dc545d256a25bc7e2d54f3606725a5125ea48af43262cc94e0180bd947eb186c

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
Size

242KB
MD5

2b9ec7c3af22db2d3bee263cb8635e80
SHA1

0a9b05b5a8107e6042795de63f9fca083e911e87
SHA256

dc545d256a25bc7e2d54f3606725a5125ea48af43262cc94e0180bd947eb186c
SHA512

99c14828236c4123163370630cfb00a770afb6fea97c214565579e00012783fd4f68b473243779a40715504181f456cc715e65649b3621cc534a33aa5181f6fc
SSDEEP

3072:Uk+d36KFxNXl1PGwV6V8ZLB6V16VKcWmjR:Uk89XlpGwV66LB6X62

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe

Executes dropped EXE 52 IoCs

pid	Process
1692	Hbanme32.exe
1036	Hjjbcbqj.exe
1804	Hadkpm32.exe
4952	Hippdo32.exe
1912	Hibljoco.exe
1608	Haidklda.exe
2996	Iidipnal.exe
3040	Ibmmhdhm.exe
3316	Iiffen32.exe
4872	Ifjfnb32.exe
2624	Iapjlk32.exe
448	Ipegmg32.exe
4456	Idacmfkj.exe
3912	Ijkljp32.exe
1768	Imihfl32.exe
1980	Jplmmfmi.exe
4328	Jmpngk32.exe
4032	Jangmibi.exe
4892	Kmegbjgn.exe
3004	Kpccnefa.exe
632	Kkihknfg.exe
1916	Kpepcedo.exe
636	Kkkdan32.exe
1720	Kaemnhla.exe
1592	Kagichjo.exe
4272	Kibnhjgj.exe
1420	Kpmfddnf.exe
3228	Lalcng32.exe
4048	Lgikfn32.exe
3636	Lpappc32.exe
4308	Lgneampk.exe
1784	Laefdf32.exe
1288	Mahbje32.exe
5052	Mjcgohig.exe
4548	Mpmokb32.exe
2612	Mkbchk32.exe
2356	Mdkhapfj.exe
5020	Mgidml32.exe
2012	Mjhqjg32.exe
1488	Mpaifalo.exe
460	Mglack32.exe
2564	Mjjmog32.exe
1904	Nkjjij32.exe
3444	Nnhfee32.exe
1936	Nceonl32.exe
2556	Nnjbke32.exe
1560	Ncgkcl32.exe
1296	Nnmopdep.exe
4888	Ndghmo32.exe
764	Njcpee32.exe
2152	Ndidbn32.exe
3380	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3920	3380	WerFault.exe	134

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ibmmhdhm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 1692	4728	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe	81
PID 4728 wrote to memory of 1692	4728	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe	81
PID 4728 wrote to memory of 1692	4728	2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe	81
PID 1692 wrote to memory of 1036	1692	Hbanme32.exe	82
PID 1692 wrote to memory of 1036	1692	Hbanme32.exe	82
PID 1692 wrote to memory of 1036	1692	Hbanme32.exe	82
PID 1036 wrote to memory of 1804	1036	Hjjbcbqj.exe	83
PID 1036 wrote to memory of 1804	1036	Hjjbcbqj.exe	83
PID 1036 wrote to memory of 1804	1036	Hjjbcbqj.exe	83
PID 1804 wrote to memory of 4952	1804	Hadkpm32.exe	84
PID 1804 wrote to memory of 4952	1804	Hadkpm32.exe	84
PID 1804 wrote to memory of 4952	1804	Hadkpm32.exe	84
PID 4952 wrote to memory of 1912	4952	Hippdo32.exe	85
PID 4952 wrote to memory of 1912	4952	Hippdo32.exe	85
PID 4952 wrote to memory of 1912	4952	Hippdo32.exe	85
PID 1912 wrote to memory of 1608	1912	Hibljoco.exe	86
PID 1912 wrote to memory of 1608	1912	Hibljoco.exe	86
PID 1912 wrote to memory of 1608	1912	Hibljoco.exe	86
PID 1608 wrote to memory of 2996	1608	Haidklda.exe	87
PID 1608 wrote to memory of 2996	1608	Haidklda.exe	87
PID 1608 wrote to memory of 2996	1608	Haidklda.exe	87
PID 2996 wrote to memory of 3040	2996	Iidipnal.exe	88
PID 2996 wrote to memory of 3040	2996	Iidipnal.exe	88
PID 2996 wrote to memory of 3040	2996	Iidipnal.exe	88
PID 3040 wrote to memory of 3316	3040	Ibmmhdhm.exe	89
PID 3040 wrote to memory of 3316	3040	Ibmmhdhm.exe	89
PID 3040 wrote to memory of 3316	3040	Ibmmhdhm.exe	89
PID 3316 wrote to memory of 4872	3316	Iiffen32.exe	90
PID 3316 wrote to memory of 4872	3316	Iiffen32.exe	90
PID 3316 wrote to memory of 4872	3316	Iiffen32.exe	90
PID 4872 wrote to memory of 2624	4872	Ifjfnb32.exe	91
PID 4872 wrote to memory of 2624	4872	Ifjfnb32.exe	91
PID 4872 wrote to memory of 2624	4872	Ifjfnb32.exe	91
PID 2624 wrote to memory of 448	2624	Iapjlk32.exe	92
PID 2624 wrote to memory of 448	2624	Iapjlk32.exe	92
PID 2624 wrote to memory of 448	2624	Iapjlk32.exe	92
PID 448 wrote to memory of 4456	448	Ipegmg32.exe	93
PID 448 wrote to memory of 4456	448	Ipegmg32.exe	93
PID 448 wrote to memory of 4456	448	Ipegmg32.exe	93
PID 4456 wrote to memory of 3912	4456	Idacmfkj.exe	94
PID 4456 wrote to memory of 3912	4456	Idacmfkj.exe	94
PID 4456 wrote to memory of 3912	4456	Idacmfkj.exe	94
PID 3912 wrote to memory of 1768	3912	Ijkljp32.exe	95
PID 3912 wrote to memory of 1768	3912	Ijkljp32.exe	95
PID 3912 wrote to memory of 1768	3912	Ijkljp32.exe	95
PID 1768 wrote to memory of 1980	1768	Imihfl32.exe	96
PID 1768 wrote to memory of 1980	1768	Imihfl32.exe	96
PID 1768 wrote to memory of 1980	1768	Imihfl32.exe	96
PID 1980 wrote to memory of 4328	1980	Jplmmfmi.exe	97
PID 1980 wrote to memory of 4328	1980	Jplmmfmi.exe	97
PID 1980 wrote to memory of 4328	1980	Jplmmfmi.exe	97
PID 4328 wrote to memory of 4032	4328	Jmpngk32.exe	98
PID 4328 wrote to memory of 4032	4328	Jmpngk32.exe	98
PID 4328 wrote to memory of 4032	4328	Jmpngk32.exe	98
PID 4032 wrote to memory of 4892	4032	Jangmibi.exe	99
PID 4032 wrote to memory of 4892	4032	Jangmibi.exe	99
PID 4032 wrote to memory of 4892	4032	Jangmibi.exe	99
PID 4892 wrote to memory of 3004	4892	Kmegbjgn.exe	100
PID 4892 wrote to memory of 3004	4892	Kmegbjgn.exe	100
PID 4892 wrote to memory of 3004	4892	Kmegbjgn.exe	100
PID 3004 wrote to memory of 632	3004	Kpccnefa.exe	101
PID 3004 wrote to memory of 632	3004	Kpccnefa.exe	101
PID 3004 wrote to memory of 632	3004	Kpccnefa.exe	101
PID 632 wrote to memory of 1916	632	Kkihknfg.exe	102

C:\Users\Admin\AppData\Local\Temp\2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2b9ec7c3af22db2d3bee263cb8635e80_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\Hbanme32.exe
  C:\Windows\system32\Hbanme32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\Hjjbcbqj.exe
    C:\Windows\system32\Hjjbcbqj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\Hadkpm32.exe
      C:\Windows\system32\Hadkpm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        33⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        53⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 400
        54⤵
        Program crash
        
        PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3380 -ip 3380
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
242KB

MD5
6f57ffced4155443a21ffbb519b16ebf

SHA1
6c08fccbbc05e719afd87aee00f53b4db1ca3c3d

SHA256
bf5679a6cea25582acdcfe4ba3ac1bfcdbc1cb517dfbe694e2ccec690af98f71

SHA512
3995f5b0b49f281e81a5b635362a7b64b38a7ec56cba543aa0baed0740811d1eec8af15d1157031ba3ffa10c7a0805b86cd874808567d6c2761b734afb84b356

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
242KB

MD5
f4c54050bcd134a40007ba68ac3d2542

SHA1
ad3dfd2d3357a940565f5ae3ddf618b82874b730

SHA256
2743292ad6afd7aeca081867d301251fb978145991be70d6323dbe72f0367bf0

SHA512
3666e2046bb62680f1fa3d09f31865e99fe19fe1f000b1ff5e8868332599869a72cf0faabd9919029b05a155c5e7073199cdf8986981fa101bcf989d8e2603fe

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
242KB

MD5
2b193ad3d4d5b0545650d510d27c289c

SHA1
65061895694fc0d5709cb52daa401a1447e00e08

SHA256
edbf6a475f57ec47beabe5e2beb5e347142bba575f3bb9e2a87548fa14e9f557

SHA512
c3e864614e0c0e2155ebce3eedce33190274ca31b792852ce63e9a376928224978bc4c0432cfd4cad75b3fc0eae4d34253ed4233f91e78cd9cb961e4f49d683a

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
242KB

MD5
8f520d82a039cb5a0b96c02aa160026c

SHA1
79c01387197ec3bec90506dd378ac7704c997fa7

SHA256
44b3422892f3e8b6e6062a895c5ed6e8c7e7cd886d3b015d454d085825e52e2d

SHA512
51a77b777c81f2ee3215f58a0625343ba633edc7070a25dad67894bf7a44cf82518e2c5aa4d94364f0b402b5c74ddee5baa72afffd18af3b135a57665aa5a781

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
242KB

MD5
731ae191f3ebe222c415a5f35fb2c501

SHA1
5d674fbc33eba6b9ef7382acd5040e1a4be926a7

SHA256
5eb1b0ebcbc534e5dfb29434f7ffdca7e96655520fe30466a16bc7b34726b9c5

SHA512
77b67c177f8ee419d0f1c55c4bf89dfd05da3eb144f5da7e92b3ca4f20ba76e8542555288deb3e22f82498134dd18dade2627ecd68fc76669981f69eb326e1f4

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
242KB

MD5
1185da3e8cc1a327c333d13d51c8fb47

SHA1
2204c257a744662a815409ec33f0daddeca00e95

SHA256
b4c33a2b1a2847c8a7d82ab3f7927f64b2d485ad027d30a511f4d31fc6cde6a7

SHA512
e173f6cc61ea1ce38afb20c3d7ddd7281fd34eb2754e49f6753d3a2243607630a6d76b9ddd5d4452d1b38d2157dd3552d32668015d94720c8fa5181297059be1

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
242KB

MD5
351986e5147fb1fe3ddca6167b524144

SHA1
4af1c3f6a7e3c9aa348f6c8537c35db13b502b70

SHA256
8251d8b3f4eb423867c0eeccd89a5b818659a19faa8c0cc704e39a7773d709ac

SHA512
4de30d1286fa1d453a17d48e74573d00f929f5bb17fecb6ecb9ae7027bc6da0cffdf6bb414d2c145b2e55a6c3755c2c4f377da8d052cdd7d9a00955a8bfd6c15

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
242KB

MD5
75eae0aeaa491b74949c0a49a147e858

SHA1
5aa04a26f70eccbc5e2ff1fc14595f15b69a62db

SHA256
06ca7ff4b8f255c9f150dde002d135a2c1d80f97f3f675244ce2af4f8285fa17

SHA512
8a201f9e9c18c2feaf22f725b14680bede5d787e44dd2da08376fb9ec55c7ff89633b4486fffe5ddbc22175267e14d22e609d0fe19ee24fc3fb89a2b2a6517de

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
242KB

MD5
03c7595fb7cc1f3a2d11303c4085e1a3

SHA1
cd83ba717ef31621fd6cd31f6881c5568cb1da81

SHA256
c9045d114c79d6f885e74e0dc0494e60441a097141401fe3e76a2cac028a53c8

SHA512
70025ec2b86a1ab5dfd20c6502fdf1e683214124a7107645fc04ed09a08b61add2a602262a372e7b59d3257fe446f8207aedfefcde7e29586f34c190f47f42e5

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
242KB

MD5
09a9ee398986d5def6244bf28d7c18e3

SHA1
1f814dc24ef47dc79e313ae670c96269d1ab0914

SHA256
0fdbc6f0b1ea14c23b6025db1d30cf9a4de44b60ee0886b11950a1bb05319647

SHA512
610ae36e781792c1c17158e9a3d99622bd454b4fe292e71e8da292d5a5ba18efaabaca091d9e0f82fed8a2c650327631a6343f4af2547017b06c30abdeef39d2

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
242KB

MD5
e313c4dbba94d1171fa1a2691c5f3490

SHA1
167c0cddc4fde2b79330d3b7c4adc84a7c0b1ce7

SHA256
add8b251eb13fe661c17b22cacf355e332bcba1f937adc0617d3287a72d7bda6

SHA512
d4cd10268350d705c4dfa875e5b520eaaef1c61ad8b0e9c76d0a255747f11655c52c617b5cda211866c4814812f6046bb5f2ef453f304215b7a86eae31d4db19

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
242KB

MD5
356aa0af101c26a72869756f0ebe70da

SHA1
a7c5ecd67a9c994786aca005aa8a981439604c35

SHA256
f53fbb90d7b9eab34f40401c9c864cbe8846c0469ced711f4b80aac78b8b677d

SHA512
ef3baadc1d2e399284859bdd2e564b83a90aaa540de1d951af05895372af87859db83180666f1dff1c4ac47996cdc985510d83d8acdfc1177ddb15707a1a1773

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
242KB

MD5
f07d3193b832562cf718361550303ac1

SHA1
17c5a16daae5f9acb9940ecd1cb02728de0aa38e

SHA256
c46f9dbb3a4a20b856a2ebd0e27c295736356d70f2d4baee6e81012ae486743b

SHA512
263c604589b603e6aa41d04e9c84206d52231db3067396e2a57500c21d5fd6415c20a6039664a9ab0564ba8c10cc941041a0436d98d9a04151318b53d1163e8a

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
242KB

MD5
5c340d178f66048d740a3d4a382a0df1

SHA1
b3cd8dbb5a6d9a359c27fe4bf419954ad1228b60

SHA256
ce54b1e9102b60c963ed76b062e00071fe5b983713263df1136976617218c5a3

SHA512
5d016acdefb86c356589bccd211d499a49d48ab1e54df7a11b0cbcaecdb75aff6362a69f80775cfef13f9cacf67fbeaf4b9ebce1d835ef5419f0e67b86e90bc7

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
242KB

MD5
6e9baf349f8872c5d1a6101d477fa8c6

SHA1
d6ecdca86d0ec02dc0131327b58aedfc98c8a4d3

SHA256
8a3a5c9ef4e6fe1fd294fa86514dc27638b054deb316cbd26ee9e77eea1d5608

SHA512
a9b588a3367ca3b413efb4a771d1e948fe1025e1e3e07f74b9cac3a738cd39fd17a4224872de80f2838ee1f5d7d9d7742da99d9e67db45c26e22d26643bcd7b3

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
242KB

MD5
afbebe7c2e723b733709cfec5cb95a4b

SHA1
4cfbbfa93a4727375e15c4a180f94dc5abbac4a6

SHA256
d0dae2e5e96672c8edde6abf2b0092e6c724d46400de618112bdeab96de83c97

SHA512
e140c6b3fea6bdbccd0f134d7df8dbfb06d23540c5d9806ad5c53d5d405ab35284aaf2b9c43f1d5534aebe709b50b24f1e475cee157fbb52df4aea0ad3f6de23

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
242KB

MD5
448d673f6967fa26b21efa9a2b64e361

SHA1
85a9c1eadd4bc7ef3a1d7820cdc6d6044ff3d876

SHA256
f3fc9af10c0a05023711e2a291202fa356c6687e17ecf84cb332883e635da4c3

SHA512
90cf666ecc33ab9710e4d600c804a8f03741afe4e3c5f56559880d92bfb08f585a77f6812f086bb7b1048539e5e52ce4aa3141451569e2ada5cd5c996312b1d3

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
242KB

MD5
d833ab3e3f558cb4f375b64239f09224

SHA1
d1bec2055410af4b57e030c5258994e823614ae0

SHA256
c99c38c8ed36d0de494bf334539e1546a53acecf86043d78622b2fa6681b312d

SHA512
5b94b99ee43b669ada2e8dfa04aedec9cc29c14aeed4505532f7657c7dda52c844ba7d53855dc35932f393d3c8a57a0e6f6455441db2189fbb5660f16bcffcf6

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
242KB

MD5
483b136ce438e3dc88f93e3cb514d015

SHA1
5ea6223c2561cf9d367650f0c93b6a42c41430f7

SHA256
601157855676a53b21a2e4d9c3797930203c198c092cb025016b722bee76b100

SHA512
26abc758b1af559d1ea6df3bf2784662ecfc2e9e2237a69fe60d6e738663aae419f4c49cff31db00632429d41d6ee392dae31aa5678a6fefeb5ef61a420b17bc

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
242KB

MD5
685bf43e6bca063d199985cf240d7228

SHA1
7e337c51ad3bb3e2934e9ee7bcf3ab764baec2c7

SHA256
5afcbe3fb997c19613c96b39e59522bd5e9b43f1c65039d2860bfd6aa78d43a1

SHA512
8423939bb7f13b7ec35b6b363f92eeebece3030640b365c6df1d7251abc3944d351c20373a2b6b867dd206eb32928aa0fc424193cccf283b7083c8510c7338f4

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
242KB

MD5
4477e737321256e847d07bc2017ab415

SHA1
ebdaf94e0b3a4ae60380952157439ba54f84c333

SHA256
cce05dbe05f3a6837894fd8065b39189985ebe6fc9f9697564a12244b311b042

SHA512
3eaea8d059f162a0ce8e707352465ca4de2794f909bdca9fe48d2583f91f8eb22f4c3a9855164f4259ccfd757565a6b76af01ac156c3640535847074195129d3

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
242KB

MD5
b52ccd1d82ae205c8b45995b63769d54

SHA1
bc0fe4c3940f360ae25d9ecf03b0dcc907c68933

SHA256
7e71f08d3e2e886ea759c96cf4561c3b73da5bf098565425c75a6e9923320ac2

SHA512
6b203d2d151a08337640870b2043e783383584c104ab9563e427091ec20b44b7cd6bcd2e71310078a667a6719ccd9aa048a616c5e245f8bc3767e25286e1f81c

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
242KB

MD5
faf4189fa198d3a68f12d52d1e277f8f

SHA1
617844ab5a289ee86deda25539abb9dfe41cba0d

SHA256
72e27ad3d9ee158b0416e4b022dc96f6b75f14aa53e62155f176ef85e3a23e54

SHA512
927e0eb65da55f4d98892ac83520ff4aa07fbce2ce5e9b9c2feeefaeb1d6fd7db92136bd46f9761af49ccdc2d5e14b9cebafd452617f39171bc882299a14c4f4

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
242KB

MD5
9b647e79068ef186796d5eaa2d6bccc4

SHA1
c29e74cc0a096e8e6808c893c7f6f1cf3a20b066

SHA256
7ac9368ff15d0e17d24480b4797a0acf3cc52f129ce6e826701da8d50141b87a

SHA512
c411b4f3d45d3fe06399e9a32d81d29cdff0df44b1ee26742577a9aaaa8cd00fcce4edd6358be5955ccda333cf20f4b0f3be27755700315182e935a672c23c2f

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
242KB

MD5
be5e772156a26f55154e7ea0ccf2db87

SHA1
47af04dd9bd12000ab5a0c82a1bb9bf002ef690c

SHA256
ca3d0a1ec11cecc4f45075316f214654c9d80a9aa708da54c504370ff255cb77

SHA512
729c427041222a761b0724dfff448a99d387ff9a6cc1b93987c5c66d8255b0f749b89b6cf0eca4c901def02b371ac99df1cd119bcc27ac9848ecf7110513205c

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
242KB

MD5
9f170fecb2a4e347971b0392f0ae24da

SHA1
6316b6dfcca40aff1b18964a32fa18f171fdc591

SHA256
8f4f9d944464735a815aec6f69984fc318ee452fb6252fc4c470fbd93501646c

SHA512
b087b47f3ec7c2b2ced810c97d718a0d9a63db3ca9f3633b97073f92d218e3607fd41398255ae767754363718f3e7cc6f7c506ae690b6b2ceb11b19923c53cc2

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
242KB

MD5
552e84d0c15962766bfd016dfe73bd6e

SHA1
e9f4b46da40edaa35c0eac46e15a4b38124a37f6

SHA256
fbea188cf4114ba63d1645eac2ea076306abec391b86cc2281b2bcd945e8fbb9

SHA512
8f558bac161f2534e49fbaeaf5179183ed3715f06b383b49f77951a656798cb18f7188e0373e589583f8d16064ae09a7ad36768d8819796bfce9a573347424c0

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
242KB

MD5
5b429593c2050db90170bf0198b7282f

SHA1
1f474ce0c00718ae42890597abea2e9f214a1f54

SHA256
8f85939c2b6667c89e4c920d3542bfeb0462e5ee0435853be75a304f79a79aa4

SHA512
f48e6c6da6093a89b81a10ce46a2d082c14379594c564922280c0c54c1a0ec1d1961cbddaf16f9adf6702fd558d04afaac7ae3b7290b29f45f51df7bdc473f38

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
242KB

MD5
4fbd8c1d22965e486e7c753d9f56398e

SHA1
bb6b05b4bde081d0c35e7426c26e0fc2ddc0b95f

SHA256
842885d5eee1ab6599594524af03dc330b85c620947eb97701e36de4bad7e49e

SHA512
03393f24e7614a8f5097fd8dc7866b0bbbd58b383de9aecc0627b3be75ad7b90e771820204d5bc3b307fc162a3c1b53218b036da80272f828ae3a79e0240ef5c

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
242KB

MD5
d597ce395a6cb029dc95688488a614ff

SHA1
8ac3dcee796e9f8b3f3b00889eb5945d72bda01d

SHA256
6b858fd2e48e298a7b1c0df60e03e2a0f4b742e1ecb3fcd890747745266ccd48

SHA512
05989af3e580632e70c33bd09f0c64a0bb6e077679e3692d4228115d66979bb2d798745cf88afb2ac2b090517a0301ea6d3090e20c77d4fe6b78de68b53f49c6

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
242KB

MD5
7ea152c52c8bfd422679c3d2d4dd6432

SHA1
b239a75a906332dfbeb90ba0d29ef6349598c90b

SHA256
6c9d43354ece5d33814d040a78a35efecc2d3da32931234a493124e1a3f9fe75

SHA512
d77211d0412735337d9b197dcf0b8819b7fdae5f3878959345b7e3c5e1cbe3857f6898fddaae87cc0387f1863ab9293c9affb65a0d5110e82a127dfb7014eb1e

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
242KB

MD5
e17befd3f8ca8e093779585b6e8ec8b3

SHA1
a479fe85e6c0ce0db0e9431f7819c0940a31757d

SHA256
d91bbe85062393ae013e720bd44e3e02b6934f1aa3342f2bb0667e81ed6626ef

SHA512
60a60624f7a7d4925c2fea89e8041d85b016f635bbae232042360d522a257a87607b21d18595c17f4fe2f4dc19b533dfcc943c7e6a5dec385cbe8a637a6f6d2c

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
242KB

MD5
15421dbb65245bfc32cbea4f09873547

SHA1
2cae3343ae9b0fbd9c181955d3a20c1d2753bf37

SHA256
fdb78821d4849158d0894bce1cef71b98a94b01f7511a365964b9ceeb5175ee8

SHA512
002cd47c7907207b1710dc896c9e0a3ecdf8de1dbbab58555385502810f90a7c84e2ff42e0053e432b8d352a1a3fbe48a2db3ae3cffe4c3934e230c529316848

Download Submit
memory/448-456-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/448-97-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/460-309-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/460-399-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/632-169-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/632-438-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/636-185-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/636-434-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/764-363-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/764-382-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1036-21-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1288-263-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1288-414-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1296-351-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1296-385-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1420-426-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1420-216-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1488-303-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1560-387-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1560-345-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1592-200-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1592-430-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1608-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1692-9-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1720-192-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1720-432-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1768-120-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1768-450-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1784-257-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1784-416-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1804-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1904-395-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1904-321-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1912-45-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1916-436-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1916-181-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1936-391-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1936-333-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1980-128-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1980-448-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2012-402-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2152-369-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2152-379-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2356-406-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2556-339-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2556-389-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2564-315-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2564-397-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2612-281-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2612-408-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2624-88-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2624-458-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2996-57-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3004-161-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3004-440-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3040-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3040-464-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3228-424-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3228-224-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3316-462-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3316-73-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3380-375-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3380-378-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3444-393-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3444-327-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3636-240-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3636-420-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3912-113-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3912-452-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4032-444-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4032-144-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4048-233-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4048-422-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4272-209-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4272-428-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4308-418-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4308-248-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4328-446-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4328-136-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4456-454-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4456-104-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4548-410-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4548-279-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4728-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4728-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4872-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4872-460-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4888-361-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4888-383-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4892-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4892-152-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4952-33-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5020-297-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5020-404-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5052-269-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5052-412-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads