4902598cdb90f0af3e3e749a31a834587ad2cb1764bbeec7144aa55ff65b33b7

Analysis

max time kernel
144s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe
Size

896KB
MD5

5af1b51f55ec0bb34c8ce051ef9458b0
SHA1

2877e2035b1db6eac8cc25156e02a02e42941c23
SHA256

4902598cdb90f0af3e3e749a31a834587ad2cb1764bbeec7144aa55ff65b33b7
SHA512

8f291eab1159126026e7ac7b1a744ddbfc8fae7af19ccaf059440a7ae206281bea073dbc652c406e895220cca67e9f812bf9878143e0bdd88bf5852d0be12926
SSDEEP

12288:29cIFMusMH0QiRLsR4P377a20R01F50+5:RIILX3a20R0v50+5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe

Executes dropped EXE 64 IoCs

pid	Process
1172	Impepm32.exe
4252	Ifjfnb32.exe
4904	Iapjlk32.exe
3956	Idofhfmm.exe
4560	Jmkdlkph.exe
1168	Jpjqhgol.exe
4356	Jkdnpo32.exe
1644	Jdmcidam.exe
3560	Jfkoeppq.exe
4432	Kpccnefa.exe
3168	Kbapjafe.exe
3620	Kgmlkp32.exe
3884	Kilhgk32.exe
1920	Kacphh32.exe
4080	Kbdmpqcb.exe
3528	Kkkdan32.exe
1848	Kmjqmi32.exe
1908	Kdcijcke.exe
1108	Kbfiep32.exe
4476	Kknafn32.exe
2372	Kmlnbi32.exe
3988	Kpjjod32.exe
3360	Kcifkp32.exe
716	Kkpnlm32.exe
3520	Kibnhjgj.exe
3940	Kajfig32.exe
3484	Kdhbec32.exe
824	Kgfoan32.exe
1088	Liekmj32.exe
3608	Lalcng32.exe
632	Ldkojb32.exe
3496	Lgikfn32.exe
828	Liggbi32.exe
2028	Lmccchkn.exe
3176	Lpappc32.exe
4320	Lcpllo32.exe
3100	Lkgdml32.exe
2436	Laalifad.exe
3440	Ldohebqh.exe
2748	Lgneampk.exe
4460	Lnhmng32.exe
4088	Lpfijcfl.exe
1012	Lgpagm32.exe
3960	Ljnnch32.exe
4188	Laefdf32.exe
3968	Lddbqa32.exe
4592	Lgbnmm32.exe
1468	Mjqjih32.exe
3672	Mpkbebbf.exe
3236	Mciobn32.exe
2368	Mkpgck32.exe
2500	Mnocof32.exe
4808	Mpmokb32.exe
504	Mcklgm32.exe
3428	Mjeddggd.exe
3948	Mpolqa32.exe
1656	Mcnhmm32.exe
1292	Mkepnjng.exe
228	Mncmjfmk.exe
5068	Mdmegp32.exe
4236	Mglack32.exe
1096	Mjjmog32.exe
1540	Maaepd32.exe
3624	Mdpalp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe

Program crash 1 IoCs

pid	pid_target	Process
5284	5204	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1172	1864	5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe	85
PID 1864 wrote to memory of 1172	1864	5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe	85
PID 1864 wrote to memory of 1172	1864	5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe	85
PID 1172 wrote to memory of 4252	1172	Impepm32.exe	86
PID 1172 wrote to memory of 4252	1172	Impepm32.exe	86
PID 1172 wrote to memory of 4252	1172	Impepm32.exe	86
PID 4252 wrote to memory of 4904	4252	Ifjfnb32.exe	87
PID 4252 wrote to memory of 4904	4252	Ifjfnb32.exe	87
PID 4252 wrote to memory of 4904	4252	Ifjfnb32.exe	87
PID 4904 wrote to memory of 3956	4904	Iapjlk32.exe	88
PID 4904 wrote to memory of 3956	4904	Iapjlk32.exe	88
PID 4904 wrote to memory of 3956	4904	Iapjlk32.exe	88
PID 3956 wrote to memory of 4560	3956	Idofhfmm.exe	89
PID 3956 wrote to memory of 4560	3956	Idofhfmm.exe	89
PID 3956 wrote to memory of 4560	3956	Idofhfmm.exe	89
PID 4560 wrote to memory of 1168	4560	Jmkdlkph.exe	90
PID 4560 wrote to memory of 1168	4560	Jmkdlkph.exe	90
PID 4560 wrote to memory of 1168	4560	Jmkdlkph.exe	90
PID 1168 wrote to memory of 4356	1168	Jpjqhgol.exe	91
PID 1168 wrote to memory of 4356	1168	Jpjqhgol.exe	91
PID 1168 wrote to memory of 4356	1168	Jpjqhgol.exe	91
PID 4356 wrote to memory of 1644	4356	Jkdnpo32.exe	92
PID 4356 wrote to memory of 1644	4356	Jkdnpo32.exe	92
PID 4356 wrote to memory of 1644	4356	Jkdnpo32.exe	92
PID 1644 wrote to memory of 3560	1644	Jdmcidam.exe	93
PID 1644 wrote to memory of 3560	1644	Jdmcidam.exe	93
PID 1644 wrote to memory of 3560	1644	Jdmcidam.exe	93
PID 3560 wrote to memory of 4432	3560	Jfkoeppq.exe	94
PID 3560 wrote to memory of 4432	3560	Jfkoeppq.exe	94
PID 3560 wrote to memory of 4432	3560	Jfkoeppq.exe	94
PID 4432 wrote to memory of 3168	4432	Kpccnefa.exe	95
PID 4432 wrote to memory of 3168	4432	Kpccnefa.exe	95
PID 4432 wrote to memory of 3168	4432	Kpccnefa.exe	95
PID 3168 wrote to memory of 3620	3168	Kbapjafe.exe	96
PID 3168 wrote to memory of 3620	3168	Kbapjafe.exe	96
PID 3168 wrote to memory of 3620	3168	Kbapjafe.exe	96
PID 3620 wrote to memory of 3884	3620	Kgmlkp32.exe	97
PID 3620 wrote to memory of 3884	3620	Kgmlkp32.exe	97
PID 3620 wrote to memory of 3884	3620	Kgmlkp32.exe	97
PID 3884 wrote to memory of 1920	3884	Kilhgk32.exe	98
PID 3884 wrote to memory of 1920	3884	Kilhgk32.exe	98
PID 3884 wrote to memory of 1920	3884	Kilhgk32.exe	98
PID 1920 wrote to memory of 4080	1920	Kacphh32.exe	99
PID 1920 wrote to memory of 4080	1920	Kacphh32.exe	99
PID 1920 wrote to memory of 4080	1920	Kacphh32.exe	99
PID 4080 wrote to memory of 3528	4080	Kbdmpqcb.exe	100
PID 4080 wrote to memory of 3528	4080	Kbdmpqcb.exe	100
PID 4080 wrote to memory of 3528	4080	Kbdmpqcb.exe	100
PID 3528 wrote to memory of 1848	3528	Kkkdan32.exe	101
PID 3528 wrote to memory of 1848	3528	Kkkdan32.exe	101
PID 3528 wrote to memory of 1848	3528	Kkkdan32.exe	101
PID 1848 wrote to memory of 1908	1848	Kmjqmi32.exe	102
PID 1848 wrote to memory of 1908	1848	Kmjqmi32.exe	102
PID 1848 wrote to memory of 1908	1848	Kmjqmi32.exe	102
PID 1908 wrote to memory of 1108	1908	Kdcijcke.exe	103
PID 1908 wrote to memory of 1108	1908	Kdcijcke.exe	103
PID 1908 wrote to memory of 1108	1908	Kdcijcke.exe	103
PID 1108 wrote to memory of 4476	1108	Kbfiep32.exe	104
PID 1108 wrote to memory of 4476	1108	Kbfiep32.exe	104
PID 1108 wrote to memory of 4476	1108	Kbfiep32.exe	104
PID 4476 wrote to memory of 2372	4476	Kknafn32.exe	105
PID 4476 wrote to memory of 2372	4476	Kknafn32.exe	105
PID 4476 wrote to memory of 2372	4476	Kknafn32.exe	105
PID 2372 wrote to memory of 3988	2372	Kmlnbi32.exe	106

C:\Users\Admin\AppData\Local\Temp\5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\5af1b51f55ec0bb34c8ce051ef9458b0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\Impepm32.exe
  C:\Windows\system32\Impepm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\Ifjfnb32.exe
    C:\Windows\system32\Ifjfnb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\Iapjlk32.exe
      C:\Windows\system32\Iapjlk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
      - C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        35⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        49⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:504
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        66⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        67⤵
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        69⤵
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        70⤵
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        71⤵
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1032
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        74⤵
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2648
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        82⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        83⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 400
        84⤵
        Program crash
        
        PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5204 -ip 5204
1⤵
PID:5260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
896KB

MD5
3d74b5187a91eb200b5249c22cbc5412

SHA1
2ddb6c9d12a4d49e336d6c9bf2a0b4d2becc1ebd

SHA256
322d3129a87750db01fd00eddbf69ae18f99deb84b69134b48a3475d504044b4

SHA512
8a03917f5b7286fa6b4cd852ac3f419090ec8c33f51d86153105cc9b7d474386c478fce2f512ae2c482d2efca1947edc174824f3932c9ab7950b09b4332a6611

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
896KB

MD5
a2ee05685044bf8d88ee75971bcda6a3

SHA1
3f34310eeb5e7fdb15dcae967099992ce8547a8d

SHA256
86a56686d6ba2436b84d9ece75cd509209b61b24a615a5e571d154310b073e31

SHA512
c265c363d53c0407520e484eff8a217586a72442d0fbbe4ec4a3848029b54d8a5d0d7a5f13b3ba8f155ae86440eae99fa2500a3b1e2a70e02f24018b4e7e1607

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
896KB

MD5
8e9b2e0430880bdba46792c6e660516b

SHA1
cc873f7016b466f9d0b126fc459952b24f2dc66f

SHA256
981fedd5b7ba79bc992578f7d4867e1ee17105ee86c5ecdd8a7193518b38acd4

SHA512
79cf403ff45e36725835f23d61bd18341fb3df6b1401a876852aa212b7b3a9fcc77777fde74ff3bee00942742fb908d23e58371ec2038c83843c0f51582a906b

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
896KB

MD5
9084e79c6c0e02826b8a179ea563b9cb

SHA1
7d21afece8d6c2fb1b9914b99d41cd5f44d6140f

SHA256
890ff55d4eb1b2ffd7f16094d6ce86c5457c5eab560ba323359285b8fabe4059

SHA512
870f01d866fa24767174e80def2499d9adebdb4c4bc890a738bd9160b1692e569222411654c72f692817b862793af60100a13c2f1d41f177087ca188c4f153b4

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
896KB

MD5
db91fc98dd88186e5d787c2bf5adcfb1

SHA1
23b64e38ede5edd59f7260347f440454f89f2afe

SHA256
ce9ecd8294f09ede3dbc0f067f5a7681fe6fcbdc22f484aafb55e23d105ca458

SHA512
367c2f47ffa88ffa3edd56a491ebb21f7ae6cb9c5b872a1b55088e152ebbbbf5bb6958b0b7cffae900f31db60c552e271ac52e607cee1e53abf2f5feef7255d9

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
896KB

MD5
5830f568143d51b877adcbdaf7bb2e86

SHA1
0d4fd5539c5f6bb07cb796dd959b2949f4300697

SHA256
70373e8869a2c35ec7811732b0d7ade81e81ebd6098f1ca23a9e11cf97c323c2

SHA512
b069ea621c90eac41e463b03b23d8200c99d983492e8653d6cfb564030dabbc5ce5e2eb9b0bcd216e10bd9cbc5cf7b05afdeb5db1d2000105237054f213e6a2e

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
896KB

MD5
ccee88151bbb9f976a247e4cb933efd6

SHA1
9a3832368fce72c4076c3e6c9a5cfa6307493600

SHA256
4155b329efb4a838f75bd80c9a0435efed112939a6138ddb34c2b777259734fc

SHA512
563338ad5db4906d39d858cb4d65aa13b7f5099b409b2d88fb82d58a841a2542ada208b4eb2c550d843c79e38f6734b8ffc8ce8adf347bf2b2c198adc80e8564

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
896KB

MD5
62325f6d442f8a8d2f4fc16377838247

SHA1
f5b86513debc414e2d0bcca4a9f21d89e20f4b76

SHA256
af5c26365c2b41f91ea296634028dde47e2e88becbfa3836188fd2a4008726ee

SHA512
5fe21b2aaa3efb2bf1b95f87476b8490209e7494e15147131dcba13423c51f571871d397cee075ae283cc8f919d9d7a1235dc5e7af8ef1467cb9190a224e4370

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
896KB

MD5
5c96f5cee1b261856395d65c02ae3449

SHA1
7a3655fe39c843bbba3595ab259cfa4db3ea5d65

SHA256
dfc63d8f717e8629df826a8f616fd4241efd9e38ad886a9511e82bc79a6f5288

SHA512
e99f3c4e55bef39bebf48bb3cac5680052b7733fd59af22e17b9848783c19a7298e0afb9e9ff8b491d2e8fcb8fbb7701d0a59485a529de8bd0ee3af2ececbdfe

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
896KB

MD5
eb97561b705497241a7d6cd862e8224e

SHA1
57f40a0b4322fb863598a098bda2205e4610edff

SHA256
eafec6d7d89e41fe9c883e364ee5c7be2e102cee2caf7a0a00080dc9752bf993

SHA512
295112d8e8de1f3617d0c523c2481f59dfe34d38b837be90b647758d0bca9bda8d382a3cb77282e7e9c9d55304ebda414dec2d31ec75182ce08f78bc4045e3b9

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
896KB

MD5
c5f9b584de32e4ce6af7eeb66d387dbb

SHA1
63577e3282a581aa7ee029723ea52198ba6dd7d6

SHA256
41e5b500683c8a21f6e674b264eae999a92e6344466d2ad1101c4f95931c75fa

SHA512
7aef1daa698863aec5925d137c659ba11159a82f691e990d5d9138aec59b909c57dc8a384ce0a838961cb413f3e5b238c801a815b5f3e06839d3f57209d626f8

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
896KB

MD5
04593233b4be9d455bb1c9ea05c83f0f

SHA1
e7d4a5c42d68a64c156c37e2d21e16f62775bb18

SHA256
b51e8867881231c4edeb622092e3407a0615d63f37cdd7bdb6dc095d5bd86a21

SHA512
a4498e851e031eb98524f2b805f1f335113616c9fd6f52724ef5a14a1809a211264a127dbf1b9f4404493857c7504b65a09e80843dc3447b47e46b2824988340

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
896KB

MD5
b144559d918063fab561e29a8518e07e

SHA1
ff1fb2dde47b768efb93a728ec7084466bb40a3e

SHA256
4a2e8c5dcddc89295ec1a29a084fcdbfe56ae3b973d230cec187aacfd0f583b5

SHA512
7a1d1392fc4605aec62d70af80773e3c651138d584af2175d8656b280912a1984cb9f5890a1aa7b7ae09b2c58666ae324426fb21d7be00952e278fa471483a38

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
896KB

MD5
74af5c90156450f75646179bbfcf7aa7

SHA1
6314a20b34b618378583bf5e93c3d0ac394fbe72

SHA256
4575eede4dc1f552103236b54e4359d3d949fa7a0ffa833be14c6043405ea9e4

SHA512
b348e34a91fe7e85c0c2ac29eafa64df035e696c8307a6ac093af373fb76e17e65ec5500101e60f3e959f9608b1038190db19735d77073ada7084e494e20d7fa

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
896KB

MD5
023a3ce03cb3540c911220973461f4de

SHA1
571d83ca23157b49ee6dbc7b6498d75a516485a2

SHA256
90f0cf9a8ddc6fcd7bd06e26268f8909cada18ae8a209517418a06420e4bcc50

SHA512
ef8793f62dade043e4a689de042dfa19b2c2fd20a389737ec3315338cbbaabf4ee891397eda89ab09c06dce9eb1c935bdc3ae9c616c76a7e8236cc7209d10bd9

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
896KB

MD5
e83e1712e2df79777a34624c7ce81565

SHA1
5b4b5364350ab53dda09538570cab59e6ff15b01

SHA256
cb8b16e702f7c9c9ca353d2ffae1e54bb901e737503f81b2d64e6920ff25970b

SHA512
e459e72eea6ee97a5e3459f376a1b190badae72589e5050bfab3b56ebd6fc6ae4e30cff003b4978569517219ad3c483a8484efa52f917809f91cb644f00fa5ef

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
896KB

MD5
ecf949f20a91cf9c9a6e52eba5670b50

SHA1
f55005a2905f193d0e13a2800b13718b870c184b

SHA256
fe7cacfad9f54f675418742e8877665dff4c0ac4cdbde6f669ca4a4db31d04c1

SHA512
81db91b610fa6317fe6e4f9c4f4a8b4cc1e3900a9efc515386671a8d28afaa7985af02ac3da2400fff76fbe32d59783909947ef5f3d9f76592a95a1d9eda435c

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
896KB

MD5
30de4bc87dba4d998a7c5f35ea33f63a

SHA1
57e7142e8d27f124642c4c8196c716136050650e

SHA256
22172ac60157f54cb5efe53605c78e8b1fbafbb49342ed73929c5f37d09603ea

SHA512
9b234bcc9624624a82a1f10103cb55c0bf38cafa83cf5da7a8b486aa7a08c934fab27a8a981048ae083c29e2b07b02e85a80facd605392e2c646701080ecd050

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
896KB

MD5
741139074d8daf81a65657f5d2b80ddf

SHA1
53f2e56463f15944a461fbd00fe3715d1239cedf

SHA256
a1ee5ffae6fe500b74dcc5238fffe1f07473df514c537c116ae30fac0d6df086

SHA512
6a35b8905eb0026d2da876baef7b94c18ece0262fa9cf804e8c0dbcc0ab1aa2a38e19993aa2c08967342b18be5dba6fd02e60458f430704ef01b1576500c6956

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
896KB

MD5
afbf2a8b2cbec9c91441124ae8370411

SHA1
6751cd0e3cdd1229c8f5e048db430b8d8cf003c1

SHA256
6f9a79937973906b7dcac865a5ba2b8aac027d1af9988e9fce1491c42717105e

SHA512
e890c5dfea540b7c6ce44ce160b4989e10d74716ed02c2d1ac19f287b60654e57a6666beafc61c3023c57fcb3af790f3fdd5b8d18bfd0585dd9017895fbc4c29

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
896KB

MD5
02ee08cda6ad8ccf66a8f9856d642658

SHA1
62e27d394299dd4f4139f214048d75dda5a34f91

SHA256
0b86860eb798f93e67b7cecfe5bd34b9b4293b450949063271d1904813a5642a

SHA512
319ba129ae8322c67046490dff35d88a25e3524b5e5590de80b7920bdb6f5d6d8d704e2709bb2cfae11d592dce898926854c28911683ca584c7058b7dc0769de

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
896KB

MD5
90ab9664e1a846528dd374a3c5770fa8

SHA1
0fcb038295e25f14f18e4544c0c8966fefffbf50

SHA256
280eced2717fc8ccf6c4829456cf0d5d48a199a2359ca0185aed9f8ea173fce7

SHA512
d60c74e69901a59f068351a4eab16cfc5e638306cc0955a2014df49b2fc8b0fa5a93541d8035fb629c7539bc93d54c80b838413837cc862c29ffe96def86a84c

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
896KB

MD5
30d7bdd033c5c3f9b346e8fad73ef8b6

SHA1
cfd4ab7c32bad8ea8eb64b17e8de73a4a7a8d686

SHA256
fe7b66f6dae6a5656c6fc6faf45f323d0b514afd0d743d3a75593a672c708135

SHA512
c19354e532d11db1d5fe98e853b0c636a9f2dfaff5dabc3cf9f8fc3a5655dd68eb84801efdd76c6bcc6d3860d0ed4baf9839cd166db7f52a3aad190b4db2cdf7

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
896KB

MD5
20b9d12e356f2cc740a002c8f76a57ae

SHA1
70e8ac0d3d617f4ced0b892323fa453fdbfbcb90

SHA256
69b275e4fc7935290e74f34465d172543e55b0b57acf819482fbc97491f89805

SHA512
c1cafb04233c34478b1ed48c55819c8775e5df347f4423e99b7f04e63a84ebc8139128fb1a285f7b01157d92dbd9c07602061051d806c18f0d2225e6b58403e6

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
896KB

MD5
8815bbb81bfc675d83675bab95383123

SHA1
52e7028bf2a1683a8e7a06d6a74ebc5eceb479c1

SHA256
3434c2efe1e04a09beb67ec1560d9a32f2ddf5f1d24cf283fd9f0bc095c4141c

SHA512
3b3233ca930b908f1f2209194e0b368e7812781769feb81e77e96c16ff72b65be8082cff7ddfb93fdd4f9b7fb2f738ca31df1bf4853764f5b613c4cd2a4d98e8

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
896KB

MD5
ed3cf1a74c8034f050b8505eeb401318

SHA1
eb5051b49d71253baeba77ac1cf488d4724c21f1

SHA256
31e055444994b04c60e5995828b0228f5ccc9077e90350a20d03efdb896e8a79

SHA512
7dce860e773dc3ef3272947dd3891a461a8be3ea194671f4d2546601c65df7ba15a063d8cef7d54132d8051dcea08ddbaa56cfed4bc82f25a09e4feca0e0fdc0

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
896KB

MD5
273ffef15f4204c5b5484441c9aea282

SHA1
c4b3ee56f15b7c054789ce191f0472c3d06d53e4

SHA256
b6e7df3125bddc26ec62760b840a7dd0ba05abc311cb379e2b31cc6bc376e5a8

SHA512
3ca3ff1217952eb0dacf253dac65809f95b445552b0339d740a4950d67855e82d08d68b08613e32407aa8e903eb747b9cd391f049894849459afd7ec98d4b2d1

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
896KB

MD5
840f34ee8089b3ed695130109a0a6a00

SHA1
7a05314ec5845672ea78f0ed51bfefe7641262f7

SHA256
db479c245335d978aba1181d47205ee0f6a7a831ffdad1630c1121624caf3c8e

SHA512
c67ae7683ae5ccd6ffa90138aa68e319401a7d4a60f46aea6f8c3b8d5f9e396243a6af537e835ea4aebbbceb54f80d042ecf7c28eece3d686642bc5c68ccf85e

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
896KB

MD5
2700312ea04098e89763b5ea0410efb7

SHA1
26563fba41217404ab25d2ba0b9621cb0c63741f

SHA256
41168a34ad991ea9f6a48edc17bd576d2212c613cddd7ddb4ab9bf03e942ba49

SHA512
1e5c6dca990dbaf02edaf02d79474ca3b0f38b49bf705140b85b9c822abbef4586e39113702e178867e7001b87d48a6d766b871f221e3a686490849fb393357e

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
896KB

MD5
3c771393045f66032cdc6f23105a8b28

SHA1
7028d0844c806383bcfcb174a4145a34d332b42f

SHA256
0e146c0e4114469373c193ddd1f9836ab2cc48b5e4e761a64a8c893fc3d5c601

SHA512
319d050acc72a0a7207d1bd466ed5efb52253ada46a845d48f96e77463f20d9cc45b9f6b26a09b6422e7e9f69fc797445ef1e6acf2dc78aa5e9126750f9e5d78

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
896KB

MD5
db3675f155670bf652857ceb132f3506

SHA1
66acd6c0509aaa5e53aeecdf768af33af38a9cc1

SHA256
d236ac1825898de5c91acbb10b9c09e5a88c36dea2d775701c7cdfb4aff39105

SHA512
a841378b159e7f17403f21c15d7a6e6ab3ed6d4d09dbd57e56ff68cbca903a239942af2bba79614469e5176698a50b939af0adc31f78a8e1f1a8b74884f64c1e

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
896KB

MD5
9319a27e0c4673bf27df5c758f0a0070

SHA1
d6e3bbd85e6a4c1f055962d64bc09261f5c3be03

SHA256
84e51825374825c5516c2ba8d19ebde1ec1917d0d25123beb9581253154421e8

SHA512
811a520aa7608aaccc3c27cace8352aa5ce9aa396306207d7aa7c0d7d1b78a5241da30f88f5bbd781bb13fb1f387a366eae981b828dc9fc7a01ef36b5bd6e6c5

Download Submit
memory/228-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/504-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-601-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-636-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-646-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-648-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1908-613-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-607-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-617-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-631-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-625-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-640-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-605-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-644-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-634-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-642-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads