82582d6199eda4947228dacdaaa018476d9daf5bf519f03fc712ed2c052108d3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cff6ae620497cb1c60a62238dd9380e0_NeikiAnalytics.exe
Size

243KB
MD5

cff6ae620497cb1c60a62238dd9380e0
SHA1

057acb639727fa8eb8f384a65649d4f228e9df35
SHA256

82582d6199eda4947228dacdaaa018476d9daf5bf519f03fc712ed2c052108d3
SHA512

d978abf5950b31fa59a08b3e48d9cff13409876ab63db0791401d0052807e43c1c2e03ca6efdf34a0fbcb3a0418595482612261fa8673a3287d20a11c64ede91
SSDEEP

6144:BMj+ZKzwesDzjhZAKqDuvlU2zlNgwTnAWtlhjQ:BXzliol5LhDAalhj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe

Executes dropped EXE 64 IoCs

pid	Process
3612	Jjbako32.exe
3100	Jmpngk32.exe
2948	Jbmfoa32.exe
2920	Jfhbppbc.exe
3936	Jangmibi.exe
5112	Jpaghf32.exe
1428	Kmegbjgn.exe
1616	Kdopod32.exe
2180	Kmgdgjek.exe
2900	Kpepcedo.exe
904	Kkkdan32.exe
5068	Kphmie32.exe
3672	Kbfiep32.exe
1652	Kgbefoji.exe
4692	Kagichjo.exe
4508	Kdffocib.exe
4264	Kcifkp32.exe
1808	Kkpnlm32.exe
2444	Kckbqpnj.exe
3856	Lmqgnhmp.exe
4016	Lcmofolg.exe
5104	Laopdgcg.exe
4084	Ldmlpbbj.exe
3168	Lgkhlnbn.exe
2980	Lkgdml32.exe
3652	Laalifad.exe
384	Ldohebqh.exe
1168	Lilanioo.exe
4024	Lcdegnep.exe
3324	Laefdf32.exe
2044	Lddbqa32.exe
1272	Lgbnmm32.exe
2268	Mnlfigcc.exe
3548	Mgekbljc.exe
4588	Mjcgohig.exe
4712	Majopeii.exe
1524	Mpmokb32.exe
3172	Mgghhlhq.exe
1980	Mkbchk32.exe
3740	Mnapdf32.exe
1512	Mpolqa32.exe
3468	Mdkhapfj.exe
1836	Mgidml32.exe
4820	Mjhqjg32.exe
4256	Mncmjfmk.exe
1920	Mpaifalo.exe
3496	Mcpebmkb.exe
832	Mglack32.exe
5076	Mjjmog32.exe
1040	Maaepd32.exe
3484	Mdpalp32.exe
2284	Mgnnhk32.exe
1772	Nnhfee32.exe
2272	Nqfbaq32.exe
2228	Ndbnboqb.exe
3332	Nklfoi32.exe
1936	Nnjbke32.exe
2156	Nafokcol.exe
2096	Nddkgonp.exe
4452	Ncgkcl32.exe
4520	Nkncdifl.exe
5116	Nqklmpdd.exe
3436	Ngedij32.exe
716	Nnolfdcn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	cff6ae620497cb1c60a62238dd9380e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4956	1348	WerFault.exe	155

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cff6ae620497cb1c60a62238dd9380e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cff6ae620497cb1c60a62238dd9380e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 3612	4472	cff6ae620497cb1c60a62238dd9380e0_NeikiAnalytics.exe	83
PID 4472 wrote to memory of 3612	4472	cff6ae620497cb1c60a62238dd9380e0_NeikiAnalytics.exe	83
PID 4472 wrote to memory of 3612	4472	cff6ae620497cb1c60a62238dd9380e0_NeikiAnalytics.exe	83
PID 3612 wrote to memory of 3100	3612	Jjbako32.exe	84
PID 3612 wrote to memory of 3100	3612	Jjbako32.exe	84
PID 3612 wrote to memory of 3100	3612	Jjbako32.exe	84
PID 3100 wrote to memory of 2948	3100	Jmpngk32.exe	85
PID 3100 wrote to memory of 2948	3100	Jmpngk32.exe	85
PID 3100 wrote to memory of 2948	3100	Jmpngk32.exe	85
PID 2948 wrote to memory of 2920	2948	Jbmfoa32.exe	86
PID 2948 wrote to memory of 2920	2948	Jbmfoa32.exe	86
PID 2948 wrote to memory of 2920	2948	Jbmfoa32.exe	86
PID 2920 wrote to memory of 3936	2920	Jfhbppbc.exe	88
PID 2920 wrote to memory of 3936	2920	Jfhbppbc.exe	88
PID 2920 wrote to memory of 3936	2920	Jfhbppbc.exe	88
PID 3936 wrote to memory of 5112	3936	Jangmibi.exe	89
PID 3936 wrote to memory of 5112	3936	Jangmibi.exe	89
PID 3936 wrote to memory of 5112	3936	Jangmibi.exe	89
PID 5112 wrote to memory of 1428	5112	Jpaghf32.exe	91
PID 5112 wrote to memory of 1428	5112	Jpaghf32.exe	91
PID 5112 wrote to memory of 1428	5112	Jpaghf32.exe	91
PID 1428 wrote to memory of 1616	1428	Kmegbjgn.exe	92
PID 1428 wrote to memory of 1616	1428	Kmegbjgn.exe	92
PID 1428 wrote to memory of 1616	1428	Kmegbjgn.exe	92
PID 1616 wrote to memory of 2180	1616	Kdopod32.exe	93
PID 1616 wrote to memory of 2180	1616	Kdopod32.exe	93
PID 1616 wrote to memory of 2180	1616	Kdopod32.exe	93
PID 2180 wrote to memory of 2900	2180	Kmgdgjek.exe	94
PID 2180 wrote to memory of 2900	2180	Kmgdgjek.exe	94
PID 2180 wrote to memory of 2900	2180	Kmgdgjek.exe	94
PID 2900 wrote to memory of 904	2900	Kpepcedo.exe	95
PID 2900 wrote to memory of 904	2900	Kpepcedo.exe	95
PID 2900 wrote to memory of 904	2900	Kpepcedo.exe	95
PID 904 wrote to memory of 5068	904	Kkkdan32.exe	96
PID 904 wrote to memory of 5068	904	Kkkdan32.exe	96
PID 904 wrote to memory of 5068	904	Kkkdan32.exe	96
PID 5068 wrote to memory of 3672	5068	Kphmie32.exe	97
PID 5068 wrote to memory of 3672	5068	Kphmie32.exe	97
PID 5068 wrote to memory of 3672	5068	Kphmie32.exe	97
PID 3672 wrote to memory of 1652	3672	Kbfiep32.exe	98
PID 3672 wrote to memory of 1652	3672	Kbfiep32.exe	98
PID 3672 wrote to memory of 1652	3672	Kbfiep32.exe	98
PID 1652 wrote to memory of 4692	1652	Kgbefoji.exe	99
PID 1652 wrote to memory of 4692	1652	Kgbefoji.exe	99
PID 1652 wrote to memory of 4692	1652	Kgbefoji.exe	99
PID 4692 wrote to memory of 4508	4692	Kagichjo.exe	100
PID 4692 wrote to memory of 4508	4692	Kagichjo.exe	100
PID 4692 wrote to memory of 4508	4692	Kagichjo.exe	100
PID 4508 wrote to memory of 4264	4508	Kdffocib.exe	101
PID 4508 wrote to memory of 4264	4508	Kdffocib.exe	101
PID 4508 wrote to memory of 4264	4508	Kdffocib.exe	101
PID 4264 wrote to memory of 1808	4264	Kcifkp32.exe	102
PID 4264 wrote to memory of 1808	4264	Kcifkp32.exe	102
PID 4264 wrote to memory of 1808	4264	Kcifkp32.exe	102
PID 1808 wrote to memory of 2444	1808	Kkpnlm32.exe	103
PID 1808 wrote to memory of 2444	1808	Kkpnlm32.exe	103
PID 1808 wrote to memory of 2444	1808	Kkpnlm32.exe	103
PID 2444 wrote to memory of 3856	2444	Kckbqpnj.exe	105
PID 2444 wrote to memory of 3856	2444	Kckbqpnj.exe	105
PID 2444 wrote to memory of 3856	2444	Kckbqpnj.exe	105
PID 3856 wrote to memory of 4016	3856	Lmqgnhmp.exe	106
PID 3856 wrote to memory of 4016	3856	Lmqgnhmp.exe	106
PID 3856 wrote to memory of 4016	3856	Lmqgnhmp.exe	106
PID 4016 wrote to memory of 5104	4016	Lcmofolg.exe	107

C:\Users\Admin\AppData\Local\Temp\cff6ae620497cb1c60a62238dd9380e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cff6ae620497cb1c60a62238dd9380e0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\Jjbako32.exe
  C:\Windows\system32\Jjbako32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\Jmpngk32.exe
    C:\Windows\system32\Jmpngk32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\SysWOW64\Jbmfoa32.exe
      C:\Windows\system32\Jbmfoa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        30⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        48⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        61⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        70⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 408
        71⤵
        Program crash
        
        PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1348 -ip 1348
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jangmibi.exe

Filesize
243KB

MD5
cc8534827f04fd73eb8979e5618e13a1

SHA1
e753cfc0c79bc8a8dbba6938670e4a6cbcc0b658

SHA256
f02327049eb161074a9fc1865a056f8bde4210f96d7a3e20d6177c14c6243490

SHA512
788f4e3ad25be0015fe90556eac5524b9569db4b2b7dfcd483197868b20b6df2f1fa15c5dd631d79cdc9ae791bb5674d2a95abe543f1bcae920738c347a4e434

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
243KB

MD5
f59adbedfa40b1997826758b3cb36b38

SHA1
90f2ba7166eb4356bd65b380c4b4c2c8332bb240

SHA256
2f600204584cf6af97358397baf0d5fad5c9408b8d7c559eb18f2caa56e2db93

SHA512
589a8a86bf0ff7ab56b908dba310fc644aaf03e3594f698c1c6b8cd1ac7a6be38a1adb04fd7b00fcfe11fe0392f3f6a3226088f6ca36592c6f2989aaa7c0ae6a

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
243KB

MD5
43425933cc394b3b97602f587b001493

SHA1
1bb752ded4c34327d556d69360eead0650fa04ef

SHA256
9d42bea476415f88a6669c28667a59db01c6f56cfeb53363de0b01cd50337e0d

SHA512
3113344186c6887057803582d2649676f200a60e636f62e9b180612d21d9bffd839b9af1c0a7f94412c20225bd7b6dbddc2c95f7f74e7ac61d379316855f08e0

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
243KB

MD5
19b408cef112d4d67a57a2094fac7d5b

SHA1
9db674fb39e25739adcf018f4ee755baec7970d9

SHA256
dae7d50d0e90bb7fd0abc066373d2f88cb50b2c453d49fad532b309e255df5ff

SHA512
ab6e47c2f2a2ca5b4857b170fd0d6a89881b1e3166368e29ac87b674ecd1524bf0d86bc1196e5e20541170823786121a21f3513573aeb68af206dee3dfb7b271

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
243KB

MD5
8c576143e487520e11a5701f81fbdc48

SHA1
984b81a8a39152625291bc71e9db64f33a6d56ed

SHA256
07a21b91f75d2502820183432c57d4a53766f3f163e6a1876f27a33e67e1fd2a

SHA512
c1dfbcf1ec231c1801c0b47b350d1563c671e6159ce39a22c874e4f7c513047888d1605d943469761de51775caded480777a6ce743597c667608e2d7f9c7f68b

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
243KB

MD5
1ab53d4bfd6cf191bdd0c27ce6354f97

SHA1
d5e43fa2484756b5df2d0efba4d1fe850750d613

SHA256
e938c8a1bbc157217ee82c9ead20e7da0b556c01e96659cc458b162a3b9985ec

SHA512
bcb2907dd840b090f94607bdca96e14a6674a97cbb44fb3159f698b373a04c33d1a6de78c88662bd78d16bf41acd6b490b7c696f0ba1dc7cc7a12f8d9d02da94

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
243KB

MD5
b49dc278b1c7822a640c0ba84466a2e7

SHA1
380f259614c22884929345ea5f2f14c5462e2a59

SHA256
ef2e3718204a589fcb0c74c755dd7b1d23c0d4ef9fd045bd55e97dc748845df9

SHA512
bc17fea8b4264ef5762c613fa4f02662d1a21eea1d9eec63a8a9c3c81ecc30b0ba3a17c6ac2b31e3270b9c1c79703156289dcd15d813208369d6190733958172

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
243KB

MD5
6734df21af1b049fa8bcdb20cd70b863

SHA1
b1f2f978c94bfb0cbc0043c78046b04e43099f13

SHA256
38e7e79995bf82c50615fc6f73fa835b13e700ffecf9960140664d8639fa3b22

SHA512
b1c8e2b6f17a6c9beb783024aa28cb73742091995a7f8f014f8210d7c1ab75ca7d986b5b7bf03ccbef1f1dc12b7d35f7a0aa000f9c1e05b4e86844359a8d865a

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
243KB

MD5
1500155a900f0e69e57745a347f7e45b

SHA1
b31a802f05c05724050170239c3363a66f5923a1

SHA256
e46ab0c44235cb19cda8c76c44e78b4bfea125bbe29f27c611d783441f165581

SHA512
6f4eb650b6108d82953d51bfd6822e5801df3f4574084f1b6e58de7438e50aace622d53d01238b3761df6490486d7d1533359be46b4d412d9d2cda49800ede53

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
243KB

MD5
47117cb014c140a06a7089800c4c9820

SHA1
7822feeaaf994358024115a2f0ef774d4ac09f6e

SHA256
03bfbcf37ca71ff03cead5cf5d3c24457999806c994d4d5baeceee95f53eec9f

SHA512
ba222beadcdacd482446910c2fef6411d344a96a8f8dde687ec1c2dbc51d8d07f29f56bb74fa606096331fdebca5c77841aea2067cb64f9da08697ae0fef4f9b

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
243KB

MD5
93b4d2a782ad7bdf68a7fa8f7cf28068

SHA1
f51720bbdbac758d8aba05329d0e54fbb5dfe603

SHA256
7b1ced573fd8a8c30459664d33072a8525f30b146b96dfc2fb11fc6017707674

SHA512
fa06fdd80312b9e25a1e37532b007fab57d17ea689fa752d28f5c54b7bf08e10ea251a37615296b8110bdf39324fad70f3905b935251f54ee6777766a8807c7b

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
243KB

MD5
29891bd6478d862727eb7d43529495ed

SHA1
602c4e69dcae9f04e6ca1a47a0f30b6a7dd2fd94

SHA256
9eb0bbd922c02675e678c76007c067c46280fadc2798cb0900d4498b5f49c02d

SHA512
9c9e2e1e2ed14cbdfbbdff6e881cc41f54219b40df6bed01768dbe101c0542fcd888765ac752f2ac4dd76cc5cb7b1ce75c0c11ec398bd8f7cc9afa67a5b06a01

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
243KB

MD5
827b9779aff8dffcf8596f05313ff47c

SHA1
2b282690e165f48c2b2d32eba92928b471f7174a

SHA256
0fd2e38b8ae05e3ed7a8f657f4d713f6a486e26166664ee717d2f24e84f015c4

SHA512
1eb1dc0a571f8e9a106f350ee8d0ac7a8a41d55b150720e665468f51799d34fb6ac6d4f1bcc2773b55cbfcd139a25c20bfa3e5c21403aa9f73c39525b642b9d2

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
243KB

MD5
f7a24e517ac5722b140160857419dfa6

SHA1
e437d00556c9337bc8f082c07be1c17a5ee698d0

SHA256
731699b484976af8b34386eccad55900bff3fff2bb1a542d6a5f35acbf41afd2

SHA512
46672debc08184203ec004493a5de10f3cb554f4ecd9362c1eb6759386955819e4f1adc7486e84bfda2d039f83d8963efa38f64d52c72fad7f219fbb78dd84c4

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
243KB

MD5
4c626a20a8c987e98b32c159ddca722e

SHA1
41407fb5ede81e3f0608b5cddc4be76e6869c4c5

SHA256
bcdb00582116b287e9264b147f2ea5002d07593e7ae6d2a35a17565d942b4ad3

SHA512
62dcc2cc34c3d1763eff93c0872bdfd192cc20f55fbac964a47df86afff8d4f0009aecbf9307e0e8bf9e43d5acd209d7c5ffd4e0afc34f364fc1f2fc969e0421

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
243KB

MD5
2134118ffa61cdc694381d58cc9b72e8

SHA1
16cef503bb1efdb7fc591074ee116fb62e037112

SHA256
77be34ea3929f0b1e4b48436805fbc45578b47fe95a7ece2261bd5f2368e7e17

SHA512
fdc8e018702aa6343be264559bc55db613847ae866a4af70e12a0337b2a20f03ec9b12e62aceab0dac6bf2e556401d533cc863fc066a04e8b78e1a96bfe1831b

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
243KB

MD5
6b72cda5d482c82109642b655e634406

SHA1
0b29ee24e4a53b6734f47cc5e3a545feb5d47ea0

SHA256
f4994fdf915cb827eaa57dfaad58684c2a451337792a04893864412d82cda74b

SHA512
ede68c180c0867cf8d56108af1fc3d77817038563fcde7e9179378fdee0f791049847766a0183ef07538543c9848df00a54e138b4a7561f531e832432a958126

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
243KB

MD5
f41b8098fc7bb70241687f69690ca9f0

SHA1
e51adcdaaa1cb118fdf0ea2e19b6954d88e1f75a

SHA256
50d88bf9113dbfe4b1610a3c37f2d3b67bff3a49645478aa3df18cf39ab703fd

SHA512
61c4a5ffd5d547ab37b72bf6aded17307bf92bb48f87ebaf23696d2ed4757c969ca6e70889ddd5323a0759d71738c903f746bee6fc5daf5a0e97e43f2be02ded

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
243KB

MD5
b1181f177fb05b791c20511c3b1c8e69

SHA1
960323c2f7c53cdd6f575f5d8637e0151b43c138

SHA256
8ec1f48af44e4492f436eaf2345c9fe2d933a35b3b0da070135a9f2d040cede5

SHA512
a4b95c80318fe03d5744f8e81f702a67651790e2d8047b6304dbd2a6e40d0dfe23ce185b0628de46798f9de0766ed54c2fe09e5c0b1e062b0cd9e8b5efb16f64

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
243KB

MD5
ed19a2032b35ed44a1265cf5b724485a

SHA1
db12f67d38d917ca60931af69173bcebab4dee40

SHA256
20d6c21d79a1e09fc13220a995dc2563ddf997f1dc9e110acdbe3c106bf98c88

SHA512
2e5babf8d23b03c4297f7d2eceaaa6d67befc75751d36a9a78e208c3e1b480bae5d54aa34f6ea167ba9692e92b9d5ec153a11d61dc6d5ec5bb1328f8192644b0

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
243KB

MD5
955d840934008f4269e208cd2eb61f18

SHA1
c11b3c4c315950370c0d0a316fb434c4fc0e371e

SHA256
29a40345f10eb70a0916df350685f8b3e5cf24b9a049075d5449d688f54486db

SHA512
f4e122f56205ce34e3af7bed00bc59c288025ff64362ef1715fbf54f60042cf2c34efcc484ba06d93862fefffea108c2b7f441b04c55160d44316546b4c4ce90

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
243KB

MD5
72d803908fc3070631d298d9d3c66a29

SHA1
5a00648d735d868e655f57b2830b9e9f358735e8

SHA256
ed28ab29ab2f0e90e0a85b057f893d4e2099284cadb378da1eb5a9f464104018

SHA512
e433d632b59b0bee32028977a0254d6176ae756a0cfd1bd9b8d912066d057f9f699fc89920d064ea73427ebc59b20f0fd4d03ca4e2e070f9cf5517c3831f0cf1

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
243KB

MD5
6ebe3df0edee90e3a1f18561e403e1c1

SHA1
e2bf514c076a56de31779ad36dcf68109c111d77

SHA256
dd8f72f3022666bbb965118a829291fd54938615eb7a8827b3ac0246d05eb1ed

SHA512
759f186f3846acaebdaf71d8f8c17f393b491271222139ef307eace73824766091ecb131dc31dc537373d2f21d1db897e87cc896efe67d957984282f7f130ecc

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
243KB

MD5
c353c142f92d4adfb1b9f9533217a430

SHA1
9a1540d02078fefc774270305ebb709a10673ae0

SHA256
bcc6712bfb3a5aef48e3433249c7cce2e4fc9d5badb283091ce70697afca3a82

SHA512
2bf2e661fc8c47de08547356e87608df925088fbf2e5e0a0e31becd70cbb70d2db2843ae467e3127ad6ec22aa47a734febaa4d8ef71a91bf471783b196e714e2

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
243KB

MD5
8d8daab25ed37dcb4881df453b98a6a5

SHA1
43f1bc063c0040cfde13c7c8b15424cc00a03e54

SHA256
bf29cd23f3197e856836babed27c89ac3bb03180de5424d2e87d2fa7caf183ef

SHA512
ccc5edf89d83af45ab4f809e1f92a8b04df6683bfb3304df90fe6131d78edf1cffaa7f9cedda6369b6074ce0cd1e95947856128e120f9f1b31aeb38e62f37db0

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
243KB

MD5
ebcb702923bb315437d76f2dddb4b4b9

SHA1
8682c885d5b6dbfab4042087c08474d897785af5

SHA256
69936836190521582ace584406af19da7867b4ec90a2bc51673ffd9700b2826a

SHA512
b535bc811c9d5f427f2712519771134b1995b2d9db445eb8c536c7abe3e26174bb710595e23b80853c16fba9548213291586eb08686ff91ab88794a493479e19

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
243KB

MD5
84fbb43b1c256a6a9655d95e7bec016f

SHA1
dc88184569e0c40071e98b12ecdcb4ed39552e01

SHA256
f57ba1e2ed1c449a2bee580800074fa9729e4ca97a643dff77daa7e12f3dd541

SHA512
7303345d395cd6bc363c65d3e08a20165534c24601ec71402f491b3e67af2e5071e81d74a6ef7480525402f8fbc8032722720c40e4f6919d33a1c99b8f18bec2

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
243KB

MD5
5ea370b939eac320f67484d9e67dc9b3

SHA1
719c41c7aea1c667fa1fbc506938756a30ea7a03

SHA256
1da99693ac465b2c56a2b1c307f955c7ffb68ad05d0bba1525604a8c541dc005

SHA512
3cb4976f83c321d74613d9b7a7d5e33d5a7f1426fff53d3fed321863ce1357232cf9f59c0ad8411eb59fe8aa7a1da22be38199f725d42c9b8270d5b932e2e699

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
243KB

MD5
5b09272f6c5bcaf8387e38583c541faa

SHA1
bb35e3f1f9c1e8dfe2a0b3103fc550fda8acb500

SHA256
78336a5962eeeaacdba617377cb6b73bb783913283687652fdc68a6396e34ccf

SHA512
ea00096446fe2e9369a14743966ec266f6cde6f836087a80a6534c272a5e4d4540a204eb2b6f375e76b631180955253d949ea5be2d0d587bf00b4fe6cbad8586

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
243KB

MD5
5f5cf1c022491d74c34ddf9bce1ce1eb

SHA1
c8a191fdaed187215504b6120521e891fcbe8de3

SHA256
6a258dacbf0253e3eee736e8bdb21feaab0e6832c99eed0add6ee5554a007335

SHA512
c5f3ae29dd85e5cd4c343afd3bf8190662618505fc957135025d8e59529cb33a92e65c6d2f95c5f2310e3cd4156f221b8b2ee775d06a4c6a4d99208397d6986f

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
243KB

MD5
23b64fdc30ab59fca7abe285aef85154

SHA1
4c00632208d71b64e7d85bb1646bb4d21144cc7c

SHA256
2c2d84f0ca8db50db1040a22071da60325a292b9b8c2c04a45d7d9a250db1ae6

SHA512
262b15d167baad3e6968a13db845ba4f1ff8c6b7101c87333e7d1c8d9343b8dd45e566ea3c6a1f5d4df3781bed5e6f219c7e3f14d6377729a126b3d70f1a7f63

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
243KB

MD5
45f4ce4343abc4234c62aa9bd732084b

SHA1
9e27d7b276beac4e67c43b9b4c8b495dfe9bfb1e

SHA256
4698d9cc34ef0e2153dcd3ff4c7373d89cbdb70c693d6e4e43c4ee7e9c7ae11b

SHA512
ef3484b0cc935284961bfcdf6f0826652f82321eee502b387219f4655c1f563e0d75fbb4f1e2ee70622f49fcba5043e751a8730040918014872957782dcce302

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
243KB

MD5
ab651eabfa1f69bd13714a64e03c600a

SHA1
dbb674585b994b1b0932eda7cb99246b9cced954

SHA256
cd002e3a689c0d92baa41af030def4a1b39a4afd5a601cac26b62181378d21c0

SHA512
d52592eb4c4f107102749b0b8fc9d9df22876f4e485c64aa0c0324874bccdf7b3afd0ef1e05ebfc4aa8f8ae528e9620ab6df6cfcc505d6c9bbec1b8a121b6ac2

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
243KB

MD5
dcf5bfbc3cf46355d9302615f1052584

SHA1
54cf03da4b2be9d367cd6d6a56443c0bb64d7b0e

SHA256
3d99cdad50fe53511cba9d357c56e946a95810715642b0b0ba8768c5e04dd10f

SHA512
c457cb796bbc1ab9f567be1c38f6c51c8d74fb9b6b98b7a120ca4017cde3e980364f2849b6854280f822149baead6a8b1df1d61b7a3d23c031b7eb08bd5d375c

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
243KB

MD5
649d415103c49277c302c10f515bda46

SHA1
2fadc18aaac59b195e0a1b260f8f0165750bc103

SHA256
ee00fc4978b24f1fcef99083ef7f981b7c5a7447dfe291d84794220e6454d3be

SHA512
3d4f7c69973642bfc2d4590b98043ff32617bc9fef750a79cb554e905b234c48338ef86e6058756ec54eb33bfd607b876b8fa6c9aee9fde3ddd1972b872946db

Download Submit
memory/384-219-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/716-437-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/716-476-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/832-502-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/864-466-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/904-88-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1040-498-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1168-221-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1272-258-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1272-534-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1348-460-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1348-462-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1428-57-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1512-310-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1512-516-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1524-282-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1524-524-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1616-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1652-116-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1772-492-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1772-373-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1808-144-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1836-512-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1836-319-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1920-506-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1936-401-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1936-484-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1980-520-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1980-294-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2044-536-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2044-243-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2096-412-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2096-480-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2156-406-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2156-482-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2180-79-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2228-488-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2228-385-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2268-532-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2268-259-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2272-490-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2272-384-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2284-494-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2284-367-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2444-152-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2744-459-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2744-464-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2900-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2920-33-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2948-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3100-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3168-194-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3172-522-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3172-288-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3324-538-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3332-486-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3436-471-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3468-514-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3484-496-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3484-361-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3496-504-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3496-343-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3548-265-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3548-530-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3612-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3652-211-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3740-300-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3740-518-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3856-159-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3936-41-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4016-168-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4024-228-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4084-187-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4256-331-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4256-508-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4264-136-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4452-415-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4452-478-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4472-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4472-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4508-132-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4520-424-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4520-475-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4588-528-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4588-275-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4692-124-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4712-526-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4792-448-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4792-468-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4820-510-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5068-97-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5076-500-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5076-354-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5112-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5116-472-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5116-473-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5116-426-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads