684a77ca59109e021d1690d4547c2c2b0bf0d432ab7a3f5513ab4c67a4ec7672

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8bb8bb22cda0909fd58777a8a701850_NeikiAnalytics.exe
Size

128KB
MD5

b8bb8bb22cda0909fd58777a8a701850
SHA1

459c5d80b46f69fa5329ea33ecce6482cf956bc6
SHA256

684a77ca59109e021d1690d4547c2c2b0bf0d432ab7a3f5513ab4c67a4ec7672
SHA512

336aa50e944e68d27e13139b334916d363f3f65db4fa7f210e972d1da50e6a65c896f4d1452cb3e70058ff4ef4771874fe54d9d66a3ad55e1348c247ff3cb0a5
SSDEEP

3072:XZKjlySyWyqqqzBlTC6BeA+7DxSvITW/cbFGS9n:JuYjXMEAKhCw9n

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b8bb8bb22cda0909fd58777a8a701850_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b8bb8bb22cda0909fd58777a8a701850_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Executes dropped EXE 64 IoCs

pid	Process
4048	Jplmmfmi.exe
404	Jdhine32.exe
2620	Jfffjqdf.exe
3680	Jaljgidl.exe
2064	Jdjfcecp.exe
3792	Jkdnpo32.exe
2404	Jdmcidam.exe
1272	Jfkoeppq.exe
440	Jiikak32.exe
3724	Kdopod32.exe
3580	Kkihknfg.exe
3684	Kmgdgjek.exe
2284	Kpepcedo.exe
1972	Kdaldd32.exe
1468	Kgphpo32.exe
4584	Kinemkko.exe
3740	Kdcijcke.exe
4548	Kknafn32.exe
4112	Kipabjil.exe
4436	Kagichjo.exe
2844	Kpjjod32.exe
1980	Kibnhjgj.exe
4068	Kajfig32.exe
2696	Kckbqpnj.exe
3732	Kkbkamnl.exe
3016	Lmqgnhmp.exe
2184	Lcmofolg.exe
3284	Ldmlpbbj.exe
3396	Lijdhiaa.exe
2272	Lpcmec32.exe
4660	Lgneampk.exe
4408	Lilanioo.exe
4664	Lcdegnep.exe
1680	Lnjjdgee.exe
4772	Lddbqa32.exe
3092	Lgbnmm32.exe
1216	Mnlfigcc.exe
4176	Mgekbljc.exe
2996	Mpmokb32.exe
4676	Mgghhlhq.exe
1672	Mnapdf32.exe
5052	Mpolqa32.exe
3168	Mcnhmm32.exe
4736	Mgidml32.exe
3944	Mncmjfmk.exe
3196	Maohkd32.exe
4272	Mcpebmkb.exe
4788	Mglack32.exe
2280	Mjjmog32.exe
4160	Maaepd32.exe
428	Mcbahlip.exe
3148	Nkjjij32.exe
3308	Njljefql.exe
4576	Nacbfdao.exe
4040	Nqfbaq32.exe
4244	Ngpjnkpf.exe
516	Nklfoi32.exe
688	Njogjfoj.exe
4136	Nafokcol.exe
4004	Ncgkcl32.exe
2188	Nkncdifl.exe
8	Nnmopdep.exe
3540	Nkqpjidj.exe
3444	Nnolfdcn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4104	4260	WerFault.exe	152

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 4048	3024	b8bb8bb22cda0909fd58777a8a701850_NeikiAnalytics.exe	82
PID 3024 wrote to memory of 4048	3024	b8bb8bb22cda0909fd58777a8a701850_NeikiAnalytics.exe	82
PID 3024 wrote to memory of 4048	3024	b8bb8bb22cda0909fd58777a8a701850_NeikiAnalytics.exe	82
PID 4048 wrote to memory of 404	4048	Jplmmfmi.exe	83
PID 4048 wrote to memory of 404	4048	Jplmmfmi.exe	83
PID 4048 wrote to memory of 404	4048	Jplmmfmi.exe	83
PID 404 wrote to memory of 2620	404	Jdhine32.exe	84
PID 404 wrote to memory of 2620	404	Jdhine32.exe	84
PID 404 wrote to memory of 2620	404	Jdhine32.exe	84
PID 2620 wrote to memory of 3680	2620	Jfffjqdf.exe	86
PID 2620 wrote to memory of 3680	2620	Jfffjqdf.exe	86
PID 2620 wrote to memory of 3680	2620	Jfffjqdf.exe	86
PID 3680 wrote to memory of 2064	3680	Jaljgidl.exe	87
PID 3680 wrote to memory of 2064	3680	Jaljgidl.exe	87
PID 3680 wrote to memory of 2064	3680	Jaljgidl.exe	87
PID 2064 wrote to memory of 3792	2064	Jdjfcecp.exe	89
PID 2064 wrote to memory of 3792	2064	Jdjfcecp.exe	89
PID 2064 wrote to memory of 3792	2064	Jdjfcecp.exe	89
PID 3792 wrote to memory of 2404	3792	Jkdnpo32.exe	90
PID 3792 wrote to memory of 2404	3792	Jkdnpo32.exe	90
PID 3792 wrote to memory of 2404	3792	Jkdnpo32.exe	90
PID 2404 wrote to memory of 1272	2404	Jdmcidam.exe	92
PID 2404 wrote to memory of 1272	2404	Jdmcidam.exe	92
PID 2404 wrote to memory of 1272	2404	Jdmcidam.exe	92
PID 1272 wrote to memory of 440	1272	Jfkoeppq.exe	93
PID 1272 wrote to memory of 440	1272	Jfkoeppq.exe	93
PID 1272 wrote to memory of 440	1272	Jfkoeppq.exe	93
PID 440 wrote to memory of 3724	440	Jiikak32.exe	94
PID 440 wrote to memory of 3724	440	Jiikak32.exe	94
PID 440 wrote to memory of 3724	440	Jiikak32.exe	94
PID 3724 wrote to memory of 3580	3724	Kdopod32.exe	95
PID 3724 wrote to memory of 3580	3724	Kdopod32.exe	95
PID 3724 wrote to memory of 3580	3724	Kdopod32.exe	95
PID 3580 wrote to memory of 3684	3580	Kkihknfg.exe	96
PID 3580 wrote to memory of 3684	3580	Kkihknfg.exe	96
PID 3580 wrote to memory of 3684	3580	Kkihknfg.exe	96
PID 3684 wrote to memory of 2284	3684	Kmgdgjek.exe	97
PID 3684 wrote to memory of 2284	3684	Kmgdgjek.exe	97
PID 3684 wrote to memory of 2284	3684	Kmgdgjek.exe	97
PID 2284 wrote to memory of 1972	2284	Kpepcedo.exe	98
PID 2284 wrote to memory of 1972	2284	Kpepcedo.exe	98
PID 2284 wrote to memory of 1972	2284	Kpepcedo.exe	98
PID 1972 wrote to memory of 1468	1972	Kdaldd32.exe	99
PID 1972 wrote to memory of 1468	1972	Kdaldd32.exe	99
PID 1972 wrote to memory of 1468	1972	Kdaldd32.exe	99
PID 1468 wrote to memory of 4584	1468	Kgphpo32.exe	100
PID 1468 wrote to memory of 4584	1468	Kgphpo32.exe	100
PID 1468 wrote to memory of 4584	1468	Kgphpo32.exe	100
PID 4584 wrote to memory of 3740	4584	Kinemkko.exe	101
PID 4584 wrote to memory of 3740	4584	Kinemkko.exe	101
PID 4584 wrote to memory of 3740	4584	Kinemkko.exe	101
PID 3740 wrote to memory of 4548	3740	Kdcijcke.exe	102
PID 3740 wrote to memory of 4548	3740	Kdcijcke.exe	102
PID 3740 wrote to memory of 4548	3740	Kdcijcke.exe	102
PID 4548 wrote to memory of 4112	4548	Kknafn32.exe	103
PID 4548 wrote to memory of 4112	4548	Kknafn32.exe	103
PID 4548 wrote to memory of 4112	4548	Kknafn32.exe	103
PID 4112 wrote to memory of 4436	4112	Kipabjil.exe	104
PID 4112 wrote to memory of 4436	4112	Kipabjil.exe	104
PID 4112 wrote to memory of 4436	4112	Kipabjil.exe	104
PID 4436 wrote to memory of 2844	4436	Kagichjo.exe	105
PID 4436 wrote to memory of 2844	4436	Kagichjo.exe	105
PID 4436 wrote to memory of 2844	4436	Kagichjo.exe	105
PID 2844 wrote to memory of 1980	2844	Kpjjod32.exe	106

C:\Users\Admin\AppData\Local\Temp\b8bb8bb22cda0909fd58777a8a701850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b8bb8bb22cda0909fd58777a8a701850_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\Jplmmfmi.exe
  C:\Windows\system32\Jplmmfmi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\Jdhine32.exe
    C:\Windows\system32\Jdhine32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\SysWOW64\Jfffjqdf.exe
      C:\Windows\system32\Jfffjqdf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3680
      - C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        36⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        65⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        68⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 412
        69⤵
        Program crash
        
        PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4260 -ip 4260
1⤵
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ehifigof.dll

Filesize
7KB

MD5
64e4d498e92da0729cf8126f3d7ad537

SHA1
8d37acfd4dc511a5923d016f417f7972ed18a2f6

SHA256
5a9932f8e510fb8d378f3dd619c15cdbaab71093a63e686446a5d643481a0892

SHA512
1b264cdab15e73aa9ed058bdafaf37366f3a6c9ded7695dd33cfb63de3b12100d5a13b4fe07a963cdb771ab544faa44f7fa38c387b05435a48a840f78026688d

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
128KB

MD5
6e3438fe9b5be3bdba0baba3c67d95d1

SHA1
5587cba8194ab2674cb2e602c6b29ef2acca6d29

SHA256
4a173ae713e559ca4744d77755cb71a3b10a40b59f9df4d5d7669f06f8b7c346

SHA512
19655213274beba753fb408ffac7dba21a903309163126893bf8f0f932a9bf1823797867b98cb9410835457b934b3eeba0ae31920cc4125b47b868f39f6415a4

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
128KB

MD5
6a5b04e43abcec2305028682ecd018e9

SHA1
9242b6ce3924f4451559ecac4fab807da37af630

SHA256
e5ab16e9ec9e25f2f4bc8a91aee558335f97733c80557b04714d89474634d6d8

SHA512
6d70522f94f95c812565348231678057262b807811acd8c43c80a1e7d67316efd5603215fe20c97b0dad54430ee89a1855a973661fcd5f787b5573490e6a738d

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
128KB

MD5
e4896240bc5e7ba7881eecd5bd548090

SHA1
c517f0d8aeee2c5d76989bb281c4e4f9f8bbc62f

SHA256
6fa7f6ec9008d9c7772510f5fc6bb577610e33726898611bb3b0002f85f0c0ab

SHA512
d67588cb3576150ac9290ea7b9d1a43525f8579382c16202d143e3b1a5c319fa8a8cf76fe7d35e249033c56e87fc0f3477d4b7acf0609739211a63ea70144eb2

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
128KB

MD5
0e406241c22c7a3135ebb460a3ff2f93

SHA1
d506ef7d8e30b741fb459b56073446bb4e070be9

SHA256
c4d3448331e04c802e272c3240add7e1fcd8abab0c222aca60c4d96bc3da3db4

SHA512
53c9d9b47ea5bc5220135c890824b492d3ce1ccbeb485ef107f0b5404188553dfacc538698d96d608efe53edffc131f01aa48320ed18cc1a6c356fcae76000b7

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
128KB

MD5
db92eb1fbf2553b6836da66ed28b7285

SHA1
11cca8cb64c8936e3a17c75c4f156cc455568a4a

SHA256
aab8208d6633735c343842257b1f5d27cc31fdf3ba33cf035adc6b9321e1e4cf

SHA512
81e37fd982f57328eb8d14265fcfc94fbe71a264a820d8bea50ef7d0502fce08dd46c4515a7179729cbcc9fd26148d917151f3882c28057c981b0ae16d179104

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
128KB

MD5
0a2b3e36018fa24cbb7190ae9e11db1a

SHA1
3212e8cbae4444e1200ba64a1b3e3db0b42788ea

SHA256
9326c94fa224f07c65885cf385d98c8797ba470781f6a82c07e7cc5d8fc45df3

SHA512
82ca04b8c4823ed4cc0232c68c92cc86644a751f7cf66103bbfec8f06fe9f4699d11fc22238ab901626accef80976f08ce798a9af4925205546c2dd555e25334

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
128KB

MD5
b6d8f53b225154e3dc3963e8a8348ae3

SHA1
69a8fe863c7f4088a56f384a11dbb00576cba88f

SHA256
33be3a6441ab1b7f376ab00b27a545c75ee3387927522cb2dc09f3d0f4b4fb5b

SHA512
50c9413236e38af1278effd6f316add05d713037485039f820a1f48bdb887960a168ed7ef5cc60e3040add8eb346e6ca2eeba421bfa7d73b173afa21befb7c4b

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
128KB

MD5
4381392b5fb84ea8409a0b04f205b5e7

SHA1
2f7362571b6d6d77835b58d0e57ff3116dac3c57

SHA256
0bf6d5750618e7605f22aec6db36c6b4ea67897af6a7af7be98a45b172209369

SHA512
e8f37de45fa449f9ad940a4a648a6e10b623404ec242e476ea35e58c1f672a7660317f2b0b094e8a291a40063535a45500ca0077d6a7a0f2151d5d5faa81f417

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
128KB

MD5
517a87cbf9a4da75255d34a30c1ee7c4

SHA1
d5b41c0e045c2b916b7d95b26968696b85a2e73a

SHA256
be3418fec83bb6a485117f8f999720d355d1b7bd2e398dee5b536c1c70d1ad0f

SHA512
9b51e7724f4d6a3b9fd4e0417d4c4e5ebbd1a8ceb3ee22940384fee276c6c154224cb38f5de4022d3b1edf6e586faa7cc4127e2d911d09f069bb0805f7b22416

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
128KB

MD5
699753fae124ebd9cc79d0deedec2c2c

SHA1
2e47fff28647570afd38e4438c54eeade6c93c68

SHA256
b2a333d866e66f502d089689d05943db93f248627fe5d16ee34d594b96a1ac97

SHA512
dfb06aedd665ed837dd9b23f6db8e2aef3d392230591b5f889100ab7a4487ae7d95c205900ccf46868c259debc024d3acf16eb9247ce056ef2200f30502f17f8

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
128KB

MD5
e9b0a72a37391c7e6ad5bdd45e380e19

SHA1
16e1d9a3ed3702717b7cc0689caaac7249e35c23

SHA256
81fe97a5ef58f2522f208d2e1fb866d3f41731319d1e46b2788f268a56150781

SHA512
72f78059ff0e6834e2b180e46f71681227f1fb4f83afb8d46b6d0448f00c1b1ccad725db0eb59244860f2ae2c5172245c510f4506814f398c223c6e1bf500c8f

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
128KB

MD5
c4802e83659d06aedc6bf82a59b8efe4

SHA1
56b045131c4e72624ad4fb3572115d05c863b1a1

SHA256
53a6c9be4f974ef35042383076140ecce988043ea34c2c9328a8044051acd5fc

SHA512
0ea4cf0823ee411c0d1f292aec3037d533c582cc382e560b88294d7e5a233a8835cdabbc820949c00cbc351712821a1dda69e812234070891d665b29b9cf206e

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
128KB

MD5
a221e2ff84498126f86bc48dc2fd8cf4

SHA1
de8e8476486450085fe6a6f9107d31403d4e7ed6

SHA256
5730e21c71145b65c68a5af7b4509418122573a9abf7f37ea241296f3954c882

SHA512
6435e77bd8b3e0010a8d4741b8080421467f15be6881d076b57b70f4b5e615b3c4e69ab803d1a76de9028f0a9bd7e81500a94cf44827334b3fcc0d12cc3766f9

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
128KB

MD5
2a8c294115c4d851d3012bf7500e5790

SHA1
101f72c7f09e386c1664ce5f7c551a8422bbb6aa

SHA256
9ce8ee56e9c60abcb1066d660628a849b4e29ba6f3afd72252814419b239d3b8

SHA512
8aa1670b507b95b9b792e5244adab99f0aeb375937702a1bdd700215e172de78d521d1ad3ef70d946c83baf738a2f169bc89e1766724a2870707ae0970677056

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
128KB

MD5
bab1be5267d9fd9be65a7cff7f153815

SHA1
c9a48ec813ecf8972f43f4e03c52cdd06f0f6472

SHA256
4553a6aef1ed253b23c573eed85f0bdce2c7b2ebf025a04b4dd3a7e14060512c

SHA512
cf47f9a7cfb0e396d55d3a7e06a2c4fbf33e9c951fb757b53ff47620be2a8b4c14a3f0b60a5fbf30b95aa99b783c1b2e991173ee3dd64a9e22db529c9ad3735e

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
128KB

MD5
b4aec3362245f53ba5127588383e2f8a

SHA1
6244ccc23c9b135f93af55f716e4865f65a9f7d6

SHA256
d73f1a4ae8f69943ad3d08122e073d088bf477f0553769266bb7087e0d5045fb

SHA512
d9485794aa2cc181942ae464a5cabf0d6ad59dcbea747017e520bc974b9b8b3dc4bfd49df0e7c77c3fb0b99e2ce281b5fa8fa9c736d3deebc423bb9ac387b495

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
128KB

MD5
d43771416c7cdfe438ffb8ea42170fe8

SHA1
7558a4bf7b30edeba693d9ac8347e96b8c55058a

SHA256
733cd1ea0c083c66f0ea680ea75dfa90d43f5a2965d964faea8010cc9d9e6a3d

SHA512
25b156086df982aedd60aee38afde68f4fcb1f75149198e3f8815be5289438fbf3fe1d73224685898c9becf65d814faf28d3e7f146049e37fe6ee07c18993887

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
128KB

MD5
aa4998f715eddd80e353c9c6bfb1c2f8

SHA1
ef6bafafd6f0a33e0f1d06409c2d32c6acbb57f3

SHA256
d193493aad69d2fe6eb021f4419ef07475f0722f34733605175ca4c9784d7640

SHA512
98a90d59c01d59a49ffb4a9200c8ddc2a750e97adbce66f5621f351d22ed9e22819817ec4dec396eef3273230bda0e4c511fd17c0bb259cda21db5e0c45ae032

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
128KB

MD5
41816eb395fab55d3c78198a606367e2

SHA1
4cff8e2dd618f3d9fb74cb48987525ecffa75d47

SHA256
99a267439afffc6adf256d115e115474c054869cda546257b4424f641406d523

SHA512
0e77417ada2e09545403ada2d947e22adf3843d0b50a33d4fba215022d4d5abef9019165bbded5a7239f9fcfa0ba7aaf7ef927fd9db43b85245ac281ddd4fb50

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
128KB

MD5
68fec9f9cb459211ec765550f3875b66

SHA1
658c5570e73c3833aa83f03b5763ed4f1335fabc

SHA256
d8e58c35ba7a613d410c5fb904a2d07e3eae39505821a9f18c5b63c3a4d9457f

SHA512
933a7263d560920949a188e2221b0a9357bc78c495062212ef2b83ac6fe643b9c7591272f5253c0d3fbfc8716225157189fb8d7cd78ad6f7113e83db07f8af84

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
128KB

MD5
7b2cd076aff415a6d5e7567d2b38f20c

SHA1
76a18215432b6679535077f19ca8b1582a10c0b3

SHA256
ed29d6dc6fdca9682ed0f2cf44dec66bee2c1e7e1e3dc77a041a6cf04c698b8c

SHA512
2291dc20b7a84cb5b0b707325d2245e19ea2ceec8efeffbc0cc741b9c703caf1a2dfd7387cdf04dcd3370b1b62452225daafbe2c1d4ae3f70122b05a9487c663

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
128KB

MD5
16684c537c7431ec9c0f42da9853c56f

SHA1
13f3664175fa2b8b6d15c35cd45cb44d555d3e41

SHA256
1dc6a25cf63d1d59abc7c26e0187a3512f5bfeeaa07e7221a733621783d35812

SHA512
f0db6469b15f813cd71122d06f0231e2c68ec4da4f27b5100a63d335567bbdb2494c024e44e09bca01bc7e576bab6280a153f1c110cd9d23038f861a2cee5c74

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
128KB

MD5
9ad731317eac55e0cfbf32def7380c95

SHA1
29cef60e62bc380779b4e3a460e8b88f1e22ea7f

SHA256
0521e818db6597bc3708d606a2ee4b7c0b40bf3805586f6806ae227d97402bf5

SHA512
035ccf20fdbeb9ee56eedf204badc82e5dbdf2c4a683ee5e738d9f071198048e8224fedbf6dbd2f048c568e6a3618adce10f559f2fd526df514d06e8d58ab853

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
128KB

MD5
434cd1e4f8bb34f45afe75d8487a8eab

SHA1
a7ab0394921b5572feb9ad229aa301090ab5c535

SHA256
ab2a179a5323ebf2926e9e307771938d577523cd8cd2f8d35b2081bc4fcea47d

SHA512
4e1c2aa7dab13a922077b65d847c00349c7e1d0903b73b4e14abc2ecfb1a6b6888a270919b6650787a8f07e94f91fd41d1b863f8701f4dbb8723543eb70d4873

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
128KB

MD5
dab3dc6e461a1cef4ee4363429028bda

SHA1
d38f2f30130514715cad1e3478df48ec63e22acc

SHA256
aa543fe8fc6e8d7e69d84dda1b9423136b6cfe99945ed49fbbf0c49344f0a2c5

SHA512
ba74c7d647fdf96d42cf80aacbb8597b512d2b407e5cd312ff479a15d45626b5daa820213b2568479c8e9551b11dcae1338e5a0c67344b3de52d5ef89077447c

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
128KB

MD5
74f9e7b6811ff06f3fb6e9bc32d4424a

SHA1
16c0d15a52811f9c11be51bb5132888b5d6239d9

SHA256
648ca4c52c827e04b33f22a42c9783a0814323387c5cb3b72813608849d0250d

SHA512
cd13a50bc20e240e415c2550ec5185175ed284a1f840239e936bd9f9afbed6fc2ef6a2a8c84f9fe2001e18c82e8538764c8d04f58dedcc0f7ca33bc51a6c2c0a

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
128KB

MD5
80e55162f95d0420166591282b5d889d

SHA1
5543f2b2275178c98ceddfcf189820a7622e1c66

SHA256
62eab5c10eb13855b0daeb2ae37817bf69e34e29d53bbb65830213765bb9ce9b

SHA512
8e991a0aa5cd053ee5250cbbbf39159ca02c60b33cdb589a4c10cc2b2cce50cd371b2b797aa46d2059666976e1c384024148544d83ca0221b2c1d85b86925581

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
128KB

MD5
136882c72f7bc8816e657883b47e0970

SHA1
ba99f84f14df831fc35d40d8e55fce6738cb1ed7

SHA256
9a9c48b8fddca14478adf5d48f7cfc7b9bfb4145b3d7f0548ba9cf73c7943ee8

SHA512
57f0ff656c27e547ac966e6910bf561990dc5943d0c6a6946827b15f331bfca04c742a4c569e3c40de959fd3ce4af8e7abed5f42248ed072d212941c9f914bde

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
128KB

MD5
af7e4eb7772d75f11d7fbc4d5a73ce17

SHA1
b5f5750d8fc2b9ad59d55609c0618623105ae9a6

SHA256
31b89458be2c2a8900d145e3d4bc4163f1436256d39f92a082b46ddf281759f4

SHA512
5a9dc4ab78ef47dc69c9d38b967a99c682d9931e8b77119e1dd56d47cd578f8e4bcd04b8fa620a045027f8b98d4fdc149311e0482457c4f294a91d56edd4b61d

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
128KB

MD5
ea0981c8ba3de5cea56401ce971a0904

SHA1
9af61763d1f4ec92db0d1a1708d13d5d4db8dd48

SHA256
03a667619c5f695d4b741d0617a49faf0e5a3922931d606232279bee3d98a287

SHA512
b2a8785446c472a28971ba06ed88d36c8ad12861af54c4d8e22faf9d85888d9a9fc069210d796cc98c6b97637871ab4d5e5e55f2c5077821356d0f22d28317e4

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
128KB

MD5
09ca94a309d325bb1e909b259cf347cb

SHA1
1bbca609498c1e7be95112370394744de440b0b5

SHA256
68cea0c1f2420e819c5295a48eb6b9c72b1ac9e5225e38b167665b060be9ba4e

SHA512
c7122d46bdbe6f677b27f4501f3c1b1e43953e8d943ae13eebf79d8857ec7aef7079fb3a8f7f03f8664a9e62adb39e7d192392dbcca3d21d55c4d6a3d2c53d3e

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
128KB

MD5
5b32949d3f06d6c1aaded0f5895df6d8

SHA1
80269aac015899d00f1f2700e1a5fbe36c2687e3

SHA256
335567d1ab1197a3ddc7d918d3ab2ff4f3411408aa7e91ce89a6ce321e3a96dc

SHA512
fc6c0116d9b1763da2fceaa3038015a58f9c7cffc70a5c8b915b399095dfcba36d8e14bfe39fc88e8c3465abaf63d7c30b08e279703834708e6abb0af8ce8562

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
128KB

MD5
c5d8fde7dc6c268b45e51429e60b44f6

SHA1
262f3b963ff3dfe7f10a7467b8dbeca5313efa1c

SHA256
149932ad7f1d64fb12a84f8e0d5e335b165aeddf72b9f29037c407cc69d20032

SHA512
d5222bed9283912d1d82925181f8e7e2176f85a60308161d2cefc1378119e1a18526d6f4c8070c870e0c27ea2be5278f5af23de88c075cce54feef2b7f07c394

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
128KB

MD5
f3aaf9327031ccd81ab84888038d9836

SHA1
a95917ed5a006da362dd88edf667c3063b53a400

SHA256
bb83805407b43b8e7c2fcf04390f41392a1a708fb696586705d8a9a09f96d894

SHA512
36f6c002dc4d2b35976594097859c654855597fe3a0a69454e6c63d4922efb794bd5f5ef940a42965b9e07d7eedbfcf3046107a849ec2edd94124f3ef0672aaf

Download Submit
memory/8-471-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/8-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/428-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/428-480-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/440-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/688-475-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/688-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1216-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1216-493-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1272-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1468-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-489-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2064-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2124-468-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2124-460-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2184-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2188-472-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2272-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2280-482-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2280-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2844-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-491-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3016-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3092-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3092-494-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3148-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3148-479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3168-487-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3168-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3196-484-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3196-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3284-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3308-478-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3308-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3396-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3444-469-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3444-450-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3540-470-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3540-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3580-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3680-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3684-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3724-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3732-200-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3740-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3792-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-485-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4004-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4004-473-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-476-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4068-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4112-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4136-474-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4136-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4160-481-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4160-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4176-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4176-492-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4244-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4260-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4260-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4436-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-477-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4660-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4664-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4676-490-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4676-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-486-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4772-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4788-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4788-483-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-458-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5052-488-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5052-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads