99f20d158e2d2a5884b6d5dec5eb810a5d13e5650fecf9110fc24f6f9f82a186

Analysis

max time kernel
92s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe
Size

79KB
MD5

68ecb8ff9b608c4d591a2e16b817be00
SHA1

c6fc0935bd8c09b0ca0d8b97b05ec6414118a4cf
SHA256

99f20d158e2d2a5884b6d5dec5eb810a5d13e5650fecf9110fc24f6f9f82a186
SHA512

1b57cdf91330e6e1b54b828027d274d4595f924cedb92ae3b7a029261af71371e074fb4f244df6fe9147b681e4e65b65fc9bf7818c51f9dc78cc6ea1de085c3d
SSDEEP

1536:m7wssS9SKf51GbB5bnKjWi0qEmd6A1qUEQXiFkSIgiItKq9v6DK:MwplQ1Gd5QWi0qEmd6A1qUE+ixtBtKqr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe

Executes dropped EXE 52 IoCs

pid	Process
3076	Ijhodq32.exe
1920	Idacmfkj.exe
4732	Ifopiajn.exe
1036	Iinlemia.exe
2056	Jaedgjjd.exe
2208	Jdcpcf32.exe
4788	Jmkdlkph.exe
792	Jpjqhgol.exe
2340	Jibeql32.exe
3100	Jbkjjblm.exe
900	Jaljgidl.exe
2980	Jdjfcecp.exe
1888	Jigollag.exe
2556	Jpaghf32.exe
4224	Jkfkfohj.exe
3060	Kpccnefa.exe
972	Kilhgk32.exe
5012	Kkkdan32.exe
4144	Kbfiep32.exe
4016	Kipabjil.exe
3380	Kcifkp32.exe
4536	Kajfig32.exe
1148	Lmqgnhmp.exe
4472	Liggbi32.exe
4068	Ldmlpbbj.exe
4836	Laalifad.exe
60	Lkiqbl32.exe
3292	Lpfijcfl.exe
3936	Lgpagm32.exe
3284	Laefdf32.exe
5044	Lddbqa32.exe
3232	Mnlfigcc.exe
2256	Mciobn32.exe
3820	Mnocof32.exe
4384	Mdiklqhm.exe
2760	Mjeddggd.exe
620	Mpolqa32.exe
2540	Mkepnjng.exe
4756	Maohkd32.exe
2608	Mcpebmkb.exe
4484	Mpdelajl.exe
4556	Mgnnhk32.exe
4988	Nnhfee32.exe
5020	Nqfbaq32.exe
3348	Njogjfoj.exe
3344	Nqiogp32.exe
1912	Nkncdifl.exe
2564	Nbhkac32.exe
4116	Ncihikcg.exe
2512	Nkqpjidj.exe
1164	Ncldnkae.exe
3372	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nphqml32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4532	3372	WerFault.exe	132

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 3076	4672	68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe	80
PID 4672 wrote to memory of 3076	4672	68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe	80
PID 4672 wrote to memory of 3076	4672	68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe	80
PID 3076 wrote to memory of 1920	3076	Ijhodq32.exe	81
PID 3076 wrote to memory of 1920	3076	Ijhodq32.exe	81
PID 3076 wrote to memory of 1920	3076	Ijhodq32.exe	81
PID 1920 wrote to memory of 4732	1920	Idacmfkj.exe	82
PID 1920 wrote to memory of 4732	1920	Idacmfkj.exe	82
PID 1920 wrote to memory of 4732	1920	Idacmfkj.exe	82
PID 4732 wrote to memory of 1036	4732	Ifopiajn.exe	83
PID 4732 wrote to memory of 1036	4732	Ifopiajn.exe	83
PID 4732 wrote to memory of 1036	4732	Ifopiajn.exe	83
PID 1036 wrote to memory of 2056	1036	Iinlemia.exe	84
PID 1036 wrote to memory of 2056	1036	Iinlemia.exe	84
PID 1036 wrote to memory of 2056	1036	Iinlemia.exe	84
PID 2056 wrote to memory of 2208	2056	Jaedgjjd.exe	85
PID 2056 wrote to memory of 2208	2056	Jaedgjjd.exe	85
PID 2056 wrote to memory of 2208	2056	Jaedgjjd.exe	85
PID 2208 wrote to memory of 4788	2208	Jdcpcf32.exe	86
PID 2208 wrote to memory of 4788	2208	Jdcpcf32.exe	86
PID 2208 wrote to memory of 4788	2208	Jdcpcf32.exe	86
PID 4788 wrote to memory of 792	4788	Jmkdlkph.exe	87
PID 4788 wrote to memory of 792	4788	Jmkdlkph.exe	87
PID 4788 wrote to memory of 792	4788	Jmkdlkph.exe	87
PID 792 wrote to memory of 2340	792	Jpjqhgol.exe	88
PID 792 wrote to memory of 2340	792	Jpjqhgol.exe	88
PID 792 wrote to memory of 2340	792	Jpjqhgol.exe	88
PID 2340 wrote to memory of 3100	2340	Jibeql32.exe	89
PID 2340 wrote to memory of 3100	2340	Jibeql32.exe	89
PID 2340 wrote to memory of 3100	2340	Jibeql32.exe	89
PID 3100 wrote to memory of 900	3100	Jbkjjblm.exe	90
PID 3100 wrote to memory of 900	3100	Jbkjjblm.exe	90
PID 3100 wrote to memory of 900	3100	Jbkjjblm.exe	90
PID 900 wrote to memory of 2980	900	Jaljgidl.exe	91
PID 900 wrote to memory of 2980	900	Jaljgidl.exe	91
PID 900 wrote to memory of 2980	900	Jaljgidl.exe	91
PID 2980 wrote to memory of 1888	2980	Jdjfcecp.exe	92
PID 2980 wrote to memory of 1888	2980	Jdjfcecp.exe	92
PID 2980 wrote to memory of 1888	2980	Jdjfcecp.exe	92
PID 1888 wrote to memory of 2556	1888	Jigollag.exe	93
PID 1888 wrote to memory of 2556	1888	Jigollag.exe	93
PID 1888 wrote to memory of 2556	1888	Jigollag.exe	93
PID 2556 wrote to memory of 4224	2556	Jpaghf32.exe	94
PID 2556 wrote to memory of 4224	2556	Jpaghf32.exe	94
PID 2556 wrote to memory of 4224	2556	Jpaghf32.exe	94
PID 4224 wrote to memory of 3060	4224	Jkfkfohj.exe	95
PID 4224 wrote to memory of 3060	4224	Jkfkfohj.exe	95
PID 4224 wrote to memory of 3060	4224	Jkfkfohj.exe	95
PID 3060 wrote to memory of 972	3060	Kpccnefa.exe	96
PID 3060 wrote to memory of 972	3060	Kpccnefa.exe	96
PID 3060 wrote to memory of 972	3060	Kpccnefa.exe	96
PID 972 wrote to memory of 5012	972	Kilhgk32.exe	97
PID 972 wrote to memory of 5012	972	Kilhgk32.exe	97
PID 972 wrote to memory of 5012	972	Kilhgk32.exe	97
PID 5012 wrote to memory of 4144	5012	Kkkdan32.exe	98
PID 5012 wrote to memory of 4144	5012	Kkkdan32.exe	98
PID 5012 wrote to memory of 4144	5012	Kkkdan32.exe	98
PID 4144 wrote to memory of 4016	4144	Kbfiep32.exe	99
PID 4144 wrote to memory of 4016	4144	Kbfiep32.exe	99
PID 4144 wrote to memory of 4016	4144	Kbfiep32.exe	99
PID 4016 wrote to memory of 3380	4016	Kipabjil.exe	100
PID 4016 wrote to memory of 3380	4016	Kipabjil.exe	100
PID 4016 wrote to memory of 3380	4016	Kipabjil.exe	100
PID 3380 wrote to memory of 4536	3380	Kcifkp32.exe	101

C:\Users\Admin\AppData\Local\Temp\68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68ecb8ff9b608c4d591a2e16b817be00_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\SysWOW64\Ijhodq32.exe
  C:\Windows\system32\Ijhodq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\SysWOW64\Idacmfkj.exe
    C:\Windows\system32\Idacmfkj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\Ifopiajn.exe
      C:\Windows\system32\Ifopiajn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:620
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        54⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 400
        55⤵
        Program crash
        
        PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3372 -ip 3372
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
79KB

MD5
11147bfb4ad332a38d46900cc9560eaf

SHA1
47c20dbf8a3bafdfe0e3b71679e5c7b4674b1636

SHA256
a5168fa67bfe5a2b83c6f35a78d46ee9e2668903c9bf3c5e81a6b18db63cc39d

SHA512
2c54b3631c6bf48faedde2fb44b686dafca16470ba3b46db001ee065840ab886c076a37b80ce27861bc5371789ee66f13a3be117679a7c6be075589da8ae1a86

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
79KB

MD5
98e8b281f0865062ed3c1a8cdb4f2e87

SHA1
1385647b189cbc7f4a2b8c9d6e43168cca40f37b

SHA256
40b32e9d27f3a7e6a4f7e445862f445a179c1b2e9261d0474295bd640e727372

SHA512
6ecf3e113f636090eb7e5935a0bddc99c8441c12cd71d088fce20406aa312f641f45f111ba281e31d6ca4ab65f04ac83cf83a0dc4974d6a33326e0192443a8ab

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
79KB

MD5
db1022e0fa565ec0d079d72f0af557e1

SHA1
1cc97e86a2c38ee813f81d3473747923b9210fe9

SHA256
9ce00132577ad596ca4bc3ddb5aad411c5c7e0d603eb8b33651c29e5899ffe50

SHA512
1cb7d6d9e5a3505ba7ad563544a7da8f04b9f8fc26fadc3971c964f72b85ada59fd84c2715082970561472e455780cbdce22d2db25b262c72e077382f41888a1

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
79KB

MD5
0d8106662d42dd32294af9b86f26f1de

SHA1
8c845a2b20c537634bae14ffc63104bec66c8e02

SHA256
69fe39cb40ee31292bac7be222b5c1132ee341b5ba9a5a5861cee2049fa4e9e3

SHA512
aca310a2f5027032039b403abb9ba5bd08f17309d3fb39f8b0208cb6084ff4a6a30eba4b2cc91330a4b6d70eb9b5f8c9be4e0ee899bfe6263a62cf848a83c56a

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
79KB

MD5
9534532a6fa6e965ad1a617c9d014a34

SHA1
47ae648036e458067492d282e72e79b585dbd32d

SHA256
0259172464d5a3ca75943360410f9f597d35c0d24436e997266be6dcba4a6e5e

SHA512
a58d6ea5d0a486aab9ae45fb883dee4ff2a58a28907b2106a9059e25b4b2e047dd55dd84a1e3d3ef384dd1faae914a32ad31248e152f9e59da17716d1a174938

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
79KB

MD5
a534f8f327fc196a2fccc98310c07e2c

SHA1
3884d1b6492bce28f14a525890cd8d90b5638f81

SHA256
848ea88c16ec025263fb7628f5dd925c883ee2e2b01aadcc9b3c2e00e029136e

SHA512
0c0183f0f9a639fefb1896c9c67f6d9c0fe0c20b41faea256fa1f7b2ec2e12fe3add640638479d0cc8cdf03a5f3852407bd967a98f7233f075428ad149e0ef39

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
79KB

MD5
d13ccbfd85d99bb06a1071141c7cbacd

SHA1
77fb4739923b27928cdb95070a69839fd64bf210

SHA256
b015e7ef5e4d34eb93bfd235f467abbd6e13bba69bedbd5431797a36b3d3064c

SHA512
80bb9d4cadfd4201f566663a13d5faac7fcaa1fb459db0854cdaaee0f1ff4c888ed5e3340cea25ac76403a6ceba6ceca9bb164a6ac3a37ab4d8c642fa43c22f6

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
79KB

MD5
66208faf8009b743ce3a4c40c8379179

SHA1
81d2e36bc54969c29ba72c42f40a1e28e9ef71f5

SHA256
68aa2cdc1bf5f5daebda438d9f56b8a8b2256ecf4b509d8d8f383eb97a903610

SHA512
60530ea3ef30b05e9f8351276bc267fa0376955d8a7f5dd0826db4f563266e6a00d3b6f95be28df11dd15a0d0b29aca73ff2d4c56d99be0768fe35f8b2c13949

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
79KB

MD5
7265c6c2ab983c4ec6034adea5cb3248

SHA1
7d7d582cf4e76199c6b7f108be5058826dfc54d9

SHA256
603eb8ceadba6780c804a252018cfc3e73ba91df5e57b464f42e96afee3f8c80

SHA512
e4cf4dd63ae942a3c3bd3ed1ee411e44dfe4b72cb1e9969f83043805969a3f2236f0427f05f1cea62ba12b1e899093ac03dc0c0de9e8817a3de4a05db336945b

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
79KB

MD5
db863290c1fc332cb7661ad8d0c032fb

SHA1
83abc123c01ab2058cb42b84c07f02a6e84bc74b

SHA256
22aea778d2c88bf9591d8887bfdb019692ae1896b6926773bb654544ff56f74f

SHA512
3baa64ebc213761996fd842eb1b4db700c4bc1cd9be2c0147424f83aa3a3ef25f165683a225abc7a9eedf49a63a28a3236d58697bd2f89e6ea7180fc4a99360e

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
79KB

MD5
49159860f3eba6f97ed6236484edd11d

SHA1
fecf28c447a34c3f406c496c1dc6830f00ea7cd4

SHA256
32cc521fa25be093ddd3cdd24bf10785fcca86ce18c0350b542d0149a57a8595

SHA512
7a8b2fca1dff527a0992b256c442bde8686e9369ce2615eebcca997cda18c204867878640d96a4d605dc1a595f8ef0c26433555218de516d5ed44ee5e51e2aec

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
79KB

MD5
0975d00c11b9ec23a730541aff51b8f7

SHA1
7780c75631b3a15dba29f0fbef7d21fde279dbf4

SHA256
5dc94eb9106d975136160c30ce0bd0c56abaf00d6a0e1dafc0ae39df9bdbf3f1

SHA512
7c8e2cae3428623de39c92a45df06891873e9c84a7c594c7d4412c68ac4f63b220164636da09a81af4647e0518f2ea621c366e2f3d86b1e245ab6fd5ee07e5a1

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
79KB

MD5
1c7231504438c94b2446727fdef43c41

SHA1
e52d9099ffbdba68a97df7bd0be8bb1a54a9a0ac

SHA256
f6e84f1297ad0bf27248d9dd30ec3c40143bfc3a81db296bf7a4f827d835a17f

SHA512
e53f1fbcea03279867df99d5469712ae86c9e5f39bebe3aec17f30dfc086eb61ab555314ad01b6fd67885f2112f7e85b0cdc3e54edbe805ced0931ef1527fcad

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
79KB

MD5
6d3f1a1bdc15ce6ad39a89e15f44968f

SHA1
a049b3e6beeead4eb7584acadb7ac26396fa9687

SHA256
6da235537fc8e5e8adbd8b472dabee4997555ff05171426fa898c53cf4a68cb7

SHA512
f8bd841bbdb0287d2e946bd653eb96f905003bbcbed08ec3a96676eaf5205a64c422f442f1273cb592510a29b19616722b9f245550201b2c118a4cac9a135df4

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
79KB

MD5
6344354e23bed9413e36cc9a66df9463

SHA1
10da94c5c06d6ef7838c6b88522514ae38651acf

SHA256
7c26f77f39598b0c5a73d3d4d7b20d7e9d724e7bbad55e1f36c0064943d21992

SHA512
6b91eb46b42cbe389bac6015cd9923cc6976a1bbed789c596ceb4fbfad4fe66796eea4519f1b1978cfc901c7d1bf07eec867de99a9734672b0b9f86ba270e6e8

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
79KB

MD5
40b09e87ddd54f48e83fa895ff97c5ff

SHA1
ed20a0de3b221e07be77c94a06f0d15845c9a0a4

SHA256
70fd53b3f328ad0f23dded3680d813b17a2d3ba17572b5274179ad3441a4fc4f

SHA512
8a6c5ac7b88f348bc12690a3a3b31da8d46474a639e8be070349da492a1db50e0c89cd6d03ac92efebf6bbfdb9826cc6f4a9aded6d4d6a22c148ebe8c628263e

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
79KB

MD5
dd0250260295663d9968de6c80f72d41

SHA1
3461466d60bf9be0a329ea93bf6b1e33d52dac2b

SHA256
7e34ffd9f236593caf576765922134a6e7730091b07fe9f98d897d07762dbdd4

SHA512
fd67c18a2ab8b8686203887fd4a0a0db1844bf9fa077436159233858dec5f3bed4b73ce47b0539447f319880dce8e5df4e72491a5101001fb4c0c414f72dc292

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
79KB

MD5
20a82613e11dd5554191afbae6b3c848

SHA1
e1132a468fa527696cfa3d59730a7e734bd088a2

SHA256
48d4fda3b9dab6a0d50a41a93f1310a79040f4725b71ab6fca812afe59cf7896

SHA512
1d1670dfa884d60c9de0e085383322f8220c97d555b00f01320c212dc3146f2a275ed3d3b7eba99522dfcde5f06a9089b002a0609cd85dbbd470028f16671460

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
79KB

MD5
03befc13d775895bf64faba07822a04c

SHA1
091c303f1e8de1190482bd5ef1548502c3596e8d

SHA256
2be38d32a6bf0bebd56365014a6ec21a2bceb96d914d9d9d99f64f0fa936c605

SHA512
5aacd8f94cbc80d0da37215aff3dda287c844de5aa4d5ebbecbdf504841908cbac2f70c44e29aa82968ffb5e336425d22b66e97cc7fa29c575e32cab3dcb238e

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
79KB

MD5
0e365d2da1d2eb2bea8d46126c4f7950

SHA1
c41410b75e45b6b01cd338e1baf42984e8dddb28

SHA256
e2f230fe57e869923bd4df70bc0a7f83a6578b304ffad12f4b983b7e99a22bf4

SHA512
26bd115c4133cf30b8a0d8aee59a8a757409b717268e78ea318fadbe96bbfe0c9b686c779ad1888791c823794ac56bac08ce6cce2a93b8d272414e5f80432aa0

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
79KB

MD5
255b06535349eb860df1371477c4942d

SHA1
fe1de1a08aa964896a247e3bc0506562e55c6611

SHA256
4a92819a9943e1b11b5d01f35e5d649f8a97f42be7ff710f83e5f3dd7266f091

SHA512
aaaeef3e5cf72e02d416662d90df0ab0244b0f3355a4c2f884c5991fa42a4da24c1fd4797e539953ba8c2ada8600902f9d9d760f98eb76bcb2e0488e461d560c

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
79KB

MD5
9136c4a11aeb92f718ac33983349de7c

SHA1
a19510546a8b1967c1101951c742c283184d7c59

SHA256
d75ade52bfc808140898fbde040d2120cf5616f49288efa1cb1421ad75bc38dc

SHA512
6b0b6ae511d5e4567243cf99f639e42ab794b12fe334a4e9318009ba63b92a8029802c8079918be72cd4c663f5abdf543fab1835c63d19378e6f913a7540a2da

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
79KB

MD5
2ebb744a8c94f7471fa1f3d541dbdef4

SHA1
a55438781b2c270b7c520d02de62ce310a3e18c2

SHA256
3e4f009db4588a5f14991645fdcc8b4faeeb2efdc90d701eafe661ca5e1447b5

SHA512
29963e587ade91f8e47184476a1864db3e7fb9019dfbe2be9f04c6b2a7cbf1aa09baaec9740b2352d744fd60d6d74ec128c378b2b233e0fe4f0ea7de015d9980

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
79KB

MD5
20e9d5accc3b98c82b278f063cb6c756

SHA1
813c572305244cd4d9266c949dcc85139c31e8ca

SHA256
be1ca66b770481183339bc0b8aadf94b26b3d412f09af463286875f4a1e88c2b

SHA512
c45c52fc71b11b1718b53284a63ba50e7b5c6be381ad6e42c124d786e2065a2a4f8253f73fb24eca79cb28aede5a9e9c6d89eaad2d3d519a1b83343244aa7047

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
79KB

MD5
888d9de01c2c67053b633c180a21421c

SHA1
9d3cf80f85ba3d52d6cd1703877e304484f2124f

SHA256
5421c787b89760deeb1be6e773da23e797208fbe9bf8d569c07336ad40637666

SHA512
d59dc0cbc77874dd0565f9af4c772b6180bb1608d34519ee9502a9e119fbed1941b440db66766ad0652a0f7d83491eff3d17ea35ec62b180edd88215ef0b5e0d

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
79KB

MD5
9fab00538bb4b7270d8540b6323729e3

SHA1
295bbc0236672a55ebd407d0c3fb3568aa340d25

SHA256
e94039ff448b7d832583255e4e705c775f56669fb6be60e6bcf6b73bd4c91336

SHA512
db93eae2039214494539cb6aeede6a4bacdaa34d936f9199065237dab2647e528212e2edfb71ca799f8eacb20502e22e4fadc3e3f4fb483ebf3a04e0f9daccb5

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
79KB

MD5
4e01162bd17e5ab83f49e5c5dc87acbd

SHA1
7d60b236541f938cc018f40351dcd016c4a781db

SHA256
ca028b789ddfb63a86bd14e8402bfe2e6223dc9f26a4c568a0c7c2229c1d5af5

SHA512
a92390a002fc373728a77722827a61481485a675313e743e108d73de43f81994f048d380ab6c21a9a335c45a0887d5a2537d82ec902c4f1e1e762150d8aa6973

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
79KB

MD5
48a310d1f378c7f222e88270ea5f2b91

SHA1
9705ca7517a2e31d8840e9dec829bcbd92f7f3fd

SHA256
32f0fb94838b0c5fc207a1ca2fcffa2bb4a04b8fc62bfb60a5d4c57d7ed8d313

SHA512
f54bb4a6dabd85f10e47f61534af29b2ddf1d09b855432731a16724d5e9f33ba5694efad8a2cee2280666bd6a99064f147c893452d071fe6e06c6ad40123124a

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
79KB

MD5
1d324ffdf3cf6431d994e62532edddaf

SHA1
11db47933333368b850a3fe06d3ba3bafb2e290e

SHA256
2d8229b7b78a3ba94d116c2f0611dfb102f9601d51446aa02f375e3a53300913

SHA512
6827597b51e66a63275f6d69c3fe069462819577cd83d9b97a1d7581cb2724d258db10d27b4021bb1c5d9793e9ad0dd5ef6a6e27907aa7d94991f84b131dcec5

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
79KB

MD5
7c64800b5b40fa4107b0025f26d3f705

SHA1
e501c69a09d75f31fa9bf18b67ecc1ea964637c6

SHA256
5185fdceadd8b07d789cd37437d01effc24b3d765a8406819a3f5749a376ce2b

SHA512
a17caaee2582245ad932023b42373a34bae21f82d042db182819020cb7e97e849c35ed3ad33e817e3a02f8d83a1fef9ef983d559dd3421edddf7dfdb7ec1d669

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
79KB

MD5
7ef39b623bcac402fb7143041d482c25

SHA1
3edde1549b2e935007ac0b5057853382bdaf4cbe

SHA256
768446b22e887be97be909f076261bc8244888356b49646dbf645503edcf2b7b

SHA512
1b187427e2067cbf2374023d7c204cb219d15803d5c0d6a8537a65d70f2784fdc2c1473e828696d53e8c9ac92b947f437a2493c82bf9dcf263bd640f2bc860f3

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
79KB

MD5
d5db23d3c8fc2abcdfc96891d4fdaab7

SHA1
88f7593681ccd279ab5bcb6ad4fbcef912665a38

SHA256
6acea27088f05781edcea6222d13132e2e51abc3b304dd5f95b8d0f0b3dee384

SHA512
4e29974f896f4f87c610eb0ee30c05189b270dbab5b4de010278780abdcdb6b1dd5fb8e0f6021c9723879de2a9a2cad8b108636d4894c3d5ebdc5f3ba6ce8f86

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
79KB

MD5
7aead7716949e378e616783bc9bd8c84

SHA1
e3ae2475e0bb598f18cd73755f56304dbcdda200

SHA256
5c3b9a8120533105a05535bdb464eb28d00aae7c7a6b16a88c7eb1482b0b5d82

SHA512
4694fea7170896f4191e300bb115264593ebcfd984667c5dc762d614e76c990767304ff9041a8579a2a9edc0d4a54d3f2e8f35073c09415800b698061bd022e4

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
79KB

MD5
e7a6934bb182bd63ced6c5b5cf85bbd7

SHA1
45b3082cdb0f7fba1df3df86865f3aec345a2abe

SHA256
2051e523504e26aece53e36d2345fcbfc24e9ea9c05210cabcaab06a13e153c8

SHA512
6329b5f5818840debe4e9ca57e4f7c411088b003cb0a1884253a8dd4e2d072f0c5a020ce2a63231a2e5a2ea01c30c6a4182f783ecb6324bb23647ac3f246955c

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
79KB

MD5
57fce8299fb14609da50d14142c480f5

SHA1
d50a7e9adaabaf0ef452549fd9d9a1b0b34d3ec5

SHA256
755f3e73fff6c2af500aaf5e1c78640a8ad854745fc74a38e094023c9ee030c1

SHA512
7ce40fd322b63e43cc37d00ed5712159a98071da48d4299869dfb05d8ce8061664211b2dd20051d6f7e85655b1bcaad2c9732921cbabd1c02cf33bc78620caad

Download Submit
memory/60-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/60-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/792-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/900-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1148-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1148-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3232-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3232-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3820-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3820-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4732-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads