b9790b490a7673d32b346e4311ded40a4785bb28ca869b7cba62c92cfe7814fa

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
Size

124KB
MD5

4b67b59e9470857a911d64149afeaac0
SHA1

79585d1e59c35946305b1fdf807af6efc70e12ff
SHA256

b9790b490a7673d32b346e4311ded40a4785bb28ca869b7cba62c92cfe7814fa
SHA512

d246b86d7d4b8157d62291bdbf3096f9c982572000df522df3faafd3f07d9ebbec1ae5acb7ee917f4b265346aa053552756f31d98544109041a7a56981706e89
SSDEEP

3072:KIj/mgJq9p9romoj6+JB8M6m9jqLsFmsr:KcIr9oj6MB8Mhjwszr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe

Executes dropped EXE 41 IoCs

pid	Process
224	Jfhbppbc.exe
5000	Jmbklj32.exe
1476	Jfkoeppq.exe
3408	Kpccnefa.exe
3220	Kbapjafe.exe
1708	Kacphh32.exe
3168	Kdaldd32.exe
996	Kinemkko.exe
2172	Kphmie32.exe
3900	Kgbefoji.exe
4724	Kmlnbi32.exe
3964	Kgdbkohf.exe
3852	Kpmfddnf.exe
4064	Kckbqpnj.exe
4876	Lmqgnhmp.exe
4356	Lcmofolg.exe
1240	Laopdgcg.exe
3452	Lkgdml32.exe
3384	Lpcmec32.exe
1032	Lgneampk.exe
4348	Lilanioo.exe
2200	Lgpagm32.exe
3832	Laefdf32.exe
4296	Lgbnmm32.exe
2344	Mnlfigcc.exe
408	Mjcgohig.exe
376	Mpmokb32.exe
1596	Mkbchk32.exe
4452	Mdkhapfj.exe
1712	Mncmjfmk.exe
552	Mglack32.exe
1392	Mpdelajl.exe
3696	Mgnnhk32.exe
1684	Nnhfee32.exe
4904	Ndbnboqb.exe
396	Nnjbke32.exe
2856	Ncgkcl32.exe
4060	Nnmopdep.exe
1400	Ngedij32.exe
3556	Nbkhfc32.exe
1872	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
464	1872	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 224	4056	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe	82
PID 4056 wrote to memory of 224	4056	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe	82
PID 4056 wrote to memory of 224	4056	4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe	82
PID 224 wrote to memory of 5000	224	Jfhbppbc.exe	83
PID 224 wrote to memory of 5000	224	Jfhbppbc.exe	83
PID 224 wrote to memory of 5000	224	Jfhbppbc.exe	83
PID 5000 wrote to memory of 1476	5000	Jmbklj32.exe	84
PID 5000 wrote to memory of 1476	5000	Jmbklj32.exe	84
PID 5000 wrote to memory of 1476	5000	Jmbklj32.exe	84
PID 1476 wrote to memory of 3408	1476	Jfkoeppq.exe	85
PID 1476 wrote to memory of 3408	1476	Jfkoeppq.exe	85
PID 1476 wrote to memory of 3408	1476	Jfkoeppq.exe	85
PID 3408 wrote to memory of 3220	3408	Kpccnefa.exe	86
PID 3408 wrote to memory of 3220	3408	Kpccnefa.exe	86
PID 3408 wrote to memory of 3220	3408	Kpccnefa.exe	86
PID 3220 wrote to memory of 1708	3220	Kbapjafe.exe	87
PID 3220 wrote to memory of 1708	3220	Kbapjafe.exe	87
PID 3220 wrote to memory of 1708	3220	Kbapjafe.exe	87
PID 1708 wrote to memory of 3168	1708	Kacphh32.exe	88
PID 1708 wrote to memory of 3168	1708	Kacphh32.exe	88
PID 1708 wrote to memory of 3168	1708	Kacphh32.exe	88
PID 3168 wrote to memory of 996	3168	Kdaldd32.exe	89
PID 3168 wrote to memory of 996	3168	Kdaldd32.exe	89
PID 3168 wrote to memory of 996	3168	Kdaldd32.exe	89
PID 996 wrote to memory of 2172	996	Kinemkko.exe	91
PID 996 wrote to memory of 2172	996	Kinemkko.exe	91
PID 996 wrote to memory of 2172	996	Kinemkko.exe	91
PID 2172 wrote to memory of 3900	2172	Kphmie32.exe	92
PID 2172 wrote to memory of 3900	2172	Kphmie32.exe	92
PID 2172 wrote to memory of 3900	2172	Kphmie32.exe	92
PID 3900 wrote to memory of 4724	3900	Kgbefoji.exe	93
PID 3900 wrote to memory of 4724	3900	Kgbefoji.exe	93
PID 3900 wrote to memory of 4724	3900	Kgbefoji.exe	93
PID 4724 wrote to memory of 3964	4724	Kmlnbi32.exe	94
PID 4724 wrote to memory of 3964	4724	Kmlnbi32.exe	94
PID 4724 wrote to memory of 3964	4724	Kmlnbi32.exe	94
PID 3964 wrote to memory of 3852	3964	Kgdbkohf.exe	96
PID 3964 wrote to memory of 3852	3964	Kgdbkohf.exe	96
PID 3964 wrote to memory of 3852	3964	Kgdbkohf.exe	96
PID 3852 wrote to memory of 4064	3852	Kpmfddnf.exe	97
PID 3852 wrote to memory of 4064	3852	Kpmfddnf.exe	97
PID 3852 wrote to memory of 4064	3852	Kpmfddnf.exe	97
PID 4064 wrote to memory of 4876	4064	Kckbqpnj.exe	98
PID 4064 wrote to memory of 4876	4064	Kckbqpnj.exe	98
PID 4064 wrote to memory of 4876	4064	Kckbqpnj.exe	98
PID 4876 wrote to memory of 4356	4876	Lmqgnhmp.exe	99
PID 4876 wrote to memory of 4356	4876	Lmqgnhmp.exe	99
PID 4876 wrote to memory of 4356	4876	Lmqgnhmp.exe	99
PID 4356 wrote to memory of 1240	4356	Lcmofolg.exe	100
PID 4356 wrote to memory of 1240	4356	Lcmofolg.exe	100
PID 4356 wrote to memory of 1240	4356	Lcmofolg.exe	100
PID 1240 wrote to memory of 3452	1240	Laopdgcg.exe	101
PID 1240 wrote to memory of 3452	1240	Laopdgcg.exe	101
PID 1240 wrote to memory of 3452	1240	Laopdgcg.exe	101
PID 3452 wrote to memory of 3384	3452	Lkgdml32.exe	102
PID 3452 wrote to memory of 3384	3452	Lkgdml32.exe	102
PID 3452 wrote to memory of 3384	3452	Lkgdml32.exe	102
PID 3384 wrote to memory of 1032	3384	Lpcmec32.exe	104
PID 3384 wrote to memory of 1032	3384	Lpcmec32.exe	104
PID 3384 wrote to memory of 1032	3384	Lpcmec32.exe	104
PID 1032 wrote to memory of 4348	1032	Lgneampk.exe	105
PID 1032 wrote to memory of 4348	1032	Lgneampk.exe	105
PID 1032 wrote to memory of 4348	1032	Lgneampk.exe	105
PID 4348 wrote to memory of 2200	4348	Lilanioo.exe	106

C:\Users\Admin\AppData\Local\Temp\4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b67b59e9470857a911d64149afeaac0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\SysWOW64\Jfhbppbc.exe
  C:\Windows\system32\Jfhbppbc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\Jmbklj32.exe
    C:\Windows\system32\Jmbklj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\SysWOW64\Jfkoeppq.exe
      C:\Windows\system32\Jfkoeppq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
      - C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        42⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 400
        43⤵
        Program crash
        
        PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1872 -ip 1872
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
124KB

MD5
42805c2c0495598bc908903039c52dbe

SHA1
8be4294449d406b383be02e171d606a42731ffe4

SHA256
5a07c8df8a538ac91693c259aa4de9ed95706c2ebdb0c3b7a5084af85348fefe

SHA512
cd6c6909b71d4bcc02d351c3994294b50607d8d026069f2fcd41a9e1d4854a64448b3271b8ec486282119b1c10f7913f98b9dd380f7eb28f8a460a27be941e46

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
124KB

MD5
a454332a109fc6eb6ff558b442821785

SHA1
59bcb4e8a575fb1e4506183b0923856e2920b440

SHA256
03e347617f19c32e21a4b38e7ea4345f1a1f2f3bca52b1281c33ff27bd634cf0

SHA512
92f593a67ff9a09e116c371963c8ef139aabdcd5bced4554964e28d42a98d41a12f678dd0b9776a1081c316e851fd0108776c2311be03c28af13c116bfdbf9ff

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
124KB

MD5
08c72abf4ebc4a001a7357aa7c7225f1

SHA1
cd9e1700fb7d38a3f50e2206375ce63dfc986a64

SHA256
02b8a7f45969a2af27e9d5cbf5226941726257d8ac989d415d18879eacd117da

SHA512
dfaf29b2482ed78b6dcd6d5148fdc36061aef161a487db8084a8c5868ec4410bf5615068f22effc916b7b154c7d13a8b7d83a51df4310bbc488b34416cb96d17

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
124KB

MD5
10d2cfc73ecba0eac1819a4636da8700

SHA1
0a4f907195ea5c19666a12505bec9ed35b94c037

SHA256
3540158cb46f7d15382db221fae47af162483a31c4b207606075397dab08c8c9

SHA512
31f5c08b8787687e419def347312fb6121edf662d963429b33f2c85ab61e4b2bf4038cd4b539c553b78e4d1f35beee2572cb4cb8a97e73bdcd3563bb597b3353

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
124KB

MD5
5f91b5f785b1c36f5a43a628c039e672

SHA1
c20174e4f44bf3424e82261f6b3037003d5f04cb

SHA256
f78e6ffd11023f6ad10f3e9bf20ee2abe8bb41f92593ec86977c8eff15113d80

SHA512
fb5fdb1bb061364781783cd75f68d1be8148a5d07a496fcfffd6283ff255f21a314b2516fecb795dace5ee8623a6843ba575fa5a2d0326975e3ecfbc1e410341

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
124KB

MD5
9451934da00f120840dbdfa4dbcf4aac

SHA1
441ae519a3fa340614dce55156a85d258cd2000f

SHA256
63112a109f50497efad4663df9721f52bdb0c139433ac60dab71afd40ea6d1c4

SHA512
2dc9b383d90010a6e39bc2e20fa63ec3446be6a28bd76b9ba0a169b56fab6f49fe2d8b65126463cefa32d9cf12f39cfc2dcbfc46271c30b98a7ff84f6be65e2b

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
124KB

MD5
42fa169ee5c97175b39b6f40127fafdb

SHA1
ee93639798370455c58408958d726b4b23627499

SHA256
b73d015b4bf014f18b98636ea325ebad1de1647055a9a6749e5a5919bdad7559

SHA512
62add1afa80124043b2a0c2b27ef42d626a840bc7e5a3f7fec18fdddf72af10e0f3540be5e70a23792bbc136a2b3c2b863deb2ad96a49ffd2fb1b087a4b41d6b

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
124KB

MD5
03a7d7b6f6f55229657bb02bba13a57e

SHA1
37ab812947ca03b2c98de96dacd20df1438343ed

SHA256
b644b787e081d379a67cbe37942d671d762c0a3f2bd2e969a684b0394fa92229

SHA512
4cb17837705255f727116bdebe3e7da23578ab72710414f968879e8ae2426c95088ec6aff83d33aba77f1bf9a2776bd05616c7502663d6f95afa5706b3e612f7

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
124KB

MD5
c6e812aab7874c2fc1501a7c5e1ec9a5

SHA1
1318406f5d6dfba24da41a00127671b350d61030

SHA256
4f063ed77b3e7cc92530d2bb9beadbb3e19728a09130bcbd92893cd7d914ad47

SHA512
9d51882b351ec75bd7b94cf8faae6e30f0bcccf6ad4257f4f7b15dc37156a115ba8edb3870d8fd566bd8d37f1080e07c60b294e078a9b0f8bbd3cc3d48fc0081

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
124KB

MD5
0bcf9dd5bbe781496b0a3c970fbe2561

SHA1
f6d1c1b9b45fdb6fcc2d730abda73199c9be8194

SHA256
7d4850e86cf48f69468ba53b0b9cc01afe41bb93ad00785eb9fd6ae21580fc58

SHA512
4f59d6026396c07ed6215cbaf9c5b6074337552220df8c054df96fa2a40b6eceb7a505692098feac631d13d70496caab5d835eda9c99906a8ed2048ba0797874

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
124KB

MD5
0a70184e7c3efa1aa07da04b9bf537a8

SHA1
d6e53964a230e102d217f203e3031abc3fc52ad0

SHA256
ef4c651a708a2209d06813e9962aa0863defb6acb72f995e29eed79eeac02e99

SHA512
2b731b75f90ce125c637c818780789bc913e9ecf741e14edaf0be90ab8a4f97ae7e7b7eac3be7cd3d6afdd88a5f9f9a0e866b06002ab47dbc8e25dbe0a641751

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
124KB

MD5
f6b07a0a295243f3154731b75da8b4b6

SHA1
6635258657f15cdecff183073f968154f79e422b

SHA256
e1f92a474cb4a9fb6a0c8be79c47f28cf54529475ceac08ca494b3142e49a789

SHA512
79a559cd258a6a901b284c66c4ac886c0b2302fac5098c4a98866fceb4681415fd440f05bddddcda403c49a0a4d0907cc4f6d6d3911c67b537991d45aa915819

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
124KB

MD5
344dc8d8383250ce7f2e94107606829c

SHA1
b456a3a164d2fa32968427122ccded372df0e26f

SHA256
136237b373dded24bb06d842fdec4c1cef83b715bddfbabab13058310bb7a97e

SHA512
9e656dd42b1219721f26831fd15ab386d13e7cf149699027793ef2a4f13f9b10be58c3c643413b4420260c4d2944452729901bc294bf4e0b49e192b5eeeb6d64

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
124KB

MD5
a188247d122e7b34a51c4ccca47e083b

SHA1
9c5c5d8c1ed4e0d43ab36020199c2b7422f2e3fe

SHA256
e84ed0e6c3e894755b9e824f55fa25d34e26c108f875c6823321136e2a6a4c3b

SHA512
d65d9376a015eeded24003604af1619be3f3c40241e95ed2a698b36d4cadc7b83e6788a0105e5cd6c5e150d7904f54c55def0a4d14026da783d47d14dbe82fa2

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
124KB

MD5
2294f1fea7c640b7b45e1131dafa2a2c

SHA1
6051ea1f2773a48559b2ac440f7ffbb925def517

SHA256
7e82ac162a46887391c89a8043b198e2c83a4c7eb99924935f4df91df5ec9441

SHA512
49f83d9313d417b941d92caab99632722cbb0873dbe6433a14614138c6321adf3fc8b3d8cf546f5cd164642a1cf74196f357a051814df904a69a574fdde46026

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
124KB

MD5
88502c39b23b5a23e29e3b8d2b71ed0c

SHA1
74960e3fdd8215636fbfa95ad1deaf2d3272c271

SHA256
711879e240d315d907871b65c68cca19604bd610a58c5c69310253a72dfb143d

SHA512
3226d87cf8ba0ae6f62a8443ba7c1428ac6b9ad9c07826b9950f4c78f67b6db918ff9406649cae3f4560c3056ecaaf5725e11b5dbcb00de08032f52b31d9cd57

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
124KB

MD5
8b10b8408c4f08b64e3d6c57142954b4

SHA1
268b6620a41d668bb1ec896a460296797271c785

SHA256
f93684aafbf832f1c1ca96f993ddeadefe452db007fc4bd7bcd606feb33db27a

SHA512
7d35ab6f5d51e226114562b2339b9872225c72120c62c580f5f77987d584e3e418b1804f310c723cc912d4c98bc098ec54e90d8bdf7cbad3172ae1f57b19782b

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
124KB

MD5
8e49be801beadf3a0c03f60d6c436243

SHA1
b54d17a33fc5b89f042dd9204396cc2c05bfa45a

SHA256
e030b63ecad8a754687d3b6414ccbdbe227a808d144a5bf3e9763cbfb26d49eb

SHA512
843b89404cc64603290832ec7c152c96ba97c1290e3733c81a21c717d2a22910b9fa99741cea672a9c33b715b348eb4f51d3a676379500ab8cf0e25e74b36bac

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
124KB

MD5
5affcde7bf0f30d7e1b7fffb48c9e228

SHA1
c01bac18a0ad1ccfff1ab5442a7c3cb016a6a648

SHA256
2ae4bbd3a19c8bff00fe200894b2eaf7e84dedb8e2310cafba9bb436e52ebfc7

SHA512
077380b515ad88519263994cf6058a645f0a103c0c012f6ee7807d2614db5d08f9c8a331c2bed4f992f35d6b9f1014efbfa94b211aaf41304bca92fbdc29a855

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
124KB

MD5
918c6bd4a7c1cd51b43ccfb2b4766390

SHA1
3bcef78592ddb349685c1620607d3c165917ed75

SHA256
20d948d6fc09ad3131f804a134014a371eef3749caa7acad59879f236e35064f

SHA512
2392bf242c69b6caf8d7104e5361e388235b9fd66bd2378bb968ea68e75fa2e86fa09b51f1cb3e8811b2edd838cae36a2ec2e8bd9ea80601b523f03ad6a0e130

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
124KB

MD5
da2b2332af4a979e46d16190e13174b7

SHA1
255f49fd8a874d5abe4c3469f4b6bb28060fb2e3

SHA256
a6c6b3294d9cebd79ea3daa48ec0a2e2167463d442354b0368e662d97daa0524

SHA512
ee55dbb75c90025807c4eb0b25b2da54c1054f3afdeb6fc11aa15920c8935472061858ddc240369772692acf802a82649f555f6f83ca29c26ffbf4c05a569d55

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
124KB

MD5
12903ff2de41f5fbcc45803a4a8e42ef

SHA1
498fd457e682bde2b28adfaf476e62bfec6eb018

SHA256
53d57245fa7d43c41417bd2250bb18ae6e9aaffb4a79084ab1e1613261a26f5c

SHA512
f9f5e90ed66933845d36baa1b336fe0373df325a41de3eaad885bad87ffcfe35ade1d9bc7753b0c6c0fd71e819ead8c46e29873e4f3539716cc0e60160fcf6d9

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
124KB

MD5
7d04510891fb97cc4216756ea3e032bc

SHA1
a9884bd959dc12e02a3d956e505d890a4e0500e8

SHA256
5c3de96bacebfdfc8b8e32f47eae3665f9e7a4164fe3b6ffe22df057a4ebb0ce

SHA512
057917581cb69e05ce1117cbdce6e2b2f0dc6c1f618abf5573d12e31b94e11bb1c99042a1f645590899e4e9f97154440c59ed259a1c2cc9049cd10ddaef3c337

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
124KB

MD5
b143c18b6300c771768cbb6540dbd50c

SHA1
cd7c0a2475e51767b6f8ac19fcac0c8a31ee405d

SHA256
ea96357eee626018c0611669500274c70d08b164111c26b8d056b79742a87028

SHA512
b6618ab354e62cb3f47c2bf26b85210be7f23d37fc115f2cff060c67924df503bbb19e0c39263055b3b44bb0d035c3f97de144eef1cd9675527fa3b9bcada5cb

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
124KB

MD5
b6c8725f08cbe973ecad673581893ba8

SHA1
a065655bc2f31378e10f1ad4e5e4b3d181896b78

SHA256
ce7061ff2eeccc910ff68cc17544533db8227bd7abfdc56ce8a28e68ac794f0e

SHA512
d1c1b72c5da665af4b23a7c459a81e6567867de7bd0ccf920bea2f50e1c18d11c1a1b1c089b23662efae116fb856449f11e66a53490aa710513b92672fe9cecb

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
124KB

MD5
1b9675946bc25d4af76189d988444ce9

SHA1
11e11c755acf5cd492a4172b0b28d97e75869cae

SHA256
54bc28f32f73fbbb5cfa433b191c92a9af8756a4b2a65521884932bd6aceabcf

SHA512
02a24a68c8c943711f7508fc4c8e077b515c9118e44d2bd9f675a8a44c7750b15299eb4f40cbc9a546773e2e8bd133b37f2ffdaf200bc53f654102f01fba916e

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
124KB

MD5
5f88dce30747e694a9adf9ef9997c5a7

SHA1
4c1e44a7b6cd02d4ac72401048e5c715a9c32c40

SHA256
123a2d687ea82bae55d75b74a9cf8bd86f2027ff344e1388ab93606e5dd1eba4

SHA512
3dd4e96faf2877429d5f383f3112467dae9db5c3653f2f7f78ab5abd6a6863e17182cad44af4eae3aff0bf9701f30a7350ac943cef6a83465077234dcdd305db

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
124KB

MD5
8d25443229ba8bb2db47176c7af63f72

SHA1
d93476b5f2b67448785e269705b09356d02c5e5f

SHA256
697a1c5dd618774835f71123dbb92dcbd7cad41e54ba6b3a7bd159b5d15d2b1c

SHA512
082486c4f449123ebbbe078f3c570a9fd1a58c436950b248339a421f9f28bb1768dcc84d5177dd57be038cce7bde3f77819c767b915666559351a18e8ee7e489

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
124KB

MD5
183727bb363d89121089c86c222669a5

SHA1
4ab7187f4de1835b5be90453a4f71cdb4db8b9d5

SHA256
e891d803e44de1c0bd380c4011517b69f9c4734db045301b0719e7c1730111d0

SHA512
c4c77fcffb189e23e9cc75183cd1eefa1e2232784c47db4b4a63e7c4397082abe1fdb9efc8da237eaa62d71eb94b80a090a49c86343da5f11e8aa99108bd518e

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
124KB

MD5
2838a04c156e53b75ce9dd46328c7d5a

SHA1
0b7bdd9fddc3b084fc7dd5b9bf641694b31842dd

SHA256
7a480b6d4501577eef770ab1b97e206cf236551507b6c09f3e66db67e07a6dab

SHA512
e610cdef7c92f218685d5f0000ab608b4a71a67ef9c30d63af4dffec24ffbb3d66d50fc78e1f2d43b08802a8f98f2f6042946d89b1d05d1c8d263d7d3e125d44

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
124KB

MD5
69bee9caedac815b0df5734d1e52c34c

SHA1
767c615001bd07d3ba391a3c3a460c1481f34a75

SHA256
d8139d2994d6ff6c57aaa6f71a0fe222f2531150f21418a545c5065862e37ccd

SHA512
c9d43ba1ec2e3434ce43290e66d5793b6252dda00e1ffdbcef0d177dcd9e1aa7b26b98f99dfec3cf3f6d03e576b4658e887ef1b6a6b230e9d98d2d3ca48d793d

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
124KB

MD5
7e3ed1caee0b56e8e56ae1720c793009

SHA1
f312f808bea256bb4264be8ea35d639706fbdcea

SHA256
7857b029ee4fba471d20907543c9fbe61edd505c81e3e4ff7ac7c5dd3e05d938

SHA512
703e7e755294986c4aad45aa6783f9f10aa8b30f7094fbc6f7b0dc05f3bc7b4bbdfa63e1309e6f79c073d91e6fba33bddc74e54866a8d80eb960564e2b0dce98

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
124KB

MD5
d670323e331be53db9b9e1ebb82b90d2

SHA1
9c656605b32f4e1e42cfb9ff494ccaae516d8083

SHA256
2e709dd5ee029b26b81d7392e5beef737d476f3e28bba72b1920aaf35eb0e34e

SHA512
e641e4affd03d1c751de2f6ddc69f4f078afa7d2f1f3279d1d3cff3946f05be4be6a4ecb0cb16fd64bdbbc35406b54a6a9819c2dcc2b5d4df75ad96f6698eb2c

Download Submit
memory/224-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/224-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/376-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/376-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/396-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/396-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/552-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/552-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/996-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/996-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1032-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1400-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1400-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1476-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1476-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1872-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1872-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2200-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2200-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3168-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3168-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3384-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3384-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3408-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3452-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3696-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3696-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3832-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3832-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3852-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3852-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3964-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3964-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-4-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4056-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4060-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4060-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4348-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4348-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4452-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4452-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4724-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4724-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads