92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe
Size

55KB
MD5

f8039e3649e1c0cc97bf3574418799d0
SHA1

4be0b9432a1656eefdfa05818e41369cfa847cae
SHA256

92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7
SHA512

65584dbd2f2e7ba5f8bbc476f1914a49f8a9f8d7dfbd1deba00a44361c2226fadd250b54eb9f7ff457dba1b23f536b34cf016ae7855107f26d9c2fd7fcbe3b4c
SSDEEP

1536:/GPdrhB7MuUYjl4JH4SO+Olu/9KvWM/2Li:ErjVj/dQ/oPEi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe

Executes dropped EXE 59 IoCs

pid	Process
1932	Jbmfoa32.exe
3996	Jigollag.exe
408	Jmbklj32.exe
1616	Jbocea32.exe
3960	Jkfkfohj.exe
4728	Kpccnefa.exe
3032	Kgmlkp32.exe
2016	Kilhgk32.exe
2700	Kpepcedo.exe
4224	Kgphpo32.exe
660	Kmjqmi32.exe
4824	Kphmie32.exe
3828	Kgbefoji.exe
1944	Kagichjo.exe
1156	Kpjjod32.exe
4556	Kgdbkohf.exe
552	Kmnjhioc.exe
1100	Kpmfddnf.exe
3484	Kgfoan32.exe
2984	Lmqgnhmp.exe
4476	Lpocjdld.exe
2832	Lcmofolg.exe
4852	Lkdggmlj.exe
2992	Lmccchkn.exe
5060	Ldmlpbbj.exe
3904	Lgkhlnbn.exe
4360	Lkgdml32.exe
3564	Lnepih32.exe
2912	Lpcmec32.exe
2828	Lcbiao32.exe
4364	Lilanioo.exe
3292	Laciofpa.exe
4204	Lcdegnep.exe
4560	Lklnhlfb.exe
4576	Ljnnch32.exe
2608	Lphfpbdi.exe
4512	Lgbnmm32.exe
4412	Mahbje32.exe
1920	Mciobn32.exe
3772	Mjcgohig.exe
4612	Mdiklqhm.exe
1484	Mjeddggd.exe
1140	Mamleegg.exe
760	Mdkhapfj.exe
2848	Mjhqjg32.exe
4348	Mdmegp32.exe
2624	Mjjmog32.exe
2000	Mdpalp32.exe
4072	Njljefql.exe
1340	Nnhfee32.exe
5072	Nceonl32.exe
3612	Njogjfoj.exe
2568	Ncgkcl32.exe
3324	Nkncdifl.exe
3068	Nnmopdep.exe
3428	Nqklmpdd.exe
3388	Ncihikcg.exe
4524	Nggqoj32.exe
3520	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncihikcg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3508	3520	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 1932	3972	92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe	81
PID 3972 wrote to memory of 1932	3972	92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe	81
PID 3972 wrote to memory of 1932	3972	92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe	81
PID 1932 wrote to memory of 3996	1932	Jbmfoa32.exe	82
PID 1932 wrote to memory of 3996	1932	Jbmfoa32.exe	82
PID 1932 wrote to memory of 3996	1932	Jbmfoa32.exe	82
PID 3996 wrote to memory of 408	3996	Jigollag.exe	83
PID 3996 wrote to memory of 408	3996	Jigollag.exe	83
PID 3996 wrote to memory of 408	3996	Jigollag.exe	83
PID 408 wrote to memory of 1616	408	Jmbklj32.exe	84
PID 408 wrote to memory of 1616	408	Jmbklj32.exe	84
PID 408 wrote to memory of 1616	408	Jmbklj32.exe	84
PID 1616 wrote to memory of 3960	1616	Jbocea32.exe	85
PID 1616 wrote to memory of 3960	1616	Jbocea32.exe	85
PID 1616 wrote to memory of 3960	1616	Jbocea32.exe	85
PID 3960 wrote to memory of 4728	3960	Jkfkfohj.exe	86
PID 3960 wrote to memory of 4728	3960	Jkfkfohj.exe	86
PID 3960 wrote to memory of 4728	3960	Jkfkfohj.exe	86
PID 4728 wrote to memory of 3032	4728	Kpccnefa.exe	87
PID 4728 wrote to memory of 3032	4728	Kpccnefa.exe	87
PID 4728 wrote to memory of 3032	4728	Kpccnefa.exe	87
PID 3032 wrote to memory of 2016	3032	Kgmlkp32.exe	88
PID 3032 wrote to memory of 2016	3032	Kgmlkp32.exe	88
PID 3032 wrote to memory of 2016	3032	Kgmlkp32.exe	88
PID 2016 wrote to memory of 2700	2016	Kilhgk32.exe	89
PID 2016 wrote to memory of 2700	2016	Kilhgk32.exe	89
PID 2016 wrote to memory of 2700	2016	Kilhgk32.exe	89
PID 2700 wrote to memory of 4224	2700	Kpepcedo.exe	90
PID 2700 wrote to memory of 4224	2700	Kpepcedo.exe	90
PID 2700 wrote to memory of 4224	2700	Kpepcedo.exe	90
PID 4224 wrote to memory of 660	4224	Kgphpo32.exe	91
PID 4224 wrote to memory of 660	4224	Kgphpo32.exe	91
PID 4224 wrote to memory of 660	4224	Kgphpo32.exe	91
PID 660 wrote to memory of 4824	660	Kmjqmi32.exe	92
PID 660 wrote to memory of 4824	660	Kmjqmi32.exe	92
PID 660 wrote to memory of 4824	660	Kmjqmi32.exe	92
PID 4824 wrote to memory of 3828	4824	Kphmie32.exe	93
PID 4824 wrote to memory of 3828	4824	Kphmie32.exe	93
PID 4824 wrote to memory of 3828	4824	Kphmie32.exe	93
PID 3828 wrote to memory of 1944	3828	Kgbefoji.exe	94
PID 3828 wrote to memory of 1944	3828	Kgbefoji.exe	94
PID 3828 wrote to memory of 1944	3828	Kgbefoji.exe	94
PID 1944 wrote to memory of 1156	1944	Kagichjo.exe	95
PID 1944 wrote to memory of 1156	1944	Kagichjo.exe	95
PID 1944 wrote to memory of 1156	1944	Kagichjo.exe	95
PID 1156 wrote to memory of 4556	1156	Kpjjod32.exe	96
PID 1156 wrote to memory of 4556	1156	Kpjjod32.exe	96
PID 1156 wrote to memory of 4556	1156	Kpjjod32.exe	96
PID 4556 wrote to memory of 552	4556	Kgdbkohf.exe	97
PID 4556 wrote to memory of 552	4556	Kgdbkohf.exe	97
PID 4556 wrote to memory of 552	4556	Kgdbkohf.exe	97
PID 552 wrote to memory of 1100	552	Kmnjhioc.exe	98
PID 552 wrote to memory of 1100	552	Kmnjhioc.exe	98
PID 552 wrote to memory of 1100	552	Kmnjhioc.exe	98
PID 1100 wrote to memory of 3484	1100	Kpmfddnf.exe	99
PID 1100 wrote to memory of 3484	1100	Kpmfddnf.exe	99
PID 1100 wrote to memory of 3484	1100	Kpmfddnf.exe	99
PID 3484 wrote to memory of 2984	3484	Kgfoan32.exe	100
PID 3484 wrote to memory of 2984	3484	Kgfoan32.exe	100
PID 3484 wrote to memory of 2984	3484	Kgfoan32.exe	100
PID 2984 wrote to memory of 4476	2984	Lmqgnhmp.exe	101
PID 2984 wrote to memory of 4476	2984	Lmqgnhmp.exe	101
PID 2984 wrote to memory of 4476	2984	Lmqgnhmp.exe	101
PID 4476 wrote to memory of 2832	4476	Lpocjdld.exe	102

C:\Users\Admin\AppData\Local\Temp\92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\92ec3cd136764c80654477afa4231ec327552a5aa53c980ce86c1639074248a7_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SysWOW64\Jbmfoa32.exe
  C:\Windows\system32\Jbmfoa32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\Jigollag.exe
    C:\Windows\system32\Jigollag.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\SysWOW64\Jmbklj32.exe
      C:\Windows\system32\Jmbklj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        60⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 220
        61⤵
        Program crash
        
        PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3520 -ip 3520
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
55KB

MD5
5a04f05ef12094702baabf9c4de253c3

SHA1
f85927eca1fb5f64f00693aab38986e6d0825382

SHA256
cc2b5a7974d75aab9fef35dd855f990578ef44b29db8889b761164b4ec073e1b

SHA512
a4f864de251698e529687fa245ee67e1bbdb1d9d9642ee4485201c576ef6725008f9691cd4f1bc63314fc69feb532154e61fd4461a42b80564dbb6edbcf124e0

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
55KB

MD5
fa40cb8de330cc63f0b48bb240b3d00a

SHA1
4cd9a7fb2af05b8025ef107d50266ade039bc721

SHA256
4e8ff40a9fa671236ba2091d3410b8244f2248d017cca236015a63bc69204ae9

SHA512
5a8eef5efd6d105b44918cf396b3119e0d98e14cdb35bffc757767b5c68ca55f54dfbaef37f41ec7a98bb6961d7141945d7f84cb85ab91dbb627345f24f2e150

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
55KB

MD5
6b76a6b6775fac4b147347cd4bb786b4

SHA1
a1824d20f8136067451f8ac4ed716c00792b1637

SHA256
c25e337fe12166d7cf857f3862af92bfb90f0253e8b3c745586ef68fac05689c

SHA512
ba9dfc976887983dc580591f3ef6777f2381c29bce0a72179e69b8a41006c832ebb61e59ff4a523dc1bb6ca2458c490bcbffce13c77bac383d2caa9ec99e8d1c

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
55KB

MD5
98404154575f43e53dc7e9843c5aea57

SHA1
74638f2b30214b0c9698ed11f3070f42b787e92e

SHA256
eb1f9607ee4bf36e764b772fbd9d12e5327c2c0da5d8ca9c34e5f599fc7d6727

SHA512
d8621744c3dae241cd519c4f91b91012737bc05b96a48be5fc992afd1c6cb25cacad4b97c7610edfd6e6d02f04057204ceb8a1f66197a1f5c2bb489958bfb2e6

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
55KB

MD5
3985bd6fb84a74c02588715046699226

SHA1
612809ab68c29474178f1dd6639dacc98908e85d

SHA256
79c61a231667128ece9a7f9ca0f231a5dbce3f97e388cef2697c9ce668af0c6f

SHA512
7fc4c7d6b623fa75f6abe89d7ac58e9731973e7dfc955567837418eb9d82a51df0b62f3711fa0e830b6a9d1055e825a8169afbe584e32ca8ed79ca6db6268c52

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
55KB

MD5
a13ce0bc959c4823e753d21962f0ce15

SHA1
c6272edbabae1eaf28ea60ff775300a25680c3b6

SHA256
283720ff716023e74c9aae98b553c3f1022fc711081ca4f0452bf111568ea091

SHA512
7caa6012ea467ad8803f8042bbfa6e4e30a0720e1fc90baf73a40fb47c7a909286d92c073af070c9261712a4a75529167d60f0a240f6807f9d03cb35032952a8

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
55KB

MD5
77b26d1e187c5015d69c9f28dd6f7964

SHA1
e6996f8429aa2907d42eed998721593a148eb663

SHA256
248c7af1183cc99de0c71401b4ecb882032d9bd6366c1afca35f0097c286f206

SHA512
cac7537eab17b6778aa4b34f84a0ca0f34dbc6e304a0cd0355d1a36da104b9462a18874c00b0e2a385f14bb3e5caee09edf87a918c4a0d3cf6b329a7ad4a0385

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
55KB

MD5
ac87ec2c2fdd21aa2d3129b85cc83e7c

SHA1
a1e893215af7a15530fb7718a4f8841409df0aa0

SHA256
b1ca6bb225a6c4864814d6320c436baa1228f2ab35c8c16b77dd17402554c05b

SHA512
d59763f3361317c00d0ba6b0ad31431839b8e270fd080ca3885574664ab4a1ae628575dcd977eed550bd9c600dfa94407b543a2696b5d24954a9ccfb4b7f3bd5

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
55KB

MD5
b7dfd5c8e62c01da735c08e67ab0ceb0

SHA1
15b5cf07ea41967ec7e37a11d193eb30ec136e6a

SHA256
4f21bbf90d92287ebbd71b3edba6b3d78bf3ea5d9baa7928f889c6d320c4e605

SHA512
3153038d0d40f019d18e3e1892e459dc8d9d44979c466da05b811d18cfe683d15bc0b4b35f69b616ee00a06ce8c940c8ed8c7efb9c1b16bd71edfe77f03e8e5e

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
55KB

MD5
bd6cd063f8c769d3a31783e291f645eb

SHA1
e4349a997ae660bedf9ebb62d12f4f2b069f26fb

SHA256
8865d01d09a9640607f11a8e22327e680a7686de570d73edb030852385f78e63

SHA512
ed15eac3cef121564b886ffe791f65f216fd0541b19864586aeece195dcb8701a9e9502929856e6e4a16513795d7cfc02d486037d617d99ec489d559eafaf91f

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
55KB

MD5
d5334b451b73d11f953ea6d679f82eb7

SHA1
190f5cf7c60eb09fa2a1671ee822d12d0e3ce9a1

SHA256
e9310665b27d5540e02dfe2e4652f88ba4db859702961c355ff477a57c93660f

SHA512
64148395add07a4fd5441dd4eb171a7df86bed37d8ea5af893bef635e2cf69f8c0409f72a329657dbc8c9adedcbd4efb70a75bac3201b10c880737bc8654933f

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
55KB

MD5
edad167bec978280e15eb834e5917a8d

SHA1
36f95a75ae028749742b4edfaa204cd657f36af5

SHA256
6c2002f7df4557e2ef1b6f362fb434872a1deb0442d30d3663b59f615196e4a3

SHA512
9357681cce47aa402bf6c04b136027053656b057e3d3023a46191f60e3df3f0686104c4037c57681bd3c14cfea72028327eeddfc6d45fd8b623da2b75c6af12d

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
55KB

MD5
701864f5b6dc15f166fc1b27c54deea5

SHA1
8ceb39ac40df973587b76b1c182d6e3f10610225

SHA256
297abb624ffa7d43ab660c0cb428bb9075bc6c3975167b7a350b2c6e3cf80375

SHA512
795c293951a73b836cb246181d9c5ab5c0cec2812e56cc03762128ad0f82ff4c1dde308aec5ca644e83ba0cc5e0fbf1e94bfb1a24c335295e434783ff0d61b52

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
55KB

MD5
e08fdb3d1a089875397249010f42b235

SHA1
1ef89b27f0580f85844118db09bec3f890a31c28

SHA256
d24e2b97e58f7195a9192b7e151d52508d6dcba3ffceebdc99123c0d1097e20f

SHA512
d203b0ccdb15005a96588facdbae88c337418c5ffbeecdaee2c21c90429e4739f4404fa5580387525931b4f0d44f8f64d3cd89a63a2ff7eb3c82445bbf257961

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
55KB

MD5
47c36db3ad60b9c2627effa6548fcb1e

SHA1
99678dab4926674ef6378919d1fd533c9db2c4be

SHA256
f493dc6c310518d7f3043b7ceb6d7f6e348a91434f2f34c53b9d6d3107cec5f7

SHA512
178db65381b79d7bd0dd63874af48ca16ce404a5442ebb90a3d9ace05886eec615398522b4cb9e88b0c0aebaf431bef8a53143cc3f019a5d3913e5d8358d3d60

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
55KB

MD5
21fc996c5076dfded7e7effb7908e837

SHA1
1491d0be6653791f07b524612e5c67665dce7670

SHA256
3c8744a0a114d80d3ce2676a3cf87b6c6f2a97de6da5d4edda67f483a0284db2

SHA512
3a1a333497f23a24edb57dd544b9d6a003233876964ead59d93ac5d9d8f2a9d1eeddcc91caef55df907c2ba039e308d5414ee9126c4261cc11f6bf3b69f79056

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
55KB

MD5
b7b624ee56e58668a87eb7778d1fc4fa

SHA1
604562cccc4d4212de4e3585e70a7852d6bb671c

SHA256
ca7fa3c57fb5836fb6e15b0f8fd30888036427ee1d6c740985859f97bc184c08

SHA512
d14ea67864219c3b3c5f641d81e5bd22faee997db292e7304d596110ccc8a5f3465cf5ebd82193f1700ff3ed219ce6346095a8fd2ebe423e0325325b1584c694

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
55KB

MD5
b18f1ca860c8abb145651a7f8ce938a9

SHA1
5485d5dab8955ef8360d5034f2f267518a71ef3e

SHA256
032bc8de82e8e169f8d0ba75a618eade733847bb2f9b04f933270a2a44a64af0

SHA512
0c98554aa8b2e689fb5b3f0c8268a7fa0190a31f4f1dce85506cbd3292cee197ed0ca563b765fac41606d83ac12f680888858013e98994297396cbd2d1e6fb00

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
55KB

MD5
3433369be34c226c116bef340561f5ff

SHA1
426a92ce5edd245716ee101e69ef14bbd4f62e64

SHA256
857cc674bc7caf07eac550fc11b3fb72984df1e5b74c98a5fa582cd9898746b5

SHA512
eed20301b271ca6900315b4a7fa3751548cb01693b7a42af56f9c7d34c4c015240114d0c4d93303da3bb30a063d2db0df627e22cc27d21308b012ac4113b210b

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
55KB

MD5
c659a6ce8b0d0887d6b36dc7d4d0e755

SHA1
27ce5ef7fb93e6118c9ba17c4d5049c91757452f

SHA256
d3f3a758df85baa40d65dd57de55f95ea3d7fc0f48e6acf0b05de89a60854c3d

SHA512
a0b3d2f04589e6d1b3a2fbd84e40177bcf66617d956269ecc29a953f17eeba9838ad98626156ec6d9619b8ee5120cb5876d46501bd0ed5f7849286dadc64d7ea

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
55KB

MD5
b6b8e8b9115311217d9ac7e1eebd3785

SHA1
c702d9099ba2d49c0b64cf1090e67671d8ecf128

SHA256
84600dab27d75596f46714a8a936f9a270703d5bfb0a7acdb03308ff5f89f8dd

SHA512
bada9ac6786c5a9c16c380a0c030cb5bdc04dee65fc2f2473d62cee15ef7efea0f3e4934ea47ba42e889b5218ec5e958eefc1f64042a9fd66a52ab2c75ecd246

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
55KB

MD5
3fa6fa893bd434b26145eb14b7da048b

SHA1
1c3d9bf0559c54a7b38b80df6fedfd6eb5091dd6

SHA256
ec6413a0b045238e07c50bba87f66397c31d2ff50be9bc66a1b3d05024a5c477

SHA512
ae5ee9470f08db1aad088b3b46c8fa813af2c0afdd16c308f3f8f8dfbc08b12c276bc295ca2dd1b117bb49f6dd48f8c63e76561b08693321773c83541edf66cb

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
55KB

MD5
cf0971ccbb1e0e27dd08a9749fd45326

SHA1
9c06f5e60a62d9540b7ccdf9de8fb65735175ddb

SHA256
3c220021348bac9ca2c9b8b59a0c4da16d073d172ad231433b8f109895936646

SHA512
f22d5a8b2bee8fc8c9fa4a780697a714698672c40fd08c9566fcae0e2c990751c4d92bab08605496d80858005d6fbd05c57d8ad96ad9e22e534d662c3ece54e1

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
55KB

MD5
3e3051f90ee710ea44ef90d25b8c3d65

SHA1
af8182648f563c37610e5b8b37ae28b36759bb81

SHA256
08326aee4cffb20d7fddd0c1ee11668f2ab97a9d91d70d9498a9e86461348a73

SHA512
6b96f86cdf17d0bb12f0b410730b8a3b361747fb498d3e0fe682b2409621d6c516992709dcf100035473088e81c5ff052028840d4b8a29357cb356ae7db2e3de

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
55KB

MD5
b5b00c08771bf33f896f538147e2f2e0

SHA1
06fd483da9c82db761dc0e49b3ce0bdecf37cdc8

SHA256
1bc6c09af228ebb98b31b43eb34cd09cb35cb975eb8a6df9b124e7abb0b0dc3d

SHA512
407a04b6a2e9382a2959e0f443bb7f34d7d9f3cfe5b116af95083381a6ccd078150a03ff4263e12d60386aea8521ce8ba57cd1a3a2c672bb19b41e474baf476e

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
55KB

MD5
ba484184603b1fba9fe8c90ce1bac3ab

SHA1
5653406931244df636d30ee6bd52196b45585e52

SHA256
9ddc97dba972563b380078c9d0dffad38beecb73b1527de65d9d367bf5d973b6

SHA512
6bfc733c0d5d54c2bf31b65c6a0af978757150a665f8e9234fa1fd0139bbcfd547d8e20080ab18463a179d6d60e3cc97d433d1815b9c0bdc3a3842d36f1e4b52

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
55KB

MD5
1e8b197c2d976e41bc59c548610c6af3

SHA1
b753e293e270db3aefa2719319534a4abf1c44a3

SHA256
d2b1c305adcc8578e20bab32da5b6b5c939cff190fe6de9c099094b300d21d17

SHA512
bcb9a82364df8d1bcc58ea1fce0e9b91a8593d0511fef78da4bfecacc1f559eb9efda544a15ab029d94d45d5d0a7fa20d014455b0396d39737cbb8a3adadb59b

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
55KB

MD5
10f313dccfadfdad18f2a9ae82d3465d

SHA1
f0881bc0e1003081f7a4ca20dd431019fcbc0cc7

SHA256
b342c7297d9c45a720843e144166882e23b6f69312acf8c53f39c5c2f6947219

SHA512
e3dc842fcfd301c18f07456ded51fd39097ffde217ef98ec9218ea2d5ab051358d07f0c5dd6aac9ab93982824c8c64ab89768c7b9740eeccea502df3017706c9

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
55KB

MD5
851f4e9238f96df2b0bb43c61504cfc5

SHA1
5023852cda73889d665359e9f8a7280a4f2929da

SHA256
eb416b9a2abde318d4a1d15b0601e4e82c67e5ed99b2172714b173eef4de7fda

SHA512
5c43fa0229cf3f8429d1de6161ad1a8036ebb2f07770211ad82ae54e5498256a6b0e5ccf204e1e5f8c0af495735c3160b36426fc1311cfba2855174782eeb2f0

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
55KB

MD5
c645f7f11a8ea50bdeb28abf77891f53

SHA1
1bc0febe8766c085cd0b34d4e7e0f6f0a7312944

SHA256
85009ce2df05d9593b6938f95e4f41df27a2ceca0d2590a11bd28180166181e1

SHA512
5f00364c70ee93280c2731bdc644b220ac6b29b9669d11e8c3ee2d14bf0e91934c0e63e42a4e9edae87105aaa30c31c4dafd19064f0e484be10e6ad510eb790e

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
55KB

MD5
93a35edc1b84277f4306acba77b254dc

SHA1
952887ec8ddc27f988ead73d9113ab72f342ca07

SHA256
cba4ddcecd4bc69a9b236e6513a73906b45635dcdfc893afb43cdacb9001da76

SHA512
332ee73aa71f467d5184475f45f0e2ffdea1ed8bee5160f2c78f90aff77b56039cd84cf2074fe6e0b5ab0a328f37bc16c80d09cc16efb543f2f30c41686bd534

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
55KB

MD5
6d187cfc6475c2dae4670fe56952b2d4

SHA1
063b07c9f8e5bcd6ad4d3be2736f9b1129f189b0

SHA256
26cd56c98e38ab0b5598d3a35809f79a7e5b2bf85f3eb12c9c8f3b85d1d697d3

SHA512
f6ea4db27195397656fae627de6fa7e926fa6e36ec3647e9f099eecd02b58afb2b2f76652e8d46f2285fa03ab62b7f0ac42949b15dd8091f3faf6167dcaeb15e

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
55KB

MD5
b3b24aee32b1051f135b52dac8a6cd58

SHA1
1ce60c01b6fa9a29bced60b1b3ec19df3838f113

SHA256
8fb3a5583e27bef67c74ea31c214956a9ad2d53241f43c94329ff13b028306c3

SHA512
2c7533f977c2f1c81624d95458daae7de27207b7041146341165f87e3f56146a6d035994a6fd31e8a901b133e92594ec278245df3a3833cc84674264dcf32473

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
55KB

MD5
a89885100459a2abd0648665d710d2c5

SHA1
bdba2f665b280b358a3cf56b8f9ed3e094fd3d79

SHA256
f9998ca2ef8c876005ab72ac552e2167ed0a2a1ba92151a4676c83f731355140

SHA512
34a4984b632bd57232e9d730de7e7dc75bab779d25e40cf211288d3b9acec0ece701c6bf882a214d1f3161d162f25b3ea986a55f5c5d974e6e7ea01b1188eb76

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
55KB

MD5
43bc9ea827004963a35b55bd754985f6

SHA1
9e523cee649d6ba340913148276b02e736402002

SHA256
d877c482ea4b2af5ea22e977586c6882efc36008650d7ca61b6c9e66283f3e63

SHA512
8cc97aa34b8455d27651ce97f6c8f1410f61045fdc1db041cb02bdc260932434adb6475e774331b7c7c0840a165061dd46c19aac03cb8fb562f18857d8a7b4b4

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
55KB

MD5
cb20b92536f78e6235077b309daf074a

SHA1
7ed3f7f731f69041fc29f37430047d0d9dccb525

SHA256
9f012b59a2f74383ceeb855212bb1f8e7f1eacd112637648875e70e696965873

SHA512
7b66eeeb3951fadd871547bf0bf94c7160db8bb4fdd467b9e448925aea317240b2d6c11a6169432888920e8541c30fea0a9a266cfad4f79fc53a67727995d345

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
55KB

MD5
48fcd3029e80a63dff95e75016147c88

SHA1
4d9dff031e8281e4c8428807698cafa8ae7ff322

SHA256
abb96fc7cee6a6d09ec223d7ca971b1386264a857016957b930c1f9921e6303c

SHA512
e0a9d91104c3ac2bede0a961d17df0739d958da98afc60e80663234d7e3ca96e27cc60d34c482045ac869ccfd40004cb652c2d2f5bb81940bd6133c22040986f

Download Submit
memory/408-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3996-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads