69d9e76839bba4fbf0ce5f558feed4a7226634fee575d02de4230e87433365e1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe
Size

481KB
MD5

7418f0676c1fcf08bd6f19b2091c3dd0
SHA1

b20847fcceb6642dc40e70f1712c9f2f92dea377
SHA256

69d9e76839bba4fbf0ce5f558feed4a7226634fee575d02de4230e87433365e1
SHA512

40da2f62e4cdca4550d5ce31f9fd45243d74953c8b43636566be7c8096d8c194c589bcafdf4e916cea2cde0612b47f3f3904d31ec8084218ce73456bcac7456d
SSDEEP

6144:cZjx9B88FM6234lKm3mo8Yvi4KsLTFM6234lKm3+ry+dBQ:cRxBFB24lwR45FB24l4++dBQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iinlemia.exe

Executes dropped EXE 42 IoCs

pid	Process
1020	Ifmcdblq.exe
3300	Iinlemia.exe
4908	Jjmhppqd.exe
1596	Jagqlj32.exe
5024	Jbkjjblm.exe
2124	Jjbako32.exe
4384	Jfhbppbc.exe
2012	Jangmibi.exe
2104	Jbocea32.exe
4260	Kpccnefa.exe
2428	Kilhgk32.exe
3792	Kbdmpqcb.exe
4132	Kmjqmi32.exe
1252	Kdcijcke.exe
3688	Kgdbkohf.exe
4596	Kajfig32.exe
4400	Kdhbec32.exe
1452	Lmqgnhmp.exe
736	Lcmofolg.exe
1272	Lcpllo32.exe
1432	Laalifad.exe
2204	Lilanioo.exe
2772	Lcdegnep.exe
4344	Lnjjdgee.exe
5076	Mnlfigcc.exe
3292	Mpkbebbf.exe
3016	Mgekbljc.exe
424	Mgghhlhq.exe
3324	Mgidml32.exe
1056	Mcpebmkb.exe
3592	Mnfipekh.exe
4872	Mcbahlip.exe
3616	Nklfoi32.exe
4028	Nqiogp32.exe
4688	Ncgkcl32.exe
3248	Njacpf32.exe
3684	Nqklmpdd.exe
4200	Ncihikcg.exe
4992	Nkqpjidj.exe
2796	Nbkhfc32.exe
3484	Ndidbn32.exe
3128	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4060	3128	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 1020	4704	7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe	82
PID 4704 wrote to memory of 1020	4704	7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe	82
PID 4704 wrote to memory of 1020	4704	7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe	82
PID 1020 wrote to memory of 3300	1020	Ifmcdblq.exe	83
PID 1020 wrote to memory of 3300	1020	Ifmcdblq.exe	83
PID 1020 wrote to memory of 3300	1020	Ifmcdblq.exe	83
PID 3300 wrote to memory of 4908	3300	Iinlemia.exe	84
PID 3300 wrote to memory of 4908	3300	Iinlemia.exe	84
PID 3300 wrote to memory of 4908	3300	Iinlemia.exe	84
PID 4908 wrote to memory of 1596	4908	Jjmhppqd.exe	85
PID 4908 wrote to memory of 1596	4908	Jjmhppqd.exe	85
PID 4908 wrote to memory of 1596	4908	Jjmhppqd.exe	85
PID 1596 wrote to memory of 5024	1596	Jagqlj32.exe	87
PID 1596 wrote to memory of 5024	1596	Jagqlj32.exe	87
PID 1596 wrote to memory of 5024	1596	Jagqlj32.exe	87
PID 5024 wrote to memory of 2124	5024	Jbkjjblm.exe	88
PID 5024 wrote to memory of 2124	5024	Jbkjjblm.exe	88
PID 5024 wrote to memory of 2124	5024	Jbkjjblm.exe	88
PID 2124 wrote to memory of 4384	2124	Jjbako32.exe	89
PID 2124 wrote to memory of 4384	2124	Jjbako32.exe	89
PID 2124 wrote to memory of 4384	2124	Jjbako32.exe	89
PID 4384 wrote to memory of 2012	4384	Jfhbppbc.exe	91
PID 4384 wrote to memory of 2012	4384	Jfhbppbc.exe	91
PID 4384 wrote to memory of 2012	4384	Jfhbppbc.exe	91
PID 2012 wrote to memory of 2104	2012	Jangmibi.exe	92
PID 2012 wrote to memory of 2104	2012	Jangmibi.exe	92
PID 2012 wrote to memory of 2104	2012	Jangmibi.exe	92
PID 2104 wrote to memory of 4260	2104	Jbocea32.exe	93
PID 2104 wrote to memory of 4260	2104	Jbocea32.exe	93
PID 2104 wrote to memory of 4260	2104	Jbocea32.exe	93
PID 4260 wrote to memory of 2428	4260	Kpccnefa.exe	94
PID 4260 wrote to memory of 2428	4260	Kpccnefa.exe	94
PID 4260 wrote to memory of 2428	4260	Kpccnefa.exe	94
PID 2428 wrote to memory of 3792	2428	Kilhgk32.exe	96
PID 2428 wrote to memory of 3792	2428	Kilhgk32.exe	96
PID 2428 wrote to memory of 3792	2428	Kilhgk32.exe	96
PID 3792 wrote to memory of 4132	3792	Kbdmpqcb.exe	97
PID 3792 wrote to memory of 4132	3792	Kbdmpqcb.exe	97
PID 3792 wrote to memory of 4132	3792	Kbdmpqcb.exe	97
PID 4132 wrote to memory of 1252	4132	Kmjqmi32.exe	98
PID 4132 wrote to memory of 1252	4132	Kmjqmi32.exe	98
PID 4132 wrote to memory of 1252	4132	Kmjqmi32.exe	98
PID 1252 wrote to memory of 3688	1252	Kdcijcke.exe	99
PID 1252 wrote to memory of 3688	1252	Kdcijcke.exe	99
PID 1252 wrote to memory of 3688	1252	Kdcijcke.exe	99
PID 3688 wrote to memory of 4596	3688	Kgdbkohf.exe	100
PID 3688 wrote to memory of 4596	3688	Kgdbkohf.exe	100
PID 3688 wrote to memory of 4596	3688	Kgdbkohf.exe	100
PID 4596 wrote to memory of 4400	4596	Kajfig32.exe	101
PID 4596 wrote to memory of 4400	4596	Kajfig32.exe	101
PID 4596 wrote to memory of 4400	4596	Kajfig32.exe	101
PID 4400 wrote to memory of 1452	4400	Kdhbec32.exe	102
PID 4400 wrote to memory of 1452	4400	Kdhbec32.exe	102
PID 4400 wrote to memory of 1452	4400	Kdhbec32.exe	102
PID 1452 wrote to memory of 736	1452	Lmqgnhmp.exe	103
PID 1452 wrote to memory of 736	1452	Lmqgnhmp.exe	103
PID 1452 wrote to memory of 736	1452	Lmqgnhmp.exe	103
PID 736 wrote to memory of 1272	736	Lcmofolg.exe	104
PID 736 wrote to memory of 1272	736	Lcmofolg.exe	104
PID 736 wrote to memory of 1272	736	Lcmofolg.exe	104
PID 1272 wrote to memory of 1432	1272	Lcpllo32.exe	105
PID 1272 wrote to memory of 1432	1272	Lcpllo32.exe	105
PID 1272 wrote to memory of 1432	1272	Lcpllo32.exe	105
PID 1432 wrote to memory of 2204	1432	Laalifad.exe	106

C:\Users\Admin\AppData\Local\Temp\7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7418f0676c1fcf08bd6f19b2091c3dd0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\Ifmcdblq.exe
  C:\Windows\system32\Ifmcdblq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\Iinlemia.exe
    C:\Windows\system32\Iinlemia.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\SysWOW64\Jjmhppqd.exe
      C:\Windows\system32\Jjmhppqd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:424
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 424
        44⤵
        Program crash
        
        PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3128 -ip 3128
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibimpp32.dll

Filesize
7KB

MD5
1a3183f2ab3729b215b3d1bc0d34bf47

SHA1
86318d2a95c91b56a7ee82005e4eb3e9bad3094b

SHA256
1f569093cdcdf11446a2040963f2df7fdb2a2245f0db1d29e5ccf952c1794ddc

SHA512
bad892b1233ff881de94cc39fac95e4dc7b0a8c196525af51e718f3ff42b70847630c7d49ff763afd7a9bcbb81d353c0a487555ede76c9382e3465c2c37421fb

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
481KB

MD5
a8a160b81538e43814c05ad9ec6a3fdd

SHA1
1eac4d43b440b6b9bd0d6ca9363a1a86d32a5ef6

SHA256
fdaec0ab7b9f62955b2cf1b63750c169e6c8e3148449090078d425ec1bea295d

SHA512
16d7158b45ca00c8198534e0c3f1617bd2381f3ab27bb483b06eff2213466ee8e67ba9a4d4df95beffad313d5eb2f1c953aa1956cce6f7a25793a470faa59377

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
481KB

MD5
4a05fd7ddf0aa08100ce06fde3b4e102

SHA1
b6f7605466876e1bda5c817ed589da97f6aa69f6

SHA256
044739ff4ba9a820e6ae21462c8f2fb129e0d61ed29724d08104d938471dccc4

SHA512
59c7aeb6c0af16dd6ed7921c80c078f2b8472b39f1a015d65fe03134b4cc3103f9af1bf4e6488c1bf973b402d8997f0b354b9e8231088418aa29b6704d0e85c8

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
481KB

MD5
3f640e185c1412b94e815599a9270373

SHA1
2f513faaff26e518f488a9f91f166ad872604ac6

SHA256
81ec38562c535619d5bf3d85b2914e5f850f3a940f3ffb026f2d9deaccf588ef

SHA512
e5d6a316e118fa52b63bb3449d5855e99029c3eca211e15b7736e950a6e8986c4bc6d7a2f571a9f29a4e6c89a9446abde67d459e0e198455f197236554d55495

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
481KB

MD5
a0bd921da1c63e80a27d0443636338f4

SHA1
577538011a01fb0481fd492b7df101da0cfd6072

SHA256
0a654accc6a998957dcb9b05932a949c4cf7bc9e7eef02ec3cc1eccc1fd677b2

SHA512
2cf761db05557a648d15e4e04fa9548c1f15bdd1cbd09b98c5ee54c92ea98ff64576991ddc14ff5b0781929b326951b61f6b480ef0597a3e7149a419b5ec7fd1

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
481KB

MD5
35fddac30896fd71929c82a00f18cd27

SHA1
f35442c739578276ecefb3b73739c7db017aa85e

SHA256
9d3e811387a1dec25bde0518a844b5279810cfcad7c62ce3b5241a52be5fc038

SHA512
65b7f52bdeb19f276f3cabdc4c6fcaaf65801c1251076723ccaf545c335ea8ecbea66de06741ac8bce24d6e1be7bca747aa68bc1c4b74c175eccf457a90e3bc5

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
481KB

MD5
229b56b32f941c29e6c237cd55cd2747

SHA1
38adf4685d3f0a5e6ad2671ac872aec4d1da6f15

SHA256
0d368ddb11d6e481c3c4ab8d0de8224d01e37677f9c33f983bcec9f5549c3b56

SHA512
5c7d439cfc956757e334a034901377facf2647b016e520a194af5528c40e8450a312352ca91d6ca1fa3e9c9c1e62d5bdb4a19a876404e3c4d14075bb458ea093

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
481KB

MD5
afcca1efef9a2bf6ae1439f0414417ad

SHA1
07dfbc12b608d64c03b4b3def920103de037ce71

SHA256
f6e764456d4d2a0823d5ea1590277fc8cf8b42a654744eada61959611ed3e571

SHA512
2eba3dd3fb990327b5bcfc85f6006ebd96178c1911f2d02e527ac551b1685478a02761d3abfddd96dc1a942af14b4bc077e14c19b4e8461c3bfc8270fbde2e60

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
481KB

MD5
03b73b3804ec33706a8477fff9ffb041

SHA1
919eeddf164d489a83eefa7b8268c7a6b8a99bd9

SHA256
5cfcfe38be7989f761a9a5142f1eaa33597271f0877e4bcfcc1b066358de8dab

SHA512
70ab0b61cd063d603e6c0d70e0d0d0a7bea294f501594c2fc42f18698caf4ad74294991bcdf08cf32c8a191c6338a43704a1880b23269691c296a0d2411ec5a4

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
481KB

MD5
2a12f1e27a62802a659cb416f096972b

SHA1
8d446ac7a2602d808cf302a5d5dab15c53db46c3

SHA256
ff8e59725ceef6ed42ff51e2d121a1e2c2ee3958a4f883aa60dacb9454e2e34a

SHA512
731710fb55e3cd349664f97c91e9d671c070c195d0f2442fe07f5abf2706ca4eb28b19b2a5b6cb361f645f328eb9574c7247e1c7058b2693c850f23485cc29e4

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
481KB

MD5
2cf849251b313c17cb6c1d3ababe716b

SHA1
b0ff9e667529f789c70400f5152e410aecca905f

SHA256
d4141d00942cea061ed1da6b95f034e593de6eb84dbe60bc4b8362f7892527df

SHA512
5b44d6261d88a52fc78fd4684dfb24fb6ae8a0644c7619c89cee9774b4ba0f7d61fb569aba2ee23d07346e3dab20dea13474b0e55034957eae98d64c8bbb2c9f

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
481KB

MD5
9566eb0e95a6b0f830653daee4699d77

SHA1
45a6c4f50d34fa1492b072f4dac95e0030e78a3c

SHA256
9c4cb40e49c7217ae5ee95f96107decf91f76235082a5bc5afcd2573b5451d66

SHA512
28b037afd1183fe38fc6875951410659d5cea4d8a7a9be08abcef2564ddebe5a6a44867cb1fd0ad495e9d029b55ce50fbaa1c4dc8d2c513041bd6b88ab8b0a40

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
481KB

MD5
4d73c05833f3583b8fc939a2c52b9855

SHA1
70836d3fd14711844a4c90eb851a2f0c99526898

SHA256
339c6a45929f9971e18d638a8dd8d2eefbbfa9e861dc51216095a58c1b6cfb98

SHA512
0e0721e780a00e8cd964b5e16b3cb6ab7a80b72aa36445d3d97a5178531b1593356c9462399ea4f826ac894b5c63d0f50c884eb6c63b1f465b232e3d86f62667

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
481KB

MD5
d2b3a3f629413e73c1809b7e6e40ffa8

SHA1
34359a703e2fe68997bfdbe03cca99cf43ad4517

SHA256
cf42b66f2713df8f09e2f6e401e50022b2219383c1749282f4e17ab3d0843f03

SHA512
a5a2b9bc07e7bf84431cea2f65cf26023687be68a96f776f9ec811271d3c807a6cb67151302617a293db0bd1a87d5a016ffdf57622acdfb0cb7b5294561cdd77

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
481KB

MD5
806625877b7539445969dcc574143d00

SHA1
2039301d14bb8a4c2abe6113d7b7dd25a4d8709f

SHA256
4d858671a571b6e4a05cc1f240ec30d394e469bed6738c423991ca8d84037bb7

SHA512
67a51f96e34f0676436416c99ca6c38421577a2e5a355fb37b4cd4eea58ebb9c2293cb052a2e59c57a19cfa549c69f84ddf7731845ea678fb960b692a1391efe

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
481KB

MD5
26d80dfaae921c8ee4797f03a9c413fd

SHA1
b58bcc942da9dea3556c620cdb75853f036633e5

SHA256
35e2a52dc633a8a5bad0ced2bf49b25d89cfc01ce9ff667fe5648fc0756263d4

SHA512
4777d5438185ec9679c9247b2106961f54ab9e074d5630660eda6618ec6da0e33acfbd370408a49382315d9eca186ffeccfccf2e72380011af15f1d32d7999bc

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
481KB

MD5
241426ab20f40316abe32c368855dda3

SHA1
778bdda279124f06416210b3cad1cc956b7e1811

SHA256
ceaf4490d4336e1290d89d4ec1a07dfeb2a065592d7797d65d3e9498a57557be

SHA512
14bb9fde42a130df1eb610c34f70c9b662d70e8e8e51f769bafc8aee0c07148ba90329d2a9cd5000737eb179fcc35a58c0908b79f43cc1b47ab2669a0558a409

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
481KB

MD5
0b172d86fcb56cfa656d8cd3c13413b3

SHA1
f26ac596f95c6dcc7d906c13812914d6858fd08c

SHA256
68ce745a850c555079455f7aaaaaddd80f4f65e179f7d5fda985c846961a8740

SHA512
12ae11954bf3f8a940f5b781c8d49c127686c4ec76b2c1e88128e5ff22e16e1120e61b41e2a0d6c2fe9def6359ac558bd9416f5cb0daca80f1b3c39a31ffeaa8

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
481KB

MD5
fea2c7d760ba2508be5ebcd529335231

SHA1
acffe08cf0d8935cf8e56a1cf6b1385db4e3248a

SHA256
d42a50bd36e3a5ac15a3e2b2343d467a120abd87dbb9958f612a9fddf34f7f3a

SHA512
f97f52bbd1e026b2bd8491d46dee42e6ff698c79c93637c4d12fbc3ab384a87cc4cf55578216e4659391a5d0775480ab635c7a91bff91fd3e73f23e0e637e588

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
481KB

MD5
8a23f5154130a50f3d99af21350808f9

SHA1
c6a47257e9049a214bd468eebe8c948a596d6507

SHA256
97ecb75d00c10a09b8016165671319cb2f9316ab1d4da29c901fbc3c02340dc3

SHA512
8837312972b03786c17f42676d69e095912b7172b095c6b99ff31fb5c23b511393b725fe71b87159def79d2a2cb38008f6c7ea6dff3c7979560095dff590ce04

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
481KB

MD5
a0c8e3597ef0655b3e3c99d5f6019f0f

SHA1
4875b2ada0da1972dccf4852c5e16b08fa3100a0

SHA256
2e3dac4823258f77dcaf4f07fdffa1e299d49973adfc30f642dbdf06c5550c3c

SHA512
236dfa61549b7d842f3f78b911d2d49eeeedda32281f022f6e2c30383dc8881dc86ef23686ac077f3366f91b578d084689e4808560a9f2c53a52704a6ef02d0f

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
481KB

MD5
d6a86eaad7910eba03104af77ae7aca5

SHA1
10c90299eed4f820a18cec5a91590bc3ff9918e1

SHA256
68b626941abfac9bc8dedae1d5199256768975576c3f296b95081d367b6e3180

SHA512
ba8829a621386c72a0353053952d03e5e25b01f9882103896b15d23dda048e5bf0070407c65cc874290e850ce6dc30eef0c4e92921e55ab710443e882c0bfb6e

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
481KB

MD5
5c6e15c8ec7af9511d3fb31d75e5de87

SHA1
bff4da15a04e2616254eef539686b6b7539c7777

SHA256
6ffffa9c8044b1da05b5f44acbe8cc88ed2362ffaea0a9f81b40b40cd6d17555

SHA512
b04745a68ba54bdfcf2346cf8b8c7c6f5bc76ff8e4f1aad264df142afeb98dd07324186c45a86bcd8ecf5b286bfdb7ff7d63556b0e82c127aeb952b4be548a39

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
481KB

MD5
f728dc6f8084febd7246a5da4ec939d2

SHA1
7808c196892435511c08b0d559c59c75b1f2d3c1

SHA256
313fd3c4e61cef281d6a5745382764d92bdcfb6e4464810d101e6fde58ab0adf

SHA512
f47504f5f45b3203280242085bf0925f773654b920b183676f0ce1c74e5f1b4bb9926817facb1980d9fc7a90b5da577ce69fdf6ba12e353dd1b847995aab4b8c

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
481KB

MD5
c3616f477a7457db98f62f64576925f6

SHA1
a2e86cb99a2c66825b5386c7142b901e7a5324d1

SHA256
eae65fca63ff1508bf30ec451018d1e299437b54e488a91ad09d7001394bec7d

SHA512
3acf6d7b1b38339c9371bd7cf6abf1f5155aad12d806ff71dfdced46f45d68974903b25392a5e82d4ce1197c400727220fdcbb44b0bdd95657503cffa806c825

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
481KB

MD5
9df6b77d08eecca0b7fa68b8ada8c23a

SHA1
787dc828eb7f470e4708510370564463508ca4f8

SHA256
b5ac9d0f1aac541941402b919664df6c925366e9d507aba55a38deaee4a42144

SHA512
4a9c05d2e370a5b088461a8a4ddb0f4caa950d9cbde02f01ed620b5be1652f226f6b9c13bee5b824f6c96bd181a9a578658336b397671b02b2ca10b66f337316

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
481KB

MD5
50aaff6425b2a0b99f938eacf062dd2c

SHA1
273b62bebf503ca282a9b607fdfdbfa64915ea34

SHA256
3064af6be8a0c9d898d8f4c44440e745675f70670c9a564148977a76b3cbeb08

SHA512
6ebd7e6cd12065a50f972b3606b6e5781885c279cf65715309f05e39ac1ecfa8e468ba0487a6231fec7027cb56e3bba95a0d72a5bfdbe17d1a2f31dfa9f56c47

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
481KB

MD5
bbef550c9684fc3809a1c16a44cb3b57

SHA1
27856d2db4a819620a6ac3e273e2400d616f8f2b

SHA256
c03cc4f3a9de59e7787925716dcefc82c48e2a405b8750a2efd1c148bfd0ea71

SHA512
6b1cb596439fc5187fa8b43364cea3c945434a87d74ee743e134dd2e2ea94b66bfa15d7cce217f984ba099197f46762368e7ac34fdc7cb98c73b525c107b4083

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
481KB

MD5
403f8c45c5604aad5be37947665411f5

SHA1
5132cd0d63105797a9c60d6f76e51df80fc275ea

SHA256
bac0451937d1d4c1dd964af297d181052408430d9a0565da186b8df2545d8e48

SHA512
edab1a6ab768e2770fd7d3fc0e66dc96645aef23150dbac8ee15f3faa4a8cd91bc9a815f4beb00b17fce20f1a05549c45f50fd49ae4b68015a86e1958bd862fe

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
481KB

MD5
160e7cb8785e0dee4ffc306c879c611a

SHA1
2a95141118c47eb546379d19db6d844a2e0d7a21

SHA256
691250e5b9f4d0308c5a59905cd18acadbbf7ca8460f94c956ee519383bcae8c

SHA512
508842dccf2a6afc461a2873656da8d4d462de95cbc52750d854e09163836f7471b23fa186ab4404b37060b369517fb0c07b97dae1a04f8098b32510eeedc4a9

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
481KB

MD5
379c9b75af4df7b9785bbd9fe0180b3f

SHA1
06890ee38866ca5992e3ecc8162959fa49e2729d

SHA256
a067a024c22d599fe0bcbff9e15e87ca77c708bce63c8babdb50893532eadcd7

SHA512
b256423f241580535faa7ef49cbdc3b34fdd12b4e54bed280d6b0559574ce08ac3f0a55577080c9f5644104dc24e4c506f31d168696d0d40d492fd235df84879

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
481KB

MD5
a245696924dbf0439f10a5d4c0aa5b47

SHA1
0d5c392c8df3965c8eb8bb1b21980f59a97355fd

SHA256
8790f142322493b4b903b0f0005e6459c13b7a980781f257cb59e5b2e51c3f07

SHA512
4410c596208b0e8452d45ebae12b5434cb7123c2870f9448345d8108d411f93083b36c2de5f55aa82374ea8c4d3e528dff995133201788567679b3c668013dd2

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
481KB

MD5
085a852940aabdde30f79c8b614f7ee0

SHA1
3021889c053d1ab30a20ef4116da260e8cc952b9

SHA256
3db5b1f6aa0259b9c5c69b7645daca48af8d319898cdcdf5896785656cb2eb99

SHA512
421467f8fb8f168b97d63468d5256a5de4a0ea45ee6e7f7867ea6dd5f2537713aceeb925c60ab1c8a2413c8260c59deabb6fb51c236ee2837e5394751070681a

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
481KB

MD5
9aa287a12fe7c0c3a1a3d2d7272aa482

SHA1
4692b502707c450ab5ecdf3c5ac61600206c3c7d

SHA256
8f8792ba9bf98ccbf561d8e4b8e380022a0b13dea9887b6c8a657e553e2c7e80

SHA512
fdc81c7dbdf94c75a2d4a887141857448d954e27ff52d305b74a5eb541755e43e770b97b224c37a1ba7193943d2351df00acc5b8f6fe9edfe5f6382f101a744d

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
481KB

MD5
eff6d0b9235a3dab858dc95014cbd2a3

SHA1
dd8a7b593ba768223de0dc7d1d1b87bec157e143

SHA256
da42fada8759ac0ec6200deb03ccae2dcf7036f3a6edf4ad9b63830b7b57f216

SHA512
61d88c5f695efbe1ecfa097edbf3ed03b83276a118a4d2179df1a8f6a886cd896c097d6e96fd9ad5034128eba48a1f68735b675c865a4b6c07b9871d2fe4573d

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
481KB

MD5
b31e4d0aeb24fd51198e9697d6d02af4

SHA1
44b35325456cf4ca78de8ed560bf17978dc9dada

SHA256
e601dfb6e7b352c88dc46e036310250e2f39b312d72f8f05b702d7dc99ac13a3

SHA512
6193afda4471108a5c1b8e5d9d50ba395dc65d134669855b6cc6213b0b0a20b29cb90b8400048ba007cce272cf4df3f48a85fc202503d15dcda8f8feb67c416a

Download Submit
memory/424-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/424-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads