cca3a65876ae466e33bfb1a50dbd2ae1936778df3eb1e705c382612bd3ceb642

Analysis

max time kernel
92s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74b4aa44c68be06c36a4935578b71391_NEIKI.exe
Size

290KB
MD5

74b4aa44c68be06c36a4935578b71391
SHA1

33dec1b16a2ed6be063112bfbc7e42d0cdc56640
SHA256

cca3a65876ae466e33bfb1a50dbd2ae1936778df3eb1e705c382612bd3ceb642
SHA512

1265a100f8416edd760b809ec2354217c485ccb802c2a8377d570d2009410e3bbe2bb855fe6598b4bf09651f6005584240cc69abd69d8ea519ba2a3df6d12be2
SSDEEP

6144:BQZWKC4K+wxnEgHhkwmjEUmKyIxLDXXoq9FJZCUmKyIxL:9KC43wxnEgBTF32XXf9Do3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	74b4aa44c68be06c36a4935578b71391_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	74b4aa44c68be06c36a4935578b71391_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe

Executes dropped EXE 43 IoCs

pid	Process
3332	Jdemhe32.exe
4328	Jibeql32.exe
912	Jbkjjblm.exe
884	Jidbflcj.exe
3484	Jpojcf32.exe
4044	Jbmfoa32.exe
1624	Jpaghf32.exe
4444	Jfkoeppq.exe
3100	Kdopod32.exe
1464	Kkihknfg.exe
2232	Kpepcedo.exe
1612	Kbdmpqcb.exe
1568	Kkkdan32.exe
3160	Kgbefoji.exe
1940	Kpjjod32.exe
2008	Kkpnlm32.exe
2536	Kpmfddnf.exe
632	Kkbkamnl.exe
4528	Lpocjdld.exe
1156	Liggbi32.exe
1056	Lpappc32.exe
1400	Lijdhiaa.exe
2532	Ldohebqh.exe
4688	Ldaeka32.exe
3120	Lnjjdgee.exe
3904	Lcgblncm.exe
4188	Mahbje32.exe
1828	Mgekbljc.exe
2140	Mpmokb32.exe
1364	Mkbchk32.exe
3620	Mdkhapfj.exe
1304	Mncmjfmk.exe
4292	Mjjmog32.exe
2152	Mcbahlip.exe
940	Njljefql.exe
2948	Nklfoi32.exe
4460	Nafokcol.exe
2104	Ngcgcjnc.exe
1472	Nnmopdep.exe
4304	Ngedij32.exe
4356	Njcpee32.exe
1440	Nnolfdcn.exe
4372	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jdemhe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3716	4372	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	74b4aa44c68be06c36a4935578b71391_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	74b4aa44c68be06c36a4935578b71391_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	74b4aa44c68be06c36a4935578b71391_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3332	2332	74b4aa44c68be06c36a4935578b71391_NEIKI.exe	81
PID 2332 wrote to memory of 3332	2332	74b4aa44c68be06c36a4935578b71391_NEIKI.exe	81
PID 2332 wrote to memory of 3332	2332	74b4aa44c68be06c36a4935578b71391_NEIKI.exe	81
PID 3332 wrote to memory of 4328	3332	Jdemhe32.exe	82
PID 3332 wrote to memory of 4328	3332	Jdemhe32.exe	82
PID 3332 wrote to memory of 4328	3332	Jdemhe32.exe	82
PID 4328 wrote to memory of 912	4328	Jibeql32.exe	84
PID 4328 wrote to memory of 912	4328	Jibeql32.exe	84
PID 4328 wrote to memory of 912	4328	Jibeql32.exe	84
PID 912 wrote to memory of 884	912	Jbkjjblm.exe	85
PID 912 wrote to memory of 884	912	Jbkjjblm.exe	85
PID 912 wrote to memory of 884	912	Jbkjjblm.exe	85
PID 884 wrote to memory of 3484	884	Jidbflcj.exe	86
PID 884 wrote to memory of 3484	884	Jidbflcj.exe	86
PID 884 wrote to memory of 3484	884	Jidbflcj.exe	86
PID 3484 wrote to memory of 4044	3484	Jpojcf32.exe	87
PID 3484 wrote to memory of 4044	3484	Jpojcf32.exe	87
PID 3484 wrote to memory of 4044	3484	Jpojcf32.exe	87
PID 4044 wrote to memory of 1624	4044	Jbmfoa32.exe	88
PID 4044 wrote to memory of 1624	4044	Jbmfoa32.exe	88
PID 4044 wrote to memory of 1624	4044	Jbmfoa32.exe	88
PID 1624 wrote to memory of 4444	1624	Jpaghf32.exe	90
PID 1624 wrote to memory of 4444	1624	Jpaghf32.exe	90
PID 1624 wrote to memory of 4444	1624	Jpaghf32.exe	90
PID 4444 wrote to memory of 3100	4444	Jfkoeppq.exe	91
PID 4444 wrote to memory of 3100	4444	Jfkoeppq.exe	91
PID 4444 wrote to memory of 3100	4444	Jfkoeppq.exe	91
PID 3100 wrote to memory of 1464	3100	Kdopod32.exe	92
PID 3100 wrote to memory of 1464	3100	Kdopod32.exe	92
PID 3100 wrote to memory of 1464	3100	Kdopod32.exe	92
PID 1464 wrote to memory of 2232	1464	Kkihknfg.exe	93
PID 1464 wrote to memory of 2232	1464	Kkihknfg.exe	93
PID 1464 wrote to memory of 2232	1464	Kkihknfg.exe	93
PID 2232 wrote to memory of 1612	2232	Kpepcedo.exe	95
PID 2232 wrote to memory of 1612	2232	Kpepcedo.exe	95
PID 2232 wrote to memory of 1612	2232	Kpepcedo.exe	95
PID 1612 wrote to memory of 1568	1612	Kbdmpqcb.exe	96
PID 1612 wrote to memory of 1568	1612	Kbdmpqcb.exe	96
PID 1612 wrote to memory of 1568	1612	Kbdmpqcb.exe	96
PID 1568 wrote to memory of 3160	1568	Kkkdan32.exe	97
PID 1568 wrote to memory of 3160	1568	Kkkdan32.exe	97
PID 1568 wrote to memory of 3160	1568	Kkkdan32.exe	97
PID 3160 wrote to memory of 1940	3160	Kgbefoji.exe	98
PID 3160 wrote to memory of 1940	3160	Kgbefoji.exe	98
PID 3160 wrote to memory of 1940	3160	Kgbefoji.exe	98
PID 1940 wrote to memory of 2008	1940	Kpjjod32.exe	99
PID 1940 wrote to memory of 2008	1940	Kpjjod32.exe	99
PID 1940 wrote to memory of 2008	1940	Kpjjod32.exe	99
PID 2008 wrote to memory of 2536	2008	Kkpnlm32.exe	100
PID 2008 wrote to memory of 2536	2008	Kkpnlm32.exe	100
PID 2008 wrote to memory of 2536	2008	Kkpnlm32.exe	100
PID 2536 wrote to memory of 632	2536	Kpmfddnf.exe	101
PID 2536 wrote to memory of 632	2536	Kpmfddnf.exe	101
PID 2536 wrote to memory of 632	2536	Kpmfddnf.exe	101
PID 632 wrote to memory of 4528	632	Kkbkamnl.exe	102
PID 632 wrote to memory of 4528	632	Kkbkamnl.exe	102
PID 632 wrote to memory of 4528	632	Kkbkamnl.exe	102
PID 4528 wrote to memory of 1156	4528	Lpocjdld.exe	103
PID 4528 wrote to memory of 1156	4528	Lpocjdld.exe	103
PID 4528 wrote to memory of 1156	4528	Lpocjdld.exe	103
PID 1156 wrote to memory of 1056	1156	Liggbi32.exe	104
PID 1156 wrote to memory of 1056	1156	Liggbi32.exe	104
PID 1156 wrote to memory of 1056	1156	Liggbi32.exe	104
PID 1056 wrote to memory of 1400	1056	Lpappc32.exe	105

C:\Users\Admin\AppData\Local\Temp\74b4aa44c68be06c36a4935578b71391_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\74b4aa44c68be06c36a4935578b71391_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\Jdemhe32.exe
  C:\Windows\system32\Jdemhe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\Jibeql32.exe
    C:\Windows\system32\Jibeql32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\SysWOW64\Jbkjjblm.exe
      C:\Windows\system32\Jbkjjblm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        44⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 412
        45⤵
        Program crash
        
        PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4372 -ip 4372
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbkmec32.dll

Filesize
7KB

MD5
b9a9a56f8eee5f527ec54ff8af01f3e9

SHA1
3fe862ac38231c20b7fb743014fcf848ec2217ff

SHA256
c0f93a9aa784a7a20c300bda107fdaf0df5273ad4ab23618e65ee3b553d99f55

SHA512
4b007c1c234b7cb1a0232bd2d9103bdeaa483cba85fa6246190efb2644c85e77055e08f9acf6cc8e96c0e0a2ec15eb0dfd5cc83f997491009de8e8dcee160905

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
290KB

MD5
5b854fc30475fb44bc31ad57be165315

SHA1
6dcd393f9ec44644ec412d90999a547254e6dce2

SHA256
0a765c421512f24e3d3cce4eb23a2ec69bd14a9cde30f45d4df3743d83316e6e

SHA512
81a8c8a533940d150f88bd9f3be4cf2ca9e548b3c2beed281d6663761994b69b20ce96aea87532ece0a437ef711bfbb09e264a2ac0be4113dc0593efae69e1de

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
290KB

MD5
7d848905ef61fea2a867693b27aada96

SHA1
b92d2b78cc6c466324563948f4effd8a5244d883

SHA256
8530c440588f5ee59cf35f4fa54e4cefdd042ca16ffab745ed141cc2231d731d

SHA512
251ac92534a78642c9cb4498c6e805d2547fdb2516e3b24f57716007b4933f339904c55006d77b5a05741abe5b78dab2920f1bae4c08cf2d9bc9bafc5119637b

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
290KB

MD5
5724e055ed19391b5b2f7959a4faf83c

SHA1
61e163dbe1b50e38d9599acc7cc86a92249cca87

SHA256
024a0761fb5228827cba31790ebc28b2a4bcccf0ccc854b855a4e28b530948ec

SHA512
5e776d8132c3c8fb362311ec8cd1b5d07e9eeb41bfb0507e00b9406563860153908201e5e5e515f3d6844b04e1d770fa58abcbee5208d15595a51a912cecf3c4

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
290KB

MD5
fbdcc3b3fe3094d882419e9c663af199

SHA1
3146575a1f7d6f0b97437b1370a9bfc7c87068f0

SHA256
ff02948cf3edb2fdc9e7f6fd0188dde969a589181bd52fb4fe4764e13d884642

SHA512
ff359930b5bb039840d31b7c55a660cb2f25c81aaafaae4e837f7287df4efb24e2d390d058f0379a4d99386d4b0e5b2f476ea223f8764e4b4c9032ce99f17809

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
290KB

MD5
42bc8db99aec6c2bffac96871b2df96c

SHA1
0998ef85a815587538bfc51c59456e34eb3f15a8

SHA256
759a92f473de8a101477cc4b03ec9b909efff058f7d01aa9e72f8fd82cb8dff2

SHA512
30359032e769a8214e3e8a65546067d603e8190bc09a208223ede00275deabec6f1b36898b25bac53a72cb4e12591eb7781ba73fdb215c3f14390bc28f119dd2

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
290KB

MD5
f1632ad39caa44303b321adeb69e17ca

SHA1
6c82516fe5e26e94e4e4ecd524d13ed0a3e577d5

SHA256
7337ca8dcef2d82e3d01671a7e6569970b4fa79308bfab1ebf57ed5efea92875

SHA512
73bcca4cc81f1cf4af7386084aaa84d47deca3828fc10bb179db8c9de512f5dffc782ee5e72c4066ad438300ca830131869711413c4a305f2b5d44e9c04a113c

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
290KB

MD5
61874823253bfed366cac146daad5f41

SHA1
56760a3087a3611b6a24b7165e8e83d6cf07d3b6

SHA256
0595a0cd53f3eac3ef3a6eaf4e22f3a94935ad5686e8ee664c6a31302f224808

SHA512
a8e8042e20de51652c076ff3a17c4352c5ca3765d0b6ffac0b85f9cceef2aa3c4a741ed33e256efcf75597be68240492feaab011cedfac83290d662c1e3c5b03

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
290KB

MD5
37c5d63440c748cff4c882f17836f74a

SHA1
5a304675415bc54cefbb329f6e5ab948f7b24e8a

SHA256
03d90d635887de09138cc83061c1e11987af421a0329fb25b66aade738719bff

SHA512
c86beb8de2c59b32943b0847b01c5d7a86a0dafd4396c85ac3b6715a91bf051904f2fae71501ede3554c7e289cd74cc3fc12568e3dfa6c95966e37b31c820651

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
290KB

MD5
82a7e1bc98a24c1bc9153b26d373fe51

SHA1
f33f7c7603635508585da49eae03884ad8862b2c

SHA256
1c2a9ca454ef148590125ab97ffc40d7fecb50471547b07d4db3efb7071fdb4d

SHA512
28775254eb7ba122d8363ac330c8f5939ac466b2ad084b8ddd377778d6cbd974236ad71a833ff15e6848b11eeedd135a27c0f35a2060a9da450f4333b03efa99

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
290KB

MD5
4e4da54c7fcff9239b1889bfb321b1a7

SHA1
2ef90082e41fb0bca00ff47fb372fcaeb9d44a99

SHA256
4b3e98436c9807a6b031d4981940c939caf399f35ac1a58494eedb3aea942a6c

SHA512
15302970857d3ff78218f008bc2b847851cef595400c66ed7a4107886c822901b0fbb77507b7a55dfbbbec089ef0060cefd69088cc579d0145859be82997e1fa

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
290KB

MD5
8fb4e87fc11bca7a44a8a9437e8450f8

SHA1
a061d3ebd6e035ef70c31548ce7d1d658aaa5d2f

SHA256
69089c356b3a6dd66f014f86a887e6e095c2fc045bab13137210df974be5c493

SHA512
52dc5d952749989ff24f2e797b5b94bcedbf0fb4bc1a05be33f3252e99ba11bb22d27bb3c56543c01a44059e58c01f6393badfacf262d97438308e6e4a6fa3d4

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
290KB

MD5
21e6deaa083856290972d6069e1bcd20

SHA1
0a5307c70ead263a31355530feaea206b43d965b

SHA256
63f4c366ac7a0b9175b1c947691b091d477bf620c62c9358723679feed8974bd

SHA512
a591a97128b1dffcc86a6fd159b8adf32ea4d090fc44f18298b399cefdbad6226a0fcf4a22a9abbc3c6b3525a9a961f58accbc1b8e7814b694e5bf089c74e4af

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
290KB

MD5
a1cae9f451d92af1f30d686a9c6a38b3

SHA1
7aac1c8214b6ef47a97fc400970153ba14bf79e4

SHA256
9184dd10d9215a5cef2ec1884b8c8d24091124e900e14f4b8e890d3e5ad100b8

SHA512
d49d86d4336ccfae6cbc447c592acfe955e89e1bb950097b118054a30a3248f45cfdc6bb592da2db5e295b3eda232e00fc3b446a73d3eb3de69810e8a128ee47

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
290KB

MD5
0f461f31fe405486379ce219af7aa055

SHA1
224d810261219d1f76d709e98d3b3d34f87cee4f

SHA256
e0b1e11713ccf56979b2dc806e270bd973698b8689425343ec7d5810da4e0c2f

SHA512
0f0d2c0a5d477530ffd12047a1f1427031a54df8d3c1c11263463a2f5077cd2de69132528106e28cdb061d7dfd011fcd43b7534284f413df65b849568f4c47e2

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
290KB

MD5
9543a2e635b8e58bfd366c10c420913b

SHA1
f53ec1f65911bc6500fce8f000c6fc457944a2f7

SHA256
2681995632003ce46004b1fe9b9bb2f265babdc1481f9a4ef429bcf659c808d2

SHA512
f79c2c967931a6a2f9f4c6bf1a9e86cff8de1057a4fb62ed040090aecd98cda27f9be090085c5fd5a50c4ac86a587d16a9ee7499b710770ca308929f0c5a78e1

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
290KB

MD5
aaf6b2b443bc6788b2275b6331bd201e

SHA1
836852826b4ec5d2f553f41f50aed5322418e447

SHA256
70d2b0810262e5829610b72eb89f9ab967352dd988dd4ee13a5312a86bb57257

SHA512
e6c96e2401761cd2ec361ca8d0a685674fa42aec2817f955db363cf6a4c94a5988ccd3f0854e8893fedf3761d2906013ee5aafb28fd29d0fc672c301a92eae5e

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
290KB

MD5
39bce78554f55716195413616b0caebb

SHA1
2fb72dc58b4fcdae2b0d41693519c08c629a0672

SHA256
112e58634f8d11e021d1a959c0d348ad130f52c539eb1c4a9a4f84cfff547898

SHA512
565bb5bbd6c512c51ea9d46d371f5a378b4e88bbf7534ce9bb6595fa078421735cf8fc344ba2a89be020e7e0a6b56076f5fcd689435456d7d81ea4545eae5db0

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
290KB

MD5
bc14cfb78f8082be359a4d5af69d3000

SHA1
75a0312fe61ef0519cb8b91fe71afc10919134c4

SHA256
3cbf331d654539b51bbb84131dd0d734d126799100d5e70612fb23d55d869aaf

SHA512
e5c13dcf4bc714593da02c560fad9af725d3aed8e0cf3ab338d61d3ade8c3630a928d1759966ac370b01c7a3f78c4750a0be257de8221cc4cdc4b2105d1b370d

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
290KB

MD5
d44689b3ff8304772abbfcbedf935662

SHA1
a59e9b8159b0cbfd83f6c93b3e639d2db7be3138

SHA256
d864da58e40d43d4a5dc5759ac176716cc62063a2aa8f65bb2a31454ee3b263c

SHA512
002211ff1ec51cc86a41a3321a467d59dd7ac51b0cb22d079cc3584e9ee3205ec6e5a8786c25c43ce683ff1d99bad52422c225d84da9f90bcff3611656f5cd1e

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
290KB

MD5
53ea68eda8df5b782c5f09cbf6f8da4d

SHA1
19bde050ad461d46cdb5a9b84b0dc61b72f76d84

SHA256
6026d4dc6206294aeafaca9e7c9e90f872cea7a60f2dc840a1f3a473b509e333

SHA512
75c8ea4d0edd8cc950fbe48e743610277937e7fcfb26a488bd4266360549ccdfc21a88762226e6a1a53573db175f533c8ff2467a83f2222d5835442d673c5bd0

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
290KB

MD5
d85437dee49bcb7d20e6cf1ca6f4437b

SHA1
bde2003b8cee9e3158c1cf5853b9612a947ca4c1

SHA256
fc7a931201cd6cc46cc5133e7c03471fb8775b639ae348b7deb835a90c9e07d4

SHA512
3416b81069339a6252dfb58c7dca44aae9f0ca8b96c2d22e0c09054e6a736c322c707dfd2c9417ff08b7de741d9d9bda978208dd56c61341f62e60fce804c939

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
290KB

MD5
99b7d07d99f017acc5712dd7dae14f15

SHA1
d5dfc8f6ef5d9e9327c2e1518adc533cb24eff4c

SHA256
5e73d2449e4a58abf7aa5826f8a7ef64bcfcee3eecfaee9a95bebd07528ce9c3

SHA512
9830b3eed081f0063f874108fbbc7466bbacf639198270cbaab64ad21dd8c6f66fba9004f847321f0530b654b5ee10875f35fc9dec8879acabbc225fd46eacb1

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
290KB

MD5
e8540ec4eeb75707b2dfc17f582f86e3

SHA1
280573c63cbd2e11824b99e2b3ed79ac814041d5

SHA256
a5ed51680e305d73dc50b8cf9b95eff2876f2ab14bf54f46aed1127a677460b8

SHA512
477143c4764702abbc797b8dcf6d1ed62d6ef11c0ac6370407ef8b2d48c5ba051fb47540d7aa95602bc8a582786eae1c0b281786034d290cf949135eb157bd78

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
290KB

MD5
8990119ae251e718e660974399643676

SHA1
cb38321718092270012e58b20a75202ed0d7d5d9

SHA256
e250ae30094cf20fbee756db4636f0503eab495edc73c10330e63c3694bb18fd

SHA512
4bdd11a78c73db0f8b21a34e82ea44bc8cca66085820a5bc720d606acd2d5bea71c7ea24f3b204e241141822d400a2a66422d855a6f596b00af48313f3bd8726

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
290KB

MD5
4907efac5770c4310e6aece53cd65333

SHA1
6ce512dc31e21dbcefe9eff5d495f5224cc87f8c

SHA256
12640414c08db661304abbb40b5b867fe784afc84657580cfdd8799e24591952

SHA512
854ef06505a6c5f4eb0dd86a0972626e6d27c1e3316d2bc0a2281bad94d66bf5859d5cff20dddc1a736bc361f3ce49e347dba64e9bb0759063af75daac66590f

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
290KB

MD5
960dc4d953333e9cedc9f23f2ca9e6ce

SHA1
694e2d26b156c81f7e0a29042cbfaae4e2a03cc8

SHA256
185610c0d95501944b9dad7acbdfbc34b85d25432e72bd38ceb322b160f196e2

SHA512
711c7fe4e5f39ab3f9685717bcda8ff083d5b5070d0650019c7715df771af19d29b8119d35d56e8a3a1881916e5c1f9ade7b4889a1d4cdb80da24620bf24b9d0

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
290KB

MD5
4aad0918d2a20a92491ccf81f118fe48

SHA1
53d1cf6deab90266a963389da2ec664fdc4490e0

SHA256
f78bbaa1be5c380be84d4e65bc846e295ca6fcda008ba03682b73c6f433c5cca

SHA512
8c79eeb63e193ad68e920db0f40e76480a1d13ec8ea264a982455f4f80b6d98eb4f7476993c90b199d404485b00a7ef89a6a5778ca9a596c0300cb3b139185e9

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
290KB

MD5
0322cbfe817d14df3abaf91ea29b7329

SHA1
08ac164954fd08421ea4a048d6f89e13bd4eff5a

SHA256
e4b24df879a87b804fbfd36dabcd4ec4ecf9590fde8019aed22139d1591cb803

SHA512
a90207446d0a83bf2a2852c057b35667104852ff7b90eb62bf479b3061196f0ad8f7b79c1174b0e7a277ccddc931724fd92ebf9a8871f9101e7aeba8de29a16f

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
290KB

MD5
b281d596c5b623134509e7506ecf71ef

SHA1
91190cf3d8fb3eb2e08cc99c74120e28467873d2

SHA256
b76a75008830decabed39727268c4cc1733f3cb08ae6b82cad8514bc5fc96830

SHA512
0efb15854a993efacee7864bef44e9f30ad57c29bfa76cb70de1cb28f8efc8f5632cc08a80e6e1396dd25bc1514c36abbcdd5d9156bd3dd90f33e3c9e771def8

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
290KB

MD5
66dc84d098c1efa5fb68352606e12f0f

SHA1
ffa33b7273f22d6e2023eb9fae0bea9c5c182681

SHA256
07bcc9a6800c3e6e56d9ee91f53a559413b492bfb2fc57f387bacd6ea7c40f1c

SHA512
e334bbe96a9e9e4a42f98f5c1e5595345a1416fe62f5e3f4eb5cafa5d15c6fbd3baf3f414321a1652c31d6091de349aac462b51bbe9647c16856aae50c8394ce

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
290KB

MD5
f91be8bd0daf1c180a3689c88602a769

SHA1
37c1ed02ade93db1f2462f888811592f776ea18f

SHA256
e9780a8c7147cc186c77a641cc13a7c4c1b1b2549c28144e92ce87e134c9d6e3

SHA512
741b18938650203af8c1c37cbe8c7537f426cee37eb41dac167738bee20570d95b4907f1b47b3ef58b7caf07f9fc54fadb3cdf3b614d0d798e3f95929a4674c8

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
290KB

MD5
291021d5468f2f731ad0887c2dfa2cf5

SHA1
0d780d1fd80e9abb2b70f22ec6c4abc7cad31d03

SHA256
7d5a3f2538b4860a9347c088f5d5390e45ded13373c9183d794b797dcfcf8789

SHA512
19ad2f74eee29506d7939927584451615da6399942b53639bb3698fb6be9684d434d8770d3fc5eadd721769a038a685511440577817178bc7c10dd702768faca

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
290KB

MD5
1df9f06b90f04203582da2115308b543

SHA1
fa3adc5d8e6ae218016af1befd34422b19d98895

SHA256
4f1eb01f569a57a8fc4f2edfaa904de05b597391b4647bf5b5ef3423dc9566ed

SHA512
46c42dc3e49b6a850da02cf2e84b6d6bf64a2cbb6b92e9262a638a9d6c1c900ae139d07e01744a1366d9b8a768d39c238e4b85bb01a7b76ec203541fbbaa3eb0

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
290KB

MD5
5877bef53483473a160ee77cf899330b

SHA1
7eb3816d718185e78cd9168845bbb1cc4f3c58a0

SHA256
ee72be9f58596f21a055df1bb0b2f6b384e6baa00faec0218aba79ea62e1e899

SHA512
a95c5caaae1be01403979edf14133e2a505c63bc9d5e99649b87c19ac66d3ad9f8a161b134fb3f5d6e20c184d3b370259a00beace2ddec87487b4d96d88244f5

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
290KB

MD5
7cfb8c407ce5cf764c4f2cee8208bb7a

SHA1
cfe4f9bf91592ae07ddeb70281ffac603a727a55

SHA256
302cebb9db3fe0e379c68cb08b864da7c7d406b45acdf89cdcb98417bfd4454f

SHA512
c45fc7914dad05de0c788a798c0fbc777989266e6b774c0f7da835cf1d5a9170a6368f7d1d60a47338daaa16a1e97309fc7907d0cbd65b07cdf8c1ca96d32bbe

Download Submit
memory/632-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads