34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e

Analysis

max time kernel
53s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe
Size

608KB
MD5

ce7606e59bcc18b1b2efae9354907820
SHA1

47f88ce3fba55e254c4a8555de1ea277e43d5af6
SHA256

34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e
SHA512

1dc6e17584401681befbe7403fe0fe5d978e65c1e3ba2f7f7f52634fc21c1280b404b65684e3e7075c2177cd858652b8b5b7589aecbb4719d923264c8d7ca8b4
SSDEEP

12288:NdYkY660fIaDZkY660f8jTK/XhdAwlt01t:NCgsaDZgQjGkwlg

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe

Executes dropped EXE 48 IoCs

pid	Process
920	Jmnaakne.exe
3688	Jplmmfmi.exe
924	Jaljgidl.exe
388	Jmbklj32.exe
3016	Jdmcidam.exe
3348	Kmegbjgn.exe
1064	Kilhgk32.exe
2232	Kacphh32.exe
544	Kgphpo32.exe
2684	Kinemkko.exe
4196	Kdcijcke.exe
2952	Kpjjod32.exe
3456	Kgdbkohf.exe
2316	Kibnhjgj.exe
3884	Kpmfddnf.exe
1560	Liekmj32.exe
3128	Lalcng32.exe
1648	Liggbi32.exe
1636	Laopdgcg.exe
3264	Lilanioo.exe
5100	Ldaeka32.exe
4296	Ljnnch32.exe
4952	Lphfpbdi.exe
556	Lcgblncm.exe
392	Lknjmkdo.exe
3148	Majopeii.exe
4940	Mkbchk32.exe
1720	Mnapdf32.exe
4756	Mdkhapfj.exe
2732	Mjhqjg32.exe
856	Mdmegp32.exe
3516	Mjjmog32.exe
4544	Mdpalp32.exe
4008	Mgnnhk32.exe
4988	Njljefql.exe
3736	Nacbfdao.exe
5072	Ngpjnkpf.exe
3628	Nnjbke32.exe
1860	Nddkgonp.exe
764	Njacpf32.exe
2024	Nbhkac32.exe
4424	Ncihikcg.exe
3088	Nkqpjidj.exe
2436	Nnolfdcn.exe
816	Nbkhfc32.exe
1256	Ndidbn32.exe
4616	Ncldnkae.exe
3040	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3404	3040	WerFault.exe	128

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 920	2892	34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe	80
PID 2892 wrote to memory of 920	2892	34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe	80
PID 2892 wrote to memory of 920	2892	34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe	80
PID 920 wrote to memory of 3688	920	Jmnaakne.exe	81
PID 920 wrote to memory of 3688	920	Jmnaakne.exe	81
PID 920 wrote to memory of 3688	920	Jmnaakne.exe	81
PID 3688 wrote to memory of 924	3688	Jplmmfmi.exe	82
PID 3688 wrote to memory of 924	3688	Jplmmfmi.exe	82
PID 3688 wrote to memory of 924	3688	Jplmmfmi.exe	82
PID 924 wrote to memory of 388	924	Jaljgidl.exe	83
PID 924 wrote to memory of 388	924	Jaljgidl.exe	83
PID 924 wrote to memory of 388	924	Jaljgidl.exe	83
PID 388 wrote to memory of 3016	388	Jmbklj32.exe	84
PID 388 wrote to memory of 3016	388	Jmbklj32.exe	84
PID 388 wrote to memory of 3016	388	Jmbklj32.exe	84
PID 3016 wrote to memory of 3348	3016	Jdmcidam.exe	85
PID 3016 wrote to memory of 3348	3016	Jdmcidam.exe	85
PID 3016 wrote to memory of 3348	3016	Jdmcidam.exe	85
PID 3348 wrote to memory of 1064	3348	Kmegbjgn.exe	86
PID 3348 wrote to memory of 1064	3348	Kmegbjgn.exe	86
PID 3348 wrote to memory of 1064	3348	Kmegbjgn.exe	86
PID 1064 wrote to memory of 2232	1064	Kilhgk32.exe	87
PID 1064 wrote to memory of 2232	1064	Kilhgk32.exe	87
PID 1064 wrote to memory of 2232	1064	Kilhgk32.exe	87
PID 2232 wrote to memory of 544	2232	Kacphh32.exe	88
PID 2232 wrote to memory of 544	2232	Kacphh32.exe	88
PID 2232 wrote to memory of 544	2232	Kacphh32.exe	88
PID 544 wrote to memory of 2684	544	Kgphpo32.exe	89
PID 544 wrote to memory of 2684	544	Kgphpo32.exe	89
PID 544 wrote to memory of 2684	544	Kgphpo32.exe	89
PID 2684 wrote to memory of 4196	2684	Kinemkko.exe	90
PID 2684 wrote to memory of 4196	2684	Kinemkko.exe	90
PID 2684 wrote to memory of 4196	2684	Kinemkko.exe	90
PID 4196 wrote to memory of 2952	4196	Kdcijcke.exe	91
PID 4196 wrote to memory of 2952	4196	Kdcijcke.exe	91
PID 4196 wrote to memory of 2952	4196	Kdcijcke.exe	91
PID 2952 wrote to memory of 3456	2952	Kpjjod32.exe	92
PID 2952 wrote to memory of 3456	2952	Kpjjod32.exe	92
PID 2952 wrote to memory of 3456	2952	Kpjjod32.exe	92
PID 3456 wrote to memory of 2316	3456	Kgdbkohf.exe	93
PID 3456 wrote to memory of 2316	3456	Kgdbkohf.exe	93
PID 3456 wrote to memory of 2316	3456	Kgdbkohf.exe	93
PID 2316 wrote to memory of 3884	2316	Kibnhjgj.exe	94
PID 2316 wrote to memory of 3884	2316	Kibnhjgj.exe	94
PID 2316 wrote to memory of 3884	2316	Kibnhjgj.exe	94
PID 3884 wrote to memory of 1560	3884	Kpmfddnf.exe	95
PID 3884 wrote to memory of 1560	3884	Kpmfddnf.exe	95
PID 3884 wrote to memory of 1560	3884	Kpmfddnf.exe	95
PID 1560 wrote to memory of 3128	1560	Liekmj32.exe	96
PID 1560 wrote to memory of 3128	1560	Liekmj32.exe	96
PID 1560 wrote to memory of 3128	1560	Liekmj32.exe	96
PID 3128 wrote to memory of 1648	3128	Lalcng32.exe	97
PID 3128 wrote to memory of 1648	3128	Lalcng32.exe	97
PID 3128 wrote to memory of 1648	3128	Lalcng32.exe	97
PID 1648 wrote to memory of 1636	1648	Liggbi32.exe	98
PID 1648 wrote to memory of 1636	1648	Liggbi32.exe	98
PID 1648 wrote to memory of 1636	1648	Liggbi32.exe	98
PID 1636 wrote to memory of 3264	1636	Laopdgcg.exe	99
PID 1636 wrote to memory of 3264	1636	Laopdgcg.exe	99
PID 1636 wrote to memory of 3264	1636	Laopdgcg.exe	99
PID 3264 wrote to memory of 5100	3264	Lilanioo.exe	100
PID 3264 wrote to memory of 5100	3264	Lilanioo.exe	100
PID 3264 wrote to memory of 5100	3264	Lilanioo.exe	100
PID 5100 wrote to memory of 4296	5100	Ldaeka32.exe	101

C:\Users\Admin\AppData\Local\Temp\34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34b19967eb0b3e6351eb83879c63887676a941fef0347a72748dbecf3c65666e_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\Jmnaakne.exe
  C:\Windows\system32\Jmnaakne.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\Jplmmfmi.exe
    C:\Windows\system32\Jplmmfmi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\SysWOW64\Jaljgidl.exe
      C:\Windows\system32\Jaljgidl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:924
    - - C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        50⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 424
        51⤵
        Program crash
        
        PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3040 -ip 3040
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecppdbpl.dll

Filesize
7KB

MD5
478957694de9f490660fee0cf71dc82b

SHA1
34f3a50ddd2421a435b46f0d52eb4e62715e13e6

SHA256
66312f42fc0afbd82575b075a7615eeb3d1fb8a125d73c95266dc79144067dcd

SHA512
a83a26f312404568372cc63f4730ed602a1e4b4054a436e1e75d6e066317179639a8a9aadd9f31e59115c73cf0f35cc3c15b0f6dc55c4a997a5d34324ad202a3

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
608KB

MD5
d2d4e5644c74cd0cb6bcc6ad20e1a291

SHA1
6c146d892ccbd1adf580a41540b23214be50df1f

SHA256
c2a73ed5ac726bb1285caf8cdde3084f8a147bc854e179d49a7f959e1c7c8aa6

SHA512
39fcf161205a1db825f6f0e660b1bddcfcf78a3c7f63df204b273279f2467dc4d239fc52399cd726beecb022a9217288bf532344d5724eaf91c77fa2680ff385

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
608KB

MD5
0bbf75cd12a2b9e176e8c59f123baa48

SHA1
3511b6f3345a0c180f8bf1202d562fde0f386f3f

SHA256
b33e1243665a6b923dd7bdd2303a71e8d5bf5d71c31b7ff7c0e9cff30ca679ff

SHA512
21749abcc6a70f8ef358240c25e0b28bbc3cf9ca166a1ff892ec60c223b796088e22ce3ba5017b68042c866dafce726bd1bda6a3b9780b33d58e880fd625387c

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
608KB

MD5
bc3ad210eac4b449dac9949abd4c9699

SHA1
60c0013b292459302af5a17f5dcf19e8e72ebe66

SHA256
61bacc64a0e4b549debfa43d8c73fd45e6a0d60e1a35628b4f323ac0b63c38da

SHA512
763092ca220cec8a468e4b56a5141c6e84a2b558c4dc310e8d7e3b383cd33766021e8e389d59bc0515a4cd51990dedc3b6324fa00a24953e44014095953d5c87

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
608KB

MD5
dd84df27b2dafe2f6bde95034a0d8c94

SHA1
5e58a0d0175fff1e54cb307143ffb10701aa1115

SHA256
c2006461ae097c4e4346943e75ad803fbc1887105908bb234a17b6f4cf26dd69

SHA512
a423e6bfaf1324ebab421edfd7e536abf484f41a7a1b032f0ae693a8284c0051d67ca7bcbaa51e2e346fe92665a34a97961e5b9163fd7dc621655e6f2d7419fb

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
608KB

MD5
71c249d633ee6316bfd29469faf55a24

SHA1
518a30ab7a3ca0c91ecf68b0aa27cbbdd2cc5575

SHA256
fc112c9681cf9da3919c8b4ae33b57ad9390940523b421e612cb01a51f626eb6

SHA512
505e3ee0b391b1eef0e8e67a5aeaf762c398daf5d4d16c6f6eeb968ecd31ab8f6abc2cd84377550da7f2d70b363998fc88f51fd94ad2d9f20328beabc975be7d

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
608KB

MD5
0e6255fb165416d0e8542aadb6c3bf29

SHA1
a718a152a275fa86a9ea4910fecce704817309a7

SHA256
26e05e90d31a0f97c48ebdf3b5236e3fff080a13750e8ca380f6af489e5d7327

SHA512
e72a4b88d5c1f20cbbe52b1260f6e14c3162e80517bc0a458c3819f23d96f25bbf57e1865d6853704f99bea67848b23281882c67fc0af4f509fa375a6de6d3c2

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
608KB

MD5
904d159e3ea2ba3350152a318b0da3d9

SHA1
4b9af5b389d968b23d46e1319410cf4a88d7db8e

SHA256
1dfa10985bdaf6150a01f2392b1e6713f17eb7cdac8247034e567c0fdb9bd752

SHA512
467696ae23b9bcef7c2ddbb45b94ee1eff3c3d64792a7fc3c52752d08ede664664743147dc7de05b6ae7609d046b9beabb8088fbc779ead70896039a2210c9be

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
608KB

MD5
1f4ec4963cd07fba2cae740f6fa58607

SHA1
94c71f4e1acc771de2a1278599bf86b6d5891e77

SHA256
b9218bcd1acb942122b65a7025e6e96bc9d2e2a0f61562464097d1a6343d4bb2

SHA512
09916cf04900e7d88fdac9d54b14a4ccbcf4f07ee82a4f25cf6b4ca7c604ab92f9623d4a36a4bcfcdb741f231b7805b4418d74320ff7f97ea82780bbb601bd58

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
608KB

MD5
287336052537fa6d8930ab1ca1dc053f

SHA1
ed82c95b9e1ef9a71f7da0cd9ff0d00d3fdda6d0

SHA256
d44d3b526c72987e3fe4aa5d9b6c22c82e720959ce352b965c0252aa696eac43

SHA512
14b421df0bb37e70b6a3677c6d46a160194f1dbf5cc380a05f565e4923713206e81d3ddaf577a252faac9bce03d8a84e86efcd7e772e2d3bc5fd0639fe47f732

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
608KB

MD5
6f3a1d7a66f8bdee74bf0fa7354ec096

SHA1
9d2feeb93499611729d4ac4859c21d51037c127c

SHA256
6da8a50457647fe01ddde01fddefa1c23b723bc658a297c6f633119ea954b264

SHA512
cfedd086575b338171b6a002490ae8d4a74e6687d65ec85348007db523198a6a7de8d2348fc4163998fd328cdb2c604783d6af8f5ddb78ebd54a3cbf258f00a1

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
608KB

MD5
1c63beaf9cd85420516288421c6ae24e

SHA1
8c6009741b1ff3cdd2a6bba72c0509e1e523582c

SHA256
a3a53289f4cb5c82c3e1e28787a2751e29af2b5924d3f0ad724f6281853ea578

SHA512
9e6b730fd9e2fa37800e7475699020c989fc61cb04e008cfe23ac59ef038d0e170387de8cd9c286a042060ad522980129ef60a905fa7d428477df8c8dd2c1c3a

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
608KB

MD5
508360c892ecc3297d13ee86d04fcc2d

SHA1
60b0c4f0420696e6a13c91c4d7f58f5191febac5

SHA256
77da36a5b9323718f83145307ae67de1e253dcdc6fffa7e5a5b03411a55ce9bb

SHA512
962f4033a2e7619a4315a9aea6bffc3b2c3cba80e371a1a729b6fc396a756ef5b553ed14d2035fb1e48a95cbd149794c0c28b046033889cb2c157a56e7e32245

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
608KB

MD5
8dd266f154434e2fed3360f6e8faeda3

SHA1
8d748253b8a1c78c529ada144b27d62ae41da1b0

SHA256
fe099b4e5f6c478af8ca1c9c8d2365e0a8f97142055afa6b9559efea3c72691d

SHA512
ed1aa7d68ea0cca710f7ebd9458600aa79108df2cca811d4fa77d6551c4fac5f8b6fe66817266b09b408fe62ce63cf26bc94b9e518a185950437b16b1bc40577

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
608KB

MD5
5b3406dcdec8297cc9d03553d80692a5

SHA1
7984d27ddd2909da9112a22a8edf51fd759df2ad

SHA256
9d5ba709e54a9ff0e76330581354273e5d8c7481162b79780d43a560a9849f96

SHA512
d1b5da88925242d043aa812941efbfc43198db44f7e53df69d7aad327d089b49c63b57969ce84ce1e6c3cfd642f9d0140b3c99698f813284ebd80389abf3c7a5

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
608KB

MD5
c151c7536bf5b584df2f0f706c4396c5

SHA1
a28c0447cb36c4be24961395d58e28815a4a3a58

SHA256
84cff98ac407dee368351540286d17a589e4707c9f7852dc081c6e3763c4475f

SHA512
f9fedfd2cbef0da2279ea82d796c65bcc0a92141e5e59f6994b64964dcb66a1b8b8e397334cdfd5cfa6303e4b9980fa9534656d72432c78d91c8c83958589d48

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
608KB

MD5
93953cb67a46f0dae7c3dca26e7c77e9

SHA1
a1ffa448cf39d9eed6b084f0106fb74f0a1ac107

SHA256
8fa91359ee029bcf797fccccf64d2fc6d07ff65fafe83959f8972a74e09a9079

SHA512
072b7bac57371d6336bfdcc886f7eaa335573ec99b44b03d321f8da6cfe5f369fc4b6e7fadc9b68d19f9119ee9961685ddd855d9b1f3d7c633bc5b8acd6ce715

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
608KB

MD5
72c8b31a805b89c919b4ea284abb27b9

SHA1
31a5699d2c8c701cf7ee78c3211dbb16e0ea4026

SHA256
65515b29874794508b436f36755bf26679f257b697d80b0929f36f0375ac9fca

SHA512
112067c6a1c226a35f78a937d67d226c2f1c8f260f799c55191334c61ec8fe2f5e6db37b402a5807b6af66d87772c96466fece921d21a7aee33f8a6dc7040295

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
608KB

MD5
215cb5afae7d4fc90bec402f6b48f415

SHA1
b4a9c35ea6113a1ebe5eaca9c45e54a28d60a472

SHA256
e73fa55e3ee51f1d05b36d0cb453f73b956be9f52652d29ce193facb19f14994

SHA512
300de5dcc43f26251d0c5a799a37c692cd84af98a319f5375dcb3e4dae2472ad30ce305b4249db6dbe39ec7801856b0b3ce02405126742556ffb4d8295702c06

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
608KB

MD5
30e01bab29d4c8c6f034e7b04bb0553f

SHA1
30209618c086f6319610b88f9e95b31cb2507538

SHA256
f75522855c8b1d96fbc1b656c46cd926f81709333c072d0bc7d04a1ce8444846

SHA512
84d0a053bd76a184b6a0a69ae674b37ced826be043014977476dbec3db213ac59882869f409f34e4d9b398fff630013a833a15932f888f7ea7de68487ba0372f

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
608KB

MD5
45164734a408ef46b98e30d909d1a710

SHA1
11d39c7b5dfff079e9770ff02316a0b3bae4642b

SHA256
3ffa8233b2d0bd72b2fa01f37bdd14efbb4a00e800a04a70437c5168ba322f00

SHA512
223c1048e1f8fe083cb193aa01e8d71497f2560cf4adf86d9be1eba46eb88bf4220ecfc77bb2a9777d3e09808bb179559bc4b42de4e56a82e71b0059a26dcede

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
608KB

MD5
22059b27389dd783b437a4826ac919d7

SHA1
acf69c596eea295d3cf2144d492f92d4fe74f5de

SHA256
24a2f87331671f7eaab873734206ec28086493b6dbd968e06dabe3ee2eb0a449

SHA512
42a3a98f4cd00c42e66be0995322a90b7a1c369a917d3f0dfcbd30041b4009761a941ad80ff22b66a6527da71e4a6c44ac53f9f09cf08dca0cc360c691c993fe

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
608KB

MD5
275513cf3463014ff065cf26c7ad0b5b

SHA1
f6f65afa3ded9df8dbfee04f1c84fda4f723bb61

SHA256
bf1e3daf50d3f4b38f60814193347ac3f240cf233e721394a031b41cf1aa4b19

SHA512
bdb1c3b09d04b14881c1bfa8ad5a34128f8341ed59f88cdd85eb7d3d6f44eabc24ad065ad23860f3346e2b3cd2b1beae4fe0f4732f539d8e032b2f5fcc626e1a

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
608KB

MD5
1cfc369b2d311e2f9003eee96bf0853e

SHA1
2a650bc84c54430a5729ee8146d552246903cee0

SHA256
dc192bd11b036b7ec6480f6dadbab4d2a0d581d0b39f1f420a8defaa900de687

SHA512
58ede499e48d9d909da9af8b4bc0f06ff16456d7e6f28904a36f7f6d3e3b6d8019f05f8d03e601e85212d8fb733ec3417cee638e907b59aa903379aaf68a92a1

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
608KB

MD5
1bb14ba874543215b932d324adbf50d7

SHA1
c3349f47adfed33881d5d1274d6134dcb1696c81

SHA256
23d2e48b535915575383fe36e132978d470a203179659789ad410aca2f4c70a7

SHA512
ab4b7701c19637c0045677088d186d2377c47d4aa4c4949d35cc44446c2bb052b15c70b1ff8115891893114f00896f21cff5111878225ffb03fce69b8a9953ea

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
608KB

MD5
d7096198eeef08867418146a714d9b09

SHA1
670b951450f64d6e752b82274391645077a80c35

SHA256
897c40c0d267fcba0a447b4413841546afca9e71c60644dcc129781642740cce

SHA512
0e51b8bbab8d94c0f104d965e0d2cef22ae5db22f82c707d133a71a7a9e75946136eaed426e327f7b2134cbaa2500641651d229e29d121c056023df69788d79b

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
608KB

MD5
fe40600feb1a7b5d835cb296fc4b522e

SHA1
5f357655df88b271646e3c06e80d340ae9a0db8c

SHA256
da804ad22177133c849de202645bbe16e0ce48eace6f178dd8a5c68506311b4f

SHA512
3a23db5e4075f42dbc0562f034112f2e5bbf4830df7787d7dbcb4502d109eaede80b0b694eb546ab23f7dbea6ffcfaa6524bd0c730e7b4b8cb5f0cccbf28d98e

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
608KB

MD5
0a37b48d55bdc224e9cb4e70c49f4126

SHA1
25f2f5e3c2abc90b0cd33e8abdb2d9dcc79ac9d6

SHA256
fb0ed258e0ba5dfc796c2eeb9fdfe235b61957800c0346bfce2dca1a57289ccb

SHA512
6e9c848b01cbb19a00e9f95ce98dd3567a7ffb995eb8fb61ff64dd7d16876530b01d611a1c6d3a8c9abd430cbb8ef544b69a13e8cb652297f3e08e24c97770c2

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
608KB

MD5
d30af48eb0164622de0dfe27f6fa0ede

SHA1
1e0e2b1445b2030112f9d5d121bb654575643f06

SHA256
dd99e62fc03ba27ee19dfee4d2096393595f9df4cbc9c836ae04fc49df796fba

SHA512
d5ec1a7aba245a5c0e2e28797497950c33dc986c5d3fd082b85ba9eb9b2cb042703efda4a65b1cc8092b4e737728a67757bff048f696fa724d80d89daa22d261

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
608KB

MD5
016a72cf9e7ea67605ab715ff52b4edd

SHA1
de1954f7715466ae527458d28d03acc1939f4142

SHA256
3b05a28572117d90be07d2e10fdfbb1a0583bc66d9c5cddb888842e33362fa97

SHA512
2cd63db4c1871de0aaace8edafd19c4c58046e18614edf066b567211426b21e8510748db6663b854dbc00aea07c1a9cf28780622f5f75135b714030dffe36589

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
608KB

MD5
fef22636450fd878a8512e5c97ebc984

SHA1
539c3e9013f2a2bb2f4b7cb81f78fa97b89736dd

SHA256
039c645044aa5eab0d3a4a3b2f94f815530137b8a9f5e873c7a0920accd1dd97

SHA512
a494eae106eddb5226b4bb0f898aef7bb4478076f633c9ca5bb708aaa910a1559971260477dc4f4cda3347accc5cb1c7af9194f106006398bb00f36722c1aed6

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
608KB

MD5
2708d306283419de61e084dc92c35029

SHA1
52e164419cd1a51a69204fe57719d012007f8b8c

SHA256
08d3f96d35292393fda78c174e6556be4edf2568b8e4d3db85801c3b20cf8c32

SHA512
cc3d11c7ff813615e9a619caae738ae41fac9c6a3fceec2f7f118c6f0f262f18959b680dbffb4b7bc1b39f26162deae7d81562802c79dde575e1d53716ce0678

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
608KB

MD5
ccc51e6b9fe0ba1554d92b71b7215ed7

SHA1
70f1efd4b28d8565d7832dad8c9364fd62d95738

SHA256
3e8f6123f691150520c88982a5c3e739018450e8684b673b6029ff0f6d147f2c

SHA512
e677e1fce400b071c60c34ae7bbe9f96bd2c1ac642034698650926fc299455e24e4e56ef3f404afd8062d7699fcb54e3fc1bfddad167e20ac4ef249ce9e3b68d

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
608KB

MD5
9b739897b6aeb2fc9e7d4c5c19eeb5cb

SHA1
21e06d9aa85ccbc2b54ed25731efa46e0ef59d5b

SHA256
4b3da1e62273b800c510a2620bfd9b2008e9de23a35c208148d3622514cf4bec

SHA512
b21f44f5dcfb2a6bb82c81904dcd7c56f12308aedf4d2dd64391f496e71bd630cfb89893ac786095a8b0d4a765f8f151668bd4053af82e44c7836be7996bad93

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
608KB

MD5
b7b1ed2e260af2f2d865c7aaf11479ff

SHA1
06ccf8cd7cf11d08fa0a22ec8f48a270ca5afb47

SHA256
6908d0ff35b9e7f0c2874034775e351aba8253965fdd1141d3936fe9cb761b1b

SHA512
01a72827dc4ddc00a27409c320365e331827629c292697442ecfddc18d7248896867327d7a7bb988899e3085a0502aa77583da5fcd814762797c391e6113a7dd

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
608KB

MD5
38ef74ebb979aa99b5c799e193c52a6f

SHA1
7a40974dff3060fc7c1f85204b74098cad763242

SHA256
5fd092bce4773dfa11386cc29d17f254f4f03dab5ce92a44fa7923dbd4cb3c10

SHA512
f5810652b2418f5f13660e9de15ce612744c16f496ede8c313fde5dfbb0d4aae66c10dbce9dd5b0bb70e8da9a476f8834235cb30fdc28aedc7729aed361c8806

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
608KB

MD5
0b47b001f3ce4a2fbfa568b97f140f76

SHA1
d1cf96b447c871a49f1b697ebad3818ab2cd428f

SHA256
d7137d0a073678fd668705348ffc2cd2241b61aa913e5054c2691500841894fd

SHA512
217712833f955974f86d5007784b64cd11c5c2985771956a0bc947fb1b8d039510c41efda175e5938bee01773e0bc79e94c82da0a897c070c790f1888f7fc94a

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
608KB

MD5
f0594ee44d550e9d0442ab6c0a06cd79

SHA1
698a6e705f4cbfd1110104d111af6c65c8128a41

SHA256
fee2551918784ec9efacdbf028b655e89ee80456aebc0becd337e7277cc44db9

SHA512
3f591142a5be432e30bef6ff5265f435e4797dc7e9fab4464a22f2535d66f2fcaec23f519b0e595f9932d977b790a2886627b48e93af9af156f894a87a04fa0b

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
608KB

MD5
1463ea185b38a3549245a9ada6f17808

SHA1
da35ed1988451d3a3bc31776d4f3a783ecdc606f

SHA256
085a4557cebea14d3d83192eb548d845d0e90321a5a34d44191cc9d31de9f87d

SHA512
74319037e99e6a3196918eaf47b9af18758c2d8803703d79beef1cb222c3e626502ba38c1765b6d9a89622d233f24fb3bc68fa69f907347a7fd44080a072628d

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
608KB

MD5
2f37477de746d18ca41e09222b31945a

SHA1
62faeb6ddc3e3ab53959f648a6495693bc41eb7e

SHA256
439965b4b1413a0322d4c05b50d819fe746f68385994df62aa8a018404dbecdb

SHA512
caa03272aa2a74c6de3fbf63ec330c60454966d1f83711cd6229dcf7c5eb39638b4aa79f0ef720065418bd1d0385481fc019b8259b4658c84cf5d4755b39dc7b

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
608KB

MD5
a1146fb30faf00916b0e04d73b106e25

SHA1
13c849a29dd225ff54380f9e27704b7529aa311d

SHA256
00573a5bdc0447a022c6606740634ddf9cafd075e7d608daa80dc365dcf9fa3d

SHA512
c98bc627e9d9ef64e7f73ab927c29d9baae8486d25d88faeeb0197fdee3a8d81f4b264257405e1193bdfa50dda0c119c0cca3f7419a80f19ac6bf477bb243194

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
608KB

MD5
c71cd3a42f7f9668a2eaa3f4526f0820

SHA1
32e0b44829a49e4bdad1b99f8d1b3148b8d7b003

SHA256
994da0151565a383716bbc757b8504501ce49a4c2d7a46580ff04a177338fb1c

SHA512
a30461b6515496981c2552ff23e9bd4651a064a8d34362641647d78e245c1b4f80b54e134a197d505b8bb100554e086f28446966842fffba9817c0a40d671721

Download Submit
memory/388-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/856-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/856-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads