31717ab7468d56c1884b6604dcc9339c048f4903884d9d3a68f5e63d68ff1212

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 19:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Size

704KB
MD5

1f2cda5d47d44b927288a8a686f4bfb0
SHA1

fd662317725fb01fa88cc4385b41946f6228db5a
SHA256

31717ab7468d56c1884b6604dcc9339c048f4903884d9d3a68f5e63d68ff1212
SHA512

79f4289e3366cd83345714449c9525f471d59ace5f1e0a8d5b64e5c6ba87735f3d7e9f904a6662bf83405e8f482770f24dd176cd14a277d79cffe8663d363247
SSDEEP

12288:m4CaPh2kkkkK4kXkkkkkkkkl888888888888888888nusMH0QiRLsR4P377a20Rw:QaPh2kkkkK4kXkkkkkkkkhLX3a20R0vh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe

Executes dropped EXE 19 IoCs

pid	Process
1312	Kgbefoji.exe
1620	Kmlnbi32.exe
4864	Kgdbkohf.exe
656	Kajfig32.exe
3960	Lkdggmlj.exe
3188	Lijdhiaa.exe
1064	Lkiqbl32.exe
5056	Lgpagm32.exe
2076	Laefdf32.exe
2372	Mciobn32.exe
752	Mdiklqhm.exe
3904	Mjeddggd.exe
3956	Mncmjfmk.exe
2252	Mglack32.exe
4212	Nacbfdao.exe
1396	Nqiogp32.exe
2588	Nbhkac32.exe
2768	Nkqpjidj.exe
2056	Nkcmohbg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Milgab32.dll	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mciobn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4628	2056	WerFault.exe	101

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1312	1352	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe	80
PID 1352 wrote to memory of 1312	1352	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe	80
PID 1352 wrote to memory of 1312	1352	1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe	80
PID 1312 wrote to memory of 1620	1312	Kgbefoji.exe	81
PID 1312 wrote to memory of 1620	1312	Kgbefoji.exe	81
PID 1312 wrote to memory of 1620	1312	Kgbefoji.exe	81
PID 1620 wrote to memory of 4864	1620	Kmlnbi32.exe	82
PID 1620 wrote to memory of 4864	1620	Kmlnbi32.exe	82
PID 1620 wrote to memory of 4864	1620	Kmlnbi32.exe	82
PID 4864 wrote to memory of 656	4864	Kgdbkohf.exe	83
PID 4864 wrote to memory of 656	4864	Kgdbkohf.exe	83
PID 4864 wrote to memory of 656	4864	Kgdbkohf.exe	83
PID 656 wrote to memory of 3960	656	Kajfig32.exe	87
PID 656 wrote to memory of 3960	656	Kajfig32.exe	87
PID 656 wrote to memory of 3960	656	Kajfig32.exe	87
PID 3960 wrote to memory of 3188	3960	Lkdggmlj.exe	88
PID 3960 wrote to memory of 3188	3960	Lkdggmlj.exe	88
PID 3960 wrote to memory of 3188	3960	Lkdggmlj.exe	88
PID 3188 wrote to memory of 1064	3188	Lijdhiaa.exe	89
PID 3188 wrote to memory of 1064	3188	Lijdhiaa.exe	89
PID 3188 wrote to memory of 1064	3188	Lijdhiaa.exe	89
PID 1064 wrote to memory of 5056	1064	Lkiqbl32.exe	90
PID 1064 wrote to memory of 5056	1064	Lkiqbl32.exe	90
PID 1064 wrote to memory of 5056	1064	Lkiqbl32.exe	90
PID 5056 wrote to memory of 2076	5056	Lgpagm32.exe	91
PID 5056 wrote to memory of 2076	5056	Lgpagm32.exe	91
PID 5056 wrote to memory of 2076	5056	Lgpagm32.exe	91
PID 2076 wrote to memory of 2372	2076	Laefdf32.exe	92
PID 2076 wrote to memory of 2372	2076	Laefdf32.exe	92
PID 2076 wrote to memory of 2372	2076	Laefdf32.exe	92
PID 2372 wrote to memory of 752	2372	Mciobn32.exe	93
PID 2372 wrote to memory of 752	2372	Mciobn32.exe	93
PID 2372 wrote to memory of 752	2372	Mciobn32.exe	93
PID 752 wrote to memory of 3904	752	Mdiklqhm.exe	94
PID 752 wrote to memory of 3904	752	Mdiklqhm.exe	94
PID 752 wrote to memory of 3904	752	Mdiklqhm.exe	94
PID 3904 wrote to memory of 3956	3904	Mjeddggd.exe	95
PID 3904 wrote to memory of 3956	3904	Mjeddggd.exe	95
PID 3904 wrote to memory of 3956	3904	Mjeddggd.exe	95
PID 3956 wrote to memory of 2252	3956	Mncmjfmk.exe	96
PID 3956 wrote to memory of 2252	3956	Mncmjfmk.exe	96
PID 3956 wrote to memory of 2252	3956	Mncmjfmk.exe	96
PID 2252 wrote to memory of 4212	2252	Mglack32.exe	97
PID 2252 wrote to memory of 4212	2252	Mglack32.exe	97
PID 2252 wrote to memory of 4212	2252	Mglack32.exe	97
PID 4212 wrote to memory of 1396	4212	Nacbfdao.exe	98
PID 4212 wrote to memory of 1396	4212	Nacbfdao.exe	98
PID 4212 wrote to memory of 1396	4212	Nacbfdao.exe	98
PID 1396 wrote to memory of 2588	1396	Nqiogp32.exe	99
PID 1396 wrote to memory of 2588	1396	Nqiogp32.exe	99
PID 1396 wrote to memory of 2588	1396	Nqiogp32.exe	99
PID 2588 wrote to memory of 2768	2588	Nbhkac32.exe	100
PID 2588 wrote to memory of 2768	2588	Nbhkac32.exe	100
PID 2588 wrote to memory of 2768	2588	Nbhkac32.exe	100
PID 2768 wrote to memory of 2056	2768	Nkqpjidj.exe	101
PID 2768 wrote to memory of 2056	2768	Nkqpjidj.exe	101
PID 2768 wrote to memory of 2056	2768	Nkqpjidj.exe	101

C:\Users\Admin\AppData\Local\Temp\1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1f2cda5d47d44b927288a8a686f4bfb0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\Kgbefoji.exe
  C:\Windows\system32\Kgbefoji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\Kmlnbi32.exe
    C:\Windows\system32\Kmlnbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\Kgdbkohf.exe
      C:\Windows\system32\Kgdbkohf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        20⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 400
        21⤵
        Program crash
        
        PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2056 -ip 2056
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe

Filesize
704KB

MD5
86e56603d799d3de9fe8e069da6098cd

SHA1
04b4d5f372fb1a046adf681c94b345dda51eef8c

SHA256
1835ad395374f5fe98a92be769c589c05574fdf1e92e15e415c67ed1e6865f28

SHA512
6386085b8afc5695aa297cb3e8e33beab215b863366fe86500b41edd36c59f288fa154e560fbdfc24ca1f6586c8f65a18c6e0cc823cfff69c889fa2a8ee4da45

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
704KB

MD5
185170e8d4f547d78e0be66d311f719b

SHA1
4b75e9dd4c30665cbd1f3cc0a047754edc3a8953

SHA256
a7aecfd6b831aff464fc990e54f4b0a3d455aad69f782138e1875b993c2c59b1

SHA512
d39f28244c9202fe87222a2c827880707fa7a6d1e7cb5c860042348af8bd4cd82af6daa804be6a80779d1354892cdfa3fcd089d2c95b67be7cb4e87103a1f2b2

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
704KB

MD5
654dfa7963ceb1ebe12c84843fd3741c

SHA1
0ac19bf37d8150678028f271fd5a31da44e0dd91

SHA256
58b13f8e99fc070ee0cb8c9add21e4ed72d0505112dcc8db7b65997267c55e8b

SHA512
f1689f3440cdfc508f7bbf060ab7b0aacad0eb7c83769bc9c8c0947fcb21e8f7d8fed761d302fc5dec38901849788e1696f5912d2b6715bf6e3ef34c9e45be1c

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
704KB

MD5
de5a80b3a7b09779311093d4227c97f1

SHA1
5c628603bb43b0de2850363145144d49fd14716a

SHA256
8fa7517e69919f88a4c03ac823fb2224799e928b8799101f60ff7c05adbaf0a9

SHA512
10f463a5e34a0dc04aa87b4b70a843dc083e03afa76f026013e435143347e8e12b093d049151f4576734c6148f8b7b4173a7dde056d1ba06a33ab352c3cb797c

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
704KB

MD5
aaa3ab2605271ce35a13c0a3e23093ff

SHA1
9d1826039e9cc78fac9a1b14ee16a086a811aedc

SHA256
91554f9c7b04ccdaf4e659957579c9c63308c5e5a1adf70fa2824b0029e648ba

SHA512
c832134a07c64486c6d1e96b57870145ea36b2c1b167e2adc2d613665dbf2d894fea73d740b42bd5fa01d6074ba0c9340ab680a23c362b2ef2643b7d931ea14e

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
704KB

MD5
6581063fb284b845f1a744b463eb4d47

SHA1
8b142a081014159f0ae227b56d3f8ccdad79a91e

SHA256
316088fcead2047ae5bcbe265d0f9cbcbc18252a19a536dcfe89dc510074f4df

SHA512
72928e3638f0955dea8579e9c5dd103efb3202c08797e0ade56d90cc7996aff0ecdb32a355b940077b3765027d9f23991ae3f6beb404bd0e46cb3d67a1d87757

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
704KB

MD5
2363ae3fd95be7002f83a36569c64762

SHA1
932064a83c406bd597954dd914fff1b9223e5420

SHA256
585f1ec22129f6d3860b35c8059481a87525b335c06af4086d44f3349d27505f

SHA512
401c09642181ada4ace5825c65d49acfd901cf109f170f03d6eb9b87a8f36967a3e07bfe98baf326979d87e80cfec35c159eb34a33edcf297e991fb3b78aee63

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
704KB

MD5
3c4cb6946672242192ffc7905c296568

SHA1
5f69bc6e2ae8146b1c1a6aebfef87aae28464918

SHA256
3b3d571db50726b374b830b989c40685b5b2ca4218665d2ed9a0c4555accabc5

SHA512
2526de0bd9be168b1c6f7b0430b3dbf6677fae0b474f5197fe9e3d0b8d5f65781fa1c9704cee1fabd0ecb3f714c177e3f5575ff47856887ca930943ab6d5a723

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
704KB

MD5
31c2b6c3e25b31821872b2f02893f667

SHA1
06d63cbcb3908a5c25168f00eb62c64a0edbf809

SHA256
af1c06a648fe52102fbc92f604445ffb8efa680c801f67b146178834cbb3d3a5

SHA512
b1b0f03e3d6c4297fe68fbb7f2e2d208bc182fca1c8cfc508e5a180c9d4b19ce0234ff71d22fa61887bbf7b78a28419071e6621a5f016c3c87d607fc64d35b5d

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
704KB

MD5
37ab636e1f0ab049fea3387ef39b9c67

SHA1
dba84c045ea9d78b6599c81b7c28bb3026760e5e

SHA256
27c73b0ae81c6925866c945bae0cfc48e665eeced4a05da68390ecfb11e26454

SHA512
0805193ae5f3b528dc66461de05c5f3012924dc908e67d6318867a2b4ed0c66662655d7f8b8a5afcde4b53dbfc2edd12b67e3aa7d437a55452d26c7b2647e14e

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
704KB

MD5
318d6d764a613f9b345ae7250b632a0e

SHA1
eb73c48310185db4978b29fbe3baed4d1b529930

SHA256
072fb698f60c8e4e7c55ba21bb60c8a4f0781fc964fda64feb6e42148e3e8e62

SHA512
13e129338a2df7e9f7dc7d2a931d01f2d1fb38c1389f789305eb313f1d49fc12704e588638b3844c20cd8d93a6b2c91452154b1643d45209c7de38ca3d7b53ab

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
704KB

MD5
8be2d13bd9a0717e7b220bc96c15acc1

SHA1
65e0e9b214ba5a4fc20fd987bedeccf77c1605ea

SHA256
9aded285d1a1fff42642e2cafec528765b83c17eb7926136fc0caf1a96c84d91

SHA512
35d3bec6cae8d2d338d9b946eba027071800c773dd0b7686338ff492a20c39b62ea7083225661cca14d095378e877e4c1e4caaa5cb2956161fa6ea430df60297

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
704KB

MD5
3a73b9c0b9d3b98738705755ea4a42cf

SHA1
9416f18bbe5512a0b85485ee386e57fe58129b06

SHA256
74130b139c5371327436905ddca966dc69515fc5531efb6e91281a8e0fd48e05

SHA512
84c7fe7c1e5a455529959f2588261d2e78b949294a1daf818b2a13700b7224647dd858f17d2b23f2938eace7c230bc7345631aae30c4806c67b3516601f2fb55

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
704KB

MD5
1bdda66612abf9295db1ae6371c17327

SHA1
4d18f06b5fdb16f608d53bfa0caa0baf6be0ab03

SHA256
3df20c55a91164abe81579c3773eb50618f22d009a34650ff34a5b8b0c26bf8c

SHA512
328d071b841933b4c022a5607bf54cf872f3024b74d03aa6b9e4e99b7523b69159534e9e2035f9c3e76e37d1e25c9729a3dcbb5fe008a10d471decae08ad0dae

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
704KB

MD5
d24962fcd2f362131775f073bbbd0b72

SHA1
643f316309371d469d71895621bd51f5a895ea10

SHA256
65a9dcd833a7a14d87c427a1c240133cddef4c104b3606f3f5d7de21368bd3f9

SHA512
d07d4f0865cc9d389bc018b3d33c28d15ca8e2e51df72ddeefc9ccf6b8023b2bedeab9865c0907261bab719378bdaaff161522ae8a8fdcf6ab91138de5fa217e

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
704KB

MD5
eca048f746aeaf8cdbc3a358cf2a6b20

SHA1
45dc5e980edb383529180ac22f684c988a464bef

SHA256
e0d4b7c9aa2e366e110f59be6f31284df33810df2616266cbf0881f2a009dfd9

SHA512
1beae3b41ea849133ddeac169cc0f5e00ee83ff2f73b2c3a128ec30807478d5efb787d1df143f1d57e15aa0308fc1b8959995fda054637cd4526372c4383d093

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
704KB

MD5
e85c93a69cb4b0d35f6cf802702c832b

SHA1
2ebd9da6c681ff110cca26f5705ab9ba896a1428

SHA256
c9d93057724186df6fbba4b0be1c0926a884683a0fcd7fd5ca409bc9a850a35f

SHA512
e6504222ae81e6af871c5541cdaf49f1e5728aec2b3e65785907162840557a837c5d5667cad2653e8323983c30bbe193d401b261f0e130e1d1b9f9b578e28353

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
704KB

MD5
fcb8fb0f284cb830aae90a1f4860a188

SHA1
b2a081df816740e97ae66fcfc85857a890c470b2

SHA256
0f4b6e81fa9149aa2d40562536f149946feddd87017da0bbfdb30b2e642b924f

SHA512
eda529d3f81389b75794098f58f65fc5e8fed59e16ffba2332d3bb2e4c128c7a08306bf21e21ca2a76cc9ba77cff584af1bfe5bbfb8eb60135e7f0cdb71d9ca5

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
704KB

MD5
6dfab77f36ce27f2d7244f972b827f71

SHA1
66403e8c3514d86cafac6b26b4a62fce26334b2b

SHA256
08912d743946d71f9239d35d5f8a41564a0f0440f1a024a8e062951d2b4f0ab5

SHA512
d7996250a895dbddf08ef9e9784eb00ff984e7b0f44f355e7637e9b86a7fee22c8a42abeb3d360456e1372760231015e53438aaf662b0ae5e9448a8bcf3175cb

Download Submit
memory/656-115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/656-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/752-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/752-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1064-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1064-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1312-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1312-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1352-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1352-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1396-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1396-165-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1620-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1620-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2056-162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2076-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2076-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2252-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2252-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2372-171-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2588-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2588-164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2768-163-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2768-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3188-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3188-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3904-99-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3904-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3956-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3956-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3960-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3960-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4212-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4212-126-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4864-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4864-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads