7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe
Size

72KB
MD5

a117c6cd25f370381bfcd86ce981e810
SHA1

a13d1797772ac0aa11b8f2b813aab5fa9d36c14b
SHA256

7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728
SHA512

296b118d4d79b6fa1c9e4347e4cf9a642f827b3db7c03a02d7052917721a87494b8c4053a6166e90416e5d78b6c6b9f84c3fc131977c834ded5c65f507484d63
SSDEEP

1536:Wgh36PNAjqYJK3Y6b1PuogzSBmIZ0aH9RQjDbEyRCRRRoR4Rk4:Wu36KJyvbFuoJms9eTEy032ya4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe

Executes dropped EXE 57 IoCs

pid	Process
2588	Jfffjqdf.exe
1464	Jpojcf32.exe
2888	Jbmfoa32.exe
640	Jkdnpo32.exe
2580	Jmbklj32.exe
620	Jangmibi.exe
1016	Jbocea32.exe
1320	Jiikak32.exe
412	Kaqcbi32.exe
4576	Kbapjafe.exe
1588	Kilhgk32.exe
4308	Kpepcedo.exe
1580	Kbdmpqcb.exe
2488	Kinemkko.exe
880	Kdcijcke.exe
3372	Kgbefoji.exe
2596	Kagichjo.exe
4872	Kdffocib.exe
1240	Kkpnlm32.exe
4716	Liekmj32.exe
1388	Lalcng32.exe
1500	Lgikfn32.exe
1248	Lkdggmlj.exe
4256	Lmccchkn.exe
3356	Lpappc32.exe
1516	Lgkhlnbn.exe
2444	Lnepih32.exe
2688	Laalifad.exe
324	Ldohebqh.exe
1788	Lcbiao32.exe
4996	Laciofpa.exe
552	Lgpagm32.exe
4392	Ljnnch32.exe
3964	Lphfpbdi.exe
1040	Lgbnmm32.exe
3308	Mahbje32.exe
4556	Mciobn32.exe
4728	Mnocof32.exe
4748	Mpmokb32.exe
4848	Mnapdf32.exe
2428	Mcnhmm32.exe
380	Mjhqjg32.exe
1852	Maohkd32.exe
1112	Mglack32.exe
1520	Maaepd32.exe
1532	Mcbahlip.exe
3728	Njljefql.exe
2956	Nqfbaq32.exe
2544	Nceonl32.exe
3104	Njogjfoj.exe
4216	Nafokcol.exe
432	Ncgkcl32.exe
4932	Ncihikcg.exe
4400	Nbkhfc32.exe
3412	Nqmhbpba.exe
2952	Ncldnkae.exe
2424	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lcbiao32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2968	2424	WerFault.exe	138

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2588	3940	7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe	81
PID 3940 wrote to memory of 2588	3940	7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe	81
PID 3940 wrote to memory of 2588	3940	7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe	81
PID 2588 wrote to memory of 1464	2588	Jfffjqdf.exe	82
PID 2588 wrote to memory of 1464	2588	Jfffjqdf.exe	82
PID 2588 wrote to memory of 1464	2588	Jfffjqdf.exe	82
PID 1464 wrote to memory of 2888	1464	Jpojcf32.exe	83
PID 1464 wrote to memory of 2888	1464	Jpojcf32.exe	83
PID 1464 wrote to memory of 2888	1464	Jpojcf32.exe	83
PID 2888 wrote to memory of 640	2888	Jbmfoa32.exe	84
PID 2888 wrote to memory of 640	2888	Jbmfoa32.exe	84
PID 2888 wrote to memory of 640	2888	Jbmfoa32.exe	84
PID 640 wrote to memory of 2580	640	Jkdnpo32.exe	85
PID 640 wrote to memory of 2580	640	Jkdnpo32.exe	85
PID 640 wrote to memory of 2580	640	Jkdnpo32.exe	85
PID 2580 wrote to memory of 620	2580	Jmbklj32.exe	86
PID 2580 wrote to memory of 620	2580	Jmbklj32.exe	86
PID 2580 wrote to memory of 620	2580	Jmbklj32.exe	86
PID 620 wrote to memory of 1016	620	Jangmibi.exe	87
PID 620 wrote to memory of 1016	620	Jangmibi.exe	87
PID 620 wrote to memory of 1016	620	Jangmibi.exe	87
PID 1016 wrote to memory of 1320	1016	Jbocea32.exe	88
PID 1016 wrote to memory of 1320	1016	Jbocea32.exe	88
PID 1016 wrote to memory of 1320	1016	Jbocea32.exe	88
PID 1320 wrote to memory of 412	1320	Jiikak32.exe	89
PID 1320 wrote to memory of 412	1320	Jiikak32.exe	89
PID 1320 wrote to memory of 412	1320	Jiikak32.exe	89
PID 412 wrote to memory of 4576	412	Kaqcbi32.exe	90
PID 412 wrote to memory of 4576	412	Kaqcbi32.exe	90
PID 412 wrote to memory of 4576	412	Kaqcbi32.exe	90
PID 4576 wrote to memory of 1588	4576	Kbapjafe.exe	91
PID 4576 wrote to memory of 1588	4576	Kbapjafe.exe	91
PID 4576 wrote to memory of 1588	4576	Kbapjafe.exe	91
PID 1588 wrote to memory of 4308	1588	Kilhgk32.exe	92
PID 1588 wrote to memory of 4308	1588	Kilhgk32.exe	92
PID 1588 wrote to memory of 4308	1588	Kilhgk32.exe	92
PID 4308 wrote to memory of 1580	4308	Kpepcedo.exe	93
PID 4308 wrote to memory of 1580	4308	Kpepcedo.exe	93
PID 4308 wrote to memory of 1580	4308	Kpepcedo.exe	93
PID 1580 wrote to memory of 2488	1580	Kbdmpqcb.exe	94
PID 1580 wrote to memory of 2488	1580	Kbdmpqcb.exe	94
PID 1580 wrote to memory of 2488	1580	Kbdmpqcb.exe	94
PID 2488 wrote to memory of 880	2488	Kinemkko.exe	95
PID 2488 wrote to memory of 880	2488	Kinemkko.exe	95
PID 2488 wrote to memory of 880	2488	Kinemkko.exe	95
PID 880 wrote to memory of 3372	880	Kdcijcke.exe	96
PID 880 wrote to memory of 3372	880	Kdcijcke.exe	96
PID 880 wrote to memory of 3372	880	Kdcijcke.exe	96
PID 3372 wrote to memory of 2596	3372	Kgbefoji.exe	97
PID 3372 wrote to memory of 2596	3372	Kgbefoji.exe	97
PID 3372 wrote to memory of 2596	3372	Kgbefoji.exe	97
PID 2596 wrote to memory of 4872	2596	Kagichjo.exe	98
PID 2596 wrote to memory of 4872	2596	Kagichjo.exe	98
PID 2596 wrote to memory of 4872	2596	Kagichjo.exe	98
PID 4872 wrote to memory of 1240	4872	Kdffocib.exe	99
PID 4872 wrote to memory of 1240	4872	Kdffocib.exe	99
PID 4872 wrote to memory of 1240	4872	Kdffocib.exe	99
PID 1240 wrote to memory of 4716	1240	Kkpnlm32.exe	100
PID 1240 wrote to memory of 4716	1240	Kkpnlm32.exe	100
PID 1240 wrote to memory of 4716	1240	Kkpnlm32.exe	100
PID 4716 wrote to memory of 1388	4716	Liekmj32.exe	101
PID 4716 wrote to memory of 1388	4716	Liekmj32.exe	101
PID 4716 wrote to memory of 1388	4716	Liekmj32.exe	101
PID 1388 wrote to memory of 1500	1388	Lalcng32.exe	102

C:\Users\Admin\AppData\Local\Temp\7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWOW64\Jfffjqdf.exe
  C:\Windows\system32\Jfffjqdf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\Jpojcf32.exe
    C:\Windows\system32\Jpojcf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\Jbmfoa32.exe
      C:\Windows\system32\Jbmfoa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        36⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        41⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        45⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        59⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 232
        60⤵
        Program crash
        
        PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 2424 -ip 2424
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cpjljp32.dll

Filesize
7KB

MD5
41f1b2900477c5713f3255683f264813

SHA1
67ec8c8c7c24c7cf7967282917562c3c7c23cd90

SHA256
2160a05048189f99aa28d43e7d3bd2894f86865fa6ae66199738ecbeaaecec1d

SHA512
265a63e7da1b4d7139a6de72b5245b07973f8f7bd64d3ccc80e9cf4e6beec547bfdaf59b7aeb94a74bed22bca908600ee4bd98bd1e3054a2e5a02929bdc7ad9b

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
72KB

MD5
f8faeecb91e0bc786d9442c4711d5574

SHA1
d93d05ece949215d6cf8f8f137d44bbaeac61780

SHA256
afb76427ef1d7f3b6605ad36d18ae0d1052df7bd715274fd0e71e678f99385f6

SHA512
a99a44268a409724d05fb1304cc52a5c2797f2211c3773c8c0ad0359fa2f217572fd26ad7247c5753e3c639064cb4742a86c2d00e531cd1e20307b90601c45f3

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
72KB

MD5
dd3644bead6afd3264e070bafcb519e1

SHA1
deb0b3b1da4bdab214f8e30f14f5b01810033fe1

SHA256
d6fdda5f349b66e2fb6eb23c997fcaf6d98f9c5079113eefd20ebde0b49b271b

SHA512
ec1cbc4b2a81f42b87740ca0df76d130764dbf55dccb63e36cb2f324357a4b4e69a9a8b5001b5860fb5368808867453d5484388f690b9998223fd87ff05105dc

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
72KB

MD5
2ccde48e0485cef44df74b18351e41ed

SHA1
fdd75be51af15fa47349818734b47934f67c6c20

SHA256
be41c64dca2ecb4e5024f5525a085a9f55e696e0659bb2560586dd87814324b0

SHA512
6859e2d7ad53ce1d5f10bd13fd9c1879a3103d7c70d17cd77680ee21ace413622e65bc245c1481b7ac8804158acf1db00e2970b0212c05ce6658c875c3e9e42a

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
72KB

MD5
9fa0d8f554b5f2293fbf6f23f7212ab1

SHA1
e17711bb5cf50022c59bb04c15c353df8bb30cec

SHA256
77f0ad97d94e2d0ccb2daeb16d20e399d4a7b7cad65bd7c4beb649764cc95dcf

SHA512
8f73804059d9ff851f50069fbcfd552dbef01528286c08beecfc17b5aa20e99e97287b6ad37e5ca1c0f87a8ec1761c19925f1ae162fe01ea6a4df5ce993bea76

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
72KB

MD5
8ff7672932a19e988e32b6ea8a558642

SHA1
158c660bea53683f5d34063043e7ce8f886a18b5

SHA256
b0d625fec7a06e440dabea892e74c9d346cc65e3187f1caa82c925b32581fbd5

SHA512
a2ed91b4cbec2f1a419e2c16e97395617ed916926574f01abd434d15a95db0c84856f51f903351563eb4902eef6154ecd879df8df226bb652263074a9cd53f34

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
72KB

MD5
aa787adb0f5c16cce7f610c602a2bc2b

SHA1
2b9125bc861bf613c8646a3cedad6d2d7646a66c

SHA256
504679f17ae495a458e5ec8e6aae1123df7c585107fd8e426b8057dfa4fa4be1

SHA512
ee77897e69102a48d3653b5f34bc6bbbf9c97781ea2e6c1fa7e09e0152f5acbf52c208e9cef2f44b676131c0d3261a3e4eab56be69c5206cc5095145eee66857

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
72KB

MD5
63215fe42feac08327536ed21f4a01e5

SHA1
494dcdbe79b23918aae1659ede1768a252daad03

SHA256
cfbf00df17ccfabda3781e2b126258c48d26ba81a82fc47e6d09bc8f394bf540

SHA512
319ee67eb17aeb555a26d8faaf67827ce97ba84816cb068cea81326d3aeeb0081b7ef30fa5b4069dc10bf186f5bcbc3019141c00783e2d8000a03f0a7dbd6b5d

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
72KB

MD5
48be80703196d1cd56f21ebc29c6dd1c

SHA1
21d5eaf0c791459516b241da4f91f26001f9c058

SHA256
9ed71ccb8ae315e2f60b58c67dd97062cec6e58444eba717feb75f89955fa33f

SHA512
2d664fc97a7f3617bec527f17825a6ed80976f3ee7fd28dc547f129cccc7642c6f3b4e2ba3372a31c1025bdbcca611570530856e166baebb5a41981a6ed3eee1

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
72KB

MD5
c8ad16dfbf4f5652dca4a9032a6922d2

SHA1
3dc0dc5792154e7488086a06ecc1dc0aed435c62

SHA256
5e957e5971993cba098a899860d9d4b69645003ae9b370918360abcf3db2233d

SHA512
36dd52d12ca5025cd15d3cfc1f250522253c391a224b596117216c93f58db9a81519ed8981c374eb785612bfd11f7b4ad1966d8f23f7d654ea93fdc5e90d8536

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
72KB

MD5
6dd67dd2b6791c7a21128c9ebecf9313

SHA1
a8f7324fca355aeebbe3bd52f2dd9ac02f3ad7ac

SHA256
96caa95245c17fba88568fb08c4e5b0a4eae6c107a64ffc93b79ec3ae913f374

SHA512
78b7d70aad23027f9eb51e00c12597db422bc1b1ca7f323a73628bc470421e39e3b152ebbb177c0ecac355135378aa824ce2f85ab6308e8061e52a02331b84e7

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
72KB

MD5
a904e5a6851d922c2917a1f1657cef2b

SHA1
bf5b473065f76d8fefa8f3f4abbb566b3345642d

SHA256
6c06d149c8e78bc6d0480c39591e336cb5daad70f22996ab53cb88a351e9c342

SHA512
c970e0970a12f5b466af56b7846ef69149c29092ec0ede29877249dde20959a1e14eb3b172d27e3c1d551b5a537dd7e7c8605a4f301c8a89a2d336069bbb5fa7

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
72KB

MD5
1425be26a7f61a8bc2ee00545b0024c4

SHA1
04c1f128d9d63e89147e85bdfb2390cbbf412378

SHA256
ab686645e1fa2c5c26fca8bb75ce0ff2b8442c522bfae3963e92c5adc2cf2427

SHA512
d385f0adca8756883f6d3d3786e86b807e7aa149ad78c6ee69a5d6a39c1f63ab0406b67986418c80f20f2f7b083cf647608244369eb044cf4275e23a5424ce6e

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
72KB

MD5
69b9ad722e783a2539c596fffd1c700c

SHA1
2a865a2a55a656f3b4675d8d724c768a4dd52d54

SHA256
d50a8fc2b1f7d73d49b4d0bb0c031fd1a1969d6fa627421973005b1f83d885ad

SHA512
a679086b251bcadd179d9c06a7f7f55ee81a73007a8a16135106b1eca4334cc730e85499eb4f612d97cf93cb05f63dcc34d2399cc877b3ecc9bc502d8fc7b96d

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
72KB

MD5
000ef6f611d0a6ac77bd2bf060f4c327

SHA1
b9734d49cb904a28c1ef1edd9d7e9cf5fc3cc5ba

SHA256
296c88f6603f0a7f0b869bf414f89291647385bbcce3f1219feb7cec7be81b93

SHA512
f419d61e04c0b9557c99e79def9737ad9600e56719a8296f4c1d16db790cb9e4ab379b44a5746299fa4fbc8878379df6a617cf72275692ddb62f968a937c5633

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
72KB

MD5
b193742f7ecdc513fd605aabfc67d2b9

SHA1
77d6626066f19ab757ea02c21f130bb2d2a30816

SHA256
33cb06caad54079c36953a8c153589bff0fe8469621cf376dd957cb303e36a49

SHA512
66190117299a494dd64181260c28611919bddefffffeb0e7d770149e0e5f6aca1fe1a1009d2545c395726718cdf44ec1580fadface167363a7255e15c152bdf3

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
72KB

MD5
0f6454367c44790580fd06aa3a8972d4

SHA1
bf05c9158022296fdd841499bf27fe7dd219419d

SHA256
e61f6340d450407a68462e9d015ed199196bf62b125f4fde41aeb586473f3dd6

SHA512
a6329d0f2bb6ee5e6d36564b8982507ee9502a93b9b224f469d1ced82ef6dccbfe0ee78b5b0b5b6a8976de3c36180c967416b9dc95251b3ca386f4c3dc79413a

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
72KB

MD5
8c7ee693d8220dc4dc0194dbd72fb28c

SHA1
0f3fed22f78c5bab8ff7dcc3d434c1a13b34b9ac

SHA256
f074fe548ed861661bae4cfd2981ba7e15aefc8172445bd1949370f82e0e1943

SHA512
d5252ee6187f390eef8a7a099a2d4e21cca61fe3dcfdcb21ccedca822366233048db735a7b77f6c7575709dc9ba918316c592be06391ad2e140bf125ae6c4a24

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
72KB

MD5
fa7c8d32d129e1b8225e82b00923308e

SHA1
b84892ca7e3b470e4262f17b0bd14aeaa4cb43f5

SHA256
d8a00ce694d59f069151231a8db5d05d68c066926b65fa873cee949896f260cd

SHA512
ac42824017c3e199c33a1fc27bd2eee9a0b1c042c576901ad8220bab94f037c8f7d27745e1fe6198bd3d725b76858ca0174998724b5e85500ab257fd96a7c7c4

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
72KB

MD5
f4055066d6581e765ab26261b465cb60

SHA1
21ef486c4a4944b09848b074f0cf2080eb04442a

SHA256
d5144bfd87922dc9217f3519600b1f92b2cdcbce40ec3c02e911b29eab359b61

SHA512
e561c3a0311f0e48f874625035056616bd4e13c1bf5d43fdad63353eee2c45e540492cf3f3c88804e581aa69aaf02997c13a0c7c65b35a61cc2397cd81fe5c32

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
72KB

MD5
bc0803b9380109c2dc5b6271b9495f6b

SHA1
0f9cdc0761a95fdd00ebec0186954180c0707e96

SHA256
b903853621bcc7b51a48485a12e847fe613304ad8016816bfb9e1b0c817943b8

SHA512
da22af6f38de9dd248f75d8ae09b45dd0d0d7ab887872bc2aeef08d59c606f032aa3ee41601f8b6994aa49328c061519f4e51138304b488c0344d4782af9e575

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
72KB

MD5
05436c990be12f5e99fb087e8af99cb3

SHA1
84d6cb4b5c1732bbf8e899a4192910936fc9c9cc

SHA256
d7695f5abfcb7a6361995f187191a22fcb640343114da86ccc6a76ab9155a4c4

SHA512
303910cec37131ab39f3cba723b4ba077e25831b0eaf78ce16dba57bff99403d5b8434a041d2463c87737547590265f1a6b63fa24579ec3c96e52f2ac430decc

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
72KB

MD5
3c318f8d55b791c7fc6ebd0e9c4e050f

SHA1
e463ac8011cb2f87c30cf4ab284879f5f9f1f229

SHA256
dd2f916398e24f2a40ea440512587dc1215456f3d47a6be8b838b43dc3684fe3

SHA512
85cd5eb7e2b4879323d4297f869f0f859671e1e23b298754c6138cdabb02f1a633175cf9b1ce9610483b9bf456a16d054309e7923d378c5f68a6031f40b7c2e3

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
72KB

MD5
793ba86300ead540d6966a3ebe26da8b

SHA1
8988ad5f2d819beabaad067db6bbb5bf5c873fce

SHA256
7ce8099ae7003582e8f247259523b1c5cbf20400a444eb97407ce775c2520b2b

SHA512
4f4e1328b18a2be63f14559c08403e01dd13091982b14ec39a68d5eced14b9c6ad91c2a8e5260733e8f8c1825b20393bfc9b38ff5a1c005c37f6b23fd2608f26

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
72KB

MD5
753ca2e4853b07ca478be073afa51c3c

SHA1
58fb08e0ec16d0b7a607321cdc15c556ef074d05

SHA256
917ab9baf81178e8f6dc407289837254a7e110fef49572e00f79106037445e98

SHA512
3f463fa10123ba599dad9a86e12afe2515b3053f3cda919be24ab17521a3c6894434eb1270c9c10215cfa6b898497a7c9c558f364bc19e66c738c979de855e27

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
72KB

MD5
aedf11a91491dbc4b368ac0aada5c4b1

SHA1
2ade0901d0ff561c72fc13a7d945723d770a0007

SHA256
97d64b74d11cf72519b29c04691713ab03836f75ab62fb80623c9e736594bc9d

SHA512
485b084447d09b030462b9d3f82e829fe9a5787ac959a427f06420611cd3096e1960719a2035e9d2ba2e4d4eb66f1763087e0576d1bdcff58cc59ac4a54b24e9

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
72KB

MD5
ce13e487b128602838bd7738ce91ca39

SHA1
49af2ffaa8407d1e129d6e75025766983de1fc6e

SHA256
9e850c19aff50405ecc7bc06d773ece42b1d3a9b33f2cd661763edc9a39823e4

SHA512
5ac20ee604f95c79b36618ddc07fe4f32d59d9ee3d758a3b16b5ca2df8bc2130965969fe033cacb2da598520ee109181d203f76d648dc8b64336d9a257fc3d90

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
72KB

MD5
0b22ae00b6bc962804b11ca1f027470e

SHA1
58a90271a730d6ba08b5e44ab92dcd334782d001

SHA256
6a63c45f3be62337c0209ba6381aeb30061425fb6c42ca25c635d6f30b313700

SHA512
12b4d868a50ef1054c55920dec8b3c70f76f2a234cb11f80dc7e94ad11bf1ada4149fe54316560cba4ef5d12215e57c4b216009ecdcb817db3715049be79d168

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
72KB

MD5
36e90b29324c7886445d0e6e718ecb17

SHA1
77446346fdf536e8db258e22509e6747adb738ad

SHA256
21ae527657335af31f7ef09027638c25488173214ed019bfc99833fece714d8a

SHA512
94cb33ba6e656d30df90eeb9c4b953c6373a161e86672819ce40f88db52c43fe2074898b823bc9375aec8b16e182786f45b68ba63e496bace11a62e34a315241

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
72KB

MD5
70263974e2058a548b1fe7039e625e7e

SHA1
2309fa5991f090cfc7f2e860d01d15826b0bc0cc

SHA256
5183d2387d5f9432adfb9aa3c9bc3e09e914a0c693c4958324e998ef10150f9c

SHA512
02a7302a976d11cc5cba391181fd5557fd7a94c834a1dfa97867eb65f91be2ea780a05dc6b2c3602ddc4086f3972cf290193671d29b6a096d108837f9a4b768d

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
72KB

MD5
420d503bdf36f227c90f7fa4b059dcbc

SHA1
2d65d32c772a538f4072bffdaf2605c9001db374

SHA256
73dd47bab4aa47536ce55cf9bb7e9a5f7450b61c0dbe089b7b58d0d63ea3dc35

SHA512
82c4ecf433e9a28b1bc429e1cdd72504c70e3bf5817d284f7d3d1ea6e940edd2f52aa8714b9e8b1e814c0b0b1285c5eee8908db5b1ef3ed7e18748483358574b

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
72KB

MD5
26aa21c1fcc9a63564760b05113d325c

SHA1
d1215bd4ef0b3c54f43604c2157d261bd8bc58db

SHA256
d11d021e6a1693f901161930a809fd8a1abc921fdd4070c9fde7baaed6b4f199

SHA512
4e68ea5ef2a453b9341561db144f70f84622d3b7b78bc3f61e6471cfb236f57f732540e08adae08a5c2a1a25c71ca39a4013a083032ac024a3d9900552bc61e6

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
72KB

MD5
7469e525f1f8a8868f590b39add96d83

SHA1
5116a4d95ada95502590d7394e1652c5dfadb099

SHA256
0c8bc9197cd53ad5934874957463a08bef1c770d2e8e63dc67e02a440f0daa99

SHA512
7c260b83c9e16add72640dcd8746f8beeafb5817adee97500849ddf71a1ca1d771bf792b621f69890a6c2bdf1b6ba699cce9963d71ca605066eeef9e12579419

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
72KB

MD5
82079ec5889e708cb9cd1cca4821acd3

SHA1
c727a1e18922c38c9f8a67176578c513edee2227

SHA256
701dd0edc6cd9192b0061a644edc5e5e077697e4c92557405a9b26c605ce7d74

SHA512
8c92f4b05391667e59a2d4a3a2f241088ce06053cc1e3cfc94a63795e6cb5bf54fcf0331dfa841c09b231a5f3bf4179ac377aa2792d0edc5747ddb0962812bf3

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
72KB

MD5
3779321ecc59acadef2630c43b1b285b

SHA1
8f9aeb227ca81f59e18453cecba8c9301c105eab

SHA256
534657d347b8f9db5c9f027c7cf1b25a154338776ce52ae59f46800181c5b579

SHA512
e122128745fa51029f0d14466b3ddf0b579e7e55d030b21187b259fd338c3699173cb92bc2fe170c3d8b096b5152d39eb7c478fd0f36d1d959ddd4df79d395f1

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
72KB

MD5
e0d8f30d876f7e367c06f8e1dc20096d

SHA1
538ba60d6af67837ae808565183cdd16d67af10e

SHA256
3c267ceddf74fd006f7c180f1497fdeeee0770ec8ef051bac066fa62dbad07aa

SHA512
6a2a245a8aa34bbe6776fb297888b99faaed2491b8ac696c57d6d007180a2bb4cb9c62974f19620efdb676e8bce7c6c8b174bfb3e84c62111636f27a9816b71e

Download Submit
memory/324-434-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/324-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/380-317-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/380-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/412-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/432-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/432-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/620-52-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/640-36-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/880-443-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1016-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1040-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1040-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1112-329-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1112-420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1248-183-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1248-437-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1320-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1388-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1464-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1500-180-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-213-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1520-419-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1520-335-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1532-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1532-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1560-425-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1560-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1580-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1788-244-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1852-421-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1852-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2424-407-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2424-408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-311-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-435-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2488-444-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2488-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2544-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2544-415-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2580-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2588-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2596-441-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2596-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2688-228-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3104-365-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3104-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3308-429-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3308-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3356-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3356-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3372-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3372-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3412-409-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3412-399-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3728-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3728-417-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3940-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3964-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3964-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4216-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4216-371-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4256-197-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4308-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4392-266-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4400-389-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4400-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4556-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4556-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4576-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4716-438-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4716-159-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4728-427-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4728-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4748-426-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4748-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4848-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4848-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4932-383-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4932-411-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4996-433-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4996-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads