64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce_NeikiAnalytics.exe
Size

63KB
MD5

719a9ae1214d7d05c607400f8ed87060
SHA1

6908fc6e55eb0818fc936d9b5e7343ae6d92e4f2
SHA256

64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce
SHA512

d256496509526e32bca24ad6c778571b7308494618a7a1059b2e94927f2d29e39787085265e9453fe1b27a19e2e980f5761cc8f5e168730e16aa35b25294ad35
SSDEEP

768:cTQhSAsu5TbDyvGlG0K8cT1c6C8ty8TjYfexlV/1H5oVEi3amrUTvn93b7NRDMFp:cXu5Lg02TjYk9+VREn9rjDHE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe

Executes dropped EXE 47 IoCs

pid	Process
4988	Kinemkko.exe
1892	Kaemnhla.exe
3740	Kdcijcke.exe
4564	Kbfiep32.exe
4256	Kipabjil.exe
1544	Kdffocib.exe
940	Kkpnlm32.exe
1612	Kmnjhioc.exe
3004	Kckbqpnj.exe
3576	Kkbkamnl.exe
1872	Lmqgnhmp.exe
4504	Ldkojb32.exe
1556	Lkdggmlj.exe
3056	Lmccchkn.exe
4536	Lpappc32.exe
4692	Lcpllo32.exe
4560	Lkgdml32.exe
4632	Laalifad.exe
5112	Lcbiao32.exe
1176	Lkiqbl32.exe
4748	Lpfijcfl.exe
4744	Lklnhlfb.exe
4708	Laefdf32.exe
4772	Mjqjih32.exe
752	Mkpgck32.exe
3140	Mcklgm32.exe
4932	Mpolqa32.exe
1272	Mcnhmm32.exe
4740	Mjhqjg32.exe
5016	Mpaifalo.exe
3656	Mcpebmkb.exe
3464	Mnfipekh.exe
4460	Maaepd32.exe
972	Mgnnhk32.exe
2104	Njljefql.exe
1860	Nacbfdao.exe
4220	Nceonl32.exe
4396	Njogjfoj.exe
1688	Nafokcol.exe
4804	Ncgkcl32.exe
4796	Njacpf32.exe
4436	Nbhkac32.exe
1644	Ngedij32.exe
4476	Njcpee32.exe
4472	Nqmhbpba.exe
3128	Nggqoj32.exe
868	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mcklgm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4204	868	WerFault.exe	127

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4988	2184	64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce_NeikiAnalytics.exe	81
PID 2184 wrote to memory of 4988	2184	64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce_NeikiAnalytics.exe	81
PID 2184 wrote to memory of 4988	2184	64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce_NeikiAnalytics.exe	81
PID 4988 wrote to memory of 1892	4988	Kinemkko.exe	82
PID 4988 wrote to memory of 1892	4988	Kinemkko.exe	82
PID 4988 wrote to memory of 1892	4988	Kinemkko.exe	82
PID 1892 wrote to memory of 3740	1892	Kaemnhla.exe	83
PID 1892 wrote to memory of 3740	1892	Kaemnhla.exe	83
PID 1892 wrote to memory of 3740	1892	Kaemnhla.exe	83
PID 3740 wrote to memory of 4564	3740	Kdcijcke.exe	84
PID 3740 wrote to memory of 4564	3740	Kdcijcke.exe	84
PID 3740 wrote to memory of 4564	3740	Kdcijcke.exe	84
PID 4564 wrote to memory of 4256	4564	Kbfiep32.exe	85
PID 4564 wrote to memory of 4256	4564	Kbfiep32.exe	85
PID 4564 wrote to memory of 4256	4564	Kbfiep32.exe	85
PID 4256 wrote to memory of 1544	4256	Kipabjil.exe	86
PID 4256 wrote to memory of 1544	4256	Kipabjil.exe	86
PID 4256 wrote to memory of 1544	4256	Kipabjil.exe	86
PID 1544 wrote to memory of 940	1544	Kdffocib.exe	87
PID 1544 wrote to memory of 940	1544	Kdffocib.exe	87
PID 1544 wrote to memory of 940	1544	Kdffocib.exe	87
PID 940 wrote to memory of 1612	940	Kkpnlm32.exe	88
PID 940 wrote to memory of 1612	940	Kkpnlm32.exe	88
PID 940 wrote to memory of 1612	940	Kkpnlm32.exe	88
PID 1612 wrote to memory of 3004	1612	Kmnjhioc.exe	89
PID 1612 wrote to memory of 3004	1612	Kmnjhioc.exe	89
PID 1612 wrote to memory of 3004	1612	Kmnjhioc.exe	89
PID 3004 wrote to memory of 3576	3004	Kckbqpnj.exe	90
PID 3004 wrote to memory of 3576	3004	Kckbqpnj.exe	90
PID 3004 wrote to memory of 3576	3004	Kckbqpnj.exe	90
PID 3576 wrote to memory of 1872	3576	Kkbkamnl.exe	91
PID 3576 wrote to memory of 1872	3576	Kkbkamnl.exe	91
PID 3576 wrote to memory of 1872	3576	Kkbkamnl.exe	91
PID 1872 wrote to memory of 4504	1872	Lmqgnhmp.exe	92
PID 1872 wrote to memory of 4504	1872	Lmqgnhmp.exe	92
PID 1872 wrote to memory of 4504	1872	Lmqgnhmp.exe	92
PID 4504 wrote to memory of 1556	4504	Ldkojb32.exe	93
PID 4504 wrote to memory of 1556	4504	Ldkojb32.exe	93
PID 4504 wrote to memory of 1556	4504	Ldkojb32.exe	93
PID 1556 wrote to memory of 3056	1556	Lkdggmlj.exe	94
PID 1556 wrote to memory of 3056	1556	Lkdggmlj.exe	94
PID 1556 wrote to memory of 3056	1556	Lkdggmlj.exe	94
PID 3056 wrote to memory of 4536	3056	Lmccchkn.exe	95
PID 3056 wrote to memory of 4536	3056	Lmccchkn.exe	95
PID 3056 wrote to memory of 4536	3056	Lmccchkn.exe	95
PID 4536 wrote to memory of 4692	4536	Lpappc32.exe	96
PID 4536 wrote to memory of 4692	4536	Lpappc32.exe	96
PID 4536 wrote to memory of 4692	4536	Lpappc32.exe	96
PID 4692 wrote to memory of 4560	4692	Lcpllo32.exe	97
PID 4692 wrote to memory of 4560	4692	Lcpllo32.exe	97
PID 4692 wrote to memory of 4560	4692	Lcpllo32.exe	97
PID 4560 wrote to memory of 4632	4560	Lkgdml32.exe	98
PID 4560 wrote to memory of 4632	4560	Lkgdml32.exe	98
PID 4560 wrote to memory of 4632	4560	Lkgdml32.exe	98
PID 4632 wrote to memory of 5112	4632	Laalifad.exe	99
PID 4632 wrote to memory of 5112	4632	Laalifad.exe	99
PID 4632 wrote to memory of 5112	4632	Laalifad.exe	99
PID 5112 wrote to memory of 1176	5112	Lcbiao32.exe	100
PID 5112 wrote to memory of 1176	5112	Lcbiao32.exe	100
PID 5112 wrote to memory of 1176	5112	Lcbiao32.exe	100
PID 1176 wrote to memory of 4748	1176	Lkiqbl32.exe	101
PID 1176 wrote to memory of 4748	1176	Lkiqbl32.exe	101
PID 1176 wrote to memory of 4748	1176	Lkiqbl32.exe	101
PID 4748 wrote to memory of 4744	4748	Lpfijcfl.exe	102

C:\Users\Admin\AppData\Local\Temp\64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\64de8b72ece5b4b20e9d6e67b41e5258c318a32fd7a6036505468b363d6accce_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\Kinemkko.exe
  C:\Windows\system32\Kinemkko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\Kaemnhla.exe
    C:\Windows\system32\Kaemnhla.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\SysWOW64\Kdcijcke.exe
      C:\Windows\system32\Kdcijcke.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
      - C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        48⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 408
        49⤵
        Program crash
        
        PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 868 -ip 868
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
63KB

MD5
63549c03aaa4ee98ec771b53a4c2f140

SHA1
7413d513ee9454d82818a669a8a67d62817bf212

SHA256
7509eb74316c2a15420e72c01f8b0265665edc5c0924dcb04709f8c4e2d77eda

SHA512
b0d4534e905bb14cceb09a6e9a85fe716232cb305c27cb4cb13c06e9a36c0d09f17c32cb2727c02e5aa7ad7243cee1cf6a749fa682455c89ef486774edf57834

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
63KB

MD5
f38d13c00d0bbd21e317b9487bcd0a81

SHA1
c3fcd3851ee1bbc2440ac1e30a19cc67ea8a6a17

SHA256
c656fcb46fd193f99444d1c830c1fb82ea86af5111c495d7017a2682f567a23b

SHA512
4f0fd3fafd70430a117256378d5cbd364befcfd1e04787f447a36b71d27a30b9e717d4edeed8177a26a1c67254f0b89ffe859d67b922d3408e122da479239b05

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
63KB

MD5
97cd59ff0949b4ab47724743e9027cd6

SHA1
25229a7aaf163662d6bd4637fbf1a4cdc1762097

SHA256
9771fe3d6e9a25a28c5eac34a6234050a3d263a714df14df6fbc49f7532fab8d

SHA512
c62021432d156b38c204e18d332cb42b251bd2a036dbdd3c46fc60d8890cd59f7ff5926e74d568ce4e37f3ace88880c26c266720266cda32e292777de0fadc6d

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
63KB

MD5
ce2af0d260c48d0e5c4732ccd7077cd6

SHA1
d1b3361b712c5a7456912f2804bced3ceaf4e45b

SHA256
381005f04169f5f2ce3209211042e60527a0d6b3c7ae0848539962d38379ccf1

SHA512
5b16ff4387cedc090fb9424ac2725123f11c703bfa7bcdb4258bb734ed20969e20d2fec3e9623ddf13824530214c218028257e42adbe8d3dd988bd999cbb8031

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
63KB

MD5
3687444e2e87f413451b0c882e4b9f1a

SHA1
ac974f5392db14f268f45d489ac2a575ca1e6974

SHA256
d14cbb62aaff87694bee86aad310f4f09839e766444487aa6c4a3f81516086d9

SHA512
aafcd996bd58b19c00771ad323b4b175c6ef9ea608ce75918939b6deea8464063896ed2dc9b1e09f25d8ea6dc77d8f1c9533bb3787939727f06aa7781e0a9e22

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
63KB

MD5
54a31040594a43e6269901a00bbe77a1

SHA1
42bd740099b4b25e71cf1cd7f8aa062e5517a74e

SHA256
9f3c24dba9916e78660f44c888b94ab31487c155d3a58e2e9b48f29efbf52a6e

SHA512
9bb68f399f8b09dc8c36c564359474916c63122f3d9fceabeb7e0329164cca9dbbd116892037695ff7bda13ad522fd2202c7db32e7248c8b04744487ba9a5164

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
63KB

MD5
40d9e576684f4bfc892ffaed0ae83ba6

SHA1
0f16b86b7a0ee565aa911272dfaf555fd915dc4e

SHA256
b678b27fabf82b659b7403e7aa3383930b6ddd9d58f48c129575c4dae2f1b9cc

SHA512
60c1f04e5066f480065b43dddd6f6107078352d5483bb77a33fedd0088b7cb7bbddded9cae5b70c0020889f70c32a921b43c0d2e0a4c6b8a023a4e93f41cdd6c

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
63KB

MD5
9aae274319c1f3d1dc6163589366e7b9

SHA1
afbdb86737f09e31a8c2d12270fdf4680945f3a9

SHA256
52c7d28b8de916f935fdebe0b9ea1b7186e04995529cb6c6735d67d71776e2f3

SHA512
671a550c56d0dd584e91559666c027fbb06c6f3e53fdd1a89794158373f35e76d3cd4808e828c743f8656a7f359472c52dc692ccecd85e78230f4984da599b37

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
63KB

MD5
b4e78178a809310f81ae36abc08db5f6

SHA1
5b21c4f5500e18e44bc12feaee08591bcab71790

SHA256
06397de30acf7fc95feb1abbd8bbf2b434f8b0191521bd62470146c3b4d3f0f6

SHA512
4f39a709fb7eeb75804822430d22fdc3dffb6846e2e04b7c9659b2f84703bfdeb32edcd58c4e12fb35ec5e7da182c97652aef8c4c7158b1a547918b5aa403f3c

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
63KB

MD5
2b228f4e5e098b441febc6ee8faae39e

SHA1
27bad46babdc23df452b01e04c7ed7c30e0542ed

SHA256
ffbffb6a5893944bc3c5015423dc1198b615623fc49922125d081a39e37f3e4c

SHA512
0c87a0fbf8b388a5d949e712426caae4540e56474a5de84b8de61825adcbd8ec8ce37cb31c4e825dc556b4e87ffec83f8d38f266412c779dc4e09e41195a254b

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
63KB

MD5
e216eada09a3f698770ce70924a92183

SHA1
d2d3a931d3d959601a64445d21337a2d1ebf8af7

SHA256
5962e6ee520738577ec46f40e229d39d3b4db663e3fd593c35267de696912951

SHA512
1f1b370f2b14bdd492e95f87210e53b03ba99287678150dcc9a826c226726f3d3799ac63abe3b669df0346cd6c58f69cf06749c37eb56ebe073ca68500f45c17

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
63KB

MD5
4b262c179932fe95a0d8186d848d0afa

SHA1
4fab8bd7552ddb1e8dbc85ac48a1a730ffe469ed

SHA256
653eae430ec8c21fab8bfa6ea1b124217e041882b4ef51e873c1982a1c4407e0

SHA512
b7709ccb3f38a9713822ab8b08db701ee5fb1ace466cb9c4f7e203fa74ae477be773a2a94093277b1a831c2361090170e5e1dbb7ad9431e138776e24c66c7d96

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
63KB

MD5
8a8142c4e3a5f3afe13a3ad67a7da11e

SHA1
fc75fe259964eed7cd151a6b17e7fe21d04a11ae

SHA256
7756ca1e7fb87693f3dbac2a0711090db7d2fac8c7b110c9116e8fc8df7d2f93

SHA512
e7733e85bd805cf8a1b2c3ffd2d4bd707c25fffc589d1b96ce3fe943562065195457373d6cdbf565274d335faa8126dfa752b174e12ecddedb4dd27bd0e884d9

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
63KB

MD5
4d8a8755489483e65c9ebc18f053f58f

SHA1
bfcbb43acd5c6861d7de6866dcd85157536d2cca

SHA256
ea76a20acf422d9b1759608dc006f9a04fff50cb2ecc532dfc285b134efdf92d

SHA512
5d0f169215a586c5b6ee5b52aee27ba5d9985d31fbbc85489f8ed178ac5bb73422b2492da012c923f4a402ceb1f729f38ceea14aa8e589e52547963a95325d5e

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
63KB

MD5
35a61d400b3b71c5b4eaffe63d99fec4

SHA1
3136b94fc06306fd76c7a8fbff8a624ec203c05c

SHA256
d889fa5906b41ebe4680a1bd523b9995e7bb5b6d07473c7d9daa7778fb5480e5

SHA512
52aaadd0a158a92edb64dade6c32229ae057dd55c146c04fb23d696ca00d40a429eed6e48da5b55ce9f061890555b3e6a83dd902f4f2650b5f5074b9c92ffeb9

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
63KB

MD5
24315fc8e2fc901eeb436dd903fae022

SHA1
ad73b4047e8bc787f92cfd3550f4c982aefcfcea

SHA256
bf5a97ae9de3fff90f0f59902c4a17c81a21eff70edf6ad05097d83b368d3682

SHA512
9cd571463f11b24af8944f9c724f8fb8870017acf43291b1497e12f9ff7634c9a2cff436a7ce438d529a738419129b30173a47fc7a23cc702a83b15307eaa791

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
63KB

MD5
836364d14e6d87dc57f8726320bd2762

SHA1
e3d8eca509aa14a04e70f62f9c97c9fab28489bb

SHA256
8ee63b38c114cd11ee6b02554b97cb3c40d3311d2efe478c83675ef0589e0a02

SHA512
8760bc43d97782f090704d69822ef1a15f85c6ba36b65270a8d170edbe789ce3d6549f3c2a773e0775ac5734636418e7c0688020ad4e7a6c82e2b44cbfd25a21

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
63KB

MD5
959fa10c2a69b542f472a9a16f0a4f43

SHA1
b93fb4d89fee9d9232a672c637f136a0880b2e5f

SHA256
bb323322fe7f0cdcd06a9b00f209d2d8860f07446ccc75997c5ffda7db6b7893

SHA512
6050f5287e56bdbb03b043e053c6291f3560121270ade70eb4719c4e5ea9341b7856df0c75759fac4ff8ec9c7ed710e742b32a93bee7d0d3b8740b9d1ee35a66

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
63KB

MD5
b064704a485ef6db862b13b5781ee670

SHA1
e38ac1dbed0290fdd0a319b076b1b58baf6b88e9

SHA256
f0c34cefa39a5d45c9614a9f6e9c25b33a2de83f7c4301c28959266bf0ea6d09

SHA512
2cb80d299c8ce6f3d587e4a7971d8ed58d74a2070358f437c11bc78bbec696c7ec361cacacd1aa416165802105fa8ee97cb46ad63909b91e238e291877a9b724

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
63KB

MD5
43d63aa01d66f724bbcc96cb371d8b52

SHA1
0a4d85ce6901fa3e8d920395b5dc6ee78531cc88

SHA256
06c1a218f4d599698227f41fb0f1d24d005c7f6ea54037972037c635be825643

SHA512
9cdd4d8791ebc48ac70e40ca929d02c1de15a27bd647b6d10da30fe63e8b5f13af422698876d0a025651a04faa9e80ba52fb9113969bd4d56351e186196a5899

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
63KB

MD5
514dfe3cdc9321cfd5fc0b7514f9549f

SHA1
7201f34df425519dea0d359333f671653f6d6fae

SHA256
b53ae98119300100ee76a525333138722037f1bde7037f7d3a6573e30bccfa00

SHA512
5e0fe71ccb74f8201d0e54c571e85f5d8c1279f25711d44b87f684cae9444be5ee9f6cb2b50e5cd813c421d3df9a6df4bed87ca6c38f4f715ace145c21838d56

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
63KB

MD5
61de9abbcf22c66b435be4a9a08e8c16

SHA1
d38a7408f4c3d3ea238e8e3a898d42cf5a83d0d3

SHA256
dedc975ac3487bba77707e91c878ad4eba3da6efab3f030d19f9340acb24ba11

SHA512
9db4db253dc4dde0778b7f1b4a5be0cb2952d2515b6b47c7db9a86d4c00e94f44f5c780c935446044bd6f0f57427ec121b7c7d8e6beac2a84d9c311a3e1a3478

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
63KB

MD5
73b347c3d1446398ff8412301fac85e9

SHA1
57cf1bcb9b2de3ab4981f8d99e77e03b6b66bd43

SHA256
7943c1146c597861bb628b80fc7231f84a5d848e8d2e5b06702d468db38f8964

SHA512
4183bf71736f8acedf0fbc3dce4f2d3b48d730a13fd05dfff4d40de33dc348f410fa4a60d6f6c02dbd7b60fbda9ff5d45e4166bee70d3efba83aa1a37be0976e

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
63KB

MD5
4c003e43a6ac064ae154af3ed5800894

SHA1
c6f9e76f231c8ee70b3d0a30d93f9a7007ba5587

SHA256
f24a6243258f723f2257ad28c12a04102c4478f1c72931ba6b2ec741c61eb009

SHA512
d1fa9b58d379e077aa3c0e5f763ecd1e98f65bc1a8fcf011c7149019642aefdbbbc73d06498e186c19004004a0fd98596332d39a26e0b058a500b5b5e29eb454

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
63KB

MD5
41719e89e650fd14921faa2bdcc901f1

SHA1
12f704836431d63b7c031da5a42e6e7ac32cf547

SHA256
fa884f21284067a05fbda13d8c7bd6f1f299683d8a066675a9d511c8adedf2ce

SHA512
85b21f5305d26a75e95969f6a6455aa714970114f1f28ba9b387f90366355e949173917b759dbfd1ef3bbc0b472d68420fb731d5b750b2baa6c0c2c97f057d86

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
63KB

MD5
5749ba9642d532dc54fcad120bd80636

SHA1
1fb0d0969917f619fb69ece3b2510aaef78dea14

SHA256
5347b4086c8c693822298eb42b60eb58d0b955a6d95da8a63f97adddfb3a9c3a

SHA512
a6a33f6226add5fa87d3fad9a8ee4646084162357b12e00756573d0f6d1b636a95955dcc53a64abb5e2c469c62f5988a43e6b777ee7dc67b8d0722c0e63daf3f

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
63KB

MD5
46a745e8ea7a0122bd36df0a5feccf12

SHA1
5b116c05538406bd47441155f7b9f81f0f1f5681

SHA256
27249643514578ec4d36e2d0571006057068f3c2299937dd313c42032b22ae10

SHA512
94988988a3aa14e953aa35af2793f5eed1737ed3b0a794cd51b838f2a5dd92e4546b8b2e837303fb3776bf741b4cd0bf38a5184cff88013a18cca55ae817ec46

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
63KB

MD5
05c3f1f420f658ebbefe8185630b3e1c

SHA1
a983a842f868fa0be07c80028aec30dc7d1b47c9

SHA256
4444cd17901d8eaa267b0aebd44cd1c30a12f456dfaa274c46b2548910309531

SHA512
535420ba32f07a7b7796d1a5d143d1f9fb7c939d20e840777d1b603719a0ea59cc40f7cf0ff3bd4fc48705b5d470155afa9af4909e4d955e296d48ba81b33cc5

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
63KB

MD5
e925d2969b92a8276aabe685a1d37ca8

SHA1
5916308acb7d00fdbdc817e0f4b88bcdf0b2867f

SHA256
8c1e31b8a167cc3a81abf2268b0eedc43735529d52d7e355f811427b06e21473

SHA512
236892a111f8903dd01ce6807cea3f97703e9fd59c700484d68b60f5c5d3baa967286fc206b0f9ef8464eeff2860fe6255cb0b6bbc9fffa065f56c4c92a118f9

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
63KB

MD5
353e2532060d0dd62760e8505b14f720

SHA1
5ccf2101ad355ff6db125fab821ef1eb512f9923

SHA256
e7734f03d7d88436465ae746cc7792453a46496c000b8485402f4a43f0e4d0a8

SHA512
1a95544ebf7973810aae26db06486f6c9bfc7ce2683c0316d0a9aaf050dc558493c8cde4669815892e75f26c1fde3c350fcfd6d8bf4ce72fa5f997e078d67e06

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
63KB

MD5
9030bca3e6f50ad0acce5e58f26f7eff

SHA1
376eabcedf3f073f9d39beacd50041444c43746a

SHA256
02f17f547b8882f3ff4e563a6c9be0418b07d3a0f45857134065e617b7511682

SHA512
56d4ad495f7704237a3a08cfcf04b0bd3afe89a139bbb97b25784f73ef3c9cfcecfc1b0e039c3cfc24fe2b45c234f8b2b61a815800b5ee0336637ae98a65701c

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
63KB

MD5
68154205b33a9f01fe23d7c6f2aca29c

SHA1
2a979d13aa817085f5712eedc0d3ce0dfb1a8780

SHA256
b34bd9ecbaf4ec584365f48bbd1dc547955b787e5dadbb106bf3ca88f5d56904

SHA512
bfb1c2a134b6d6376fdef6b38b52984b07ce6b5bcdcafb6cef6913ca7a430f6c1150591e20b43adbca974ad68490a0aecce032847051265c50e1a77207a0a4f3

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
63KB

MD5
68d05f8da705c66329936ac375fb9920

SHA1
1ded8d2bd221e6da787936e648cae863d550baea

SHA256
2783e33df4e64b186e7c64e7b03295606da91bebb67e13e6e462b8170d324c59

SHA512
67f1b5e3472afad37c56ea7fe651115cd36ead7e69381a5abd90d8ca2a353a6cbd5de3fe05ac4d6a24787f4e9c2eee7468a131b7c3d0a2b1ea8f75cf19ddc9ee

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
63KB

MD5
917d432c998324997b385d73399fafa9

SHA1
a3cc30f85282685a26b43f8446838838951a6f27

SHA256
e0595c6dc727f4c4caab80c4c87d3dc008a646ece9c96c557a7f3f2faf481381

SHA512
1958752e132d6a872ae7b01fdbcccf147776cc48ae03a13044032dd3afcb129a6d052a1f277b7679e9d249f3717d4af8652613fb9efbe5c55edc3fa500d2e90d

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
63KB

MD5
194498ec4ca02e91fa4595c4adda3419

SHA1
c26f51470efc860277c17fb4127373126387236a

SHA256
d908e03c8be1ae628928d5e1f40acedcff6fa65b72f942216b908bafe88ab43e

SHA512
b5cb36151d2b51b80c463f7330f38703642722c6e90c556ab15325bedd3faaac63358f4d4c4838d8c77c732e3f68b737c3807f5c1450a78f6972f723eb74c7f5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
63KB

MD5
0af48e5e0e817c1809bd05f816daf0de

SHA1
8e6b4d06f24fe4d17176a646cb4fd8ba9e84fe31

SHA256
9b82afc9e9f553770e0843666d142fa6f530baf684e65b0649c543c11899f44a

SHA512
94aca0c676d1f9d44a9ab4d5af80b3878c631293ac82f9954ddacfdae78d0d14689b6b30a5be3ae79a7fbac85dc9199fd4f42d0b099bc26b4037423e7ec8af1c

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
63KB

MD5
de4cef631e0c0d8c354c7029f507afb7

SHA1
915ede6f37da86fd8742c046ba724333762dd321

SHA256
ae6a577e760ad4bd35a49ff5be48e17a611a1196c901ff4d47457f82f611762f

SHA512
5c010251c43c06e77a743e0dbcce485de7cbdabc780d16ea676cc7d0f0944ca9d3a5f7a70b1c9ca18ac3fa7a381496cf103e5dbda79915602d5d0e2026eef944

Download Submit
memory/752-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-200-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/868-346-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/868-349-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/940-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/940-384-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/972-360-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/972-268-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1176-159-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1176-373-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1272-365-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1272-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-385-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1556-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1612-383-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1612-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1644-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1644-351-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1688-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1688-355-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1860-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1860-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1872-92-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1892-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1892-388-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-359-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-274-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2184-390-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2184-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3004-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3004-382-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3056-112-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3056-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3128-348-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3128-340-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3140-208-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3140-367-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3464-260-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3576-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3576-381-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3656-248-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3656-362-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3740-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4220-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4220-357-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4256-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4256-39-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4396-356-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4396-292-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4436-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4436-352-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-361-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4472-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4472-347-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4476-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4476-328-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4504-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4504-380-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4536-378-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4536-124-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4560-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4560-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4564-387-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4564-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4632-375-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4632-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4692-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4692-128-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4708-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4708-184-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4740-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4740-364-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4744-371-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4744-176-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4748-168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4748-372-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4772-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4772-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4796-353-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4796-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4804-304-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4804-354-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4932-366-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4932-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4988-389-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4988-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5016-363-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5016-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5112-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5112-374-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads