586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe
Size

94KB
MD5

7a348e35cbaa1702910749059eb0a6c0
SHA1

8fa73d5df9148bc3e114a42bea74d2791b586c84
SHA256

586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090
SHA512

61ac09b898202a5a27eef88f791ac295e1e794241a626a52d9b4c878c199dabed489ebec85a7960fed3fedd9578b3aa44cdfd7bf15700c3520bc4fa705239e25
SSDEEP

1536:9QKovsXvk5NpPq855E/lWqLPHq39KUIC0uGmVJHQj1BEsCOyiKbZ9rQJg:fFs/Rq8ENWqjH6KU90uGimj1ieybvrx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe

Executes dropped EXE 45 IoCs

pid	Process
4112	Kbdmpqcb.exe
3596	Kinemkko.exe
1500	Kmjqmi32.exe
2508	Kphmie32.exe
2176	Kbfiep32.exe
1380	Kgbefoji.exe
3024	Kipabjil.exe
1928	Kagichjo.exe
4520	Kdffocib.exe
1000	Kcifkp32.exe
4672	Kmnjhioc.exe
3452	Kckbqpnj.exe
3096	Liekmj32.exe
1008	Ldkojb32.exe
2808	Lgikfn32.exe
404	Lkdggmlj.exe
1560	Lpappc32.exe
3084	Lgkhlnbn.exe
4460	Lnepih32.exe
2760	Lcbiao32.exe
4036	Laciofpa.exe
4616	Ljnnch32.exe
5068	Lddbqa32.exe
2588	Mnlfigcc.exe
3016	Mdfofakp.exe
4904	Mkpgck32.exe
1252	Mpmokb32.exe
4600	Mkbchk32.exe
4528	Mnapdf32.exe
1388	Mgidml32.exe
3564	Mcpebmkb.exe
1968	Mnfipekh.exe
3516	Mcbahlip.exe
4876	Nnhfee32.exe
4160	Nqfbaq32.exe
2404	Ngpjnkpf.exe
2016	Njogjfoj.exe
1920	Nddkgonp.exe
2400	Ncgkcl32.exe
372	Nkncdifl.exe
4396	Nqklmpdd.exe
3900	Nkqpjidj.exe
208	Njcpee32.exe
216	Ndidbn32.exe
4852	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kcifkp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2992	4852	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4112	3380	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe	81
PID 3380 wrote to memory of 4112	3380	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe	81
PID 3380 wrote to memory of 4112	3380	586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe	81
PID 4112 wrote to memory of 3596	4112	Kbdmpqcb.exe	82
PID 4112 wrote to memory of 3596	4112	Kbdmpqcb.exe	82
PID 4112 wrote to memory of 3596	4112	Kbdmpqcb.exe	82
PID 3596 wrote to memory of 1500	3596	Kinemkko.exe	83
PID 3596 wrote to memory of 1500	3596	Kinemkko.exe	83
PID 3596 wrote to memory of 1500	3596	Kinemkko.exe	83
PID 1500 wrote to memory of 2508	1500	Kmjqmi32.exe	84
PID 1500 wrote to memory of 2508	1500	Kmjqmi32.exe	84
PID 1500 wrote to memory of 2508	1500	Kmjqmi32.exe	84
PID 2508 wrote to memory of 2176	2508	Kphmie32.exe	85
PID 2508 wrote to memory of 2176	2508	Kphmie32.exe	85
PID 2508 wrote to memory of 2176	2508	Kphmie32.exe	85
PID 2176 wrote to memory of 1380	2176	Kbfiep32.exe	86
PID 2176 wrote to memory of 1380	2176	Kbfiep32.exe	86
PID 2176 wrote to memory of 1380	2176	Kbfiep32.exe	86
PID 1380 wrote to memory of 3024	1380	Kgbefoji.exe	87
PID 1380 wrote to memory of 3024	1380	Kgbefoji.exe	87
PID 1380 wrote to memory of 3024	1380	Kgbefoji.exe	87
PID 3024 wrote to memory of 1928	3024	Kipabjil.exe	88
PID 3024 wrote to memory of 1928	3024	Kipabjil.exe	88
PID 3024 wrote to memory of 1928	3024	Kipabjil.exe	88
PID 1928 wrote to memory of 4520	1928	Kagichjo.exe	89
PID 1928 wrote to memory of 4520	1928	Kagichjo.exe	89
PID 1928 wrote to memory of 4520	1928	Kagichjo.exe	89
PID 4520 wrote to memory of 1000	4520	Kdffocib.exe	90
PID 4520 wrote to memory of 1000	4520	Kdffocib.exe	90
PID 4520 wrote to memory of 1000	4520	Kdffocib.exe	90
PID 1000 wrote to memory of 4672	1000	Kcifkp32.exe	91
PID 1000 wrote to memory of 4672	1000	Kcifkp32.exe	91
PID 1000 wrote to memory of 4672	1000	Kcifkp32.exe	91
PID 4672 wrote to memory of 3452	4672	Kmnjhioc.exe	92
PID 4672 wrote to memory of 3452	4672	Kmnjhioc.exe	92
PID 4672 wrote to memory of 3452	4672	Kmnjhioc.exe	92
PID 3452 wrote to memory of 3096	3452	Kckbqpnj.exe	93
PID 3452 wrote to memory of 3096	3452	Kckbqpnj.exe	93
PID 3452 wrote to memory of 3096	3452	Kckbqpnj.exe	93
PID 3096 wrote to memory of 1008	3096	Liekmj32.exe	94
PID 3096 wrote to memory of 1008	3096	Liekmj32.exe	94
PID 3096 wrote to memory of 1008	3096	Liekmj32.exe	94
PID 1008 wrote to memory of 2808	1008	Ldkojb32.exe	95
PID 1008 wrote to memory of 2808	1008	Ldkojb32.exe	95
PID 1008 wrote to memory of 2808	1008	Ldkojb32.exe	95
PID 2808 wrote to memory of 404	2808	Lgikfn32.exe	96
PID 2808 wrote to memory of 404	2808	Lgikfn32.exe	96
PID 2808 wrote to memory of 404	2808	Lgikfn32.exe	96
PID 404 wrote to memory of 1560	404	Lkdggmlj.exe	97
PID 404 wrote to memory of 1560	404	Lkdggmlj.exe	97
PID 404 wrote to memory of 1560	404	Lkdggmlj.exe	97
PID 1560 wrote to memory of 3084	1560	Lpappc32.exe	98
PID 1560 wrote to memory of 3084	1560	Lpappc32.exe	98
PID 1560 wrote to memory of 3084	1560	Lpappc32.exe	98
PID 3084 wrote to memory of 4460	3084	Lgkhlnbn.exe	99
PID 3084 wrote to memory of 4460	3084	Lgkhlnbn.exe	99
PID 3084 wrote to memory of 4460	3084	Lgkhlnbn.exe	99
PID 4460 wrote to memory of 2760	4460	Lnepih32.exe	100
PID 4460 wrote to memory of 2760	4460	Lnepih32.exe	100
PID 4460 wrote to memory of 2760	4460	Lnepih32.exe	100
PID 2760 wrote to memory of 4036	2760	Lcbiao32.exe	101
PID 2760 wrote to memory of 4036	2760	Lcbiao32.exe	101
PID 2760 wrote to memory of 4036	2760	Lcbiao32.exe	101
PID 4036 wrote to memory of 4616	4036	Laciofpa.exe	102

C:\Users\Admin\AppData\Local\Temp\586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\586a4c7c6b8d8f78ab978ef76d97e8b6bf8a753553de4963afe577ab9ea7b090_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\Kbdmpqcb.exe
  C:\Windows\system32\Kbdmpqcb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\Kinemkko.exe
    C:\Windows\system32\Kinemkko.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\Kmjqmi32.exe
      C:\Windows\system32\Kmjqmi32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 400
        47⤵
        Program crash
        
        PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4852 -ip 4852
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kagichjo.exe

Filesize
94KB

MD5
588fb9320c3230a37115975f853ce9ae

SHA1
189c8a18f5d4a2169071ce7fd33494c41279c199

SHA256
cfe304c6928645e048564c7368f4877db6fac9a470dade38e00ec2eae665be8d

SHA512
1549405bdcd5640f0d667f8aa2c0be2918eeb79f145222f852da5a4b040f60b306d82a7cbdb611a4a72a3dcb5a24e4ac24fed3f85c9c643df358a9338de7a431

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
94KB

MD5
160bc844db1ea388d66304c4fece1084

SHA1
be148cf4c838fea385db950d1cff7f661ddce55e

SHA256
94be586c2b1ac58c68d4d5c515f3654c1f76af9638e88a2cdb287ed39b1b4d6f

SHA512
f3269ab7b7662a499f9510c88fc3597e27588148090e4a9a733305cd432d7853aafc20de7176a135e4403181dfbaad1ff39e12fb2ef4a38d097188c4979ade2d

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
94KB

MD5
4cb0f5a18156db7140fd482a6c9e6527

SHA1
26f772e0a6e9278e521e1de289c55ad3c44e6ea0

SHA256
4fca9658be61736e09c1bb322c70659af61b74f9e3e43123c106d9738e67293b

SHA512
5c870fba980257fb2af60c03ac4f1987d8380ad5029868ae9f2bcf75ec95be7c5dcb90c56deacfb5e81a563a03de4620c5f1acba5af3bebeb1132c9f7bf0f449

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
94KB

MD5
44c1bf551527b44c36fcbff7d612e960

SHA1
215bb86e1d8c244f0d95f1d8c711bbc90edc9913

SHA256
9c3fa2c3caf10fdf9ea1558ba25e5f5a093cfaeadacaf406001e8ef32fd07aaa

SHA512
a750ec2d0f334d3f72cee1cef30e9f30719841349c5757f0548e0a4589c8c56c676f9964b74765bd4f297e3ba7841985e388a2de62880ffd651d9ffb14726d12

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
94KB

MD5
a9aecf6fa76c66478cc181cbae66eaaf

SHA1
61caff55cf0fc5e7f6a78a0520b0b0972ecf8b32

SHA256
940d9a847b054df324b1f3805b4528485e153e5d44064a65714d205c1bcaf88e

SHA512
e6e8d888acde4917118653cdb54cbf5139459911b62a23faba5d4405c5bcb4a3c35f07c77d2c718984e94afbce6ce21f1505b5ccfb18f96e3f2e242a0727c230

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
94KB

MD5
e76f1b07bfe65bc60234053aef80ba9d

SHA1
5e8cff29597977e36b97dccd75386ae1df038702

SHA256
205678683baca8de5ba4c9b01255baccc8ccded48079af0f177467f195636f2f

SHA512
0837eefdf119421335d3d29b3a0a6d20a7cf64767b1cde4271dd2c5dadb9e10779cb59b3bda81c215e084983f8ba9a1e8d3c3da5d79910e739819185b5a16f8b

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
94KB

MD5
e2d8e582c1bc2d5c4b348c9f2548700e

SHA1
b9aa41b7352f617571eb482a46b256cf6d448035

SHA256
a39e1c3281e4a7cf8b37dd122be7bddcb0a075db509c4512ce150dced9695f04

SHA512
5759cb44d2069dd609f9ff14d487b907b679b8024101bb4fb34dfccc758f5989c1dd12b67e2bdc6a95fd91129ee84c0e67c4af298957f7b634d5094d89aa8957

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
94KB

MD5
6d22215ecd458b909957246787c49818

SHA1
057ecc1b5c416b10341baae3f2afd087d226c849

SHA256
eba4ffd763b7ba0f47b27da7daccf2b7dea36ba2ae4a58f7c6f39a0853753c9d

SHA512
91f47501c7379d3e2eaed56ac856212a814817a67291e2f6399a22ba9503e48e4a02d6f18231c0617d3108ab87653707cc23a871f1c322c328187c3169cded51

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
94KB

MD5
fe81867821c808632bd3fae10f511742

SHA1
96d49f498ead698d0fe2b2a42047b640f687f9c5

SHA256
d348d01ce925d85b44d9bf418e01ddb6c79617d63dc15379f12587dc6162e4ce

SHA512
d7514e032e5baed94842c989f99fd1b9e8098f8d8ad0bee0dce132947805bd24e3fa42e025d3b9bc8da8ec8d36b64b9a342603ada5d84b98c09d535e67b01224

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
94KB

MD5
f4510010a4a05fb63bcda4a3f596c619

SHA1
c4ca3566b23d8aeba4c6c71ccc5a3e545109023e

SHA256
bb95f0b1612f2056bc8b047a2a8baa804802a0d13f5adf5941d146084174bfaf

SHA512
b9a221b70c120d3226e4ffda6823c987acbac524944f0daeae385c524201c8d76099df09c8f090b2dcc85b723779bff2af089bbb0ebed405bdbdbc017550cbaa

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
94KB

MD5
02a735ad4cf548321fa8afcb585481b3

SHA1
871c374b22aaf23fe08eea743edd42534a6947d7

SHA256
72b093698f68a6a1dc9038482609096b44c67f681014b2a4d49a9e1f5f986e04

SHA512
5a6630909a365a19fbc1c9b82fc43e947f1bdc99016cf38cee677e09cf73622f325b0305361b983ed34b62a751b96b82f0309f08daaf32dc4df58fc248080736

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
94KB

MD5
7dc81a173cbe86a93ecdf10c2acdff9b

SHA1
6e20322d00b5980eaa12b89b9b38484856ab48f4

SHA256
0fa83417d6e116a5ab160caf066cacf378ee4d4bf59898c64c7fde026ca859a0

SHA512
1dca76a00574178e7e7c9aa49d0d33ba58feef06584eb029a1fdc56dcb62c046f2fbffc8affbdeb207bd07211f868e6699c7baa866f0c4688b64026b479caf0e

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
94KB

MD5
fe6b3b434cea87b7ffe2bd147af65083

SHA1
d6d8f41ae250138a83ad8badb911492548e21e18

SHA256
b1ec68a4eccfa59fd8c0436c229076d6ba7e7113d3d53fa3ca882a5d46940cd8

SHA512
e21f99b4fe6688373b041542a55a2444ea3f3621ee8f51671417bc8cef7991d7acf80c6a2580d2f294d396973146cf67d125f3a0bed3317690c875661b45ee46

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
94KB

MD5
b3089058be97b53405c328df665ad2cd

SHA1
47da90299da673d11a55c042512634820a1a1c34

SHA256
d0cf70defd079759a0523ca8227fe8e8f4e1ef3ca32fbea8739334ffd2060cf9

SHA512
8a82a31c2a85b65a631219e3bc8ac06b542cf99c61c6e5de7e5093402727feaee7891dfc7cf08bf2ecd545911d665e38229bfaf6a2afa8e6a07c11e31f4f8d10

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
94KB

MD5
d55377271ae0b03e92d764a26e203e53

SHA1
30cdf0c0e67b3f533fe0d67470e431533fcbf15a

SHA256
de5a87e747aa0c0845cbae24ea44e3837a0d630e496e792de0c99e9971eec36e

SHA512
9ef753373906346cee34a27fc281d263a7d1e356cfcfa09ed3ba02d97a7d206eaa6c8a503449ced31fbfb14140421c6063cb62ffef0838a680eae925860317b9

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
94KB

MD5
a8794e2431276abe5f438bd5bcfd8c3e

SHA1
4644198dacba3e9019a05f17a71703855a563dec

SHA256
b57ceb4c6cdecce69d761307e387f797830f2015cac3bb75f41bcb094eb5c00f

SHA512
e2412a397bbcbcd2fe8228ffc0612a27312410b59d24c929c66f3888fa5d68e86ccb7fd83d587e745053d3d101568aec5c02172a441a348b405d2d7ac32b3850

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
94KB

MD5
282cf453e59a2fb9b02be54c003fb032

SHA1
10fe4ef53bfb11a57c0f9c6ed24d91d90ed412bc

SHA256
626d670d0613d6e4c1158dfd75ad3746a18ad7bd49eeec995425ec9280ddd171

SHA512
911afa0f2097475bc153ee756c7a2951ff1ed4946e6ad56ff4e782ed0bcf16bfb5298deb18426b9f0f148cb1e5078da934bb647f3a309fc54a9f105b9e6cc460

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
94KB

MD5
651c56c4941c61253f149c82b7f020cd

SHA1
4e6409f173c35e2809eee8c733bb37e972198c4b

SHA256
5576104aff923921ab3fde0a408c3db3d51e3e2a5596dc98d5e37041d2e960d7

SHA512
580f8fa3ca8bafc8b3080daed1af734aec847eca7ff5e36247f85aa133d08b4b50043a7a0772cc0f80c93a7f5cf8f11e216534cb222f415ccfedf6b726f93e10

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
94KB

MD5
7b1ec2710b947d029d6ad22e304e253a

SHA1
a585f1a2d28fcfe35e206a688b8d3cb10cd4c08a

SHA256
3f939b7fbe6d699af5eb9351baf5f3b87ee94349a6ba18042d78a73355691319

SHA512
ae34d970c91d5e894a640e38e7f51f105b9f1c5044d12dc44eb14f444f3cad1a48f653303038645196423f75d33d96db5b77d93dc3f25726bb362334c1903c95

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
94KB

MD5
001f387a4eb95b298cabb276f10d1d92

SHA1
3e613ffcc891348f154b88e8762e317b1aaac885

SHA256
7eeac5159f70f1640eae08424536d73a88519a311718fad7c243e969d5cdce7a

SHA512
3b179e5999e467c9ac75b661aecacd24a81897fe8b36b87ffe53ba955f4b9b109ac7e36b064f9bc578f4079526c82e2547218ae27f44f808ddafe138dd6bb155

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
94KB

MD5
3191a604f4c9f5cd8b0052eb36e1a6df

SHA1
a8603f6fcb29645a3b4514803df8c17c02c9439c

SHA256
2a2cbce7306d4537a99b78aa3910cd98937d73696881d9ef33cd84ed131bfb45

SHA512
89e4bebdf1a16a18dfad3745b803e28925f261fa605c0320b3330685199b18b0fbf958fef793c81d416b56b6b80d8efa3a1e922a941e137220a16ccb8529fa93

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
94KB

MD5
ce24d9da90c0f6838e6177ca127bd98a

SHA1
a976e52e5e72d426efb80f7c90de7f9af1bf19b5

SHA256
c22604fce7604e0530764fbcffa979b7b9d510466e620a0f61257d3e057c16bc

SHA512
476bd4bdacab90de7c1ef4ee68c15e813a078ee64baf095ab4ef7ae4d021093d082b72195eace73ebdf382c6acda6c2b985cb0f2824513ed493703943593565a

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
94KB

MD5
198954c5bc687370dcecb7a098675a46

SHA1
dd47144f859af5c4c7613ac65a2b1509f3a155fa

SHA256
c08f759a5da4cdcd17fc3ecfadf9a50783262e9503cb3d812351e9cff393bc47

SHA512
53e93e7eee881459f2efcfe4d10c1451e2e7db9ff803202b516c0a6489445d0cec321f1aa85525b87031cfb379fc4e8dffa0d274c81f5ce5459d661d29fae797

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
94KB

MD5
93a9cf8976594356cabbf24f73e75d75

SHA1
6c431afa75d8d983dcc88c665a5f127f59c88dff

SHA256
f51e99be0f84b448a7e796b553ecd91a061d6591a23d70efbd2e808966db334e

SHA512
bec28b03226d5617bc132db3f759596e2793fed44b84d6e44b5cff99a1721280458fd8a048129cd0892e64eff2173a7f72ef4580b414cc3788ce508846df2b4f

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
94KB

MD5
1a35051f984558380ff788cff36ce199

SHA1
0073ffb4777f2f36cfab081fd64af509dacc7074

SHA256
78110eea50c32f65ee3f224705dae4baf95ffb6c41c355fe7e17fe5dbfd32192

SHA512
e74af40d7887b90f8f93dd07431eca6fe00af4a0db834b52c2abaad5b13d479d08713b5ce334461309a50061734025e90bd096b601534859ffd8ed9a4e2fb56e

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
94KB

MD5
1002b529a7efd459fe28a5e6e381a3a8

SHA1
16d17b6d9e02d19958899c6b76d7bbe3c3adfbd9

SHA256
e37d96b0ceae811dbb22e99d57ac703c7b72201f1a9996a6be031ac4bbacc6c3

SHA512
e100266e8befa7c77d9533ddf5b8793cad75f43428ec81836e5f0b59ed4a2aba1129cbed4544fdcda0e2ea44b8d506bdde8115a15209df3d0f46ce009fbe92ef

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
94KB

MD5
2acf796e9f2edb3af937cd438103a8d1

SHA1
0b87a7e55405bb68a1aaf09115edcff0eb113c50

SHA256
fcd1f1c908343bcc8a7ad7629853183d6430b57b6bba9465692f6328dc84d8cc

SHA512
c079c21ade657bceecd89d1d07a190609cae528b597de5527978014c688dc7e53517792df342343aa5002a33876e669839ca9a362d086970566f19f60063a5d7

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
94KB

MD5
f5bb5292b502edd1372aaaea6e72f83b

SHA1
886f892050dbb575c9d682e3205a9be532bcbd6e

SHA256
f1492ddb29562eed9511ede4e39653d72ba63bed251f1642c1fb7762e584408f

SHA512
9bc393288af895e046bfdef8e79619cddf8d799954294fc56a50246b2d08a18937832f9c3a1ac529d0cdf886afbf656c43779b99f546ef3916cae0cc4939df7b

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
94KB

MD5
028d2bbe8d6f2dfefa67c31f305e579c

SHA1
3a785cc90e54a3807e7e9c44393fd4f96a3aaf79

SHA256
3c8e9c1f469acea5210e71a1dba79780c13658ceba896ed7497db85b9e58fd56

SHA512
32b252bfd69feae0358d6ebb24188b4202d8ba0f0c17c599df582aad84bdbd61b5c9441b5f6c918d30abcc2603eb76a5b27bd4c8db17466efe2991a3a43b581d

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
94KB

MD5
d3d7331816fd2ab328ef95de3aae59d8

SHA1
682723b352a95bd258b492eecd779c76996e5352

SHA256
c4244c2fad9c989b2dfed859f203c8aacc0de08a40a31fef4254928fe89c7fa1

SHA512
73cbf46a8ca3706f8e86e6f65f1ac252462db4643b1856061a73b4b309df25b31644ab63c604d8b7a570f21ec1d2a2ae7d8ca8881bfa902872518a065b0094e4

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
94KB

MD5
777cdcbad3219604abeebf3d39c5d57c

SHA1
ba2340acb42f4845bb770992a23bd187a0054c4d

SHA256
87d421fda52b8e3dc775e6d126f4ae1be9869223cda0c1e40c9285d445f33f5e

SHA512
bc2c006079d1afe78a15a524bea7ceeaef20184d87eee0fe7eb9edc8ca05b61083db6178b7453a155f179517ae3d4892ffc5bf221079cfe117f96c701f762fb4

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
94KB

MD5
900d29b4991cbb2d8c6cb18725795ca1

SHA1
2fdf86776d6f3676de3a83b5a335f1392944b7fa

SHA256
e20407624f4e1a0b7a92d6822c8a9be6adb5df86577eae2c647d00232589478d

SHA512
4a247d55dd33fa98fc299788ea111253de191a981cdd562ac72df2e5b0ceebb677da541a3a0c135c2c480e84ad50a14132f2cd8eadb7cd687cc03c34fb756978

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
94KB

MD5
78674890943b393e7208c55808e4f5a1

SHA1
8564d53ee2d8497c4d03cb1593f69c764f828310

SHA256
53f3964dcf8ec9ae5ee3698da4856988c7fa8a3f997eb5fd239ab6114894cd43

SHA512
ae44c28856b3036ba2833a96b7f2f3fb657eaeb439518621d93f84b13d2d7b27f15b2c790921d921a5f45a4cf36b9aac1faa52602a2093d02a3be66792199e47

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
94KB

MD5
8dd3f3af73d49b500a7b700f1a46365d

SHA1
3d811ec4d3f34f433eb523a9e6aeb51fea913fb3

SHA256
8377e1ce308071d88d38ea95393651887b061440e6b6b19a1c53143cc9498f0a

SHA512
0240e053f57bbc3676b502382642ccdaa3c78b90a83ccbebd39d7b68a836a84e668cd61b67982513ad9a29d27a3eec5d2e46ca8af1f82215204e0afa7ee20d93

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
94KB

MD5
671f2289215e6e173622def872eaae41

SHA1
dc46a365edc7affaa1c89a7b3d6d1b21e3be1232

SHA256
2d1eec9cc3c9ea4a91c003ccebb7d4da60cdb72ee374c40023e6809d29d55449

SHA512
f0a5c79c20b4873e3a94f379524b03de6812dc27eb81e5091bb2af9aae9f26d7bcf21570eb1b927f98ff0ade3a822484f74eff4e324ec2bd256a7c3987de5199

Download Submit
memory/208-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/208-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3096-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3096-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3380-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3900-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3900-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads