45635b1312a01966734198e18a450aa6df05c7fa699c5e987f3d8b74b8d922af

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae2c91d72ba509b40087197762bc8c60_NeikiAnalytics.exe
Size

89KB
MD5

ae2c91d72ba509b40087197762bc8c60
SHA1

ab20f89c854e49fec3dce81733d914502e1238aa
SHA256

45635b1312a01966734198e18a450aa6df05c7fa699c5e987f3d8b74b8d922af
SHA512

29589f8cf713d032b4945be05f11bbded8eda9090aa6117266c0ad316347cefee946699c7ca50a292c2efa84fddb52e31818ee0638ab34c2b0847514c13d722a
SSDEEP

1536:SEMvG6JMyuxxast3fBgjbUM5tj31npXN8NvY8xLcmlExkg8Fk:SEM7ayuxxaAvBGUon4A8pcmlakgwk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ae2c91d72ba509b40087197762bc8c60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe

Executes dropped EXE 54 IoCs

pid	Process
1716	Jfhbppbc.exe
1604	Jmbklj32.exe
5064	Jbocea32.exe
2076	Jiikak32.exe
4896	Kpccnefa.exe
848	Kbapjafe.exe
944	Kilhgk32.exe
3628	Kacphh32.exe
2224	Kgphpo32.exe
1720	Kmjqmi32.exe
5084	Kdcijcke.exe
3028	Kknafn32.exe
2352	Kpjjod32.exe
5012	Kcifkp32.exe
4552	Kkpnlm32.exe
4636	Kajfig32.exe
2392	Kgfoan32.exe
3476	Lpocjdld.exe
856	Lgikfn32.exe
3748	Liggbi32.exe
528	Ldmlpbbj.exe
4980	Lgkhlnbn.exe
4864	Lijdhiaa.exe
4712	Lpcmec32.exe
2812	Lkiqbl32.exe
1464	Lnhmng32.exe
896	Lcdegnep.exe
4004	Ljnnch32.exe
212	Lgbnmm32.exe
4284	Mpkbebbf.exe
5048	Mciobn32.exe
720	Mjcgohig.exe
2536	Majopeii.exe
1380	Mdiklqhm.exe
524	Mkbchk32.exe
1948	Mnapdf32.exe
2912	Mdkhapfj.exe
2296	Mkepnjng.exe
4276	Mncmjfmk.exe
2668	Mcpebmkb.exe
1828	Maaepd32.exe
4720	Mgnnhk32.exe
4464	Njljefql.exe
716	Nqfbaq32.exe
2984	Ngpjnkpf.exe
3244	Nnjbke32.exe
3808	Ncgkcl32.exe
4884	Nkncdifl.exe
3312	Nbhkac32.exe
2824	Ndghmo32.exe
2684	Ngedij32.exe
1440	Nbkhfc32.exe
2216	Ndidbn32.exe
3760	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1504	3760	WerFault.exe	139

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ae2c91d72ba509b40087197762bc8c60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ae2c91d72ba509b40087197762bc8c60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 1716	3888	ae2c91d72ba509b40087197762bc8c60_NeikiAnalytics.exe	83
PID 3888 wrote to memory of 1716	3888	ae2c91d72ba509b40087197762bc8c60_NeikiAnalytics.exe	83
PID 3888 wrote to memory of 1716	3888	ae2c91d72ba509b40087197762bc8c60_NeikiAnalytics.exe	83
PID 1716 wrote to memory of 1604	1716	Jfhbppbc.exe	84
PID 1716 wrote to memory of 1604	1716	Jfhbppbc.exe	84
PID 1716 wrote to memory of 1604	1716	Jfhbppbc.exe	84
PID 1604 wrote to memory of 5064	1604	Jmbklj32.exe	85
PID 1604 wrote to memory of 5064	1604	Jmbklj32.exe	85
PID 1604 wrote to memory of 5064	1604	Jmbklj32.exe	85
PID 5064 wrote to memory of 2076	5064	Jbocea32.exe	86
PID 5064 wrote to memory of 2076	5064	Jbocea32.exe	86
PID 5064 wrote to memory of 2076	5064	Jbocea32.exe	86
PID 2076 wrote to memory of 4896	2076	Jiikak32.exe	87
PID 2076 wrote to memory of 4896	2076	Jiikak32.exe	87
PID 2076 wrote to memory of 4896	2076	Jiikak32.exe	87
PID 4896 wrote to memory of 848	4896	Kpccnefa.exe	88
PID 4896 wrote to memory of 848	4896	Kpccnefa.exe	88
PID 4896 wrote to memory of 848	4896	Kpccnefa.exe	88
PID 848 wrote to memory of 944	848	Kbapjafe.exe	89
PID 848 wrote to memory of 944	848	Kbapjafe.exe	89
PID 848 wrote to memory of 944	848	Kbapjafe.exe	89
PID 944 wrote to memory of 3628	944	Kilhgk32.exe	90
PID 944 wrote to memory of 3628	944	Kilhgk32.exe	90
PID 944 wrote to memory of 3628	944	Kilhgk32.exe	90
PID 3628 wrote to memory of 2224	3628	Kacphh32.exe	91
PID 3628 wrote to memory of 2224	3628	Kacphh32.exe	91
PID 3628 wrote to memory of 2224	3628	Kacphh32.exe	91
PID 2224 wrote to memory of 1720	2224	Kgphpo32.exe	92
PID 2224 wrote to memory of 1720	2224	Kgphpo32.exe	92
PID 2224 wrote to memory of 1720	2224	Kgphpo32.exe	92
PID 1720 wrote to memory of 5084	1720	Kmjqmi32.exe	93
PID 1720 wrote to memory of 5084	1720	Kmjqmi32.exe	93
PID 1720 wrote to memory of 5084	1720	Kmjqmi32.exe	93
PID 5084 wrote to memory of 3028	5084	Kdcijcke.exe	94
PID 5084 wrote to memory of 3028	5084	Kdcijcke.exe	94
PID 5084 wrote to memory of 3028	5084	Kdcijcke.exe	94
PID 3028 wrote to memory of 2352	3028	Kknafn32.exe	95
PID 3028 wrote to memory of 2352	3028	Kknafn32.exe	95
PID 3028 wrote to memory of 2352	3028	Kknafn32.exe	95
PID 2352 wrote to memory of 5012	2352	Kpjjod32.exe	96
PID 2352 wrote to memory of 5012	2352	Kpjjod32.exe	96
PID 2352 wrote to memory of 5012	2352	Kpjjod32.exe	96
PID 5012 wrote to memory of 4552	5012	Kcifkp32.exe	97
PID 5012 wrote to memory of 4552	5012	Kcifkp32.exe	97
PID 5012 wrote to memory of 4552	5012	Kcifkp32.exe	97
PID 4552 wrote to memory of 4636	4552	Kkpnlm32.exe	98
PID 4552 wrote to memory of 4636	4552	Kkpnlm32.exe	98
PID 4552 wrote to memory of 4636	4552	Kkpnlm32.exe	98
PID 4636 wrote to memory of 2392	4636	Kajfig32.exe	99
PID 4636 wrote to memory of 2392	4636	Kajfig32.exe	99
PID 4636 wrote to memory of 2392	4636	Kajfig32.exe	99
PID 2392 wrote to memory of 3476	2392	Kgfoan32.exe	100
PID 2392 wrote to memory of 3476	2392	Kgfoan32.exe	100
PID 2392 wrote to memory of 3476	2392	Kgfoan32.exe	100
PID 3476 wrote to memory of 856	3476	Lpocjdld.exe	101
PID 3476 wrote to memory of 856	3476	Lpocjdld.exe	101
PID 3476 wrote to memory of 856	3476	Lpocjdld.exe	101
PID 856 wrote to memory of 3748	856	Lgikfn32.exe	102
PID 856 wrote to memory of 3748	856	Lgikfn32.exe	102
PID 856 wrote to memory of 3748	856	Lgikfn32.exe	102
PID 3748 wrote to memory of 528	3748	Liggbi32.exe	103
PID 3748 wrote to memory of 528	3748	Liggbi32.exe	103
PID 3748 wrote to memory of 528	3748	Liggbi32.exe	103
PID 528 wrote to memory of 4980	528	Ldmlpbbj.exe	104

C:\Users\Admin\AppData\Local\Temp\ae2c91d72ba509b40087197762bc8c60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ae2c91d72ba509b40087197762bc8c60_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\SysWOW64\Jfhbppbc.exe
  C:\Windows\system32\Jfhbppbc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\Jmbklj32.exe
    C:\Windows\system32\Jmbklj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\Jbocea32.exe
      C:\Windows\system32\Jbocea32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        55⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 436
        56⤵
        Program crash
        
        PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3760 -ip 3760
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbocea32.exe

Filesize
89KB

MD5
d5701e02838ee331cde37f19242cd90e

SHA1
ae6990141162bffc18dde8e62e547de95413ef0d

SHA256
2409e975d00f8a45c64c6ffdffa60a2a9cc1bb505c84e40d27f445271df46503

SHA512
aba1106722e35eb6da542d7e5b4623a6267bed5eecc4b603c41438c44ac08a15987711e0c069f60a807a422957dfda01763df1d97a8d2feed0820eab57cd9537

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
89KB

MD5
0dfa35d7e6ed98baa64fc2aa10af4b6c

SHA1
7ce50124c7735cb649f7c333e20f235b565550d4

SHA256
a8f4c7143b2569b0a54d8fa3eaeeda694d48d40fa60d63939baad333add899fe

SHA512
1c84503c734c5aef1f31b24dee11cf38f883e51b236ef57743e71f84d81b572845060662e6c5c8f4791cdfa47878d5c0948c8769650034cf36873be547be5d63

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
89KB

MD5
9f17284bda90ccaeda90b769dd9b4562

SHA1
1464d8833e0fdb879d76ac3a250bdc13f7f5e4cb

SHA256
35f9eb617ac5698433f516a923e15dad59bbdf0c8dde4a4b8bd8e771a6d88099

SHA512
ff456d5456750c629e41849056f3507fc9669fd9672852437b8c2c2a44384239d5f0c5c6668eb743bf8bcaa7765209386009aae83924ec5ddb89c470c6104580

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
89KB

MD5
b24f968c9e9a276fe899c3379647f3e2

SHA1
9bcfcc5826b910b5f17cf0b3b167fd0b8b916a70

SHA256
c7cac2feee730b937df404119c980490f784d2591138b5562312380a008a7b00

SHA512
46a588499c20dc0e93f7c669a74ef1a58336231bab34c5f76364ca2d5f9a200b2258e3064ddb7584c82be87bda65f27be168e6951f9b83e377f417dd1539aab2

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
89KB

MD5
b3d491848ab28f943f77c498e28935b4

SHA1
4c0fc4e6323d3924b7ff5a0bb56619832d2b243e

SHA256
edce2f7ba1435d44426e4b7c467c4b86cd1ae029b7110cb1bd7ad67bdb2c2217

SHA512
324f657002b675ae68d6ea5a1692e3735503401c8e25451edf7077a339b02355c5a2b9c630940fe65b9715db34d5e8fd9b935500907ddd732891b2895e8a098d

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
89KB

MD5
0c93286e03a0dc94b687ba876af834d6

SHA1
c6520fba99c479cd574722e77ffb275f920f43be

SHA256
f239f2af41d07485eaef91214ea615779284d1f05e0a55fedc9e2bbc089c1f77

SHA512
f17f313df807c6d68ec7def188d9f9aff5c4cc3acc3471022d463fe1a63f631275b6ed5158b156229bfe02ca779d3fb939634595c5e016f95967724c7c5cb839

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
89KB

MD5
173eaa9a1a38c221537ee6d19dfcaf9a

SHA1
d4a6bc0f32895eeee6a457a57a19ca2801e04aa1

SHA256
3807f67a92d9f18b57645caba977e8d3a5add94d64d7fc35ffb96d659d5ce2d0

SHA512
bfcfbb6163050024e02e390fad4cba36bb45218829477045b12a7b5df71becd113e6fd299b7acdabb1af5016fd5dcdbb16d1399a47ffbff394ac680992aeb082

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
89KB

MD5
682090f0b5236fb4ad379d9f0ff92274

SHA1
8b38121b186bc0bdc21e115e8b45e4eb506c2fc7

SHA256
7dad942f10d80448683ef574c116795c7a92c03a31a20016c13abe27c8b6107c

SHA512
a54f92aed50ec3d1cfa1c51c4c023f694f7323a1d7d304594c5f4fd9dddcf880e7ff7ce883c33944fdae89dbd35a63af1fe1028736404a7607c7296fa8b98de3

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
89KB

MD5
d460d1b840e7c90d3f522952bffa6ad1

SHA1
51492eeb8c36485a6fd7ff7abe4e7326517fc406

SHA256
4e0dc2a47e8d1cb4afd0c2627824dd0ee00ac4c7508e71a67e69a7640faeade6

SHA512
ef8e725239d8aaae13e9c2fb867ef8aa1162b226c667c3abe60d4a8fbac9090d4f34a3a3d8b35cace5974c06190bb98bade406de472af5e96f681c6f343ac1e1

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
89KB

MD5
e76893a5c6778301ec715dacf9922499

SHA1
9ff9e65ab9411fb047fa22533b14977893eff35c

SHA256
bf9f91905109f476963294bcf8df58f6eb87d4f28f1fd232e404809af32d8866

SHA512
4c725f764d2e8bd5355ee959efd8760758f25db5a915331a3345dc321be9782565df20993689340a20141284e37c54999ef64c92ba467bc9092762cac5f6ffda

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
89KB

MD5
2c0dbcc005c4396ec6e1121f1ac6fc2c

SHA1
17d98b813944e7ee1db958b19e4ba1b04584910e

SHA256
a097a721aaa5ab2424bd78eb44896a571a97af2cb15b84a80ec81bedce8b7f59

SHA512
2e4d6bab3aed64fa72aef276926fe7ad23aaad0fb9464274654ebaf2ccb4d0070a7ed190843e0c98a76043bc27a92fc147a19bbd0b32339c838d3adffde918bc

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
89KB

MD5
baff855c7a5317726942d1754d628fc2

SHA1
9bf081ab7fb14bd29793dd9079f2b94c4a3de5c7

SHA256
07a555b512f0da4b68453d86a1e0988ba8d272aaff313b92293f5293780e0e64

SHA512
14789b44e5b90cace6952ff8dafbd692090c05317ccfcdef288f11a51722b022ba014aae715eabaa50687b4926db6f53fd94b1c12784092fc9bc0ca4f3b6c249

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
89KB

MD5
9b8f03ef1fb8c3312daa006a97ad1b31

SHA1
9182dd74d59658d86cdec97289cd67aeda49e10f

SHA256
779af1a5300328becf624e051ddf817a0d1a64f996012637803f5326072ba46d

SHA512
7a4c86427a7ca0a03ef6a00e0372b8990a2a139c652fd14311371aae08b2b8b8abc47c2e1780c668e16bf1fa13fd121d851974dd7dad255f482f357143746ae1

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
89KB

MD5
255dc5f3c53b75b2d632f203e66631cb

SHA1
1b91bb15d0c41b9557253ed932f7807f98baf7d5

SHA256
97f673223c4381808c4fafad3d180945aebca67165129104a2ac781871ec078d

SHA512
da158c157d9e75a035375cb6bd65fcc92d53db031a569e13a564739d4c2feba3b0ca3d0093ef46b8503e22e90bd0ceca24dce0d6e294f0704cc69e57306630f3

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
89KB

MD5
29b801e204474e697b835e8c399ba0cf

SHA1
55e9952662823a71b6babb79950fccfd5f5830bd

SHA256
3646bb9a3d0c24720a1251238fc2b7c21bc942c85e251730b93c795544057acd

SHA512
3e48d71d23c4cf0e3faf676d94006522f2913a7629a9f38d9330e7b00dc0e199f6b89d0fa457b67c87f29c53a8fa779951ad96216f79f4c639fe621e955f697d

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
89KB

MD5
137a5abe0625d5a13e2669071b72436c

SHA1
50550b6713c8c9b7fb08c2f407ab5f6b2213abd2

SHA256
ebc2c80be4e6cacfc92ba7285c15bdc7ff915ff027343a9ab779ee9b311c8d46

SHA512
be1392413b29818662e45761a739b8e95ee75007b65ca44965aa162a6b4b6d34548f574f18fbb1c66cc9b5065ebe9b4974287c6947ce33f4adf80b988a3ba606

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
89KB

MD5
eb7d91bbe55cd4181cce5ab70dda28cb

SHA1
bcd515a431838fe5e932cb66ce79ea8214ff4b3a

SHA256
ef80033c4582f02d384d70415615663bf4b092f7f9bfa536debe502c85775c3c

SHA512
2708263e8f14ce75c5a3ed35b3ad3c9b1ca8ffba28867a4d55694e2fe79da8e6eebe1e788d147a4b231758a2d6fc2c99d4d3743bf63a5d983d47f5a5a5abe1ad

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
89KB

MD5
1dd9945b243bb017570e2a851bf25ca8

SHA1
ecb1cba4142a3e25592655eaa186d2641e7e53ef

SHA256
684430c2198cb3b0ca7f18523dcebf4808e0649ede3980cae0097e97bc9871d6

SHA512
c8d341631623ef8f7af924c511266b0ecacbb436ab71fdbaef4b734714b45e57bf6f7dcb1e0efb9c5ef873ee07779254257f550920a966d2da911e0767564aff

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
89KB

MD5
89ebbcc571d061a890bd614a6eedf2ab

SHA1
a614eb99f96b363a0d0a6d0d79c2d23592ecba2e

SHA256
038d8c17e72ca61358115c45a07fc70b193d9ea5c3bc5837c30f7a418902c656

SHA512
d94ffcef7026da1c40f010fa10e8d3f4ba488f327044f7b2806b2c8ad8688298a721252fb9d5f4feb49f433ce9326993ca3104bc2bb5eb5cab2eb46250b3c7ce

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
89KB

MD5
8c29e2b6686ef803514341dcba349c06

SHA1
94e755708c893b0643d7397ca00d1e8a82159a95

SHA256
e281c0c44be3943d27de4dd265c59dffe74592d31671186c323b2b699581756c

SHA512
51b32d3512255f29c52fd6f7987dd7838f732ccee7390b3a94cad778b6f8cf4650628a3138374058be1fc2729b8abbe0b91c6483cfa989a605b82e002f73605b

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
89KB

MD5
193fcdbbbf84e4baa39f862f677d2d65

SHA1
524627551cabb18e8bece00a81005642a7d2b633

SHA256
2140594669ae12fd0795d7129a567911d34a9b29aa306deb36d9118804bed988

SHA512
7c973e48961bf3f3c9cf261938bacf5279dd3227135a310e06d44bd20019cfc8971b425280ef2857f05bcaa5de32178199bd049f0e16011fd5aca88697d512d9

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
89KB

MD5
78952110cd8bac8a328f0c3cc73d72ae

SHA1
59cfbf0b324aa83d10126685d5a34a2d188b2ab8

SHA256
f71894bae296fdcfae5348020fa2db882cc481c7346a0f710295a18e1d20a5aa

SHA512
9399cadd0c8de856f15430a73b45af92a8b2a8fa4fb266a526ed05e7f92546f8c4d17e6c1c8680cd9877c003ea799de4c71dcbcf6b371d231cc82b015aa6d317

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
89KB

MD5
ed0d1765bfb9bc069d83fdc7cfe69a6f

SHA1
c661cfa71027c2fb204d87b46927b2dcbedefc07

SHA256
501bd56b0a38e171f72e5b5b909cd7d9adf8a0d2c6a809bb6ab36f4607938a0f

SHA512
88f0affed4695fa3a989c898e4201d3e360188d192947524a64b158ce597d42c61680054e90bcc1e94e7dd642f2b65fc73e7ab76baf2372af09f1e59b5aa6f3d

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
89KB

MD5
6fc5531c84d91da4817b943f5ccd2402

SHA1
92ff300ad2cbec955d0bf2332e960d328b7cdf53

SHA256
58b21f25b00c791791b390784cfa9964fdf7c3780212952238e64b863d6583ad

SHA512
101f2a0e10523047549150909477b8c86b4af4b2f433214f03e6e2eaee1616baff53ff80c4eb8616b43cf3b4d0e5d064cfd42c30309eb0929c8c39c5a2923052

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
89KB

MD5
7be11599cb37f365ce1f72d983c301c4

SHA1
c9f483ebd255299c2698be58b892f0e2ac232f4e

SHA256
8dc1d785aa447d4285879aa90fe333f7987734ee0ee5e4d3eed2457d699768b4

SHA512
7b87d5e72eb83a4f07d885b82a695e07285ad241cf7f9fa2c7bc5bc61c63dce193009b7b6740b845f52f93a3cda0d3a983bb573003e681288e1e857ec6886bfa

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
89KB

MD5
a52235e171783d84ff40a8d30a5d8a32

SHA1
99f2ef5765a09d51def4aba4667f4d82a10e004e

SHA256
f127acd3f1dcf7bb6585124735acafb51fb5583839182a686c726b9e8533269b

SHA512
f5b161bdeb37bd45a1619d3c600fdf50d9a077fee954b9520ff8aa37ab1fb68097c4f6ebca33b90156097cd00bc0a341ecc4ce6c3a77674bb280881f261b22b6

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
89KB

MD5
48a1463273b05786fcc86cb9b0023167

SHA1
7f4c0d8f89087f4b3f283bcc5ff7ff0b24320123

SHA256
5f5f2175d6c12f0730c7a54c26ebd841ad157b98af6fdffbf869b622baea401a

SHA512
56a1d2fc25f0ff3063c253ce2f27b49b1332b0eb5b5c9adf0df4c3c1a6d7848bc0a1f7c25961a0770e749757a2b36e79a0667a17c979be4e68b69386e534b318

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
89KB

MD5
54c6c1ce904fa8bda87bccc3de8d7f45

SHA1
1de7bb593a9bdb0e5e0bcde9e799f1d4df041ed0

SHA256
59aa2af9c15b3ab6bea7d7b1fa5e8ba7180357821d64c8a86c5b2acc343c8544

SHA512
c45de1d34d8c11b4de8fb57e5f7370e2410cb770c2932c46c86af677d56c61e8fc9b7cdec197f2f2c5cb66639bb5d9c8e513c7796ffc3ab09e2165ddd7c28ba7

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
89KB

MD5
c03e2c4b20beab590840f537e0ce6ed1

SHA1
f17e145bac3bf2987778ebe8b560e6b2121a2ae3

SHA256
560847a4b8ad4fff49b8fcfcef8e01cfed8644338713ad269fa1e172cf09bae9

SHA512
c1041b7fda0f0ec1171c84f79ec0cf37d74d6bfaf8536ab4151a3a04b4ac66c3079ef1f7b781dfc24cc02fa61f7a0d0310184a1a4adae70ae33f1fc2b28e3bd8

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
89KB

MD5
6650a195d6094c55cf0f24251c63c36f

SHA1
cd4ab804e9fc7f35482df38008fdd742974c015e

SHA256
c557a81415b4de1a1e8b80beb40692ad49b4ac9ac2c38ac7c108da4119fc9a19

SHA512
8c1b721436e1188de8bc688cc78cc9a5bd320f1309376a93440cdcd5a2930155a286154a17ddb9836242a82bcae6965d7d56e989ce56f695ebbed929dd8c4339

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
89KB

MD5
4c176cc284f19a22eefc0f9bcf449d5f

SHA1
f1332ef238c166f7b75e83665d81f724a25324b0

SHA256
d91f0e4a99f8400be47f595df0333ccae46d605298fd91267e26d189ac3899bd

SHA512
87dabf9446cba87da30ca1437b53c456d470b2e04bfecf7361eb47883772ec9ad1e01f84475caadc706e9b9ef98f99d8fc9b1159d7190c189073515439de0e55

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
89KB

MD5
0a605d088dc2903c2c0c2961bbdf38d1

SHA1
9cc71dcdd6e5f7c0204b89b424d4ed78e75ab303

SHA256
2d55a8e0d9c8a1c605ee20a8b92f9eab7f9b8226077e380a457a2668e2d89976

SHA512
d7245cac6395612b134b2209f68745b27c9932154c1a84d8c242983971f4718e119c5445ad48aa473542859af3f0e2614843fb727d93d297e5d6d5b1d521b776

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
89KB

MD5
9e6cad4ddc0089279909c3ca0aa580a5

SHA1
d2c339f8c45a270cbde1405a7f7ddfce9e5e9746

SHA256
f387c13bc268c0be38b50e5fdad18b6bd1c9d89ab618dfb99841e85f7470bf44

SHA512
39a560a222fbaef678f2246045f4fa78e9dd79335986fc64699aacf0a42fddf8600089bf49da137c6dea92dcab2027fcbfb7b78f1dcfbb9bd14b7b36f1918d36

Download Submit
C:\Windows\SysWOW64\Nphqml32.dll

Filesize
7KB

MD5
ff0510eb3576ab2b02a85a91b4de797d

SHA1
c7bf044e938a7c56c50c24df9f5f0e52a0341c07

SHA256
75a7ce7bc8009d9be7bc07e75e4bb9c4201c62c22b760e23325e4457b55ec0f7

SHA512
39f7b835857fd1bc2d4d63e0919bf2570e40ed8782ca871ef3048a0f3d6fd2e3d349cf106ea4c9c592f4bc5dc7ec586f6a38424e86a958dfc5578aa62a12911a

Download Submit
memory/212-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/212-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/524-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/524-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/528-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/720-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/856-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/896-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/896-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3748-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3748-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads