c7d840dc1ca97e9451ac10642c35171b82c72961a46011ff1c7895e7c40fa056

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 02:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca414eb6b6841e030edeb276544f0d50_NEIKI.exe
Size

237KB
MD5

ca414eb6b6841e030edeb276544f0d50
SHA1

60665df09f2e3117796ee8c06c8f74899d5e2305
SHA256

c7d840dc1ca97e9451ac10642c35171b82c72961a46011ff1c7895e7c40fa056
SHA512

df0254a1b80801f2df60c9fd53ef77babf54f6dc5ac75c1c7881ce7101e13f06dc9715b1f0db0b22de324ecab7e798a666da3740b969ac3112438dad04ab7bbf
SSDEEP

3072:/2jv/85rAUbj8Nq75Sq4iqnAUUjE02ZoL9snKKq:/2jv/85rXj8U5ihYjEToZY8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe

Executes dropped EXE 48 IoCs

pid	Process
4632	Kdopod32.exe
1920	Kkihknfg.exe
2604	Kmgdgjek.exe
2776	Kbdmpqcb.exe
3224	Kkkdan32.exe
4760	Kknafn32.exe
2280	Kmlnbi32.exe
3820	Kpjjod32.exe
2484	Kgdbkohf.exe
4956	Kmnjhioc.exe
2060	Kdhbec32.exe
5100	Kgfoan32.exe
5112	Liekmj32.exe
2908	Lpocjdld.exe
3504	Laopdgcg.exe
4844	Lpcmec32.exe
2676	Lkiqbl32.exe
3416	Laciofpa.exe
4504	Lcdegnep.exe
892	Lklnhlfb.exe
1604	Laefdf32.exe
3372	Lddbqa32.exe
2080	Lgbnmm32.exe
3824	Mnlfigcc.exe
1768	Mdfofakp.exe
320	Mkpgck32.exe
3788	Mdiklqhm.exe
1696	Mgghhlhq.exe
3056	Mnapdf32.exe
3284	Mcnhmm32.exe
4468	Mncmjfmk.exe
2836	Mcpebmkb.exe
2880	Mjjmog32.exe
1292	Mpdelajl.exe
4576	Nkjjij32.exe
2316	Nnhfee32.exe
1308	Nceonl32.exe
3632	Nklfoi32.exe
372	Nafokcol.exe
1436	Nqiogp32.exe
3600	Nkncdifl.exe
4740	Nnmopdep.exe
4448	Ndghmo32.exe
3208	Ngedij32.exe
3252	Njcpee32.exe
4292	Nbkhfc32.exe
1948	Ndidbn32.exe
2724	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2824	2724	WerFault.exe	132

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4632	2396	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe	82
PID 2396 wrote to memory of 4632	2396	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe	82
PID 2396 wrote to memory of 4632	2396	ca414eb6b6841e030edeb276544f0d50_NEIKI.exe	82
PID 4632 wrote to memory of 1920	4632	Kdopod32.exe	83
PID 4632 wrote to memory of 1920	4632	Kdopod32.exe	83
PID 4632 wrote to memory of 1920	4632	Kdopod32.exe	83
PID 1920 wrote to memory of 2604	1920	Kkihknfg.exe	84
PID 1920 wrote to memory of 2604	1920	Kkihknfg.exe	84
PID 1920 wrote to memory of 2604	1920	Kkihknfg.exe	84
PID 2604 wrote to memory of 2776	2604	Kmgdgjek.exe	85
PID 2604 wrote to memory of 2776	2604	Kmgdgjek.exe	85
PID 2604 wrote to memory of 2776	2604	Kmgdgjek.exe	85
PID 2776 wrote to memory of 3224	2776	Kbdmpqcb.exe	86
PID 2776 wrote to memory of 3224	2776	Kbdmpqcb.exe	86
PID 2776 wrote to memory of 3224	2776	Kbdmpqcb.exe	86
PID 3224 wrote to memory of 4760	3224	Kkkdan32.exe	87
PID 3224 wrote to memory of 4760	3224	Kkkdan32.exe	87
PID 3224 wrote to memory of 4760	3224	Kkkdan32.exe	87
PID 4760 wrote to memory of 2280	4760	Kknafn32.exe	88
PID 4760 wrote to memory of 2280	4760	Kknafn32.exe	88
PID 4760 wrote to memory of 2280	4760	Kknafn32.exe	88
PID 2280 wrote to memory of 3820	2280	Kmlnbi32.exe	89
PID 2280 wrote to memory of 3820	2280	Kmlnbi32.exe	89
PID 2280 wrote to memory of 3820	2280	Kmlnbi32.exe	89
PID 3820 wrote to memory of 2484	3820	Kpjjod32.exe	90
PID 3820 wrote to memory of 2484	3820	Kpjjod32.exe	90
PID 3820 wrote to memory of 2484	3820	Kpjjod32.exe	90
PID 2484 wrote to memory of 4956	2484	Kgdbkohf.exe	92
PID 2484 wrote to memory of 4956	2484	Kgdbkohf.exe	92
PID 2484 wrote to memory of 4956	2484	Kgdbkohf.exe	92
PID 4956 wrote to memory of 2060	4956	Kmnjhioc.exe	93
PID 4956 wrote to memory of 2060	4956	Kmnjhioc.exe	93
PID 4956 wrote to memory of 2060	4956	Kmnjhioc.exe	93
PID 2060 wrote to memory of 5100	2060	Kdhbec32.exe	94
PID 2060 wrote to memory of 5100	2060	Kdhbec32.exe	94
PID 2060 wrote to memory of 5100	2060	Kdhbec32.exe	94
PID 5100 wrote to memory of 5112	5100	Kgfoan32.exe	95
PID 5100 wrote to memory of 5112	5100	Kgfoan32.exe	95
PID 5100 wrote to memory of 5112	5100	Kgfoan32.exe	95
PID 5112 wrote to memory of 2908	5112	Liekmj32.exe	96
PID 5112 wrote to memory of 2908	5112	Liekmj32.exe	96
PID 5112 wrote to memory of 2908	5112	Liekmj32.exe	96
PID 2908 wrote to memory of 3504	2908	Lpocjdld.exe	97
PID 2908 wrote to memory of 3504	2908	Lpocjdld.exe	97
PID 2908 wrote to memory of 3504	2908	Lpocjdld.exe	97
PID 3504 wrote to memory of 4844	3504	Laopdgcg.exe	99
PID 3504 wrote to memory of 4844	3504	Laopdgcg.exe	99
PID 3504 wrote to memory of 4844	3504	Laopdgcg.exe	99
PID 4844 wrote to memory of 2676	4844	Lpcmec32.exe	100
PID 4844 wrote to memory of 2676	4844	Lpcmec32.exe	100
PID 4844 wrote to memory of 2676	4844	Lpcmec32.exe	100
PID 2676 wrote to memory of 3416	2676	Lkiqbl32.exe	101
PID 2676 wrote to memory of 3416	2676	Lkiqbl32.exe	101
PID 2676 wrote to memory of 3416	2676	Lkiqbl32.exe	101
PID 3416 wrote to memory of 4504	3416	Laciofpa.exe	102
PID 3416 wrote to memory of 4504	3416	Laciofpa.exe	102
PID 3416 wrote to memory of 4504	3416	Laciofpa.exe	102
PID 4504 wrote to memory of 892	4504	Lcdegnep.exe	103
PID 4504 wrote to memory of 892	4504	Lcdegnep.exe	103
PID 4504 wrote to memory of 892	4504	Lcdegnep.exe	103
PID 892 wrote to memory of 1604	892	Lklnhlfb.exe	104
PID 892 wrote to memory of 1604	892	Lklnhlfb.exe	104
PID 892 wrote to memory of 1604	892	Lklnhlfb.exe	104
PID 1604 wrote to memory of 3372	1604	Laefdf32.exe	105

C:\Users\Admin\AppData\Local\Temp\ca414eb6b6841e030edeb276544f0d50_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\ca414eb6b6841e030edeb276544f0d50_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\Kdopod32.exe
  C:\Windows\system32\Kdopod32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\Kkihknfg.exe
    C:\Windows\system32\Kkihknfg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\Kmgdgjek.exe
      C:\Windows\system32\Kmgdgjek.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        49⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 400
        50⤵
        Program crash
        
        PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2724 -ip 2724
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
237KB

MD5
3dafccd4595e2a8928582487593ae083

SHA1
1f3d791f142c2111e7eb50969c0a902e3afe4f3d

SHA256
8eae636a913fdbc0ce0779a84240f987440724dc145693290a2707c6ff46e7e2

SHA512
cbe816550a230c29f31529889746a168fb0a9a7cd846f1aa3b555167884b0d70ef75f7eb8a6a95278182a3789d1af16679b3409981e63a94e0c02178fa60e9fd

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
237KB

MD5
4974cf1cd3547adfd0a708fe8897262c

SHA1
2ff8b5c2639c34ca89505e31340d539f410ce6a1

SHA256
2704aae9012eb06fee7b285f23dfb5b4c8eb40d0c1ca2bc096825d52ca6ff220

SHA512
ca4b57754b4632f846e6180f5e86b391504afd1be54d65fa3a1b3314b9a0ea6b927e867c2efbdf1b1e88ddd06676b6ca878cc39a1e32f5e7e489f05b0485dbbc

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
237KB

MD5
8bd97c38a7dd526a82897ce567eff734

SHA1
671ba77f538d557e6125f125bae31b1cd1d589ad

SHA256
d929418b59effba5b6e8a9a400f1033881dfbf33ef746694622ceee3690e4e62

SHA512
19aadbc40715b0274695fd9ac546c91bb9b3ae7c61713277e00eddd1972a58bc5f4fa72a4da18516d9ed98fe6989d70489b317a788321d1bc3c69284ea49ec27

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
237KB

MD5
2d58d9eea443fff3903cb6bc124fa693

SHA1
b725c8c16a8d3e123c3feb608a92c68bbd30ab80

SHA256
7872b73b3c407f13afd2c76182f2192c8338b35da9cc0991f995db526c4481a3

SHA512
1f6588be1ae98a8b2a335ea84a025de761d828eed21013848935271e0ecc557056c1c4c406c41ceab714fbb6fb7ab3247526bdc4510bd8bc494892ae1534fd02

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
237KB

MD5
19555d3d9d730d928a67f150c153ffc2

SHA1
655ab14013cfd78e76f4fb7bebb208a22a305227

SHA256
962e1840a1f0d7be33cc53586d8b3b253206723d3d58d5c8ad2a202e421e677f

SHA512
0fc3f2ab19cac4dfaf3bce6d90b54f2f788a91626ba00f828ac5e59c95e2597ee38e940290ab172a0797a1f0eb35f883148a036abc2ff08b903cb73384784279

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
237KB

MD5
8a4fe07cb2f82184f439f41c4ddf7fb7

SHA1
31890846f3e9fb1180457aabb589d6fe4890c6ec

SHA256
b904a4d10a037b0f0975f7a20a007de2a9d0f652880f47efa39b241bac9b411e

SHA512
fbb7da9a4e936dd71c297c7dcb262ac51e3c7a4d336b24e53afff8a1cc125fe487e8d3a3f81572965dfc768385c35c721be79f57b229865abc9bd12a85b4c4d7

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
237KB

MD5
cc897a47f6cd173d5fb122a534ffba70

SHA1
752c872a14b757335202481210fb3f0006cd7bad

SHA256
c68b1352311a881c86569da2317c97c7cb5dbdd0a19cd46a919bc60fe762f3f6

SHA512
1c1f4e9db7d3a7e58e3d9e490514a1e72e3c5442eb3842d07d0d9aa3d4b8dda5a3b30e0fee5f3021e7b8e532331066d4de1b2964f432ca85e5c70b9fa163c9bc

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
237KB

MD5
27a72d4bd185b7f3ae115d4121ed01ca

SHA1
d225bec40bf3b33f45c755dae7c71d950487a9f3

SHA256
ec726443366fb82437f93d4e0cf11bd1f5bafa95aac0b9568c02fed366e037f4

SHA512
04bd5f5466dddf49037233d25d8c1a4c222ad13258f58af2cbf1f325ba9a60dc1c1caef86b11bbccdf52ad8e33875702c550efc7d4d6c5a40bf483c388ecbcbd

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
237KB

MD5
8aeaf3e8daf55d70876cf23ad0e41b66

SHA1
8b33d465f8ab07a5b1b81c115218a7ab7c7401c9

SHA256
16e7cc1759c18060dc4c1392aa62ebadaab166f6edacace6e2c44a73e8c3892d

SHA512
bcc3ed623c9813c480569a7fade862b39ab542ae464b3034e4eb84f8e3cbd280cd6a333ee4fd63b59d84570ab1b4a335e2cffa94c9ad87560f90d749d6d25e1d

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
237KB

MD5
def3c10afa86fc3bc50e7b19e805fd80

SHA1
18b361fd99801e7e2920090bb5b37f71b5b9da26

SHA256
1c436bd83697eeea154763cef9c90290a452800cd0a648cb6b3b5685ec133ef2

SHA512
6f4d511bb620419fff7e76e4c88936b227f6c2c6ae8ada07d7000b8c810780fe77b5425a727bcf344ae0c63a2e2568e7cbb964485a7743bf6dab57e7b0d35645

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
237KB

MD5
cc0e12cdf1cc42535cbfd91ed4e0994f

SHA1
040ce9025ea1b85bea7b0754f967e950d0681edd

SHA256
b4b81ea53116b583801636f339f524c622fb30a61d5200b48d79ef712744e3b6

SHA512
3cc5e92adaae6f9fddea6215aeeb1c36fcc017aeb790b7a1e851a0f9585bbb6700e103964c563ff72a50bf1a4c5a86f55651b75945fe1a394e4c5abda749ce2b

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
237KB

MD5
9e3127f30b843a326049051dfe227784

SHA1
0f04f1eda7ddd2a174355acb527f535db731dfce

SHA256
77729f1018439477d9c1f45286f792ebecd31a0976910f6d1a1ab15436c6f4b2

SHA512
9998634a37caa110d0cf69144e847ea3a38f87981019ae54478227532ea1ca498347904e22a6b0e7c3add6a50f10aba5c6d2156e3b62cb291b43cd6462800ec8

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
237KB

MD5
58104c28c5ed8dd33da0a8f2d0eac1ee

SHA1
29d0204c45728ce8144b653c58d768aed7669240

SHA256
d3c52154b815adc2f350d3ddd19351b127b8eaa6f43da592250a2d013d37dc25

SHA512
5a6d43b9b881b1c4d25bed9e6d3070d08084fd157069c18d1d116786ed8b05ba2fd20086bdb0a0bb6869697b09680787a39d1ab22e114754568d9db1af76260b

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
237KB

MD5
c4664261904d15a6051e5a6c12b99a9b

SHA1
229b5308ffbd19f7bded55dd2f715d69052b7520

SHA256
f9e44ba84776efa9411e40894b0eb207104cb726e4fb5ba47cc96b75df1e401a

SHA512
08d9200ff623465f245554d8277f1c23ec135f40b0e08b4ce4cea87b8eb4b6aab7dbc5be9bb90ccf3cf5cfc393e3608d0250d2619c65dbf71913a3de2f213ba7

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
237KB

MD5
c96ad3b3a6529167dac1a1f0ffb87cd5

SHA1
6b2b64bfc8fac724000de527949fa8861f305209

SHA256
3fb567c5992c183c41cf30d6308ff4417d078ba76e5cc03358af79fd655da561

SHA512
ebb6e1a352478aa88420c30b67c69df6c56a2fd22b08725d5abac949611f0e08de276144871d46caee6f491fc9e52f1436685b8dd9160a1564db3cbc69bd24ad

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
237KB

MD5
715a09deb0f6622efbf36e873a59d74c

SHA1
d2dc0589fc588c2daaceadb996283d4002c6537e

SHA256
f04c8a33388f9c93285276041d989ffc8ae44d155731266e677193450594b84d

SHA512
de2d7a1808782cb14c29ac0f4fdbbe260fb7cfbcb54801dc02f4fc9cb73b0446b8d81fd6f220d834f05d6f61f62154191262449e6a31a6fcaff4d063e2da88b9

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
237KB

MD5
139c6b4766672c9ebdf491a58dd9f23e

SHA1
57d83d5e3424ed1d2073bb0b9bd769f3497288a8

SHA256
028ff73e258922ae83e2df71df53e34bcb54ec6c71236cafc6026979a367d109

SHA512
b953565ca8ce9d97fab94245d15471e415581ef3baf44d7d7e0374ae00c759dedfe71ccafa8250dffa8b2716f476a4a1686680659ee986085cab10a89bd8345f

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
237KB

MD5
972c3a2a03343d332c2ce944f8594031

SHA1
a87c0ce173cb06528db6bfc8ab5f7909782a7dd2

SHA256
f577b4812927d36e2219ef799253208c668e26209a473f831b0a0f9f9825a4ac

SHA512
f32d8976a52718902f2b9cc3340362725aa20150c39127b4cc3c2cfe3ab2b0330db39b9ed1adc8193b8925df794080065fcf7f5116aa47d8b557b1a9ad4ef4ba

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
237KB

MD5
f0c26e08c5f0720b914777f1fa747b97

SHA1
e56a303c9c9b91d3fcdb3a0ca53b6ba7e4b0968c

SHA256
052e055d6702199f2b8c79984378a1bb1759e1e9204750904b954a66a3f9fc9f

SHA512
c0f672813fc13074b9474ebd3b2ccef6f24ed6d44e3cd2719c3d608fbace4fc14532ecf115dd85d73d0e1a25d7f0a62dfd60cb0ada054e3b525c4289b724ca34

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
237KB

MD5
75c0af05d0c67ff09b9f44af56f55f03

SHA1
3eeba6f4afd650f8a4cce0eb825490dd8d2896e7

SHA256
22f00c42420aa4367513db944e3aafc368bfd3d759830414c9124837d7976972

SHA512
8f5ba4ece863e4ab5a364eac5541fce055d77420b47880ea3c1257096a4a219210dea65ab8c407ba9008727c262803be2e1cddaf1476394b4eda8373c8919bc1

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
237KB

MD5
d859cda85d3571534926a5d01dd773b9

SHA1
a95c58c16c1c1e7a2bec5794582da0951993367e

SHA256
d413cbc787647fd5808fdb5c7eb10d8a62f93066b566d28b831b05403a3fe4df

SHA512
4250ffdba4d8d2325bcfc08a765d4eee5bbced5b8fc3dc39580bcefbd54daf0dfec9170ca528d905b49cd62f94fea5bc10a8403b84a0c9600c00c1934d4f8ab1

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
237KB

MD5
54a576f7ef97a0592ed760f80f56ab54

SHA1
3b1e49970c50e58c1fdb8fe4ad237060ac005c7e

SHA256
c4ce6a5fe0b787f74a98a7713116b1eb01e0598c0266f68ef1cdf5171b29fd83

SHA512
23c48e8a8095fdb03d0d3e256feb38748ea79e09878e9aaf2f74596e7ada911297ba140e2b1ea02d4f7172d059b2d00383a774b7dc916c728f94253881abec20

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
237KB

MD5
aa08f625532c5e4b84b29ff7b04e3d71

SHA1
a0fea487f024a86c74b5c9897ac299b9979c447f

SHA256
30af89ed7b0807cca64833ee1b8e4d06ea5aa16211a347b7e7d194d45f965d44

SHA512
8d3165b1e9c4b40db181a51cba6e1d58f7baf990a1921784ee8968b7d6013e9626ad7b64a97f1e065ee7af6530e9d5e5c7fe5e01d5b58d3dc1d371f4db83f840

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
237KB

MD5
c753ccd9aeb87d13013baf6b60513de0

SHA1
a19f89687887f606fe6a8a224f90abd109018c15

SHA256
0b008043afe80e6bb69a3cf560907918fbf9a8b4af8e633f0dcd61d78f57cda6

SHA512
df25321d902740cd194bc339febb9b6975e2a0f9b045696a689eba27f29f6b4b7d187b71d4a7baa3a9b4fb7964be5d34fb01a072ea5a3cc7cf4f6c15548a33d2

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
237KB

MD5
00d9529d29c324e24ef44d8a601937f1

SHA1
3bd9503404ef4375f73991c35deb76e35b38109d

SHA256
d9f28ca56c42029438b74a5fb717289b50fe5a6373fd02b350fa577c21b8652a

SHA512
ab279704c785cb18e50c5931089451934a65a5decd3fefb1a3ed347b265b11009a2c8872e65ce8102bdc7784c08fde5a42f28bf7f5dc495ec63155374823ec39

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
237KB

MD5
e2ac4d8951549dc462385550becc1ef0

SHA1
e4154527bcfb7de706b0ab8d9993ae675d6c7288

SHA256
f4aef224891362c5c4e5452615de2c8b6fdec55174eda25ec10654593691b914

SHA512
1f77244d9bbde4ff181e487ff23ef0ec32a9327e7171167c341e46364824a9e6aba2f8b2e125f0b2e2920cad2dc66709c064b3ee7bb902b1ef57bc26ac021147

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
237KB

MD5
3637cea679f218a7b3d5cc0035176cb3

SHA1
e9fa26a098e6dcddfa3c0d542c4a8296f1e5e318

SHA256
017669148ab22e2759797ee80a1ae5879a248038aba228a540d7107255a686ad

SHA512
98fda0bbf10783df3f122e6af966ebd00a4ac470427b99064bca7fac53484482f88b6d12142c876d3911358cdaa514bc240b1f283d19782d0ff53f70b43e3a52

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
237KB

MD5
f6225c0cde3527109c250f42429d55c5

SHA1
704cf94f13b7a35cdb486b91515e9a52bf4059b8

SHA256
f12d7bbc2163b1bdaf4d90eb67b4095de6e58a027b9503ef1d70676a71711ef6

SHA512
afffcedd17beaa60ac662d1eee538537693d8a9d6d9b7985cd01cf4a03ef2683aed2a89da65f5cc299c4d249eddb7f858a78b514b3ed6cca07d129e8e01bcff6

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
237KB

MD5
dca372bd17387ec1f110c6cab4f9421b

SHA1
5f453471b390d01ba070007a90ab1cedf64d3ab2

SHA256
a6dc46b7ab040e3f18449c2e866e664af60b8e2cb8fa506fc753817e7288b35c

SHA512
aeb77c8d4fd30f9f12e9f5e6ebad78c75c88df976252ced78e8ac5333c0d6b3efd12a189c064e707bea17b3624ccc480d84762cf91af5c57430ad12176e4fec0

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
237KB

MD5
015b1b5929d845bc3589a7ba2a7a98b5

SHA1
163c8618850fa7ddb1fac2d9f6ed8364fd47f672

SHA256
7d94dec56fba19be0b1b803d29556557d52ef5682d4b7e08a55befb822ca5763

SHA512
01ec9bd286b24ce242ebc5c1c9bb3e229c009fe5dd1de7270e9c60d76b328ce8b519f88aff79df59cd3a0fe56dbfcf9c74c5292ae24eabce40c5b816b59f6154

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
237KB

MD5
7936ba3b558beefc4762b2c61730bcb0

SHA1
77a3639cf04319a8f5c745a67cbb398ea7cbb0e8

SHA256
996d10b5bac44fa0918ab009da40207b5afd535a01a691b96671d6219c2d5600

SHA512
a0404beb426efaca3501a26f0a13aa249e863154ce7d5d719238c1fd326e5ec60b516288bdfa4e3cb658a9786cb758991a0c50b0749f37d001ddb6ba1609abf3

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
237KB

MD5
bdafbe22e268d2d54dffc2a68a6d87ff

SHA1
453714b2cb191208166dd40a33dfd6ed5c68b2b7

SHA256
0d5815716f37ea2c9f8dcfa2b5148b27cd482a80035a67c27c8b6e56f097143c

SHA512
6b3a7f1b9c7ff5b8f1ba226a7e02c884946e38277896faa703a6753cb8e5ea0241147f2a48f0d70244a911bb01276a700be6f9b9b69a134f5cd5b9527fb93cf0

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
237KB

MD5
84c48afee4935b047c3c3063ded5a3ef

SHA1
c69edda5e29ae00759c05856d82c0a62e3d194bd

SHA256
6d2a43416d77c819b17af6f3e4a7cb351c86225f1bb24e34e82acb34024f2af1

SHA512
525b558f3f30985a3dcceb9c6dd041d3e0522f1e48c127ee4030cdb53c8ee4369db424fe3cf602cb5ee5507149261a2f0148f6281d558b53e27a25e5ea24912a

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
237KB

MD5
f4121b98d69495a3cdfdf73e1bde1842

SHA1
61ccac11ac1f41a8098e1301857b10ec9d2a650e

SHA256
523e2ab6af8f88a1ba9b08a933ee2659968ea0a21d645a429a5df5e86f43603f

SHA512
50e08cc214ca5404dfeb887196d055e555b9aa4de6f6f8196495223e4870b8ede696066b80babba7fa090016fb6ad0a7ea2322ff92ecf99d11f4d07c69822bf4

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
237KB

MD5
864e4b19b6a34d79012783aeeea894ad

SHA1
f6cbdc040eeeb317ecbdde7b0eb75e913afebef1

SHA256
c55a170dcb4174269569a6a088f13391ff9a980ffddddad5060f1bdd0f9d0f55

SHA512
7c5769ac7ba9dadda47756f984ad57eb071545d1b2b0b589f78209cc666d3cde37e62c7b753974af3779138d94b2e2c84dd99380bc93ce2b27753c53d0be6b6b

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
237KB

MD5
1282e2cef154c6d566e663c280801d10

SHA1
a66999d8e5f82a4c7ec4200c1a198e47d079a5c5

SHA256
29809a34d4de3ba85cbd9077f8fd712f7b812e18d751b31d01448bf924043038

SHA512
3c68ed703d08fbf3b88393bce69f8b553ca69a12af6210029b0fe664da57975dd0dbac03c692242a80d2827126b3a182c12e8c147a521c25fdb15c25cffa74cd

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
237KB

MD5
78266a0baee303fa0b7569046a5e5aa8

SHA1
db73af8aa1e6884a6e46f4362cfd910432d8dac1

SHA256
7a5f81ca291fc4deb2efd882de50d40d75396d3c993ed1aaaf929db6a0288452

SHA512
6465f31add8dacb3a13f7aa449081d4940f95547dbb42dabd3b115abd11fdee8cce8ac5168f5e0d288c54bb9c2017aa566c6efcb1fda5a985ec41f830f9f896d

Download Submit
memory/320-396-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/320-397-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/320-207-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/372-303-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/372-372-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/892-413-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/892-163-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1292-272-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1292-382-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1308-286-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1308-375-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1436-304-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1436-370-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1604-172-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1604-407-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1696-392-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1696-226-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1768-200-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1768-400-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1920-443-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1920-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1948-355-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1948-346-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2060-428-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2060-92-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2080-408-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2080-184-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2280-447-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2280-55-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2316-377-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2316-280-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2396-448-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2396-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2484-432-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2484-72-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2604-23-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2604-442-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2604-445-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2676-135-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2676-416-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2724-352-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2724-356-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2776-32-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2836-256-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2836-385-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2880-262-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2880-388-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2908-112-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2908-422-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3056-232-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3056-395-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3208-362-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3208-328-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3224-40-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3224-440-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3252-334-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3252-361-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3284-393-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3284-239-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3372-179-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3372-405-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3416-414-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3416-144-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3504-420-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3504-120-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3600-310-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3600-369-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3632-378-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3632-292-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3788-399-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3788-216-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3820-434-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3820-64-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3824-192-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3824-402-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4292-344-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4292-358-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4448-326-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4448-364-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4468-250-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4468-387-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4504-152-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4504-411-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4576-380-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4576-278-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4632-8-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4740-316-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4740-366-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4760-52-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4760-437-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4844-127-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4844-419-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4956-80-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4956-430-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5100-100-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5100-426-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5112-103-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5112-424-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads