c82591f6f13bed4b69a0f9d80fa3fc91caae463a3e98787816b16b0eacc79f9b

Analysis

max time kernel
136s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905a14158440f315b2691f08ce87e7a0_NeikiAnalytics.exe
Size

80KB
MD5

905a14158440f315b2691f08ce87e7a0
SHA1

007288518f804a74225d648100330b457d5d5cb0
SHA256

c82591f6f13bed4b69a0f9d80fa3fc91caae463a3e98787816b16b0eacc79f9b
SHA512

f2d9bba9178e70b2658236b65cc32ddc9cf15f50318a5a33fbce9db9687606a6b9a2fb585033ce5f7d1263bd8f200f7311e2c9f1f8b2a031d0a8fc7804980d02
SSDEEP

1536:2qJRWFCSu4eBAwt59dpsj2LdJ9VqDlzVxyh+CbxMa:2+RrPNPdJ9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	905a14158440f315b2691f08ce87e7a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe

Executes dropped EXE 64 IoCs

pid	Process
940	Jagqlj32.exe
2088	Jfdida32.exe
4712	Jibeql32.exe
2448	Jaimbj32.exe
4916	Jbkjjblm.exe
3472	Jidbflcj.exe
1784	Jpojcf32.exe
2672	Jbmfoa32.exe
3420	Jigollag.exe
464	Jdmcidam.exe
1284	Jfkoeppq.exe
1660	Kmegbjgn.exe
4228	Kdopod32.exe
3324	Kgmlkp32.exe
3724	Kmgdgjek.exe
2408	Kbdmpqcb.exe
436	Kinemkko.exe
2860	Kphmie32.exe
1952	Kgbefoji.exe
1244	Kmlnbi32.exe
1212	Kpjjod32.exe
3328	Kkpnlm32.exe
2268	Kajfig32.exe
3208	Kckbqpnj.exe
3380	Liekmj32.exe
4188	Ldkojb32.exe
4844	Lkdggmlj.exe
776	Lpappc32.exe
2096	Lgkhlnbn.exe
4816	Lijdhiaa.exe
1988	Lpcmec32.exe
1776	Lkiqbl32.exe
4884	Lnhmng32.exe
4476	Ldaeka32.exe
3512	Lklnhlfb.exe
3100	Lnjjdgee.exe
648	Lphfpbdi.exe
224	Lknjmkdo.exe
1612	Mnlfigcc.exe
4944	Mdfofakp.exe
5064	Mciobn32.exe
2572	Mjcgohig.exe
828	Mnocof32.exe
3696	Mpmokb32.exe
4748	Mcklgm32.exe
1008	Mkbchk32.exe
2728	Mpolqa32.exe
396	Mgidml32.exe
1664	Mkepnjng.exe
4960	Mncmjfmk.exe
1272	Mpaifalo.exe
5088	Mcpebmkb.exe
4724	Mkgmcjld.exe
2420	Mnfipekh.exe
2092	Mpdelajl.exe
3112	Mcbahlip.exe
2208	Nkjjij32.exe
5084	Nacbfdao.exe
1672	Nceonl32.exe
632	Nklfoi32.exe
4804	Nnjbke32.exe
3212	Nddkgonp.exe
4340	Ngcgcjnc.exe
4392	Njacpf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	905a14158440f315b2691f08ce87e7a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lijdhiaa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4500	3768	WerFault.exe	157

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 940	1488	905a14158440f315b2691f08ce87e7a0_NeikiAnalytics.exe	85
PID 1488 wrote to memory of 940	1488	905a14158440f315b2691f08ce87e7a0_NeikiAnalytics.exe	85
PID 1488 wrote to memory of 940	1488	905a14158440f315b2691f08ce87e7a0_NeikiAnalytics.exe	85
PID 940 wrote to memory of 2088	940	Jagqlj32.exe	86
PID 940 wrote to memory of 2088	940	Jagqlj32.exe	86
PID 940 wrote to memory of 2088	940	Jagqlj32.exe	86
PID 2088 wrote to memory of 4712	2088	Jfdida32.exe	87
PID 2088 wrote to memory of 4712	2088	Jfdida32.exe	87
PID 2088 wrote to memory of 4712	2088	Jfdida32.exe	87
PID 4712 wrote to memory of 2448	4712	Jibeql32.exe	88
PID 4712 wrote to memory of 2448	4712	Jibeql32.exe	88
PID 4712 wrote to memory of 2448	4712	Jibeql32.exe	88
PID 2448 wrote to memory of 4916	2448	Jaimbj32.exe	89
PID 2448 wrote to memory of 4916	2448	Jaimbj32.exe	89
PID 2448 wrote to memory of 4916	2448	Jaimbj32.exe	89
PID 4916 wrote to memory of 3472	4916	Jbkjjblm.exe	90
PID 4916 wrote to memory of 3472	4916	Jbkjjblm.exe	90
PID 4916 wrote to memory of 3472	4916	Jbkjjblm.exe	90
PID 3472 wrote to memory of 1784	3472	Jidbflcj.exe	91
PID 3472 wrote to memory of 1784	3472	Jidbflcj.exe	91
PID 3472 wrote to memory of 1784	3472	Jidbflcj.exe	91
PID 1784 wrote to memory of 2672	1784	Jpojcf32.exe	92
PID 1784 wrote to memory of 2672	1784	Jpojcf32.exe	92
PID 1784 wrote to memory of 2672	1784	Jpojcf32.exe	92
PID 2672 wrote to memory of 3420	2672	Jbmfoa32.exe	93
PID 2672 wrote to memory of 3420	2672	Jbmfoa32.exe	93
PID 2672 wrote to memory of 3420	2672	Jbmfoa32.exe	93
PID 3420 wrote to memory of 464	3420	Jigollag.exe	94
PID 3420 wrote to memory of 464	3420	Jigollag.exe	94
PID 3420 wrote to memory of 464	3420	Jigollag.exe	94
PID 464 wrote to memory of 1284	464	Jdmcidam.exe	95
PID 464 wrote to memory of 1284	464	Jdmcidam.exe	95
PID 464 wrote to memory of 1284	464	Jdmcidam.exe	95
PID 1284 wrote to memory of 1660	1284	Jfkoeppq.exe	96
PID 1284 wrote to memory of 1660	1284	Jfkoeppq.exe	96
PID 1284 wrote to memory of 1660	1284	Jfkoeppq.exe	96
PID 1660 wrote to memory of 4228	1660	Kmegbjgn.exe	97
PID 1660 wrote to memory of 4228	1660	Kmegbjgn.exe	97
PID 1660 wrote to memory of 4228	1660	Kmegbjgn.exe	97
PID 4228 wrote to memory of 3324	4228	Kdopod32.exe	98
PID 4228 wrote to memory of 3324	4228	Kdopod32.exe	98
PID 4228 wrote to memory of 3324	4228	Kdopod32.exe	98
PID 3324 wrote to memory of 3724	3324	Kgmlkp32.exe	99
PID 3324 wrote to memory of 3724	3324	Kgmlkp32.exe	99
PID 3324 wrote to memory of 3724	3324	Kgmlkp32.exe	99
PID 3724 wrote to memory of 2408	3724	Kmgdgjek.exe	100
PID 3724 wrote to memory of 2408	3724	Kmgdgjek.exe	100
PID 3724 wrote to memory of 2408	3724	Kmgdgjek.exe	100
PID 2408 wrote to memory of 436	2408	Kbdmpqcb.exe	101
PID 2408 wrote to memory of 436	2408	Kbdmpqcb.exe	101
PID 2408 wrote to memory of 436	2408	Kbdmpqcb.exe	101
PID 436 wrote to memory of 2860	436	Kinemkko.exe	102
PID 436 wrote to memory of 2860	436	Kinemkko.exe	102
PID 436 wrote to memory of 2860	436	Kinemkko.exe	102
PID 2860 wrote to memory of 1952	2860	Kphmie32.exe	103
PID 2860 wrote to memory of 1952	2860	Kphmie32.exe	103
PID 2860 wrote to memory of 1952	2860	Kphmie32.exe	103
PID 1952 wrote to memory of 1244	1952	Kgbefoji.exe	104
PID 1952 wrote to memory of 1244	1952	Kgbefoji.exe	104
PID 1952 wrote to memory of 1244	1952	Kgbefoji.exe	104
PID 1244 wrote to memory of 1212	1244	Kmlnbi32.exe	105
PID 1244 wrote to memory of 1212	1244	Kmlnbi32.exe	105
PID 1244 wrote to memory of 1212	1244	Kmlnbi32.exe	105
PID 1212 wrote to memory of 3328	1212	Kpjjod32.exe	107

C:\Users\Admin\AppData\Local\Temp\905a14158440f315b2691f08ce87e7a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\905a14158440f315b2691f08ce87e7a0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\Jagqlj32.exe
  C:\Windows\system32\Jagqlj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\Jfdida32.exe
    C:\Windows\system32\Jfdida32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\Jibeql32.exe
      C:\Windows\system32\Jibeql32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        28⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        43⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:828
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        56⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        65⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        71⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 400
        72⤵
        Program crash
        
        PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3768 -ip 3768
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
80KB

MD5
11fcd5d9c0588a733739ee7820089524

SHA1
1d788af1c46588c931030c197ffef0f4be558a7b

SHA256
389331762b04e72f82d21a184ebc42bfbfb6ba65f6d95bfbafe55285e2c110fb

SHA512
406c2ddef356ceaafc216dd4d0d35d52a31a503851be3014dff0f24ad561fc90dee8bddac6b44a74247fce55d4279db93ec57a29df558e475d85619c229527a3

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
80KB

MD5
9a50674d14469f6bdb56ddd76512416b

SHA1
feea79797ac3100c52f9eac59eb4ef26c03dd8ae

SHA256
7c117444d43a7f6254e19bded12c92db828f951633b0c1e725bab73d618f920d

SHA512
c4e396eee5db320a815201ab2051a81aea3f40644150c454ec63b299d9826fa7cc921ab90b8f13162359d7ebc383a1476942bfb5dc51701980457e928b29dfb9

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
80KB

MD5
a846a60394eabc0eca13bb183cc144ff

SHA1
71d20378606d68c1236b5ebb1fe2e2dd50247d67

SHA256
4346add47220fe5f77173b7f39ede8d90dc47ca906038f05a79f250ab67aaa61

SHA512
147c8f3b89234f9da0fa6a9e1da1401a2226f24f65bdbaafe3c4895432d198170dda9769b7858fac7c7ea0685a3cf98243239f6cba32fc345486108a865ff3a4

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
80KB

MD5
0abf6bc062fccafb673c88c357e75d5e

SHA1
0d15a1163f9e00f9418bc66341f647d8a7427983

SHA256
515207c1dcebd1aed7f48a2bd68b9f394f9844be620d86626fbe92de7647af3f

SHA512
db43aa5a74064e0a30f0a6995334727acc0f26e87d0a5f978cb821fa7777f8126cde2487fe2567fcd10b6e78354b7f49829edc1fbf8e1fb4008dfa024b2c773f

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
80KB

MD5
616d87d6b62c71f44c5a846f778ded8d

SHA1
a93be9eda3b55c9e57d8eaf6a26bd7afb86bc2d2

SHA256
fdbc6d87c0ff7585b7e00cf6dd7cd33ba9fe22845cc7ea22de87365f0fa16039

SHA512
f54b234dbc7757e37aa0219d3b977e7c5db2f4665da016395d7a7291035897e7095e38fac61cda7a24beda796dd8cdabb39e5513a8ba410e142e4732bc2e9d6a

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
80KB

MD5
ab938cb3cc42ca2959f8f089616b5670

SHA1
fd9468d893ba4b4a0fd9dbf6c437bafd07cdf250

SHA256
170a0377b01252712a5588132ed1929a65bc775ad088f6788eb15f66ef8fe87e

SHA512
337e0a0039cccc81ae060e514c9d7d69dd62a1b56f50cb4aec41a5ec4bb53fb1717b8db17f31ba2d32f551c0143878d8efddadee0ce43f888694c7d48c22c2b7

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
80KB

MD5
f3c6628ed5cc675b249a069a63b0964a

SHA1
2b826a1643676a2d77bfd6678be993c5134e141f

SHA256
bb4d205bf7afefe5a57f2c6b0d6281164a35303036b3faa5a6c6ae611fbaf29a

SHA512
b75267fab2cf7c545d071b9627d2fcf2542b8e1c1634f480a803d89ffede10d639630e7f01983d444c15b43dc17c69c44d74e83525be7bc1bcf611055bbc6b23

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
80KB

MD5
a648379564687f84224ee745b4ab9e1c

SHA1
bab9ac605fbecb908fa75ae8a49f0e2611a89ce0

SHA256
02189ecc157398803cdf6ce7798f6fcdac926b7c9f596a38e4f1e47254070711

SHA512
7b41c567e29f06699ff7ddc93867fe93c99b7c5ca2154c5b4786a568d390767061370b5a3376295165c3de64d113496d560887e684a0859d72e5989ab2149fe1

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
80KB

MD5
6b7aecf7e61f9cfccb764f6039580283

SHA1
84bd7f60d24a25ec97e6a36f5bfa4cd3f4a77706

SHA256
127627816960389a833147df78311ea3390ffd50566cebb03a1f3b7592208d08

SHA512
616f50a12970d4c0b8becfcf3888e803366c79f6ba7b27c535bcd0ab9313acba59cccf3d9f19274fbf4f78a3ea9e5a09b908e127311dfe61b7ed741ba9e5bd78

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
80KB

MD5
765db444c1d8ca29916079a8db99d3f9

SHA1
edbe2533bf05ef64df815fa244f8aec49971468d

SHA256
d46a3a10413f1eeee47fd405fac2b92183d7cbe78e4ba2760cbc3b3bdec4f680

SHA512
f0acc57613c92b99b7bfb936e14c0173861f0d723fef27fbf38591428032c3c8d2c3a48c5cd875f4baaf025ec4b6b7c25ef986f3dba248a9ad505f0e1aa3c484

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
80KB

MD5
6838668a47c4f08350f6d38a0004f383

SHA1
4044e572e4c6df8a1fee0d06d63ecbd0ee86f13e

SHA256
7ce3aeb226a00fc81ed521b7a05abc168bd3921016dcb0860674b22854793e5d

SHA512
c126201bb1fa2e58c0649a39ae90efc7528ff3be0115a962a8b4e312b81a162eec50f976ff000fbc9d42fffe59ce76b09959e8a11e46bc43ef888d011b1072a9

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
80KB

MD5
70b62919fd6f62249b9446e4a911f7a1

SHA1
cc5011c591f6b16b920fabeee0871242974c36d5

SHA256
48046bfaac725c6cd3164854de531f5df45fcfba6cdc1677acb27813f0a990f1

SHA512
3bb2c8d17ca89f880f5f004d6378d8cd926b4b3e3c41505d6b9aa860a67badde9306f9b6818809eec92e21204e9ab619acdcf6a10c1f820c2e7bedb2a98ba01e

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
80KB

MD5
4845c092473828d8397d9057d0b6b300

SHA1
7d57b7c5e0bf42aeba92cfc72b353fb4bc98ae1f

SHA256
9a3622b9f7c9959f23db4f6c02f9d7f1742ceb224eb56269dec19bd1c427776f

SHA512
2169967114b176f80b9d912bd2d1b5583133061a8bda47a92ecf72b493acdc0956ee7f759ce3df5ca86087de6a2f710ae1a092b6893400e285374c1e49689283

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
80KB

MD5
3374406c2dc6b6bfaffaafbcca3c2f20

SHA1
35c8daecf0d1f1dae8993664025843eb74aa2d43

SHA256
24bc0dd1f96d97a19d63b875ff8a2ff229012c8206fa7e7e4becc617e0cbedc7

SHA512
662a4dcf1a183dc228911751ee719a7ff2fec6cb6bd113dbd9d3d2d1e4d5a90cfba4250a785a4dfb55e5ef446b5e938fcabc15fe52fa6409c13bbdbc57609c42

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
80KB

MD5
10a8e3dcfdb17e01449f86fa1cdfd676

SHA1
16c551193eafc05a5f157df28b1e6de9ad7a9f76

SHA256
1eeb06c1052c95298b52ea0f35b297c83b3fcb8b7a5eb980c4eea31e0fd1b230

SHA512
ba917a1cf58386b92ee083e79952d5f0953e93e5125ff23e988c8fa44d3af9aabc423ad69ac6d5de0c63749f0e474f63fe46ec2d3214df1b70ac0a2ef334f8e0

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
80KB

MD5
e55a398a23ca28d97dcc3f5403c01a9e

SHA1
c7a483e60067fe975bf2b5c10de2b2aaa0e478a5

SHA256
c0393c5817eda595774bd3912225c061103a6d425972371ed7b54ced5201df1d

SHA512
6d34dd0d7e09982399919e13d0ac17349e2e13ec2c1aad47df2f41b7a0e6ef0c885f0da8fee3f2d036993db421e8784e9cdc3d1c3a233c28414abb55f8bf60d3

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
80KB

MD5
6d89fd0239ca0106dcccecd395bd20e8

SHA1
ee1c98ba6555f57813860f37c1f2a64177a9a5db

SHA256
1aaf93e8fca509f9026f4d3d3c9eec9ccf1f8edb3239b74e2d960f1dd1c50da2

SHA512
161d93327093bb1ec8712534fc39c1fdbc2198670a700ddcd94e189a06d9587a405f135e278ef1b4b20f792660a122e75870318b8efa4873f1348124e068c145

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
80KB

MD5
2c509450e5ceae55fe129bc81a10752c

SHA1
93d6673d2a1239e0c6e1142c79960d8a8abf9a7f

SHA256
19fc40e9880b2fb65c551229dff79b51176c3043d37661f85d4f6e1cf811e60f

SHA512
eaa30666d4d62791da2efe216c7a48bf430079b1e4a5083e563a93ba47e2d1384dbce9489e3ecd4baaf459ed3833c702b841d3506a53ccc882f51bcb592d33e6

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
80KB

MD5
96fe65a4d60fb052eb3f89f5fff45f33

SHA1
8c068707172aef3e42467f3355fc1113a9f43744

SHA256
44f253677e288065de55648794743e196c4c57bb2b2f95b40f353111f07aec38

SHA512
7a57772bbeadc668f323278522a40f4469f38bf1931a5cfe264114d55b7aee3de659c708f9b430e654124089ce4839f9360f47df9031403a56d2a18b3fec40e9

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
80KB

MD5
cbc62dad29d9372e48127e5e74758016

SHA1
3dc785df86442eb3b807dc5f6be14b610be27d64

SHA256
5207ed8e39ac4fe2b131a692e15614f5a854f3c879f52225bc9b8f6b3ddda684

SHA512
6760372dd0a7af5c6fe8f0dde829522aaa08dd4cb0e8e8f394b55256f573c17eb00fa186bcb14fa88463128ce973b0e4ee28efb43d091b7f69440e2450b61f87

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
80KB

MD5
4f79f01aebf1d8c2ca94d07e912f6522

SHA1
99c8f31f8e4db2ea7d81ec86a1d10681d607696f

SHA256
da12a800a85f3cb890a4b2a99de5eb00156830970e8dc28df54de7e40a815cab

SHA512
76b87f64018a47779c17c4df415d7d475ca673f38fd4b029d89ed2439e8501a28f35d3282fcbf4cd6cb9fca8ff34e4967ee93e526d74381b1c54db17f5903662

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
80KB

MD5
d7aed919dc72e894ee84f0e0b04a5faf

SHA1
4383e31d895cbec243aaaa0f74e4d18a0482c85e

SHA256
c8750b1a605a8f5760d969f500bd2173547b4266f3387acfab7a7049fd0fa692

SHA512
74ba241efa0e264bc379ad79ac62db1f34da33b82f45f853643ee06ad84cbe834da41d754be607c76a2f9f731fe92db74454d1171d075900bc2521b2ac81036f

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
80KB

MD5
ac0e37f8f2182225234089477536a936

SHA1
bea13a2622452370a08743078e1a6c1bcc92c5a2

SHA256
7be123c5c452e14bdc865832a74aab8812c5ce8e67437985d00aff4c2ac3db23

SHA512
50e2b395fa053ea8ff5bd68c3275f3d871bb5b511f88017ffd8dd8aae6ab48ae495ad552f99efd39f34ab8fc88dd3c481bd8e5401c656d608b29c68bdd94d12f

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
80KB

MD5
add8f2d82d070f0fdcdf064c11d151c0

SHA1
103e5535be01c97b7602033deaa5652aab88a43a

SHA256
ad6c6eb79576536a29768d1e78f7205d720e73bfc3b3f8494255c6aa54774986

SHA512
ed182f228cf0058c1dd33983798f25183da878192df8268d050ce8fe4de2257bc929ae54d02d6758580602f098bebbdad9b5e7179e24901b7c834184a78a316c

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
80KB

MD5
5a56207f62b67e7a25e0dae8f71e0fda

SHA1
e4a3d1dac4bfb9b718c51cf7f6c25f8ececd8a5b

SHA256
8da724eef8990e703358a491dd272e842becda94904dcd5f9a4d242f48013bad

SHA512
42bdcaa9dda8a2594cca862e06038a62d50d592a2a97816ca7d07b52b4cd26350d0b2b0edf7fb7177d74f2e1a0d80bc067375f0b5b2c280e25143e4615cfc7bf

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
80KB

MD5
d778e0b1cd5dcfa8711d7bd13cbf7402

SHA1
68dc091584f094fa83b213725a767213a7a619b6

SHA256
19d96f9c9bb7a36afee85248d42e0edc8dc34c5c2a0a431e2621c8e89151adbe

SHA512
1c2ad0a38ff132bffaeaf6736e61a79720c9c2ab96ca342aa76f8f0e2816551f597041d5c987ff3faa6baa52e025c359c4c6830c6398a6d1999f9e82a0531142

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
80KB

MD5
57a2562322d1e06c6a21294ae44b0e3b

SHA1
55b419daecab6111314ace11e753f4c1c4511faf

SHA256
9d370aec68253332d05360fdbfdc146ce4ebc1c2fcbb6b78cac0cede97514ae7

SHA512
bff27ae131f322e449f22872cde80fff7dc9e82e2bf7c1ae37537bcf58ef4e757f2b84221c87c8b8b9d7be166ad8635fac6f0431b384c66b0032c42ee5207454

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
80KB

MD5
48f43949987b320f305dd7993a92e3b4

SHA1
475bdcecbbbaa4113280f2315d10e8fd048a9726

SHA256
a584c3cc4b4078b7790b06359003d93598f36abe342fc06f6baaf2871112dcf2

SHA512
9a3d9ecf5108f45eb41201c290c0f56e98871aefd89e0222c12908a71012c9ad0ae5763ee4e2459c23d74ce59d1d8fd2bf200293ed2bd01ceb60e0013383d724

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
80KB

MD5
acf73ba9ccdf4c6753c0bf549d2b45a8

SHA1
37021d32e413e00d13820c772f1c07d4f0e363b6

SHA256
02c9f423fb170500c334c4da92a1e7820d35039030ce040423c734f032cbb48e

SHA512
bc76f1a21e311d911ccf2b1c4e1a113e23d362f3a984d4c3418ff60828a6ca97b4480d48ae7a034dde881408b70c8e6636b69a78306eff80afb7506f66312b67

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
80KB

MD5
3a2e1d844fe92ed334e92b93ff9a8ef8

SHA1
8885331d8841926302875fe946abc3053c79f009

SHA256
dc052e75ebf6691d918957e5d3fa78d84455a44b4e2705b22747296852e2d838

SHA512
f4bc0238ae136b7cbd0942340cbd3d661fc1a00759bbdbcb10629e7ae5f928cbfc15b0ed17ab188be2acdb364f1671976797e4c0dabf1e07807a26f8063c0a98

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
80KB

MD5
176960f537845a5bb61aba8fea08ad7e

SHA1
ac1984540ab58547ebe777968db1e1a40254b0da

SHA256
123823684110a3c66677128c63d3228f8f922b40acbf867f528bc3550ed1ca1c

SHA512
7f198d1fef5aac8491568276deba18f04f550a9a811183878e6e4cc66318003816a3b6683593277f26ae92f141117ed0e68f995101aec4b4f5723ed7773c5905

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
80KB

MD5
c05a64ca311b1676415c35ce20fc707a

SHA1
e67298bdb6e7f3db1191dd1dfbeebd886711b9c3

SHA256
717ab6b8cb99a1569fc86580f56322f2de3f9881d353672d5ee71b80892adc6b

SHA512
89c3a8989b84ec7d0d82f45667d5722e0ec114d15fb78a16659b4302c3efc74276165fbb7fe586199715fd0d123b4446c71f410959f7ef6f549c8ad07a2b896a

Download Submit
memory/224-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/648-506-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/648-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1212-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1272-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1272-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1488-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-505-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3324-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3512-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3512-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3724-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3768-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4748-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4748-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4960-500-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4960-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads