4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
Size

194KB
MD5

5753f1bcab5c6c89d7e7244c4b1ac2e0
SHA1

b57ad6f1eca08c45115c865189163e52d6906a9e
SHA256

4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438
SHA512

86f67ca2ef5fd3c084aa09e8e8cc5115052e22ae6b458557b0dbfec26c7c0aba6365b8b1c50a89829c23be56b3e3e12026883e15919d91992752e90831936e91
SSDEEP

6144:6AcEpD37BdSfUNRbCeKpNYxWlJ7mkD6pNY:6Y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe

Executes dropped EXE 39 IoCs

pid	Process
636	Kphmie32.exe
1784	Kipabjil.exe
2560	Kdffocib.exe
544	Kcifkp32.exe
3524	Kkpnlm32.exe
2688	Kibnhjgj.exe
1488	Lmqgnhmp.exe
4792	Lpocjdld.exe
684	Lgikfn32.exe
552	Lpappc32.exe
1192	Lgkhlnbn.exe
4612	Lnepih32.exe
1804	Ldohebqh.exe
716	Lgneampk.exe
4788	Lkiqbl32.exe
2288	Lpfijcfl.exe
5004	Ljnnch32.exe
1608	Lnjjdgee.exe
1028	Lddbqa32.exe
4708	Lgbnmm32.exe
1768	Mahbje32.exe
1480	Mgekbljc.exe
1928	Mdiklqhm.exe
1128	Mamleegg.exe
3740	Mkepnjng.exe
1668	Mncmjfmk.exe
2580	Mpaifalo.exe
1640	Mcpebmkb.exe
3216	Mnfipekh.exe
4636	Nacbfdao.exe
2468	Ndbnboqb.exe
1328	Nceonl32.exe
4772	Nklfoi32.exe
4740	Ncgkcl32.exe
1572	Nqklmpdd.exe
1900	Nkqpjidj.exe
1348	Nbkhfc32.exe
5012	Ncldnkae.exe
1404	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4428	1404	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 636	4648	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe	80
PID 4648 wrote to memory of 636	4648	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe	80
PID 4648 wrote to memory of 636	4648	4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe	80
PID 636 wrote to memory of 1784	636	Kphmie32.exe	81
PID 636 wrote to memory of 1784	636	Kphmie32.exe	81
PID 636 wrote to memory of 1784	636	Kphmie32.exe	81
PID 1784 wrote to memory of 2560	1784	Kipabjil.exe	82
PID 1784 wrote to memory of 2560	1784	Kipabjil.exe	82
PID 1784 wrote to memory of 2560	1784	Kipabjil.exe	82
PID 2560 wrote to memory of 544	2560	Kdffocib.exe	83
PID 2560 wrote to memory of 544	2560	Kdffocib.exe	83
PID 2560 wrote to memory of 544	2560	Kdffocib.exe	83
PID 544 wrote to memory of 3524	544	Kcifkp32.exe	84
PID 544 wrote to memory of 3524	544	Kcifkp32.exe	84
PID 544 wrote to memory of 3524	544	Kcifkp32.exe	84
PID 3524 wrote to memory of 2688	3524	Kkpnlm32.exe	85
PID 3524 wrote to memory of 2688	3524	Kkpnlm32.exe	85
PID 3524 wrote to memory of 2688	3524	Kkpnlm32.exe	85
PID 2688 wrote to memory of 1488	2688	Kibnhjgj.exe	86
PID 2688 wrote to memory of 1488	2688	Kibnhjgj.exe	86
PID 2688 wrote to memory of 1488	2688	Kibnhjgj.exe	86
PID 1488 wrote to memory of 4792	1488	Lmqgnhmp.exe	87
PID 1488 wrote to memory of 4792	1488	Lmqgnhmp.exe	87
PID 1488 wrote to memory of 4792	1488	Lmqgnhmp.exe	87
PID 4792 wrote to memory of 684	4792	Lpocjdld.exe	88
PID 4792 wrote to memory of 684	4792	Lpocjdld.exe	88
PID 4792 wrote to memory of 684	4792	Lpocjdld.exe	88
PID 684 wrote to memory of 552	684	Lgikfn32.exe	89
PID 684 wrote to memory of 552	684	Lgikfn32.exe	89
PID 684 wrote to memory of 552	684	Lgikfn32.exe	89
PID 552 wrote to memory of 1192	552	Lpappc32.exe	90
PID 552 wrote to memory of 1192	552	Lpappc32.exe	90
PID 552 wrote to memory of 1192	552	Lpappc32.exe	90
PID 1192 wrote to memory of 4612	1192	Lgkhlnbn.exe	91
PID 1192 wrote to memory of 4612	1192	Lgkhlnbn.exe	91
PID 1192 wrote to memory of 4612	1192	Lgkhlnbn.exe	91
PID 4612 wrote to memory of 1804	4612	Lnepih32.exe	92
PID 4612 wrote to memory of 1804	4612	Lnepih32.exe	92
PID 4612 wrote to memory of 1804	4612	Lnepih32.exe	92
PID 1804 wrote to memory of 716	1804	Ldohebqh.exe	93
PID 1804 wrote to memory of 716	1804	Ldohebqh.exe	93
PID 1804 wrote to memory of 716	1804	Ldohebqh.exe	93
PID 716 wrote to memory of 4788	716	Lgneampk.exe	94
PID 716 wrote to memory of 4788	716	Lgneampk.exe	94
PID 716 wrote to memory of 4788	716	Lgneampk.exe	94
PID 4788 wrote to memory of 2288	4788	Lkiqbl32.exe	95
PID 4788 wrote to memory of 2288	4788	Lkiqbl32.exe	95
PID 4788 wrote to memory of 2288	4788	Lkiqbl32.exe	95
PID 2288 wrote to memory of 5004	2288	Lpfijcfl.exe	96
PID 2288 wrote to memory of 5004	2288	Lpfijcfl.exe	96
PID 2288 wrote to memory of 5004	2288	Lpfijcfl.exe	96
PID 5004 wrote to memory of 1608	5004	Ljnnch32.exe	97
PID 5004 wrote to memory of 1608	5004	Ljnnch32.exe	97
PID 5004 wrote to memory of 1608	5004	Ljnnch32.exe	97
PID 1608 wrote to memory of 1028	1608	Lnjjdgee.exe	98
PID 1608 wrote to memory of 1028	1608	Lnjjdgee.exe	98
PID 1608 wrote to memory of 1028	1608	Lnjjdgee.exe	98
PID 1028 wrote to memory of 4708	1028	Lddbqa32.exe	99
PID 1028 wrote to memory of 4708	1028	Lddbqa32.exe	99
PID 1028 wrote to memory of 4708	1028	Lddbqa32.exe	99
PID 4708 wrote to memory of 1768	4708	Lgbnmm32.exe	100
PID 4708 wrote to memory of 1768	4708	Lgbnmm32.exe	100
PID 4708 wrote to memory of 1768	4708	Lgbnmm32.exe	100
PID 1768 wrote to memory of 1480	1768	Mahbje32.exe	101

C:\Users\Admin\AppData\Local\Temp\4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4ee3f19ebeef7faea4d4365a93688bc9c7dcdc473a59c560b9c8b7e643cc9438_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SysWOW64\Kphmie32.exe
  C:\Windows\system32\Kphmie32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\Kipabjil.exe
    C:\Windows\system32\Kipabjil.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\Kdffocib.exe
      C:\Windows\system32\Kdffocib.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 400
        41⤵
        Program crash
        
        PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1404 -ip 1404
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
194KB

MD5
4ffa3ac3e98d9e354cc1da02610035ff

SHA1
f8087d4412edc583eb2a122f430275a196a04d2d

SHA256
d406351e0db7d3f595d7c285eff5597aa05e7378fca1b83737d68dcb0e3d904e

SHA512
f52f6d6a4e0ff7cfcb91637ac3b42c612eda3dfc47c3d14b5d0fe7dd00beda6e938512c98cbab21b18f88e828a00324fe4d8ce8773077d3c008d06e448c219f1

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
194KB

MD5
cef65df00e454077db16784dfd67c04c

SHA1
cc41da537c7fb24665b7bae337cbfab13ffa65cc

SHA256
8021782c909fbaf44a0af79d12306ab786e4501e8d8702b63e1830ddf5fa81e8

SHA512
7a7088a9509fc380f54793d74eb9c7715619ca8fab2c7c8b6ec560c664d15cfb67bd9b12396363b320a6eab3e9e2217267e22e4dc6ac541b4259ee7753ed820f

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
194KB

MD5
1cf4077fe9b622bd22e29579332bbde9

SHA1
1442cd457957dda8131c9d8dab895d3b4329bdbf

SHA256
77ff79b3c88944d4761f01f0445ebe6461f392be9de7e6b55ee7d2c9faa654ed

SHA512
eccc0e26c71deee8369a83cd58ee30a58b0756b0f7b6a6e7479a449533c5387e9e1ca5ea2d477945be0900f20e702e30c300065185962276ff0b550ce4038130

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
194KB

MD5
d620f68f1940c68feec413cd80853a53

SHA1
c55f601911097d8f74c34f53bb29a5b4e849811a

SHA256
9ee89df6ac0c5f4d7171ba3536c006cf9f64e51eef849c38cd1bf23da35b0e56

SHA512
b7a356687ce7ed367723f918681299be230fb3fb3ab24dbabcdc54f6a34201ae6f569dd07366df6153d11e95f1ad6704dc95678b76c7d0ef69622c37df2a2bae

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
194KB

MD5
57a964d5e8c624cdca1caebef8c11051

SHA1
afb961f4cd174224cd86899f5eac1933bc2ddc43

SHA256
ade313afea9875aa7ae6eed99693e028b8b1d1e4f998eeae69d8f86da0c0f190

SHA512
4b463928ff5d16ec1acecafbce2b4d64e83fcd6d5ce8a91a36058d8a771db2591d0b18dd0ee377af374b6ad254f513ba280d67b9665adca7fe31a9b208d2a255

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
194KB

MD5
9499508b138433be2d2464881e5cf7a2

SHA1
499dc48bde3963787036b72f9336e88b52a11485

SHA256
2d84e37529ee9c9b941798872b5cd4603711b9416f4c5f0151789031782766ee

SHA512
3e7acdfc320df2d6a5363b6376c9db253a20634cf49e31dd7e3db5eb8d981ba4cc67c1b5e6e6294a72d470177514be351b704bb5de4dea5b54af98b5c7d9f20f

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
194KB

MD5
7ccfaed2e7c04e75c371932c8252254e

SHA1
301d92217f52836dcf5b6e6165f64667109c8bac

SHA256
41fe1ffd0c5b3d4a575f4794b4fd2f6c24453ca25c0ba52a180005de2ec67c5b

SHA512
7202e8bbfe02c53a8a735aad0c53c84eaa7a2fd45f9711d128726a055ff5c65fdc0e415459ba10a9da4cc69439b51fae9df14b4f64fcf0b0e47a6df8e816799a

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
194KB

MD5
1a98bd00b1ada9cadecba2c53bdd55d8

SHA1
43d81be5bec9354f8947603bff27b96dd93f0d32

SHA256
0c032f6abb46935c1ba163f49bff3154cfa914e0afdeed0a3273bc4647310fed

SHA512
60896522680981986046cca758836f9cbdb3e8953f22f89526f940dd27139a7ef087c676be6bafcd00aafd16d02064a71f6a31a70f3bf3d9b15bb9f7737f9202

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
194KB

MD5
853f03208a49821e481e954d5a513237

SHA1
c312452fac7cb070ba29f6e6cbbddeef58aca5c4

SHA256
90633c67d05f7b8e27a6a76091b938a30e1724d9a4277fe2b58a80c5154cd35a

SHA512
451c597174fbc6369c97897295ba0f3b7ede4c4bd5bf499b655a7f767ff69234a17fd1445713a40e577d83834788cef354c34aa2df9d04d047823fd47c36c81d

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
194KB

MD5
e278e94bc95260451382379dcf3449d4

SHA1
fda71cfd53c41e8d26e108adf8c9c3c698d1906a

SHA256
e12cbad276a84a71c41fbacbeed79d401792bca94bc97f958f67a1e7f821fe4c

SHA512
ae3fc152a77deb1540ef4a38ddd12d6d45b86e4ac6f421450c36dd93c504c890ef95979639608f115fbcef37503496656daeed66bd3779ad9b3553c6714dfe6f

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
194KB

MD5
60e539133ee07d73cf0d82df1671f05f

SHA1
ffd5d9134f33ded09544241573896e124861c733

SHA256
09524f90434c9637cc59b934bd59012f8762da569ffd10f49aa4ac78eff49c7e

SHA512
04bc4b4e3b38a22e64f553b0d14ef2d7f13ee5b62b5ccca066799e266c2c2f14b70d3b1923e1e342d1dc1e7f3b2e264b205852493b35cf9548fb8a977e78fbe9

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
194KB

MD5
19fd1c7489589406610432a57baf6161

SHA1
c534b096608a8b6ad76e5ad924ee4f47f1f8a216

SHA256
212116dd1e2b81059352542dedff2b6507d19c0bda68c2f5262434a1955c7102

SHA512
730cff45571c525774106f5d4044f639ef0ebe34b81fa4946179c9a7b1aef310e0893ecd88edc8d84168356ce367cc11d11319dcf00a55c0aaef94de1b2b9038

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
194KB

MD5
4689526f0752a73b81f33f983e6a13d4

SHA1
691167085d34c72d0fa488e0657c6dcb03de9c71

SHA256
6dc1f8ec288061beb316e6116983040111656c5a67b99cae17d5fb485ea11e43

SHA512
4f3ed858236628736d48a20c73af21f510df1f72d595f8977903557b93915dfa42aace54fcc3aea4d568e04c5cbbe8dc47420a2fcf37b8f49c9c931ec9313ed0

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
194KB

MD5
049118096c1c3d680446f2b74c5d2f6b

SHA1
556d8fb4ad0845002b063b6e76e9f9d804d612b0

SHA256
fd94855e92805c4aec95bbf247fb36d2c761ff9602a4ef447d00939c178b8eb7

SHA512
8ade387ae27864d7599e7b58dd20c413fc230a8935eb81396a8931cbf6f9bd890c2f42323cc99994078636b3ca5db65a0ff7bcaf55f747baa4147484fae6f2a5

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
194KB

MD5
22bb1d5b631d288b794c08fe4079fa1b

SHA1
cbc7f1dddacc6cf18d9d02f77a3c0da13c004d8a

SHA256
553076758900a6b86de589b5be3ae550fac1a939d5958a3adcd2a53620fd0f97

SHA512
7b0c3d66541f26c58d68de8997dbf953a03a346d28cc509616c3e9f9e2d95102ec1aec575d7a366313ce9e45f3f8231c1f130b67bd08cb61a486547c4d95adbc

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
194KB

MD5
1324d1624fb8d9a479b7d5322c4edea8

SHA1
5921b0eb4881f74cb145ab10e26cfbd8702b97fe

SHA256
0e5aea50170b1d9d101e66d92322481a661a41bd407ad4b7e9ec9a010d034b13

SHA512
91343f1d5df4e03129d004838179a03ec00e019c3228ace7d00876fb3a1ccadb4b104db0783432b8ad99a1a648f2c6e32e0ce34dbe8b453ab698c70d1c2e88ed

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
194KB

MD5
6974406489df2f8562ea77c2a0c2c339

SHA1
7b2497d7623e64c29e5b5a61be7fa0bd67d5a655

SHA256
1abeefd225d64085e075b83851d2f1d2f12a23db9d7b8f8c09c09ed0d00a38d6

SHA512
a336bc16cbcfd54db258f8dba3fc4cec6be30c0e07f031863074bdc31426b5613eae920e113b534a3ddbb50efcc54238ad5d342bacf23110d7cc0b6a725022e8

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
194KB

MD5
ee2f60b054d17754f3cd06ba42a39d6d

SHA1
508d070d911574ccc005ae3fb9d3a449b716be11

SHA256
594cf7e43c6658b2533b1f55550fce689f114ee598b0ee99b1715e0514a00f36

SHA512
aad0183fd7fec7886165498272744be183323445bf1ef79ba563467cd85a8308e2efff90f9e46167ae26f6d6a3f6336e51d1204649f051ffedbc5b3dafff86b7

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
194KB

MD5
9c1f95bf3cc3c6f62a88d5ad462745ba

SHA1
77b29f5900afa893fac919c456a292d5f65100df

SHA256
7726fb407c646d69a05cab624448c8a9b128428d0a27f3ccf8e63cf07e2549e5

SHA512
5e81cade52fe92d85b33d29e9eeee105630a8ba2e3240c35370db2bffa2eab6246c92c9a0c51a9c1661ba5e56a9b6f497bdf73809a8bba8147841cae09b86faa

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
194KB

MD5
8931d60696584d30dc3175468ef6dab9

SHA1
a5cc8e371d27ba8f353a071d32060f7a01580b52

SHA256
5b5f5a10611975c9a49656957f3832d86c4705412436e9c60f81d9632286b868

SHA512
b0b3e0e26ba94ca5437bdc9d249b1799b4700744354d4bff42af9bc684a39c303c892cab4690ec236d7c227517f3d3649451f0d71649382fac2c12531fea8da1

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
194KB

MD5
3dcbb1a97ba45374bcc0d71431c14c1c

SHA1
6687df4b1cc00d0edbebc0ab96cd81633cb2040d

SHA256
2c5c61dba1f75e443996857062be9a3e94baad204bcf55ccb99b37bb303b51b2

SHA512
789d865799feceb3a7352cedc28ddf65b6ef9d03293a325552cb7e9de465f165ab8b8cdad2f578c333368bea69d3b87fa6280f6cc33cada8dbbf36bd2ac3efe0

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
194KB

MD5
5ec140b34ec3400c667252be94d85975

SHA1
a277bbe6b420cac2508bc06a2f9fa57f9c0adf54

SHA256
b5166021dcf17bb9ec93707387a1cd403a9c7fedc62e16adbae182806aae0461

SHA512
57332e12326290e8e889c658c3d3fdb5c20fd388d144753bb1f8e1c4f1aa2c58f02dfc00dd2d8a6c3ce952c319a4d5abc23bca235008b8a15b2a0874f161dd73

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
194KB

MD5
336b4ef7d8971ac1b4ecee4b4dd8abd8

SHA1
0c84417b1813db0f9eade9d59f04d8069418f1fa

SHA256
56922eff40f919cc7ec578603608f238397e3fcf2dfbc23314dd77b43770e5cc

SHA512
668603373d7ef2d66baac6c7a267eeac60c636c9fc57a4d176c4cf6822e8693a5835a1dc4a70a9b607946ef486b0d95f07abf0ce02c4a8c3d06d64aec28ecc89

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
192KB

MD5
621a34f6d47ab08996a95e33533a4a3f

SHA1
991550acbc5575d671db3ae1407ebf1bab78ac34

SHA256
2c83d50f77c6ebe58aeb0fc76c9f234cf71997c9fd57e99e94276f07d7ed2baa

SHA512
a287206aa0d9cbae7e5acfdd63a992cf6b1500a2752c8dbc6475e142e8064035b09ac6abbb50cd01d958985a2a872c702e8b72be7dd20393d6f532e594839064

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
194KB

MD5
1c9271fa20220dec806176bc8dd1c08b

SHA1
c60924ba55fe9b4bb6f60647d9e022f53d6f2818

SHA256
f2c237f253633cfdd7d111f9948e67e87c6a979e7876142bb00dc492e0338abe

SHA512
426ca6dcce382c81a6eda67a1c2aac02a623ac1cab37b45c159906fabe837fec0fa528539e22d5dae69de2f4a34ec807d380169731c8f47c98316ae4c53eb7c8

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
194KB

MD5
eb2f1e39c4ebeeb5c0d0d8e41ea41e77

SHA1
e56a3bcf725c298839a8b605aef20f0fd4805aab

SHA256
eedfc6d78b7e8f4b26c6d4abccb1cf31ac9ae8fae8a5cd4f22799d5b65a8e697

SHA512
1a9847ca2466e44163057eaf1fc82e6a6f07fc84800a7faae90bfc1482802a9c0ecf13f0dd95516b677ab9bb5e80280eae9eab9bf84f9fda32d1963cac84f1e8

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
194KB

MD5
340e4c865fb585aa5ddc1ea778a961fe

SHA1
4dc21c7584bbe70ee135c37122e14166010b56fc

SHA256
d3bcb9cd653bf700e363e6e467c8eef90784f0d1524aadb221e9adb323a0c4c4

SHA512
1e861c5223de616a6c4b88ffe8be7182b7caab57ebd0c29ab2fa533c0d694eaa5a0cfd33326ad4fde2c5335e2bb6d169f2f3bf7c983fd967ee51fb5858e7d6e6

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
194KB

MD5
ce0f86633b8630f1777661957e9e4d29

SHA1
53a5d7de3a7582cd3ef24a2f93c5fe0a7036cd1c

SHA256
75a87df4b8a1ad00602485fc6a447639206ce48b637ab67f40a2cf66ca6e9f59

SHA512
458ab58e5ba6c275215a4e3d15b112579dbd4b33de47027b010b86017907bf5a12e21ba9210b7f4f60a9c3c1067287c06593ea8aa18bd55d258a4d7f6efaa0cd

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
194KB

MD5
0fcc4372f35b3a635744bb095f6353a0

SHA1
1b228a6e8b366c297db88b8b0278bc5ff9e574c3

SHA256
2381d817c5faf7dde7a59a1145b22117a9d0dee0f0d80239500c9d4032b6d05d

SHA512
43df23247eaf545224d0e4bf67c6bdb85f5765a679c3e8bdc14f6d5b6e95573f53a8f6a495935d0391a316176be24374bcfc70ffd1c2cd99762a795561f1deaa

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
194KB

MD5
34529b4999a4c49a5175d5e4ddcd096f

SHA1
1809ca55619cbbcdcb217bc78816428203028e05

SHA256
1478f8a407724e04425bae8fe9fa885d03bf890f38ed7eafe8e876bd45fda1fb

SHA512
98f44b873ad8ead94e2a08a1d5f3daa9be470a8c0cbe187fb25b9789ac3d98ff549230e1cd0a6d8ffa7ff31a3f17191790afcc3b3ca85f25c919d8ce5f62a207

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
194KB

MD5
d0e66c99a0ba1e09a0f42a2f5f5494c3

SHA1
3bfd0305b441f2cf3c8d42ed8108918882fcc7bd

SHA256
6ef673f4e56c76ef998ab126a71cbb80ae325767dad6c207333a9e04c7d52c26

SHA512
7fa6afd5aa5cc1bcc3da37327d91564c5dfcef9e9f3c8001ce96216a76c7afdc24531918c8789499e7479aace86dd3ff90fd4bdac1b47feaa4f778969f18d3e5

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
194KB

MD5
5e62d887ebbb794300e7fbd467ae2858

SHA1
dbb51bc1b4b710c8825899550cf58ce088085c66

SHA256
a6bfaf40bedfdde60d893d27490dbb66ec8a2b66543818b1943cc89729347393

SHA512
3981c4e50b1b010ff06119f484845c57ddb8c30c7b840dc0299034c011e520ca89ff1a16d1338a0bdcc687e5002822d2472afa35ada72c5a2b7fd9cba8ddb139

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
194KB

MD5
d8e1252f5be6f5a2aaf886ccaf512eda

SHA1
34730199b80df0cd9dfe8d3a3d814f2ee1aaf05c

SHA256
5b2ff6eef8c1407ff0c85f63f98f1129b3b90ff64dc6ef863ca4e1368eef1185

SHA512
91531d231749d2709dc961bc3692735ee53a54539cf66fa469ad957e950a4542e6b0a3c69bb7e37c84734709ddcbe9f30c836e3671cfd94bef45539f12766768

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
194KB

MD5
4ead4ef84ec733c650da83106cf193f6

SHA1
9e23a30b51e7ee36bba5e65fecfdce269e540948

SHA256
1c8fa66c2170d09e3e6f79121834cc0050457124c89f5a7b2a35ab45d5aa2d70

SHA512
480c20ef3f8f7f7076b9e055b8395f42fd8163f2758966f6207cea2f22093adf63d261899fc1878e5e81f5fdd2f2d663f906606e23ae0737cea81b27980fd60b

Download Submit
memory/544-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/544-367-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/552-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/552-355-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/636-373-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/636-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/684-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/684-357-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/716-347-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1028-151-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1028-337-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1128-327-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1128-191-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1192-88-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1192-353-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1328-311-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1328-258-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1348-284-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1348-301-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1404-298-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1404-295-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1480-174-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1480-331-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1488-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1488-361-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1572-305-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1572-272-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1608-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1608-339-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1640-319-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1640-226-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1668-323-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1768-333-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1768-167-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1784-16-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1784-371-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1804-349-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1804-108-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1900-278-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1900-303-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1928-329-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1928-183-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2288-343-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2288-127-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2468-313-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2468-257-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2560-369-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2560-28-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2580-321-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2580-218-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2688-363-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2688-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3216-317-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3216-230-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3524-365-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3524-44-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3740-199-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3740-325-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4612-100-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4612-351-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4636-237-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4636-315-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4648-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4648-375-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4708-335-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4708-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4740-266-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4740-307-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4772-260-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4772-309-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4788-123-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4788-345-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4792-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4792-359-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5004-341-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5004-135-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5012-299-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads