d879f6b30f61ba421c84ce29f507f47f05786764404a18f95e55c5b2722fe3ca

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 18:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe
Size

104KB
MD5

0b003374f4ef184b39e9d5eda1ab0790
SHA1

20c80f51041bd5dc6645c2e45fee2b7c425cf5f6
SHA256

d879f6b30f61ba421c84ce29f507f47f05786764404a18f95e55c5b2722fe3ca
SHA512

adbcfdcd3951b149c8e462ecf8285e1418957d9f5762c5b9f7abccb9bfb9d32903db2ae2d0582e332ae4fc713ea812ff255bf0b8415fa59fb8a5bb3b1b118ab9
SSDEEP

3072:LJDLpWcpdem8QRpC3AZUokZerre5T9x7cEGrhkngpDvchkqbAIQS:LPWQvdyTokZery5T9x4brq2Ahn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe

Executes dropped EXE 55 IoCs

pid	Process
4916	Jaljgidl.exe
2508	Jfhbppbc.exe
3908	Jangmibi.exe
1716	Jdmcidam.exe
1356	Jiikak32.exe
968	Kbapjafe.exe
1288	Kilhgk32.exe
2368	Kacphh32.exe
640	Kbdmpqcb.exe
3068	Kinemkko.exe
1060	Kdcijcke.exe
3720	Kknafn32.exe
3268	Kmlnbi32.exe
1968	Kpjjod32.exe
1580	Kcifkp32.exe
1700	Kmnjhioc.exe
3860	Kdhbec32.exe
1240	Kkbkamnl.exe
3644	Lmqgnhmp.exe
4948	Lcmofolg.exe
736	Liggbi32.exe
1928	Lpappc32.exe
3220	Lgkhlnbn.exe
3948	Lnepih32.exe
1796	Lpcmec32.exe
956	Lgneampk.exe
4756	Lilanioo.exe
4340	Lpfijcfl.exe
4264	Lcdegnep.exe
5076	Ljnnch32.exe
1492	Lphfpbdi.exe
2328	Lcgblncm.exe
636	Lknjmkdo.exe
3324	Mnlfigcc.exe
4540	Mciobn32.exe
1988	Majopeii.exe
452	Mnapdf32.exe
2832	Mdkhapfj.exe
4164	Mcnhmm32.exe
364	Mjhqjg32.exe
3416	Mdmegp32.exe
3576	Mkgmcjld.exe
2988	Maaepd32.exe
4816	Mdpalp32.exe
1216	Mcbahlip.exe
2720	Njljefql.exe
1940	Njogjfoj.exe
4356	Nqiogp32.exe
2304	Ngcgcjnc.exe
1480	Njacpf32.exe
4064	Ndghmo32.exe
2252	Ngedij32.exe
1012	Nnolfdcn.exe
3464	Ndidbn32.exe
1848	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1528	1848	WerFault.exe	137

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 4916	3364	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe	80
PID 3364 wrote to memory of 4916	3364	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe	80
PID 3364 wrote to memory of 4916	3364	0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe	80
PID 4916 wrote to memory of 2508	4916	Jaljgidl.exe	81
PID 4916 wrote to memory of 2508	4916	Jaljgidl.exe	81
PID 4916 wrote to memory of 2508	4916	Jaljgidl.exe	81
PID 2508 wrote to memory of 3908	2508	Jfhbppbc.exe	82
PID 2508 wrote to memory of 3908	2508	Jfhbppbc.exe	82
PID 2508 wrote to memory of 3908	2508	Jfhbppbc.exe	82
PID 3908 wrote to memory of 1716	3908	Jangmibi.exe	83
PID 3908 wrote to memory of 1716	3908	Jangmibi.exe	83
PID 3908 wrote to memory of 1716	3908	Jangmibi.exe	83
PID 1716 wrote to memory of 1356	1716	Jdmcidam.exe	85
PID 1716 wrote to memory of 1356	1716	Jdmcidam.exe	85
PID 1716 wrote to memory of 1356	1716	Jdmcidam.exe	85
PID 1356 wrote to memory of 968	1356	Jiikak32.exe	86
PID 1356 wrote to memory of 968	1356	Jiikak32.exe	86
PID 1356 wrote to memory of 968	1356	Jiikak32.exe	86
PID 968 wrote to memory of 1288	968	Kbapjafe.exe	88
PID 968 wrote to memory of 1288	968	Kbapjafe.exe	88
PID 968 wrote to memory of 1288	968	Kbapjafe.exe	88
PID 1288 wrote to memory of 2368	1288	Kilhgk32.exe	89
PID 1288 wrote to memory of 2368	1288	Kilhgk32.exe	89
PID 1288 wrote to memory of 2368	1288	Kilhgk32.exe	89
PID 2368 wrote to memory of 640	2368	Kacphh32.exe	90
PID 2368 wrote to memory of 640	2368	Kacphh32.exe	90
PID 2368 wrote to memory of 640	2368	Kacphh32.exe	90
PID 640 wrote to memory of 3068	640	Kbdmpqcb.exe	91
PID 640 wrote to memory of 3068	640	Kbdmpqcb.exe	91
PID 640 wrote to memory of 3068	640	Kbdmpqcb.exe	91
PID 3068 wrote to memory of 1060	3068	Kinemkko.exe	92
PID 3068 wrote to memory of 1060	3068	Kinemkko.exe	92
PID 3068 wrote to memory of 1060	3068	Kinemkko.exe	92
PID 1060 wrote to memory of 3720	1060	Kdcijcke.exe	93
PID 1060 wrote to memory of 3720	1060	Kdcijcke.exe	93
PID 1060 wrote to memory of 3720	1060	Kdcijcke.exe	93
PID 3720 wrote to memory of 3268	3720	Kknafn32.exe	94
PID 3720 wrote to memory of 3268	3720	Kknafn32.exe	94
PID 3720 wrote to memory of 3268	3720	Kknafn32.exe	94
PID 3268 wrote to memory of 1968	3268	Kmlnbi32.exe	96
PID 3268 wrote to memory of 1968	3268	Kmlnbi32.exe	96
PID 3268 wrote to memory of 1968	3268	Kmlnbi32.exe	96
PID 1968 wrote to memory of 1580	1968	Kpjjod32.exe	97
PID 1968 wrote to memory of 1580	1968	Kpjjod32.exe	97
PID 1968 wrote to memory of 1580	1968	Kpjjod32.exe	97
PID 1580 wrote to memory of 1700	1580	Kcifkp32.exe	98
PID 1580 wrote to memory of 1700	1580	Kcifkp32.exe	98
PID 1580 wrote to memory of 1700	1580	Kcifkp32.exe	98
PID 1700 wrote to memory of 3860	1700	Kmnjhioc.exe	99
PID 1700 wrote to memory of 3860	1700	Kmnjhioc.exe	99
PID 1700 wrote to memory of 3860	1700	Kmnjhioc.exe	99
PID 3860 wrote to memory of 1240	3860	Kdhbec32.exe	100
PID 3860 wrote to memory of 1240	3860	Kdhbec32.exe	100
PID 3860 wrote to memory of 1240	3860	Kdhbec32.exe	100
PID 1240 wrote to memory of 3644	1240	Kkbkamnl.exe	101
PID 1240 wrote to memory of 3644	1240	Kkbkamnl.exe	101
PID 1240 wrote to memory of 3644	1240	Kkbkamnl.exe	101
PID 3644 wrote to memory of 4948	3644	Lmqgnhmp.exe	102
PID 3644 wrote to memory of 4948	3644	Lmqgnhmp.exe	102
PID 3644 wrote to memory of 4948	3644	Lmqgnhmp.exe	102
PID 4948 wrote to memory of 736	4948	Lcmofolg.exe	103
PID 4948 wrote to memory of 736	4948	Lcmofolg.exe	103
PID 4948 wrote to memory of 736	4948	Lcmofolg.exe	103
PID 736 wrote to memory of 1928	736	Liggbi32.exe	104

C:\Users\Admin\AppData\Local\Temp\0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\0b003374f4ef184b39e9d5eda1ab0790_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\SysWOW64\Jaljgidl.exe
  C:\Windows\system32\Jaljgidl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\Jfhbppbc.exe
    C:\Windows\system32\Jfhbppbc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\Jangmibi.exe
      C:\Windows\system32\Jangmibi.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        29⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        56⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 412
        57⤵
        Program crash
        
        PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1848 -ip 1848
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
104KB

MD5
951e4bffee2b24a9a59b8083245c9509

SHA1
d75537c5f04e9fd76336b95e9264fc622d36976a

SHA256
df9c27ee1af3e05f5db6bfc4534600d1a07a758db05d545dffca56c0f6e85dbd

SHA512
5613ae6b9e30baee397908e01a1332044d45d2c12d941c09f76ae62a75423028760b15cc3e7805397794e764e547a8077227546f0f7c0efd4088506908fd7627

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
104KB

MD5
fc5becdfce2101d5cf6ea18b42926523

SHA1
679d7740bc1363e5e87a37d63c4edd9610facbcb

SHA256
079a9fc36798d716ac190e61c58d54bd080f17985979b7a5427df77beee38d79

SHA512
e9583833e0f3c9666aed7760e3416e66c8841770d40766aa9573a0c111071c3c83ae938bdb207d58eecc1ec775d5324fbd03176e965be4b267f55359c9aeba40

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
104KB

MD5
626a545c2f0065d6f857b1e502b89de3

SHA1
2e08a9a78427b20e3b94dc7cf78d1903ab65cf68

SHA256
cdd95373aaf964ee7be195a54b3da35f78b2fb2ca378bd64bc786294e0a3abaa

SHA512
a71857be900cb3a122743d7a7ff9cff972dca0d955a5981cd866648d7cfbde6a13b7bb5dc666c1580dc38176920194ca82fdd545b6da9d82a1e808e7a7f5283b

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
104KB

MD5
2325d6e45b4bbb9eb97bb0f37de0e9de

SHA1
1e445c463057174ed9eba6c6692c646c60405e14

SHA256
fbd1937b891c0035a77394d42bb172d71f01291476de02b1c8f10f24359b8795

SHA512
7ef8224120eb813edf7dfd8f24400b7c93f8deb22db106cf0bc893fadfb42986e95e61f1a85a652418a34fc255798a6650715c7551782e337c2970988f623763

Download Submit
C:\Windows\SysWOW64\Jflepa32.dll

Filesize
7KB

MD5
84a1fe10105c91e6debdef10234d271a

SHA1
85adb628566ef24094f68de930c2a486e9380943

SHA256
19cd6ba46d164afe80e481c34d003df63cd5c26066b7c2100f3ca0293e4ecf05

SHA512
78bf5d56764bf02da777dfda0dca563234effba8920b84775f7124949261d0ab626fcf30f4c3689da08fb1f9931cf1703b9c9dd954ac71f8610d9fb861ba8881

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
104KB

MD5
9e192f8298f2c43c59679473b5bab58f

SHA1
2cc311546b6309459e9206b7492e28524ef6789c

SHA256
79b1b4bda65e1be4afd72cd3110729cdde1db95bfa01a9a60345927f92676971

SHA512
09f8694956fa9fa0f801686a9340e01564a9c202089bee0ce6972dcc44641181a582ea6b3453c6dd098f4aaa304bf5ceb08b8d6236b76da7f2484cffca10cfbf

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
104KB

MD5
1f51d0eff5facd34e235ff006d372437

SHA1
7b5ca7092804d2013aef068f20435234eeac2bcc

SHA256
0857ec579275f1e51c386de2e83d5d35167605d9af59d1f8b3183518fd39ae3e

SHA512
fdbf59e53e6823c9e704af9b5efee17ad8c987951ce90a946c83cb5d1c9317ec3f08cbf93c2f785e695889d2bbbcf96967ffeae4ba3d0317cda6ba80e7e020ec

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
104KB

MD5
9155e0e7dae569d9694edfb1ffb7804c

SHA1
6c89d4ffd9c628c5318c37587f4b82daafc7649f

SHA256
01aff63a91309fb97600dc13c11c289b002ca69704af3f66b1d559b6d8ea3156

SHA512
0b38076c7fdc018b343e84ef4905b419ec66f849f929d833883423db102a8cf99f92e9bdfdf620ae180d2477171c441c00ab8cc3bd05d21db5f3f2c2a7754047

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
104KB

MD5
734554f10bbdaf0a4db12ebc6a233dee

SHA1
a5b18d7b106adf76288ddc37b28fa31b177fcf2d

SHA256
986c14aaa632c3fb842cdf7389b387a4291be98c8dccab55990477a8acb3bba0

SHA512
a1cd7646e46d94485ea2b235b8ae7cdc44ec7bb734b619e8c1cb013ec562eeacc4765e3464122a3e4b9a8a43726967f16874a11024299cadb603373389dbe495

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
104KB

MD5
40c8e1d8df4aa6254baa5e04b306752c

SHA1
dc838d01769ac3a2d8d5defc92bdb2199f70c9b8

SHA256
751b91affa6e1a35f4037e54c145eac4fe2be5802b222da00efd5f4ea321a9ae

SHA512
c590b5ad1d66a7835f03e4ddc3f93f6d3054bd6edf3795a8aea6a0e432e0cfb1aebe24cb78c2ed4f4a22265522e71df70508b1a20187ab5d5e4270d591db60a6

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
104KB

MD5
6952f89467f1e7da4358b2f37a7eaa78

SHA1
52c641cd9163b6a59689b73fc62e4459dc47754e

SHA256
67975df674921f14fbc82246ae695d9015082af34cc12543ad38ef7f1da57329

SHA512
59ef1d66aa1c9d6d75c430882b53f32fac95802651c6b44f8a25a39b46f2c7f7a767fb2f3df8c209dfe28b1b2a760ff16b530453df4a666fd01fbf3cba93a680

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
104KB

MD5
39b9f66147a1be648a608738dcd01a1c

SHA1
b5f372c14530181e049c32c318273faddd3d0e7b

SHA256
b87e75163df3e80677732bbea853c5674628ceb3f82b99383bff63bf0c9e5796

SHA512
62d648815ee375c4c381295746f71957ffb0c4866c8660d821e5442fb2700848b001fc9728504d3ad4141d05f36f35d993165e3e0d5eaf88fe284ee8f5a8bf9a

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
104KB

MD5
005717e8187a9444e99560a0f6826962

SHA1
70ad0e6c411f0dae2709564975171b57a94c280c

SHA256
8d1bad8b532fd6205e700089d896ecf797d6f1a159098db7489a3035d1b0de1e

SHA512
d4de739ec9f231eddf04bebe30e2fb57e7532ce3f5f6ccce4758d6e9fa3e3d437a2aa893c058530a99cc1e50e2afd6baad6e5e008e1c7ca47c95393d00dc8568

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
104KB

MD5
04d0ec3e890f18469743fb23a49a17f8

SHA1
4583df5fb58d85e569b744921fe3443f5c5d1842

SHA256
0a1f46ce9286949fe951c3042bbf72bc72e1881b1dae047733ee76cad1649b2d

SHA512
6e31ce85d567056d20b67d3d55b0ed9badbe908e8bef55a772ce809efb83a973b7f092d67317fec6adce1402d6a4b64759cfca9eb01aab400a9a867546de5958

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
104KB

MD5
4276fd58f1317cd57d6dcad2ae00121b

SHA1
dc36ff12c2ef72c27dc7dfa08b1d9dea4a04766f

SHA256
ae0c69a8521f5ee3dbb2f0ebce95cc3fe1da4fe3d1d47b410bc4bbe262b4af99

SHA512
b13b0a772c9a3cc6bedc5b78873024d74dfe75ea9bcc4aa129f5c7f356b40519aa1e35efd4bc5a352b005d9ee9161444cb3302389fec28e1f6901df385478824

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
104KB

MD5
ca9c800cb9fc8e009d9cc47f8fc4c06a

SHA1
0254f0876ac6e9141f55a7cff8e599e85a2f19ff

SHA256
a6c666abf82642e8a5e67a6d600ed14bf460fd408e66aaeb7a340d5976eacc38

SHA512
4ef06616c21e0a019947c5f62f3dbf582d96940e974f3b4aa420fea578e90e941e84e9485246e52457fd5f63e04c3cfa6ad9aaa5797b6444bd4ea810bbc9b54a

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
104KB

MD5
4ea29d326418dbdc7383b5cfb962c7d6

SHA1
aa09a2876f02eebc53621b7f256aad0befb4c6b2

SHA256
e22f321d01e89bf2de5723c482afe9c24c1e934c5089f8844cdf99270ef90996

SHA512
03adaf42a3d67cd58e40a02c09264b822b96ef8bc50de255f280ecf2163359c8749e62ccf6edd083b8baeb272cd61b80864b6d6e108e2cced90b7005fd88521e

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
104KB

MD5
7a313ebd88b72e6048bb8435159422ab

SHA1
84a05f20773c42e5402843c24660e4bc9cd9da99

SHA256
182f8dc47eb1e018b247219bfb490ef074c23ddc24561b7ca08acfbd92917936

SHA512
66c486ff7c1229bf60fba6d805087191e318b91b86bb237c421c6bc88a249f9491d3a79252cfe6dab84d1ed226e5867af30abcb1410e322d37ae135f4eabfe38

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
104KB

MD5
419057b5a463e4da890cb362f7a760d0

SHA1
32307fbe2d4647da8efcbc85164546d79b8e7785

SHA256
e8f64cc176931057b8a1077ac669ac05cfb8fe8c6a7ad4e7c6f24843120475ac

SHA512
c883108955f9f01573f1896f72db6439fd4537c14a2ec708bf1adebe1b9ac75096ef3adbda901c91a20357aa6687173e8c7136ab891a7fbc56d072a2f3dcfbc3

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
104KB

MD5
37f603ecc42c7d25819487426bd6a160

SHA1
2f24d2b12a8e6c3eb1caa048fd63f9be7152f901

SHA256
0516b9ad59497a33a65b1cb1c0be360d9f9c3b6b9ae7872bc2c61b64996f7812

SHA512
e8cbdf1fb0b30f78145d1679735a24d12568bafa358e25fb360593f15f4d77718ee96544f610bedd91fb556ca71ff89edde444ab8ec021aabc7c54c3c8afb453

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
104KB

MD5
186cf60953e6f670764f8f9e46a66cc9

SHA1
2fd8e526ad9e4670a5f56106c859b89ff115ae78

SHA256
662ab0c6d1cc5e01cb4d8e38231ee97be4f1eb793fbdcf53912e0ab216a93ded

SHA512
ec99d296206f9e6cf1830fd6b2fe2c8d7eef95d6a1e32eb369370c7d5b7e2d1e76efda4f002762fb08e6341762b3cdb24c79f92e7c531e3c70cebdb99d0635a2

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
104KB

MD5
9e389df0fe66d25f6f7c3f83997d4678

SHA1
f3f69165261a674b5a69479884d420432b5f6752

SHA256
c1fc16d0d9e3dc2b0131faf2e6aa41db3d3d0db93e6c4d4606c7143406f80af0

SHA512
b4ca82abe90072d55a6df5c3135cc1e03fdef40be08a37d68877a77902797744aaedb660ef8e577f339dfb466522337b648d3bcd3effb4de4c0eeb49d97058f1

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
104KB

MD5
31c95372aa2adfe2f22aa8edbc9e3efb

SHA1
917840d85619219e9737223a3264c1530ac0664e

SHA256
a3708ef924e9ed963f4cc9b08c06d2789f2aa81ebb9521ce065f71a71cca7798

SHA512
e985648a7757ba7c971a6f1bf2d6144ed87b9c6150c54d37b70e231b5bdcd9d0e842f5cc39173e9f4c90058c5b48b67f7566b8d607e6c3517ff8ca59fe354a7e

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
104KB

MD5
2f9db663155bf1922146d39c66a860bb

SHA1
13ab7075317180123757cb182b3ebabbeca90831

SHA256
dd88aa13791e0663b2b6eb88840d0b45341f39970c24a59817d007c73d66ea31

SHA512
55006878617dc03614e7ce5f35a97216831641f87aab76bc8478623e8e69581d5906b75cde331ea81b95a7ec5860d906bf9da80f7540c535848cfe7584c0b973

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
104KB

MD5
c7b4568e63adbd71598de9d85c277a27

SHA1
549b943413e7fe444ae6ac892735618fa4550976

SHA256
9fe25faf2544a7fb23821c14c0816c0ae6834df71a7930127669b0fc54323cfc

SHA512
20f2942011f9a8c3675706e8c1e2c344c822309d8b8787a4f6f45ab82febad807858b097c808d865053c05b020abf9e1b8445f3bd2b8dd18a24382aedd8ca747

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
104KB

MD5
d490e7e7eb6078dd8a0a83cbf10a5247

SHA1
60c6de3d8be10a2f9ede33e0ab5d5bf7b116bbcf

SHA256
3452787ebeb4226dbb60129c58f2e3239bb2a71ca269f8459b08ccca5d0e0923

SHA512
9fc8154a9854a530263a28624b4553b08022be41ca30b42465f0cbfc9fd5b40635f1c86788b35a510aea369a9578b00b51b841953da05e24432fa06d8674f813

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
104KB

MD5
fc2dcc7d5bb9034e67eeca1fbbf617de

SHA1
e816f2edceed1460f93a1aba0a1072e0310b7ad0

SHA256
4466bd2fd16edbbde0564d964266090b8c9a2f365b713f5eb78972d1acf17847

SHA512
fd0131e63fd791bf3ad0a9733324cb5f59eb9cc0a233e749ecb9f58e6607782f3c85332e452506198200598b8925f149da174a2959c646eef00eb009ddc87ae0

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
104KB

MD5
a3f80bff2e6d497d1be07d4a94a440e5

SHA1
335ba43e6564cbccf08538ee3ef46bfe03b76f7e

SHA256
2d95d87e4a309e6350d9e61437dba73da04077f76464e37262355892bf5ac11c

SHA512
afb3d2d268b33bf9078ea1fa98c5f5dfdac822a527c8c19b0a3fdc0e27aeffa2eb7161de10cbd8fd2a6fbe540e6834f944143b72d1c6f44143cb4c5f62c84ed4

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
104KB

MD5
e6ce3999ab0645b37cb65040c9e61422

SHA1
d7d01455f60995cdc920ba4a70f965e704348a6f

SHA256
069265d478b5d302bd769d08d47badc79d8e890188206b52291d5ed0f233de67

SHA512
638e95254115343956688685db96ec8e49ec42e57f5e7ab77e5d75d5f8eff78b4ce68e495e9e95f23d6bd55d556d30e56dc4c81cdee5f4d91ef1889cb8f8376e

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
104KB

MD5
7420f12da8c5a669086224a0df1e9a43

SHA1
0de632a302cef310d1dc2025bacc4731b78f42ae

SHA256
99b38515aca4f3bf33fd9f5c93cd51b262b4bf68686be2fe89a46d742200b4db

SHA512
b80de254fe40ade6153b3344697b9fee9c11f121ec91d3586e7fffbfc9826b04e64b393ab027bd1f1ca4fa6f8349a8e273e1aee127e139744852a1985271e508

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
104KB

MD5
d2b873cfa2ae734ee4503d9babc22c73

SHA1
ebfc489da4f2fde5a80c4ef423bbefa9907a4512

SHA256
08c6b106c658769da712dda20a2dc1cbd244c9103c5e6d36d44121f86954425e

SHA512
4988de09e36090a2300ffc78a95a2d1c05cc71dd68a2c56701cf4ef4b79d3493a0b540825bcebdd1d65f8c96559528b2117a3284e773660e7650a43c5b8ab030

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
104KB

MD5
049ee5ae48844f058fc1ae6d7fe4824c

SHA1
ecc91073d8ca1525345fc1261518d6a6161c45fe

SHA256
18bbe94e9b7199398bcc3f5543cfb9b858cb5dc8c15f75c41b0aa97102f05384

SHA512
c65e2d1ed8d6882be13d84ad1f95b1e70bba37344fab24e0e261e9ed9ad237a0abbce64ece83141c8f2f2599ea10d31c54143cc61225bd205d2585c5a1dec52c

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
104KB

MD5
318fedc55e6c45ca42f597ea68016513

SHA1
8e5988d29c67b5b86a33debb7a533e245f44ee7b

SHA256
788676020280e2dca460df29886f2cf64a64f4711b7ba0c4f6b2875b41fdbe4f

SHA512
638e9a35f9e9caab40d2b5f3a329a62144c73441838befa366a853a42a6a6e97d2680de6a882e1eeb7b4ef33e6f6433254ca9f7c6948fe4c27c6965773f9b3f9

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
104KB

MD5
0f86218ff6bfbf29cef73881300f9949

SHA1
11da26ea62541647ff3590fd14e4c9b958459932

SHA256
19fd34b206e6561f0e661ca17dd81d368613ad343206f4fa97569d0ab6821264

SHA512
492b48d149f8368c3e83c2ca711cb5bdb81cb0d7b617c247f26ad2bf8a9e0f6b25f462d98acc66490fd1ccfd12221ec029f725012c9f167f90c6db27e2901b32

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
104KB

MD5
a34c8e07bb0e6a318d8aac465911da6b

SHA1
dc5ff0335cdee0d0533e18a9fb678299b62d47ba

SHA256
6c175aa8941b890edc7e27e9338261e8d58f8f1fe8225283aea9cad44e9b7bd6

SHA512
a4da1f7d90a54f8fcd8315f4d193dc8e18502a4fed83cfc6b9138bd5a8391adedccd200807302159e934639e0a8b4d37577245a201edc46ac3e911a8143fb581

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
104KB

MD5
fd48277e7c750d7dbec29b82d178a3c8

SHA1
421c2dfff97351f894bd063a0ae5fd6cc6467828

SHA256
50ba3bcb43f829af985f36d0e24da6c7d918edc54fc2d4aae7017a486fa36043

SHA512
7856cc5a8152135a480de8e9db3035af4799b30b1d076622d1625827dc1b0c0791da1168d425c948221012534560c02ca4cc2e86c225477382945c819758c0c6

Download Submit
memory/364-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/364-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/636-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/956-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/956-211-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/968-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-433-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1216-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1216-404-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-427-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1480-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1480-399-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1716-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1796-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1796-421-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1940-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1940-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1968-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-411-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2508-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2832-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2988-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3068-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3068-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3268-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3268-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3364-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3464-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3576-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3576-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3644-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3644-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3720-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3720-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3908-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-196-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-397-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-409-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4264-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4264-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4340-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4340-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5076-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5076-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads