3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d

Analysis

max time kernel
53s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe
Size

80KB
MD5

cbf1ebd001206eb3454811e6ed9aaa20
SHA1

0c9fc6721cb613b939396edba2e9aac4998655b7
SHA256

3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d
SHA512

abfb63edcc1833d4443399eb5f78dc7223ec055560909ab1476bf888767179b999eb731ee4f29bf48b760814497efa9bb2b292f370bf4fc02f8e09b24368df5b
SSDEEP

1536:aViYuFTBVMarcBSZeqbXd+he82LGaIZTJ+7LhkiB0:ahiMaveqbtYe1GaMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe

Executes dropped EXE 45 IoCs

pid	Process
3744	Jbkjjblm.exe
2904	Jmpngk32.exe
4048	Jpojcf32.exe
1312	Jfhbppbc.exe
2620	Jigollag.exe
4568	Jangmibi.exe
1452	Jkfkfohj.exe
1444	Kmegbjgn.exe
2268	Kpccnefa.exe
2352	Kgmlkp32.exe
1584	Kpepcedo.exe
1764	Kkkdan32.exe
4116	Kphmie32.exe
1340	Kbfiep32.exe
392	Kipabjil.exe
2168	Kgdbkohf.exe
3320	Kajfig32.exe
3224	Lmqgnhmp.exe
2480	Lcmofolg.exe
2964	Lpappc32.exe
2636	Lkgdml32.exe
1084	Lcbiao32.exe
1936	Lkiqbl32.exe
2292	Lgpagm32.exe
3504	Laefdf32.exe
1860	Lgbnmm32.exe
4604	Mjqjih32.exe
1548	Mkpgck32.exe
3128	Mdiklqhm.exe
1572	Mkbchk32.exe
4720	Mpolqa32.exe
1984	Mgidml32.exe
2040	Mjhqjg32.exe
3180	Mcpebmkb.exe
2648	Mjjmog32.exe
4512	Mcbahlip.exe
988	Nnhfee32.exe
2024	Ndbnboqb.exe
404	Ngpjnkpf.exe
3296	Nqiogp32.exe
4240	Ngcgcjnc.exe
4704	Nnmopdep.exe
396	Nkqpjidj.exe
2624	Nnolfdcn.exe
4952	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
440	4952	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 3744	516	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe	81
PID 516 wrote to memory of 3744	516	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe	81
PID 516 wrote to memory of 3744	516	3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe	81
PID 3744 wrote to memory of 2904	3744	Jbkjjblm.exe	82
PID 3744 wrote to memory of 2904	3744	Jbkjjblm.exe	82
PID 3744 wrote to memory of 2904	3744	Jbkjjblm.exe	82
PID 2904 wrote to memory of 4048	2904	Jmpngk32.exe	83
PID 2904 wrote to memory of 4048	2904	Jmpngk32.exe	83
PID 2904 wrote to memory of 4048	2904	Jmpngk32.exe	83
PID 4048 wrote to memory of 1312	4048	Jpojcf32.exe	84
PID 4048 wrote to memory of 1312	4048	Jpojcf32.exe	84
PID 4048 wrote to memory of 1312	4048	Jpojcf32.exe	84
PID 1312 wrote to memory of 2620	1312	Jfhbppbc.exe	85
PID 1312 wrote to memory of 2620	1312	Jfhbppbc.exe	85
PID 1312 wrote to memory of 2620	1312	Jfhbppbc.exe	85
PID 2620 wrote to memory of 4568	2620	Jigollag.exe	86
PID 2620 wrote to memory of 4568	2620	Jigollag.exe	86
PID 2620 wrote to memory of 4568	2620	Jigollag.exe	86
PID 4568 wrote to memory of 1452	4568	Jangmibi.exe	87
PID 4568 wrote to memory of 1452	4568	Jangmibi.exe	87
PID 4568 wrote to memory of 1452	4568	Jangmibi.exe	87
PID 1452 wrote to memory of 1444	1452	Jkfkfohj.exe	88
PID 1452 wrote to memory of 1444	1452	Jkfkfohj.exe	88
PID 1452 wrote to memory of 1444	1452	Jkfkfohj.exe	88
PID 1444 wrote to memory of 2268	1444	Kmegbjgn.exe	89
PID 1444 wrote to memory of 2268	1444	Kmegbjgn.exe	89
PID 1444 wrote to memory of 2268	1444	Kmegbjgn.exe	89
PID 2268 wrote to memory of 2352	2268	Kpccnefa.exe	90
PID 2268 wrote to memory of 2352	2268	Kpccnefa.exe	90
PID 2268 wrote to memory of 2352	2268	Kpccnefa.exe	90
PID 2352 wrote to memory of 1584	2352	Kgmlkp32.exe	91
PID 2352 wrote to memory of 1584	2352	Kgmlkp32.exe	91
PID 2352 wrote to memory of 1584	2352	Kgmlkp32.exe	91
PID 1584 wrote to memory of 1764	1584	Kpepcedo.exe	92
PID 1584 wrote to memory of 1764	1584	Kpepcedo.exe	92
PID 1584 wrote to memory of 1764	1584	Kpepcedo.exe	92
PID 1764 wrote to memory of 4116	1764	Kkkdan32.exe	93
PID 1764 wrote to memory of 4116	1764	Kkkdan32.exe	93
PID 1764 wrote to memory of 4116	1764	Kkkdan32.exe	93
PID 4116 wrote to memory of 1340	4116	Kphmie32.exe	94
PID 4116 wrote to memory of 1340	4116	Kphmie32.exe	94
PID 4116 wrote to memory of 1340	4116	Kphmie32.exe	94
PID 1340 wrote to memory of 392	1340	Kbfiep32.exe	95
PID 1340 wrote to memory of 392	1340	Kbfiep32.exe	95
PID 1340 wrote to memory of 392	1340	Kbfiep32.exe	95
PID 392 wrote to memory of 2168	392	Kipabjil.exe	96
PID 392 wrote to memory of 2168	392	Kipabjil.exe	96
PID 392 wrote to memory of 2168	392	Kipabjil.exe	96
PID 2168 wrote to memory of 3320	2168	Kgdbkohf.exe	97
PID 2168 wrote to memory of 3320	2168	Kgdbkohf.exe	97
PID 2168 wrote to memory of 3320	2168	Kgdbkohf.exe	97
PID 3320 wrote to memory of 3224	3320	Kajfig32.exe	98
PID 3320 wrote to memory of 3224	3320	Kajfig32.exe	98
PID 3320 wrote to memory of 3224	3320	Kajfig32.exe	98
PID 3224 wrote to memory of 2480	3224	Lmqgnhmp.exe	99
PID 3224 wrote to memory of 2480	3224	Lmqgnhmp.exe	99
PID 3224 wrote to memory of 2480	3224	Lmqgnhmp.exe	99
PID 2480 wrote to memory of 2964	2480	Lcmofolg.exe	100
PID 2480 wrote to memory of 2964	2480	Lcmofolg.exe	100
PID 2480 wrote to memory of 2964	2480	Lcmofolg.exe	100
PID 2964 wrote to memory of 2636	2964	Lpappc32.exe	101
PID 2964 wrote to memory of 2636	2964	Lpappc32.exe	101
PID 2964 wrote to memory of 2636	2964	Lpappc32.exe	101
PID 2636 wrote to memory of 1084	2636	Lkgdml32.exe	102

C:\Users\Admin\AppData\Local\Temp\3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f069718ca6a2282857b0a83b23517ff6f6073b5e4249aad6d971d7fc5b6043d_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\SysWOW64\Jbkjjblm.exe
  C:\Windows\system32\Jbkjjblm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\Jmpngk32.exe
    C:\Windows\system32\Jmpngk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\Jpojcf32.exe
      C:\Windows\system32\Jpojcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 400
        47⤵
        Program crash
        
        PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4952 -ip 4952
1⤵
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jangmibi.exe

Filesize
80KB

MD5
54a8cf8fcf33f353a70175ac192d0f21

SHA1
ed2fb8765a95dedd68d94e574aa0c3bef70b34ef

SHA256
dea2d73ab72c08aa7e3d09cf28f61c55f8673706d0b2cf84436386e3c325617b

SHA512
83f164f389c265931d4b5671c1113ae3e518eafb1c8e8ff30c5e9665b2a3e37b0fc4874a91933a1c075be6a375f3e54c98cb9f4918fcb6883bbd59a825ea4991

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
80KB

MD5
190c65fda1863947c75e278b84e5658d

SHA1
c0be17c1a4cd9e9b63a026ea3d9e38036e548720

SHA256
a6ff1fac009518bf0858e531821bc65891421d78cf0771482c3b6a898337a440

SHA512
32ebbf56c9dd4044a7ce3d230e61243d6205c612fa6291fc82e6f455a1273329d3c4f9d45a488c511a202b40b9135438d8c9562a7e1acbc7894f74e9c75b2ed4

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
80KB

MD5
398ba2796ffdbbc3d090acb826d044a4

SHA1
f271c086e9416470bf909e14cb822b10a5efcd31

SHA256
92e8f91d191d88ce0803726677848d99c76c46f30624c698971a75206bd53bb3

SHA512
f47c231c51b54df4e78f820bd8393b2342e7942c715808b6b5041b8a9bbc094f1ed723d99352033d8d92e0f119d1b4762ad1efbefce8e44fb130c37d979f9d21

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
80KB

MD5
e2bea1a461763e9e4ef3ab3da6efe5d4

SHA1
a128a429728484d807a7f20ab5eceef7384c21c0

SHA256
f32e606fa285044ffe5f1ec150f627ff73d8b57fa71ac3497f0f29442c9ca892

SHA512
4f3f1bbca14176627b4d4395b606e3d8f018588194f9ce29d7faea7beb563e6251048b75595d10201afbed9311309254e26892121cd39fc64ae1641bffcc330a

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
80KB

MD5
d1f2a7c077a7fbda4ee95fbb2a46510b

SHA1
f29142ad2c784bec15ca89c9ade1fe331bf2928d

SHA256
426176d4bd467c43f349dc055e9137101d2cdace46a11288e0b5dbed7b469f54

SHA512
ea8711230dbe73a234830d9fb2c42c1b10680ac504bba4e5136ee651179aa1f44bf7b8c1c57e3b46234fda68d71efd24b606621350bf1c63c8ce96f73f33396c

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
80KB

MD5
023073987480455ceaf9a5c167d1d7db

SHA1
8f3b4ce2f76cb09b5a673e700d5726f1c0e9f0a1

SHA256
7ec8b50a1eb19da311a53c106838b7a4b01fa4886c4113d088e2ddd10aa5a797

SHA512
4a09aee17871b60180e318bc2ccfb38b857946c6e425c8cdc11f2a9aa31e83cec1f7ae3d6e0d729af8d0c3fa4480d49e50c87c8e4f9efe9cb423a720d6a7e4cc

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
80KB

MD5
6bcdd2380136f324e48af3235ed3f69e

SHA1
24bc9b9daef48a07feeed50c798ada80c8a56597

SHA256
72a49fb1ba3e55ba05b481ad50272c39aa3f9ec46af333e036848b03fe696c27

SHA512
d07dcaed2e57f5026526287ec1d732b0e796932458751d4b45bfc5182bd5fcca5d7d719199917d45664ba569d26dccf71a892093be65a07e3fca287acdd8fb6b

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
80KB

MD5
af2ba81512cc9ebc4ac2af339225baa2

SHA1
658a85a391405686995f6bf7bbfe39cbbb246993

SHA256
c7a49e38fc8b012ba20123421c179bca3f4570f9df10f81c5041aa7012b60d59

SHA512
dad2b5914b82c1241bae7b4fa64a278c486f7e004297140fd52d0154e40baf7c5e1fb098c43c0f7ed48a297aa17faabfd8038c13031863bde69b90a81f28ec3a

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
80KB

MD5
8004f720edf0afd04b9673fc4bb19574

SHA1
3446b3256b99999897833074fc78820ba3030f71

SHA256
80eb9edcbdb760740123e51f2c28bc0991179d2db3e6db5ec852ca1edaf37bd3

SHA512
4aa4d6335d159ed54e31a9541e9a00cfcd0f159023c4f948233c4039c9a77c1bb8e5f2d602a5d5879fcf3182972c258ad33b73c8255ed9c8b5a6f56a2bf27bd8

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
80KB

MD5
313e8f6e867368f50de41e321e2fc6ed

SHA1
d97c17bcc7494c2a3d1ee5bc60b8ce3a9a8a4ee4

SHA256
63bdc4a6c9635b6c871b2bc0ab8c4c80e82f63f139f99c50eb1dd7d4688e8ea9

SHA512
71972bbf0264581e167667ef301bd2d202082630656d59d2ad495cb1976e797ef4ca98db426665ce6821b4b86b67ca46deb7f86c1de4e00b64e4d303e67ec4bd

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
80KB

MD5
467aef014b7b86b0b084664d4b0ebca7

SHA1
12764825f513fb4b22986c7d2bf53ff9578b79f6

SHA256
407eec9a841100d70abdd08d809202c39deb09ab36eab498d48ef50062caf4c9

SHA512
6ccf775f1b7b2151d88820d94fe49f12559fb7b23840799af77e129230abc51023a9e8a6e4326baf41572bbed832e2e72c26ab2278ed66aee1839c3181947b4c

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
80KB

MD5
37c8141065f6f983997953d1deeae98f

SHA1
1835b2147bfa0b3180068814e17350bb3e30f9a4

SHA256
9ee57bc1bd43e4090f7dc302c37533022f42e0b78ca50a6ed3e6a99a4516dbee

SHA512
51a56a150424165d293d13cda51858ccf1c0cc33fbe8fde98d214d20ab122ba84662a28593e075f69368a9695532e57f23a16351f0161bca919f74f2f1db9c4e

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
80KB

MD5
9809711bbe15fbed6145dec6b0655713

SHA1
3270c9ecff3a1082f2a52727e7189ae6f694b416

SHA256
904e49cbd53f78f89fae1a70b8870f3e89d60b04ab5ad5a0060a0817e28f0bea

SHA512
38b1afedea94b97212d783c5c185baffc2dffcd906605082fb88256dc3c865a223bcb997a774583c62262f8580e861dc1caec7df3aeb8b1a741b52f4d10270df

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
80KB

MD5
1ce3080d19de99911abca0d11f92986d

SHA1
c76ef4abd9e31b6b80c6f33b1576dc4f13c8713e

SHA256
9ae1c59a4a04dd2bea12e8a5f1d678f32c1ce2fe2bb29230ed3d30a807baaeef

SHA512
c02395d91e5001698a1ae9f53a2d2891a6a6f94f5cc85a9283a24bb94a8186a79649ba1b9cefd8269ea41429673db5b414bce82d0146a2081672b934ea82b39b

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
80KB

MD5
2ffa2b1a066407202e9cc7f94d958aea

SHA1
9af9065410e3d68f7397c8db9cc1e06b899bbc6e

SHA256
f99023587f0e5551b031d114a48a2ca7b0bf905295708aaf6b19e61450644d78

SHA512
4c6b2b3dcb7d253dbf68564ca1be0ee15dfd8cd98582b07e359561ed7b230fdfdd69ad413341c975d324854168e87f7579d248b2fcaaf309600fee8c85155f91

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
80KB

MD5
4d20ee924132692fbb999fdc48db4dd5

SHA1
c07da09544f71311911bdd5bd158954b3a103072

SHA256
016ce45b81f497360b8c578c87f4cfa7794b348dd5b4cc3c45a633c7c99772dc

SHA512
0b38265140179182535af0a54bcd4c483b5dcb2a711741b4fe2ac4c8a32b6d4d5503b7245d9dca9f9e135a77c48e357d7400723021fc89bf1276d0552b473cf5

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
80KB

MD5
c90535592030f0c0f1712e82b0bfb633

SHA1
236833c9ac58b2dc348a61460391668dacb0c51d

SHA256
76d87d90531d092585e0fa52f53e32c62a82a400cde345369170b8018be29ad5

SHA512
554528ded50e60f9a051aa67a479da50932c2055307c7d039ee964eb5cfd4689adb6350f58137efa93d6a70c1337f5fd17e12e6b69c60851d37f8eb5051f5ec9

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
80KB

MD5
bb03520b39775aa6a5578094d4088bcd

SHA1
a191b3755cae2d5decb8b3f39fe1b3d5f6cf7602

SHA256
58be54166271940d8a35ef4073acc1d1563428a27edf01ced737f13b4016bb61

SHA512
1eb4523a667f27b2b4107954b34b64172b5abbec157128b98556cc7874327e3f1709b0a47ded0846167a31c374ff56900efa8d75ab961f48fad515e3452451df

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
80KB

MD5
2a849c8332f82daccbf3b77c0df3171a

SHA1
b4bcaba505a6d97150377aee30ab5aec05e271df

SHA256
d8ac5748d1d23308e1a2910cb52323c61cbe7458fd308c621ee19f8982588acf

SHA512
acfd7e947fe5e98c079bca386a37c8e74089ced5fca132b12d08ac57ef9648109b25ae031067cd14d7720a3334efb9e506e90e7c8c4e7a7c9f6608c9419bd24c

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
80KB

MD5
c3ed92c4d2fe15e65a8e4f178de2632a

SHA1
6ec8c613b529b59db5c077f94d93ce29a80a7b4f

SHA256
aa3eb5b148e9175c0aa23fd600bab8b7488f7c7e44e2e3d30168f27b21fc8a00

SHA512
ccd028b199d1bf3e19f2ad3acd07af5daebad7a894d11b5acccf3b620a176fd2f5a166a060c3f39374f17141da0a7f449221333ce6824f0a5ac7c161884905b1

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
80KB

MD5
5f32915eec78c5c60ec6e16cf897bf39

SHA1
6d1919828ab57746a51a918d462d8d2e03c8b174

SHA256
7b96ad75e39a6d9789baf0c3147428688d09b9ab50df7cdfc18e38719ccd7fa9

SHA512
37868ce1464cc44becc7a63d346b0ecd540d51a1d1a984eecb0ef18054b53a345dc56e8cb41cd2561464e4bb0b22e823d027da70b584db3d0a2b896c28addb90

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
c02bc76718520f655e3287fa6a8bd102

SHA1
aa7f9de6bf11ec34ee4e08b00d104a0e801bdfcc

SHA256
40faf32646dabd1f67e31bc1bc9bab0445661815f6397ed3e9489c41186bb025

SHA512
bfe76fdefee81e313e7dbe99a3394805848ede01d4d897a3158c83f82cf7ab2606c68544832b98807522a2e5dd2c2bbd45474fa09063e9ade3deff8a29c05215

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
80KB

MD5
1f16de8c7628c724a6f169c4c2886cfa

SHA1
78fd5b29d306839b753db9e3a0a2cc26cee09c36

SHA256
28c8fccde9d1a4fada752a238efbf03a6c07b76067811349a489c0f6f02e8dfc

SHA512
40085e860173a0ba15d31ff8efce1abdaa59888c9a754aebf9cd3795799ede6df7c03a3b86fb84479fdb585ab66bad70a5a55e05d5ff32ebf81c2c15e4952a52

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
80KB

MD5
d8b0715d1d01043f6c4a3fad84f0b9d1

SHA1
5d504f662d6e8cb0d12c25bad97d601ac91a2235

SHA256
f734b250cf8b04619fb579859eb8b2dbca89ec324ddcd6846a1f0412cf768adb

SHA512
c73ec38d919569eeb6131728382e3c6b04d9baab512ec70b3563f451a25c8e166677c95b0e266b01515aed0877ee55f8dc5ff9119ad7e156ac6ceda337cd10fc

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
80KB

MD5
343d12ef18426df0d63994a01876f95c

SHA1
7b76a75aa6323cfce37776e9701c87050e726aca

SHA256
f7ca91d8d5fb055b10939e7bf8dd525ac32967d5e7af5e03215e31fea6d9a92f

SHA512
de2b1286cb45176e603f85be11dbcd464584582b3abc8dc650e42133674bc82176c5215daa1628a8c8f4a4dd859e2b3a06ad66d6ed391f082894029f916342b1

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
80KB

MD5
003a343251663d612ed9a0947e1d8b90

SHA1
d5bfc8d292bfb118d76c4577534ea3b6ddc01242

SHA256
799f8ddbb3dcd7277b9b82abedf531f0fb50584bf223720294d6d4f84dfc6eee

SHA512
54333a63566c6224967ffdfa5f9f40b92f6828e2b9cb53b4a364d363e9f0c40768e1a78f44649f9d1902d932e549d840a45af0b07766a0582497405d5b622602

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
80KB

MD5
095b6b614504ede4a7bc0f15d85c74a7

SHA1
731136acf9601b4ca642e3bced4b5b623bd91feb

SHA256
b50dec0cba9e490bde4d837932e289f91a42d86810fb038d53cc135e85395aab

SHA512
3369ef9c4514aa126a01968ce7dc62f0365b3d171bd768b16b7e58dd456245ded3ce19f8aad341c494237d9f751f6f21cbbae18ee2a3c4755933df23dd78a823

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
80KB

MD5
1ae70c3843d1832cad1b855a2c0c02fe

SHA1
50ea90943ab3e10407c26993b58423a63d22cbe5

SHA256
7aa4ad61a870352b9109bfd1e808fa43fb1a8993ff8614d14f6fde8a1e4420f2

SHA512
fb992e9102bff34b581d754eb0145fc74456ddd8103484624cfa121308295d551418c90f2b0a2283621803d8203aa436d6a0267d0bf8627f53c466391a2e583b

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
80KB

MD5
417b2990189ed10f5a14bee165850700

SHA1
36213123278e2d3f05e867b87611cf6d6085f5aa

SHA256
c6a431b4b306dd5a1ae8f4c8c87698ab28136541db08872cb26d65bb71df4560

SHA512
4773c9b0aeb10f7eb2bf46d008b618b8b29a9f3ceed5e2041ff7e11335297b6922dc5643a867ebfaa5b77c9143bf350437a2133377d40a391230228bfc629f55

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
80KB

MD5
4f92d2a904c2bf98b8d7ae53020fcb1c

SHA1
b2181f11442407fd5c7ff2d9fce239312506ec06

SHA256
fad83a0fcfe1224573a3bbf0b6da76e09871a586bdf6f11c65654d92c97e980a

SHA512
438ac22cddaa6fa9546dd065644875b3abc871f1dffeb71c1da29abac09f3777f775104e7d4930e23097712642bc135cbe8e1154c4e8bc83fbb9f6d16350108d

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
80KB

MD5
84f8947d076701bd4b49899d33375ddc

SHA1
8613331e7d5197b0793e4397dad2a834a711b48d

SHA256
c2071ccd916aa18ee6ec98fa5cb87dbe244cfab4f3c2ff7ec3bb09612c24e7d8

SHA512
c5565ca164228dc12add3270c86c8e912c1dc99393f49db1c907997a487768e94ea7e4368dd6dca57a9231e547c63aa03b1628415e9928766eb49cd7238a4d47

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
80KB

MD5
a28684fecb510ccf93a0e72fecebd493

SHA1
8ba4b557116d951b033a2c44078953528065a2b9

SHA256
98986682577ba6d09a45b0072da2d7f5d58ac56982ee3bdf9f6aa09ddbb4556d

SHA512
bd84557e156c0307ecb3d2c9cda337a59fc207f0d79712a57aa2be3e93d56ac9034bb078f4a161866d1e236e12c068f35e7592410d3f87f2156524bf1e5923e3

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
80KB

MD5
d66b42108d660837abcdba0bc74e5539

SHA1
842b8b4736cc280b6f0aa4f782c1e968daf9d062

SHA256
8917fb29f3771f418222923ba8a6333c07fd1a15f93ba7a8ac33b535615deae4

SHA512
3f04add031bbcc425e76058cae1d7166630445577b988b880c45f6bd6bf64dd648cb4518f4a0ad98bd6bc5e568d86f80e1e2ecd25b7907db8574d21542dd924f

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
80KB

MD5
aa0edfec1f0905c8267577d2cc305034

SHA1
5c0bef59d2da3e17170d1c4a87f0b6ff30f901e1

SHA256
c64e5cb3dd3c48bebd1543fea93becafa56abc4f5cd6033504f141b73c8a3c7d

SHA512
65695bef8dcdce557fc196c9d4fe6222c16136deee8ff1d8a2bcadaedb02f22349a24dd76053b2aab0eb283deb14e5c2731f5567772bca0c8e6cc5691e17e4d2

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
80KB

MD5
bf24b925abf26965efb9b245e1fa8f7a

SHA1
a8a21672a6c41d698f07cd0d905a359234e397fc

SHA256
3a15449213f8a30d7d20334b1aff1d21648d94803723e7ac502e43ab5211ff98

SHA512
5278b1d3987aed254604febe5ee953706b32206a623da0ea7e661ec20f44fc074c3d3438c6103045cd2ba746d550f7a61070321777c2c3f37de1203be2c980c5

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
80KB

MD5
7a8ae65ecaba0b9340d764e4fbab4b69

SHA1
6c3a5244b0ae312886d59e0a42d7c245e6ae9ca7

SHA256
c6800048757b16ce2b660c0ef8f659da5c3d823de57acd8e987df8ef679837df

SHA512
4b8387b2a7623dfca71f6e95d06d8816a57feb4544509c04a4eb8c1533095ab7725ba844832462cafef2185208b72f396e7e6fde7632b7dde7c5c8dad6dad701

Download Submit
memory/392-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/392-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/396-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/396-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/516-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/988-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/988-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1084-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1084-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1312-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1312-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1340-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1340-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1452-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1452-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1572-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1572-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1936-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1936-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2040-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2040-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2168-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2624-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2624-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2636-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2636-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2904-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2904-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3180-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3180-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3296-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3296-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3320-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3320-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3504-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3504-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3744-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3744-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4116-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4116-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-374-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4704-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4704-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4720-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4720-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4952-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4952-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads