b40e3c348caf1b25e7c40bdaec1b552ec04d4a3e0ed8c2d8c7f86546c2b59cf5

Analysis

max time kernel
136s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b644bd41bcda6b9ddacfb7e75d76870_NeikiAnalytics.exe
Size

80KB
MD5

9b644bd41bcda6b9ddacfb7e75d76870
SHA1

f4fe1eb6bb8209cf6d3dba47ead07e4e22f1eb2c
SHA256

b40e3c348caf1b25e7c40bdaec1b552ec04d4a3e0ed8c2d8c7f86546c2b59cf5
SHA512

dc4e8b5eb86700452d5d3d7b66807c031e1a0d6c2c6e92f7585d9e8bede6955863c41e31d0ecd290f06435836fa6736e825919147b1bb3c67c5365c86872340c
SSDEEP

1536:+cOf8ykDRXtMJ/UcaKZrCcyW6r/pALo7YHJkjj5YMkhohBE8VGh:+n8ykFXtMJzaKZ2UfmYHyFUAEQGh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9b644bd41bcda6b9ddacfb7e75d76870_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe

Executes dropped EXE 64 IoCs

pid	Process
1852	Jjbako32.exe
792	Jmpngk32.exe
4788	Jdjfcecp.exe
1404	Jfhbppbc.exe
3484	Jmbklj32.exe
2012	Jpaghf32.exe
2956	Jfkoeppq.exe
4704	Jiikak32.exe
4056	Kpccnefa.exe
392	Kbapjafe.exe
2180	Kkihknfg.exe
3888	Kacphh32.exe
3520	Kdaldd32.exe
2652	Kgphpo32.exe
1240	Kmjqmi32.exe
1032	Kphmie32.exe
1212	Kgbefoji.exe
1500	Kknafn32.exe
1972	Kpjjod32.exe
4564	Kcifkp32.exe
3588	Kmnjhioc.exe
2444	Kckbqpnj.exe
3568	Lmqgnhmp.exe
3652	Lpocjdld.exe
2360	Lcmofolg.exe
4572	Liggbi32.exe
4892	Lpappc32.exe
3760	Lcpllo32.exe
4812	Lijdhiaa.exe
4876	Laalifad.exe
2756	Ldohebqh.exe
960	Lkiqbl32.exe
1708	Lnhmng32.exe
3224	Laciofpa.exe
412	Lpfijcfl.exe
3576	Lgpagm32.exe
3788	Lnjjdgee.exe
1696	Laefdf32.exe
3912	Lddbqa32.exe
3936	Lgbnmm32.exe
4052	Mjqjih32.exe
2240	Mnlfigcc.exe
4624	Mpkbebbf.exe
2400	Mgekbljc.exe
3296	Mjcgohig.exe
1928	Majopeii.exe
3292	Mpmokb32.exe
3620	Mcklgm32.exe
2040	Mpolqa32.exe
756	Mcnhmm32.exe
1804	Mkepnjng.exe
5080	Maohkd32.exe
1924	Mdmegp32.exe
3056	Mglack32.exe
3380	Mjjmog32.exe
728	Mdpalp32.exe
4452	Nkjjij32.exe
4264	Nacbfdao.exe
824	Ndbnboqb.exe
1748	Nklfoi32.exe
376	Nnjbke32.exe
1052	Nddkgonp.exe
4872	Ngcgcjnc.exe
3844	Njacpf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	9b644bd41bcda6b9ddacfb7e75d76870_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1496	2876	WerFault.exe	158

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9b644bd41bcda6b9ddacfb7e75d76870_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1852	2020	9b644bd41bcda6b9ddacfb7e75d76870_NeikiAnalytics.exe	83
PID 2020 wrote to memory of 1852	2020	9b644bd41bcda6b9ddacfb7e75d76870_NeikiAnalytics.exe	83
PID 2020 wrote to memory of 1852	2020	9b644bd41bcda6b9ddacfb7e75d76870_NeikiAnalytics.exe	83
PID 1852 wrote to memory of 792	1852	Jjbako32.exe	84
PID 1852 wrote to memory of 792	1852	Jjbako32.exe	84
PID 1852 wrote to memory of 792	1852	Jjbako32.exe	84
PID 792 wrote to memory of 4788	792	Jmpngk32.exe	85
PID 792 wrote to memory of 4788	792	Jmpngk32.exe	85
PID 792 wrote to memory of 4788	792	Jmpngk32.exe	85
PID 4788 wrote to memory of 1404	4788	Jdjfcecp.exe	86
PID 4788 wrote to memory of 1404	4788	Jdjfcecp.exe	86
PID 4788 wrote to memory of 1404	4788	Jdjfcecp.exe	86
PID 1404 wrote to memory of 3484	1404	Jfhbppbc.exe	87
PID 1404 wrote to memory of 3484	1404	Jfhbppbc.exe	87
PID 1404 wrote to memory of 3484	1404	Jfhbppbc.exe	87
PID 3484 wrote to memory of 2012	3484	Jmbklj32.exe	88
PID 3484 wrote to memory of 2012	3484	Jmbklj32.exe	88
PID 3484 wrote to memory of 2012	3484	Jmbklj32.exe	88
PID 2012 wrote to memory of 2956	2012	Jpaghf32.exe	89
PID 2012 wrote to memory of 2956	2012	Jpaghf32.exe	89
PID 2012 wrote to memory of 2956	2012	Jpaghf32.exe	89
PID 2956 wrote to memory of 4704	2956	Jfkoeppq.exe	90
PID 2956 wrote to memory of 4704	2956	Jfkoeppq.exe	90
PID 2956 wrote to memory of 4704	2956	Jfkoeppq.exe	90
PID 4704 wrote to memory of 4056	4704	Jiikak32.exe	91
PID 4704 wrote to memory of 4056	4704	Jiikak32.exe	91
PID 4704 wrote to memory of 4056	4704	Jiikak32.exe	91
PID 4056 wrote to memory of 392	4056	Kpccnefa.exe	92
PID 4056 wrote to memory of 392	4056	Kpccnefa.exe	92
PID 4056 wrote to memory of 392	4056	Kpccnefa.exe	92
PID 392 wrote to memory of 2180	392	Kbapjafe.exe	93
PID 392 wrote to memory of 2180	392	Kbapjafe.exe	93
PID 392 wrote to memory of 2180	392	Kbapjafe.exe	93
PID 2180 wrote to memory of 3888	2180	Kkihknfg.exe	94
PID 2180 wrote to memory of 3888	2180	Kkihknfg.exe	94
PID 2180 wrote to memory of 3888	2180	Kkihknfg.exe	94
PID 3888 wrote to memory of 3520	3888	Kacphh32.exe	95
PID 3888 wrote to memory of 3520	3888	Kacphh32.exe	95
PID 3888 wrote to memory of 3520	3888	Kacphh32.exe	95
PID 3520 wrote to memory of 2652	3520	Kdaldd32.exe	96
PID 3520 wrote to memory of 2652	3520	Kdaldd32.exe	96
PID 3520 wrote to memory of 2652	3520	Kdaldd32.exe	96
PID 2652 wrote to memory of 1240	2652	Kgphpo32.exe	97
PID 2652 wrote to memory of 1240	2652	Kgphpo32.exe	97
PID 2652 wrote to memory of 1240	2652	Kgphpo32.exe	97
PID 1240 wrote to memory of 1032	1240	Kmjqmi32.exe	98
PID 1240 wrote to memory of 1032	1240	Kmjqmi32.exe	98
PID 1240 wrote to memory of 1032	1240	Kmjqmi32.exe	98
PID 1032 wrote to memory of 1212	1032	Kphmie32.exe	99
PID 1032 wrote to memory of 1212	1032	Kphmie32.exe	99
PID 1032 wrote to memory of 1212	1032	Kphmie32.exe	99
PID 1212 wrote to memory of 1500	1212	Kgbefoji.exe	100
PID 1212 wrote to memory of 1500	1212	Kgbefoji.exe	100
PID 1212 wrote to memory of 1500	1212	Kgbefoji.exe	100
PID 1500 wrote to memory of 1972	1500	Kknafn32.exe	101
PID 1500 wrote to memory of 1972	1500	Kknafn32.exe	101
PID 1500 wrote to memory of 1972	1500	Kknafn32.exe	101
PID 1972 wrote to memory of 4564	1972	Kpjjod32.exe	102
PID 1972 wrote to memory of 4564	1972	Kpjjod32.exe	102
PID 1972 wrote to memory of 4564	1972	Kpjjod32.exe	102
PID 4564 wrote to memory of 3588	4564	Kcifkp32.exe	104
PID 4564 wrote to memory of 3588	4564	Kcifkp32.exe	104
PID 4564 wrote to memory of 3588	4564	Kcifkp32.exe	104
PID 3588 wrote to memory of 2444	3588	Kmnjhioc.exe	105

C:\Users\Admin\AppData\Local\Temp\9b644bd41bcda6b9ddacfb7e75d76870_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9b644bd41bcda6b9ddacfb7e75d76870_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\Jjbako32.exe
  C:\Windows\system32\Jjbako32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\Jmpngk32.exe
    C:\Windows\system32\Jmpngk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\SysWOW64\Jdjfcecp.exe
      C:\Windows\system32\Jdjfcecp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        40⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:396
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        73⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 404
        74⤵
        Program crash
        
        PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2876 -ip 2876
1⤵
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
80KB

MD5
5f032348157753deb54e42b72a5d467f

SHA1
0b79a9a6caa08cf348c6e3af6b2a126202ef7397

SHA256
f9302354bdd9e6ad245afc81bd3379f16802263162dcac6215796ca8f0397501

SHA512
ad4e46b09327d08183115e482604f224d98b3105fdcb86fc4a8d1ca0f3d24c6200f7f76ac28694ee47b363c7ad238f8f850f7d5e054fbecd0bf768788879a0da

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
80KB

MD5
04bfd43a64d0f57d7194216e8556b291

SHA1
5d757e8bd3099b2000da082c3710c18fe908e1bf

SHA256
4cea47372f5fc71842ace58de0bb432705159d3798d3291aa930c72e9d9e3204

SHA512
ce1df47fd3f2c7b35ad86eead42a0fd7d3f365bd0187ae8bd91180c0d8b021d36270b9623b551c70c64c363da3ac48e8b098734713a3fb315deb7a5f58b6f785

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
80KB

MD5
e28fb939c04a9c2cb1d84284db600161

SHA1
2ff33d3de385591bcf00f795aaaae0705597fd37

SHA256
a1a9af6f29cb2f2e2d89e7eaf22f9bb2597ed4b516684cc5fcf50de6a2076b12

SHA512
1c2715b0328e8b63633d2aa132fa2d4a66541611fead7c59be94cb5a54638313a8fe0077d5632bf64dfbd81101e7ac77bda0d97d392af773aaca2f792fd3c250

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
80KB

MD5
8fba5913e50dd1c130e39dbd95effcea

SHA1
c3f53bb8ab7995ae09ef99e9d0950b21a5161aca

SHA256
8e9b5c8efea026abbdc5a3e4f732c7014a5b40266ee7e12dcbc79a933ea0b26c

SHA512
e20b49c33b5208ecb24d3b462f1d60d97fc0cd0c9c250a7f6d9a752621bb1c1a700a71d0a73013ee1fa1e38cd669b227a12bfbd5ae15022b446e4e8ca092846a

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
80KB

MD5
a19031e7b3be573bdb7a2019da9fd382

SHA1
a9fdaeaa22a46e471e25cbd043a1deee59402e78

SHA256
3fb355a121f791b4b5002ad239ac22ac1b232d95a6ba7da7be3476b8d155b6f4

SHA512
2e6d602ef28a182b24b6a90a9f65cf20324e670e3da85dbdd68d313db88cd586e479a1a645b691815ec206abb06d18094256aad244de907ff345aff6762b8007

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
80KB

MD5
8868fcb9220a99b94db3fd454e1d2fae

SHA1
eadfbd0f6180a9b5f7d562afd6c66456d3da2782

SHA256
69f658dbcbdf0219bd313fd3b6edc53bb5699111b06a31b69a099976220983d8

SHA512
97489e7bcd0158cee8bcbac6f09de697db08215c9a2bce392beaa59c425178d11a4d6c38e8b18c61dac897b2cc192d873930668f0a780eda632a5776fec5a1f2

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
80KB

MD5
5433afa4ae069db5a62baa9fd3266495

SHA1
a2adbfe2d22e694ffcebe4a4e922d319bd82c9b4

SHA256
05547cf93263a04e33b3839e15db2e6e43bafac889efc441b579c76dbe425c7e

SHA512
d647d320033078b5d2a1b2825c6f6708efdfb5ca4f329b82d995fd45813a5cd79c06e85649553261d54cb3abb99cab20dcfc8eabbeadcd55a152d460bf1f12a1

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
80KB

MD5
f9b77a13666dc1bf6ee32d2eebf21522

SHA1
bd2926e8b58cb8726393125aece573ba569977b5

SHA256
b399bbb407d99487ca6b4b8d39d2d2a7eb657fff7e0ba7319cf3eeb77035f302

SHA512
f46f3fe46751aef789c1516d1cab80bfb0ff37f90303d7026b7c3726fabf4487f13b23448bfa4e956e67a636317ea4b3b6d8d590eef6e0fcd83c77124eacbf44

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
80KB

MD5
1b2afc4f146b8d455601f53b383f59ca

SHA1
972c96a430b92d5928fc738641b77552684d7963

SHA256
6220fa9705c6e18e89599a8d92127b69aadb7b40087991cbcce7ad5fd87b52ae

SHA512
73f373ec8ad2ecdd07ce7d2bbd0edad6e68d801a79631a000d309cdce30f3e4380b98ca5484787a68653dae6e422cb867c6285091de2d9a36cc7e981c577b9f5

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
80KB

MD5
c0ce29fe3c35b8c632afe153c81ccb8a

SHA1
379798bfdd2f88db4a2240d20d7b3e2682f2a1a2

SHA256
cef421993c139c4f39f443a67e06e7d21593c2e55bc75235b58e18ac599e6670

SHA512
bb64d78baf2dbc04cfe5157bb87c867fac8685f004cd23ec820ccdd955ee394132fc07b43c97359546d31694d2c51e27deba6f1b72f249d232e9da3b6c3c7b44

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
80KB

MD5
80306a82db433f69c0475252a192d96e

SHA1
84de0b3b9aa138cb573f835def159c9ad4bb1d8a

SHA256
b7256fc7c9e53880e957a64039abd037fc2e2c45b18d522d81884641fa9bc310

SHA512
e6ecc04a6d3b0f5c7127b516f3c8a44cce6715d3198160773b2637ed2be0307123c57b848483fcd442d3a18aab51746ba551fcfacf80349eefbc41916960a51c

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
80KB

MD5
9d31d696b25146cf2b32e5953273ce63

SHA1
2fcd9ba24d4aca636881b6bf8ec058a8a6c91a89

SHA256
026f1ec4f75505a067dcb96c3596b6627d8541be65cfe39f143207830df75eed

SHA512
df420005991b9713ecceb48cf7e5807384dcf4a45cc9f970bf553fd6e1ec10d28d125dad90ec27a83a72fd2e94320e30733afc37f4f14d1fb317096ea8195a77

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
80KB

MD5
7724d7b3d3fe67637d6d9c2cc75e502e

SHA1
02f5426ef24442f8f5e8a5979b5f80ebacf7f417

SHA256
fd091eaf7571ac3e170fef0b6f80c047bd974f60751256d319d3737408110bda

SHA512
ddc46abff89681e7980ea167369c3ae91fff16ca6d55f520be7cbf26f584b81d5668afd8e91c44fa454bc55eb794541e29d30c36e1418bfd33e39f778d064334

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
80KB

MD5
bd80103978fb0041ee879fde3ee27249

SHA1
180b1771987014940dce6db1119b86f3ed984acb

SHA256
405e515cd47c70f8076b899b370e02f1c229b98c4afb9328e00aef416c8d7bdf

SHA512
d9906c255f7758100ee511276c4093e3b88e7cdbad29fbefd4cc8478dcc55f5f11f54060f83b74b49ae18c0f8dd7298316e8dba5c0c62bb9488a237cae5c680c

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
80KB

MD5
3a183101fadc1e1c32396b56cdbd978e

SHA1
8be0bb3e93d192f104313ba9a14622d8d951ba39

SHA256
20cb37f8d233b1e3011792c10c798d3bd2fd7b1aa7a86100004ddacad23dd5d9

SHA512
81b767ee9dd8c14559208df5553c29d651fde76ade45179006f5da1799808e207465dbffdca62886762cc835b4d1a8a621560de7d653f0861c0aaab5d6848aa1

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
80KB

MD5
1861f2f570b8c4d68f3a029c7afe24b0

SHA1
614666c6cae82853133110565f1995ecd2d87795

SHA256
423ed423c1aaf87830a6701a5cfecd8010af0a05b8bf0ba7e5ecc064cda259b0

SHA512
40446d39a9fe57ebcc74909a8c2bca1371cb5a075543b3ccf40adc68bc68b5fb1e5f20cc06279a8715031c79fbbcbe2732e02cc9334679f6a77685ccf0abf548

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
80KB

MD5
694994640fc8c6d0639c318dbd61b769

SHA1
ce80c93049f45b6f62e53f4df05d0f09bb271f66

SHA256
5d253a26fcd5b5a0d3283a66a8cabdbe3d58555e78a1ec74c13bc6600e548828

SHA512
5837d047a1597c4c39897ae01e7e004a5f384d2f504187432d0f88d0a5937ffd93788c1fad97f259a6c4e906c8c0d539f6ffae673b84f70fec578a5778111045

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
80KB

MD5
7b0a01cb5c18de6fba82187df5dede4e

SHA1
e1cefe9aee75a1a2f3a2ff741d6e0b3bd55c8fef

SHA256
b21d597d3528d98c42f1865b284052d49aa6b1c9381b25ccc31a02719fb221f9

SHA512
9e65aba97ee9e6be7fd62ebe6af678800ee509d646b8d258d750f527148974a3befacd219381bd479e8225c1110546bc4da1afe8fdc1f478f55713e26e363573

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
80KB

MD5
3a852f58b7dbd5a3fd586e893fd5c70a

SHA1
c2adfc09f7de0367cff5259314760d09169b4789

SHA256
8c349028d49f28b6573cbeecdc23d61f13a000edf1dae84e596ac65da8b684d4

SHA512
7864fb1121826d0a0678ad526bdfc031a8a427a4e68cc3a3b522ce00ff5b57d5b6dbaeeb17c055f38de1fb9b3f71de49d4d93a089cbb2e442c3e578071bd7edf

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
80KB

MD5
359abf288283e259adae72a49f4a2563

SHA1
d613ba173a6e0924649222a988433fd63eb071fd

SHA256
979f39a67050ec862824f38a342c952e0bbda391c69e9150688f5da3bd155ae2

SHA512
5af981674137247ef4f8822c444ebf95f648ef2afc96e5ad9bba86b388de5878f45768477c35a3d7e6b0b0a8f6974b7652b2194c8f1bd848eca9e12e1b8e3704

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
80KB

MD5
6ae99b34ee89984b18c1c920d23124e8

SHA1
f41b64f60ee86a750b89d03fdb2f816e84a9cc09

SHA256
d693d292f2608cac66387c412e0f4dfa94fd9028f595113b2dc48f5efc80b216

SHA512
0e8325b28a91f52459d223197527e861ebbef524e890698b73544170c8d16906f7552623fbca9420cceee7bfbd42e946d8baf9e99d8692ddd24f21a813a60f1e

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
80KB

MD5
93476ffd4bcdf36806c2a00a08331516

SHA1
58e72a1ed2e9d50cdc8b5acd5203288c7560e434

SHA256
e9ba721bb9f5974417ed03c2742010ed66ddf3d9d4575cd464d164267dbbda9f

SHA512
54168ee04a1a106dedcc713424c99b45bf331038a86632d6e85398b7a311a6ce4fcc51c1687522fac4e540bd4f7928a96e1da9a7b963e3283663b8823ed15c9e

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
80KB

MD5
c98b6000c9c3683d54255eb2a79ce2b5

SHA1
7c515e66983f61a3260c3c9034d3b4cf948cffe8

SHA256
b7cca856bcd951d57a4e2416c5520266d66389f5561b5d8774534ce4519c1872

SHA512
4fc37ae41ecbb3b6a0e98b0e997a82088ca2da04eb8b1a59a651e8eb69317a6caf202dd3af040c20e64ab512fdff9c29e375300ddff87c1e0a6055920bdd6bf2

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
80KB

MD5
76daec922db19b44782d111997c73e77

SHA1
be7a9031ab80f5d27361c77c0e191c1b59ce3fba

SHA256
193fecc2d9f040aaba7fd7057e8f3e248bf40a74ebad6377499586a4782e911f

SHA512
2b992b28343d9ec0d5c5be85c22c9bad4aeeaac80f27302e531ebd9f6b0b34beff40bbc7c2976b1e359aa17c06f1644e212efcc4d060dfc296c275a327c54e4b

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
80KB

MD5
3c79f45dcded4143016f53923b1b1c40

SHA1
8d198106e5a1997e8645e115aa0a6ac2130e3512

SHA256
e7c99ac14859e141906be6cf1190fd76af2f54254fc81f01cce9d3604a3052ab

SHA512
ca7b5d758ee1e59d71e118ef38905a0b5637316e68139174c34dbe4349aec670fcca1de69ab323c5b34852f732e834b7099ac8df008de98106d813b5d1e8783d

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
80KB

MD5
52d98ab178806b3a02dc31e001c53c16

SHA1
88bafbdcac055c2929d362279ac7258d239586b0

SHA256
a752cdb987fcb54e03c1bb7c5a7692913d7b2746dffd18f8ea4a3be25991df0f

SHA512
ff401f1640772f29ef3c8fc28b174740d54ad8122c2698da0a70c6052cc04b74b3c0c475da461424a7ae260f3b38b83f452426a85ed83ef9e2b6c60de450e281

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
80KB

MD5
3d2ad4a6fa576ce0315a692e3b2dd97b

SHA1
ec2f2c6d860219c2638fc8e9012ee5690dc6da22

SHA256
c79c33d8cb06711aa7db4ce6d268ab16c48085c5461eebe37b630dd0a02e5b18

SHA512
5bbc072bc3fd20fde7b3b2ca5e06358b9189a1cc2576862e311321c33e34121c1ca5fed68c466421888bd961c2cdb296a226fdc282d2504bfabf1d2e6273e8b4

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
80KB

MD5
f83834ccb316f1b7d0c3a7b0af54b7a1

SHA1
e58a94f5b6b623cfd3fde0100670fbf77e56adeb

SHA256
e1c40caafc5ec29e6c3a0dbac441315f62bfca6d39617d965740335a0d95c8f1

SHA512
11025d7830bb92779eaa12e62f0e697ff4fb3423b61bae8ed0407124584bbe4612db84ba306beb4b0c6309f7c2f5e21d0684a53a1f1d7b7d7b6fab74be7bf9b3

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
80KB

MD5
ed8ec0cf5de4d53f32a11dabbaf4080d

SHA1
e3a59aa82e1a9a442373921a059e27ba62f14107

SHA256
5e3393fffb2cbadd69f2d446c811ad6834ffb2bced13e0b802fc5a7de7ce614d

SHA512
101d0264892bc75d697c64fc6e128d97fa41c5bf59d6a184d8d5a9e6be6555068628a79e0fc8842dbc1f08527e84168804b1e77c3a1c9828504001e8edc20521

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
80KB

MD5
1d246d6c687515de0b01b2780519fc9d

SHA1
d8544a995242f37a4132167aaed0649d448edcaf

SHA256
c42229ad51be433d1a45d4df0d18d1133355b265d818a27d40849cd980bf6a03

SHA512
56df42c4063d89a5d240a82cfac688e9f03c23cfeffc0ade23311aa3b7992d1ea9c8488ba79e626de06fef51436aeebb39209dfba92c89173ab626d3bd0a9114

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
80KB

MD5
265dabfcf0a0f228f45c297d8e4d9820

SHA1
c4d7742cd628304f3eedf2f7ca9e7f3940a44abf

SHA256
dfb74cdaa11698b4ffe0a939e4ac2abc31484e3f50bcf72d72cbf9aeac47fe74

SHA512
4e78c659ed1d7dc108fea466f193f760b294a576eb2ced69bf344b5427fedfb8e4fdd1a595507a457aa818a06d6a2a469b5da44299670141744d1d1284530b78

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
80KB

MD5
91790da12ff4a84a226a830cfbb5931d

SHA1
7d8f1ce9cd97c1a8d312616680a891d2f661fecf

SHA256
c3a29198b9c61d2bac85db406bed3510c9a11a1deeb2ccd50990bce23ca41a2c

SHA512
a02016448f019c271dd8dae1a723413125885714abadaa4a7e0f21a0cd83af72d4e1ff404c4f3a0c859775e4a3b1001352cf8017486fbc04d7d3d1f3cf798aa5

Download Submit
memory/376-506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/376-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/392-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/728-511-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/728-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-517-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/792-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/824-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/824-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/960-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-505-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1212-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1500-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-500-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1852-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1928-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-518-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2652-116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3224-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3296-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3520-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3588-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3652-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3760-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3888-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4056-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4572-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4624-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-499-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4704-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4812-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4872-504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-219-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads