dc5a19ae8d4e52a2c2e4baa78f8

SHA1
dcaca7038887aa047aedb71a53c65aa8590cab9c

SHA256
ec8f974cb4415952cc66ba29553d742957eac35fc984f6f1c3e8eb65f1a77087

SHA512
2c7677bc68fe8c2c7e078ee5c3f26ed3093ea69ced4b45159aecba3e8b512120c486d20e1f5e93f205f318b755b4ef81c81f4b11208e66b2e5a10c71d8c00ae7

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
94KB

MD5
97024149281e19deaf2b36571bf5a186

SHA1
7716597f0e7a0f4232dc5b807a5c992839ecf680

SHA256
3e8f2d15145221fd3b8fd2b84d66adbd6d29d9e55e139ebfc74d16d88e7bc7da

SHA512
5b91339ba6bfdd8ebe040416c09d91b4150684f2ba9897392f211ffcaada7abae1d9fc07162e99ba043b3081971659fbff6a42a76cb6c31a944bb626629634f5

Download Submit
memory/372-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/556-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/556-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/668-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/768-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/912-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/912-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1172-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1172-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1264-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1472-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1512-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1512-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1660-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-438-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2160-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2384-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2384-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2400-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2400-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2704-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2840-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2840-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3048-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3048-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3060-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3472-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3472-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3476-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3476-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3636-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3636-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3684-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3684-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3688-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3688-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3796-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3796-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3936-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4012-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4352-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4372-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4372-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4424-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4424-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4596-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4596-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4780-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4988-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4988-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5016-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads