f00bb5197a7c4ad08c85fee63ad592a6da5862e63dc27e66cad7c5989547357d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 00:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe
Size

301KB
MD5

42ef84e0df181881bd19e67a1eb14680
SHA1

6f741955ef3dc335f0d1d1c36c87d7834d717a85
SHA256

f00bb5197a7c4ad08c85fee63ad592a6da5862e63dc27e66cad7c5989547357d
SHA512

1da844fa38ea0402840e9351f27b4831b0befd95d0628134df6691c30cc661f8cdf21b93d8cfb095812c4b72c6e800af311fcdd17033d29d9e266e7b38c1c1cc
SSDEEP

6144:a4A2lemZfm+kte+MZmYm+DakBpvXBwNBezP:Jie+Y/+TezP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe

Executes dropped EXE 64 IoCs

pid	Process
2924	Ijfboafl.exe
2352	Imdnklfp.exe
4496	Ipckgh32.exe
3880	Ipegmg32.exe
2652	Ijkljp32.exe
3664	Jpgdbg32.exe
2988	Jbfpobpb.exe
1996	Jagqlj32.exe
864	Jdemhe32.exe
2236	Jjpeepnb.exe
4784	Jbkjjblm.exe
2368	Jaljgidl.exe
3644	Jfhbppbc.exe
4384	Jangmibi.exe
2596	Jdmcidam.exe
4968	Kmegbjgn.exe
816	Kdopod32.exe
1368	Kgmlkp32.exe
1760	Kmgdgjek.exe
2452	Kmjqmi32.exe
592	Kphmie32.exe
4024	Kmlnbi32.exe
2004	Kcifkp32.exe
4484	Kmnjhioc.exe
3620	Kckbqpnj.exe
1640	Lalcng32.exe
1532	Lcmofolg.exe
2968	Laopdgcg.exe
5056	Lcpllo32.exe
1812	Lijdhiaa.exe
2036	Lgneampk.exe
4104	Lnhmng32.exe
3376	Ldaeka32.exe
3904	Lklnhlfb.exe
4168	Lcgblncm.exe
4124	Lgbnmm32.exe
4184	Mnlfigcc.exe
2556	Mahbje32.exe
2872	Mdfofakp.exe
2020	Mgekbljc.exe
4448	Mjcgohig.exe
1864	Mnocof32.exe
700	Mdiklqhm.exe
2860	Mjeddggd.exe
4084	Mnapdf32.exe
3500	Mdkhapfj.exe
1992	Mkepnjng.exe
2560	Mncmjfmk.exe
2084	Mdmegp32.exe
4112	Mkgmcjld.exe
2064	Mnfipekh.exe
4404	Mdpalp32.exe
1116	Mgnnhk32.exe
3368	Nacbfdao.exe
1472	Nceonl32.exe
3440	Nklfoi32.exe
2468	Nnjbke32.exe
4064	Nddkgonp.exe
4004	Ncgkcl32.exe
2736	Njacpf32.exe
64	Nnmopdep.exe
2996	Nqklmpdd.exe
3400	Ncihikcg.exe
1264	Nkqpjidj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ijfboafl.exe	42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3100	4108	WerFault.exe	154

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2924	1320	42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe	83
PID 1320 wrote to memory of 2924	1320	42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe	83
PID 1320 wrote to memory of 2924	1320	42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe	83
PID 2924 wrote to memory of 2352	2924	Ijfboafl.exe	84
PID 2924 wrote to memory of 2352	2924	Ijfboafl.exe	84
PID 2924 wrote to memory of 2352	2924	Ijfboafl.exe	84
PID 2352 wrote to memory of 4496	2352	Imdnklfp.exe	85
PID 2352 wrote to memory of 4496	2352	Imdnklfp.exe	85
PID 2352 wrote to memory of 4496	2352	Imdnklfp.exe	85
PID 4496 wrote to memory of 3880	4496	Ipckgh32.exe	86
PID 4496 wrote to memory of 3880	4496	Ipckgh32.exe	86
PID 4496 wrote to memory of 3880	4496	Ipckgh32.exe	86
PID 3880 wrote to memory of 2652	3880	Ipegmg32.exe	87
PID 3880 wrote to memory of 2652	3880	Ipegmg32.exe	87
PID 3880 wrote to memory of 2652	3880	Ipegmg32.exe	87
PID 2652 wrote to memory of 3664	2652	Ijkljp32.exe	88
PID 2652 wrote to memory of 3664	2652	Ijkljp32.exe	88
PID 2652 wrote to memory of 3664	2652	Ijkljp32.exe	88
PID 3664 wrote to memory of 2988	3664	Jpgdbg32.exe	89
PID 3664 wrote to memory of 2988	3664	Jpgdbg32.exe	89
PID 3664 wrote to memory of 2988	3664	Jpgdbg32.exe	89
PID 2988 wrote to memory of 1996	2988	Jbfpobpb.exe	90
PID 2988 wrote to memory of 1996	2988	Jbfpobpb.exe	90
PID 2988 wrote to memory of 1996	2988	Jbfpobpb.exe	90
PID 1996 wrote to memory of 864	1996	Jagqlj32.exe	91
PID 1996 wrote to memory of 864	1996	Jagqlj32.exe	91
PID 1996 wrote to memory of 864	1996	Jagqlj32.exe	91
PID 864 wrote to memory of 2236	864	Jdemhe32.exe	92
PID 864 wrote to memory of 2236	864	Jdemhe32.exe	92
PID 864 wrote to memory of 2236	864	Jdemhe32.exe	92
PID 2236 wrote to memory of 4784	2236	Jjpeepnb.exe	94
PID 2236 wrote to memory of 4784	2236	Jjpeepnb.exe	94
PID 2236 wrote to memory of 4784	2236	Jjpeepnb.exe	94
PID 4784 wrote to memory of 2368	4784	Jbkjjblm.exe	95
PID 4784 wrote to memory of 2368	4784	Jbkjjblm.exe	95
PID 4784 wrote to memory of 2368	4784	Jbkjjblm.exe	95
PID 2368 wrote to memory of 3644	2368	Jaljgidl.exe	97
PID 2368 wrote to memory of 3644	2368	Jaljgidl.exe	97
PID 2368 wrote to memory of 3644	2368	Jaljgidl.exe	97
PID 3644 wrote to memory of 4384	3644	Jfhbppbc.exe	98
PID 3644 wrote to memory of 4384	3644	Jfhbppbc.exe	98
PID 3644 wrote to memory of 4384	3644	Jfhbppbc.exe	98
PID 4384 wrote to memory of 2596	4384	Jangmibi.exe	99
PID 4384 wrote to memory of 2596	4384	Jangmibi.exe	99
PID 4384 wrote to memory of 2596	4384	Jangmibi.exe	99
PID 2596 wrote to memory of 4968	2596	Jdmcidam.exe	100
PID 2596 wrote to memory of 4968	2596	Jdmcidam.exe	100
PID 2596 wrote to memory of 4968	2596	Jdmcidam.exe	100
PID 4968 wrote to memory of 816	4968	Kmegbjgn.exe	102
PID 4968 wrote to memory of 816	4968	Kmegbjgn.exe	102
PID 4968 wrote to memory of 816	4968	Kmegbjgn.exe	102
PID 816 wrote to memory of 1368	816	Kdopod32.exe	103
PID 816 wrote to memory of 1368	816	Kdopod32.exe	103
PID 816 wrote to memory of 1368	816	Kdopod32.exe	103
PID 1368 wrote to memory of 1760	1368	Kgmlkp32.exe	104
PID 1368 wrote to memory of 1760	1368	Kgmlkp32.exe	104
PID 1368 wrote to memory of 1760	1368	Kgmlkp32.exe	104
PID 1760 wrote to memory of 2452	1760	Kmgdgjek.exe	105
PID 1760 wrote to memory of 2452	1760	Kmgdgjek.exe	105
PID 1760 wrote to memory of 2452	1760	Kmgdgjek.exe	105
PID 2452 wrote to memory of 592	2452	Kmjqmi32.exe	106
PID 2452 wrote to memory of 592	2452	Kmjqmi32.exe	106
PID 2452 wrote to memory of 592	2452	Kmjqmi32.exe	106
PID 592 wrote to memory of 4024	592	Kphmie32.exe	107

C:\Users\Admin\AppData\Local\Temp\42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\42ef84e0df181881bd19e67a1eb14680_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\Ijfboafl.exe
  C:\Windows\system32\Ijfboafl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\Imdnklfp.exe
    C:\Windows\system32\Imdnklfp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\Ipckgh32.exe
      C:\Windows\system32\Ipckgh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
      - C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        38⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        40⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        57⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        61⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        69⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 408
        70⤵
        Program crash
        
        PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4108 -ip 4108
1⤵
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
301KB

MD5
66389bf84da09a36edd2eeacc5a742b6

SHA1
cc7a8161a394e45531cb7ae2f797a2e9b530ad05

SHA256
116790faabbfe30e500fd42a14cb41cb247c7e996ae2a55bd023ee9559db15d3

SHA512
0d71dd8c6a802d31f914c8d4cbb75bcb62ce90cf00b2dff838107a85443df5508b0af85aa60e10c5a9b4afd32d71bf83674a401f7f3dd2f1765a475e075a06b6

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
301KB

MD5
5db7c03f99cf97d89a95a851f4abcd06

SHA1
27e3f5a00031f683a086bbfbaeaa22f2d3feb34a

SHA256
285fd502f04da22eb61149908fcb10aa35a637ecbefeea7bd5e6d29440a56593

SHA512
8a3bf5be304a9cdb1ed02ddb9c1fe286e74061884ee0267ce254b40753557879e529eb1263ee7321d9a9afb4b8c3dab9cb56ba8c9f5c0924ebedb2fa3f12e8a7

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
301KB

MD5
4ae44bb5d3e5dba89734e9f2facb9803

SHA1
e590ced76d0cdefa8676f36b69bfa328acd8b397

SHA256
fbf235b27b7a897aacf447e537c470920d48704a62e477dd1e194550d69c343d

SHA512
a9c175309b955a97a17110d932731f036304195c1bf970b12fc33c5750fea569f34941de2c423a9709e8d259941a5d8ee57da4497f94c4bd91b4f2fce2d0635c

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
301KB

MD5
f229159b964071a9cb536d44abe0f17d

SHA1
86a68c121f5eb5bee4ab72940114086ade7d9065

SHA256
971176f9db2d316d6491f5f958bb3e972c86191c8aaa32ab0133047ccaaf8f41

SHA512
ce0fac7eb757eecf39751fa4af6f569b238bba7a16e3d7ce2a6a2e4ebd9dc6ab686ee8ea43465b5bd88943759ba072b2fa8fb24650dac413d4d5310a28aa6ff5

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
301KB

MD5
a88126fdb278691cd251da7f1a7a2205

SHA1
e738dc5e656eb99c23aae8330400503534ddb7a7

SHA256
7e15b6872cb836d3f7bb21c2e2a01399946af7dab7793e089784612fb7c860b3

SHA512
b481576785758348236e7c3e2ddd515cd2d4a8aff3540970845436960380a7fdf1cc419ed383ed9c049871c3a9028c54e1f8a9fa8f9fdf9a244ee29522460d56

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
301KB

MD5
81cdab80fbf1da399f07de33b90c449b

SHA1
e61f2142544c49c0d008cda6db46c965e1ba28fc

SHA256
dd433f3304a3b83ca53695bdf21c914aee393ff7b2c61083d86dd8543d33b301

SHA512
fad4c4f56f2e0e6a6b01df44673713397011cf3d37600f164d536ccd09b63f1586479630803d56e09f849f38c4313b115fde8f0c9f19fe1164618da9311d7789

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
301KB

MD5
02212b21fa6dc67e00a028f2a73e5072

SHA1
2c6bf89f5ffbcc7442d3ca623ed5d06a417109e4

SHA256
76fe1ecd96dc82f73fa78a924b0b02944b919be09af11d3018cf5fe84aece486

SHA512
4863dee0082b1613259a1cbf2c8a756123a45380504021b59b561fcb76a35e61e72c3a138c6031ea7664518c9fbd51d3acadea990605e6311e6a6ccd28f5f2ec

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
301KB

MD5
6f7b0f435b2b9c8859834c7b507576c0

SHA1
0919df622c5ccb94eddf25e13fac26472a55a726

SHA256
51620c7762fd63bf70582eea12d696fd28ce833baff562e9e9f2c4a4f1d016f9

SHA512
10a6f036564717b13f95d851fdd4171c37bd1977f9769a0265bdfbb3fc9fe5fefbecc90fbf045f40d0662819ce4f0cc35dc89412d2f52cafc05a0712d0eb0b04

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
301KB

MD5
0ed6a8160883afb3a9ed2c0fc179db4d

SHA1
303bc0147fd06f1b1edace89ceaa48a7925f984e

SHA256
230f11bc8c39f990f8c68f3358d81043c14381ea64bd9268c9afa78e37371b12

SHA512
489eb65bc44bd7ec3127291b60876f12970723f482c1f18d1466b526d187ed47131f9df9714d543533d42efff493fd2be65c8d418b36339ed856e31f3acb9739

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
301KB

MD5
c059a516000eaa85727b36967b100bdf

SHA1
3878954a3f0da1232db9a45620211d08784e41e6

SHA256
cf442e15e1cf1db7be3ed261941fd9acaaa3304ab9da9878c934fafc2056c2a5

SHA512
089c6050ee0702858b7016d1ac265a8eab01bf4aa307e1b65899c1ea2d8c501c66a491a12f3c2673bad827db974fb95134183fcf2d9d2adcf97a6b1bf477990e

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
301KB

MD5
4483a9bbe5a1579f1216284684cb9da5

SHA1
9b72f7697d67f99bde12858d2e12e0a3aea1359a

SHA256
4bf5f31421ab76721127f86bccf8257d84ed59ee82d8ace7b5a36ce25eb746d0

SHA512
4f53230b7c8ac2faf8e53619f0c54e95b13b7579a68dc3e3922b5e5f5ac0718fda0f5f7ca7d0e9ed403440c5c967a5bff296b01d02e7bc731384db88b9bc575f

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
301KB

MD5
386838b76b00cd3b4d176e4c06557812

SHA1
4f953475037e82a42bd25f983dd5778d406a5f4f

SHA256
7f436fa5394f25182090fdbe36fd3cc85d2a9eb9aad1f26a41aa84e66acd3b44

SHA512
d77be679baa12132946c574a1bb95f3657163d57a00088bc89c98d997332738c52d4bfca4ccfc70ee56dbc2628a8ea8ec77244a79bc60d0444154d09511be936

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
301KB

MD5
c8f12a399b33158ca5ae352388c9ed64

SHA1
118e058d86ba7784b6f02776018a996131c051d4

SHA256
85d05e39a2a1ef70fdb34e77a378df00d17de0f938f9b93411fba3e254842e58

SHA512
db2de826e9fed072cbf87b4e3401255d2750000471ea9e3878fb185a095d849bc2011bd00f010a477a34db760ec324a115afde97c50cc2b4361d014032803d1e

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
301KB

MD5
0d7a3b2d62be467f1db5619e0d65c847

SHA1
276f170fe4a92bb187a398b913fc362fdb090981

SHA256
915106ae4b45a6ffa57f48a4cec661439c43e5df65b3c0e075b8a14682eef98b

SHA512
24e05e41ff67b23d910b39c9a3881fb1a63aa22403a428d321d714d06ec52f807c694558cff72912366fb76b2b81e03845d92f2c7c5702f49f5e39c0f4618b0a

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
301KB

MD5
284d472025dcf012d96e5acc2665bf65

SHA1
9e6c1a9a11edc436449c09904fa0c27c49e97c9e

SHA256
aea7147cfe7fddb3b40b6cd3e3eb3c8ef750e0cfee5e21a48fc07746ca99d60c

SHA512
d4907a90673c0556302b01f01e5a902148e00449ab619e89c50e38e88ddebf840b0830cb5f192201ec1a94ae536a6ea15070bece5f7afb8be6b921ae70b4f59c

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
301KB

MD5
54a7f2d2b12ff83d93c39dfa60d281d3

SHA1
985c88c1e186574632b1a1568d0bc73ef860bcfa

SHA256
b16f7cde3271d4caaf2a2125366a9266cbdb421e50a6881567018314aa60d1d0

SHA512
96a08d676c078f937d136d36f9c036af7dc2a4c1d46db3e262772969223c50f1187c9622d31e23051f459e0ab88c93e5bb8a5112b3cf5c17832fdf8fd437a122

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
301KB

MD5
c29716e1c6d5552e38a29ccbab67ce44

SHA1
724c39bdaec139774b48679aefae820f175d7457

SHA256
bc88ca3b92dc383a07312c1093c4b9873b39266b90bb4924aa641bb354536ab4

SHA512
92843c7b61304577cd3a8cd5c68a1fafbf279217ee94631374919d902b70e526ee383b15e1f2d7a7324bf1225a5b055812e27d74f6515772e5775430d6f9e8cb

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
301KB

MD5
5a403704a92b7a7bc5b6627faa592677

SHA1
f38d7ed7c88219a8c4a950decf5b940dabdd98ee

SHA256
e985b78ffc3b86266175a5f1b31a86b1fe53c8c13e0bf75bf66fa84c50dd8053

SHA512
e3b2176408f26d4cd2723ac0757da36e60fff7da94432657a88ceff634e72016916acca1d56e184d19a3f27a936eb5062ded165797c9e26b1df3a02736619067

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
301KB

MD5
3fc326e87bbdd8ddc075fc51529cca26

SHA1
fd256682a19210fe8cfbd107d7c2b46d5e42597f

SHA256
1163662dad9a5348a4267fe44cd574480f8d4b03886ca6caa30ed3781ad19480

SHA512
27d44a2c54da9f976f1f72acfcea25f9e9df08d96ebe941a23182778db7a6120ea3b60d696af01f0f4231306ca0693f5a713ad5e7ca94c99906bbe17a237a72f

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
301KB

MD5
083ad6fa4b1a686bb9bc2e96c68e2a81

SHA1
c92f75b6f6287e0c62928fc1d47ad5cdf2672e36

SHA256
1618a014659ef11173250c4c34a525cd68007114c5fc1e17db0726340d204d92

SHA512
8afca98a85352735cfbae8e0a596aaaed3f38b4789b8b944dc2fc73662cd9b6e0242c1d944e92f70da3e81f47eb0b10aa9185b33c9b2cf9bddba9bc7da29ecdc

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
301KB

MD5
e8fc0399707970f04c916c35bee52bc6

SHA1
71209120689e98736a3506f4b302727c01b855a0

SHA256
0f4defa041cb58ec02b735e74143b4d660390564e20f0991a896557e078d3e48

SHA512
4f247a11dce2f3afd675a892691ffda2f88cefc4e54a0e9f1fc15673102a1da44127f7d1fe1a9d0038d33dfec9093e7d9659638e859aee04c8a82d8c7af3dd94

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
301KB

MD5
2a420625a766bf4ffc9b762f6b4d43f2

SHA1
1c878903bc2b863f0fd259655004626081504b6e

SHA256
6c3a5036149b2a12d23fa7bd2b8e3f14a074472d555c98c313182c76873d693c

SHA512
8c3cb681a9e27a89f2555307a51b93444d1c5343d2e1e99a35e59ff95d05ffceebf677c25757ba398ffd3896243ecd657b248234b587882c587d4a459da9b961

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
301KB

MD5
954eabe275f96d4906ccdcb3d9306be2

SHA1
bf9a37ca7a2aaf74b6eb273ce6d4a4c7b926070f

SHA256
921d3c20c291e130e6fb14a68257b9f59a5f4e27647249053d434e26bc8fd742

SHA512
81780e47da87b4d1ef56d592f0f5368b20c38a93ee14d9155e13ede15fefa095137941ad33311c1ca3df80a76fcefa6273a93108e71d0007727aa44fe9cf5bde

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
301KB

MD5
f7ceebead42a96cb44a6442d63fa4e4f

SHA1
b6d3e8e9d3d39e961060696bed0e1c393793492b

SHA256
3d743b85f6469916cda9a01eaa95dfa9d50bedc3d292d77bef48b20866a83f57

SHA512
1f80ecd661deb741b7b9aabb034d6cec25cdd996da889d3233a7711b88ca30a761dd61fa3d6bb7e5cddca0ea36b65b7911e2d0a2d9008c1a755b7dba5de89bcf

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
301KB

MD5
4cc3c63ecc596b997834417278b96001

SHA1
6a39a0be812a7bcaf971e30cfd4bdb4fca62064b

SHA256
c134054169257a8c27f33d8929ded46036b05429501e265e7b31e05d6d355e02

SHA512
f022b27ba74ec269f5243dfa26544e5324ddf2e41035c97aa942aacceee76058cb37c09de34f7470193afebfc7ff16af23e51ce23857c9fac7cd59e013cea4c6

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
301KB

MD5
07dfd1e259e07325a37924499cd95a6e

SHA1
75301c22b2accc8a686aea3da13575285714b15f

SHA256
82448dd28ca369a0eecb41aeacac5a16fbc4504d7b9b43474ccaffa0ae20a3e6

SHA512
325140c7a2517effb41021d0a0e43f93608d168f5fc817a683d0d9b919f49dc4c2ace4f0f274f6ac06a50bf9502a0a54660231e9b260c05efb8673d000439889

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
301KB

MD5
7e3eef6f4f182c371bee4da9608caba9

SHA1
11719bfb1c3d45ac0b75126234316afc5d491764

SHA256
4e0afe1b18e78e71e7cd3196f6477a061add029713e57f4d9c2d6c9ec8ddcc8a

SHA512
550d8fbbe4933ebb2230773ff79b761cd563d5f4e55b839ca7abdc4c01998e28b67a7e4d898b5102030c6e163ccea864736040681c71964f8b3871792b2a812c

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
301KB

MD5
07f7f64d48f7762ad903a6416e417299

SHA1
8f9ef88c91ea83c19a9cad37f493097c13ccbafe

SHA256
8b350dab247f9d3857fea5fc77345a1e5b2a405a08827a5edd5619a6f44e11ac

SHA512
2441dd45742543b9ceb039a3c1ea324ccfe56f224499eaf88d5f02697311b1469ea31861876f9514cc72f62877bfffe11d81ee8173e4d25a6836fbcd12b6a2a2

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
301KB

MD5
b30d5722954f47c0a31f670472c62e34

SHA1
b8802db5b1d03c563b3c5f8ce4f27f21a31b506e

SHA256
42f4ca055371f64acc2c67e5c0c1d89584729eeb6b557334ea8cf35a6de5b75f

SHA512
760588b5c474d36ba63d00eee6ca42f517be491bf8668fe68364b21c1430d5b8cfc6e388ffe368458c55bff4c764ce4e0f7f5396c384b9fd1bacf387c5299888

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
301KB

MD5
d73fa69cf01b96793b657781fda9265e

SHA1
12aae433b89ff577aebfbac65875e6cbc02c4785

SHA256
eb5c1fb52d17382b726cb1a7f5cb867ea4662ef45924ef1872f803f3e0327194

SHA512
95e6092cf8eb9d7cdb0d670be42a839c0672f118c341e53d9d04c5486b1365e3fffb89290609982ed76ff201bb436d831e529d068f5aebd43905bab62ff2fae6

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
301KB

MD5
0973f2aaa60a269ebc4361e5840c9beb

SHA1
dc0f7b1da9f064207ae0c6577498f9cc749545c6

SHA256
fbbf058793157ecdef0c855154e308e5254c1878492f2507aec1d09ff281fc1b

SHA512
fa69f19556d9936ba92b06167fcfde8084bb5554af0960a8379d2ab8dc1c0a7868d1b98e74ac04bea761eb9608211815ed4c39d784383cb43fd96390e2cfba5d

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
301KB

MD5
c5525918f69407a57a05267ff4781a79

SHA1
93a37a284f0622889ec3317ad99a688b96f4a92e

SHA256
e312241c9bfd4543945489b6910ee5b51a54434fa0a28b12c3a51937e0890c76

SHA512
20372017ea137d9a64c645a6e7b7a5f927496058dc9f6dbe1a49af1758868aa2d68c94cb2eb4c1e0cc2bfa7b35874792e170f9abf79170c0fcbfe0e2c7bfd6ed

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
301KB

MD5
9f61cca5d22cdb6289c04ab15e3fd691

SHA1
893dd458039d2bb381d89e7828826a0bdb2a83d7

SHA256
ef7f15f9128f2d97ca390a633a93c6b8415294d1b091c9b56cad2d6277b29933

SHA512
dce6d43eb27396ed115ec454321459e50e5e277641e472b27d3625367a43e46d513ed2227d955ca15f619cd86617b88039e90d1501f891be6f210e406d2f18c6

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
301KB

MD5
5c19cdacfb9a67a34d2e4cb14c956eb4

SHA1
099a0a5111abf0f0d3ed21ed4b03129941b10df6

SHA256
742a112d0114edbf06f6346762cd08eaeddd293c8d4bb12a62abc09ea31ee79e

SHA512
1ce6048c19038e1fbe943fc05101b2c3d73ba5fff368fe55b7260d7169139fde52aac378f93d0847c6dbe6f9dada0037fd9164e8998a2618e69549b0ca8e3124

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
301KB

MD5
a35e47e864ec87422eda2df8f8e820f9

SHA1
080832b0f9eb0d60fb89adc14f7a744c1dd8323e

SHA256
a105b511094374db1d8cf3b84af44da44c1b04caba56cdd4728045fe0ca0dad6

SHA512
ed0b6326143cb3fd7a41e5ec1923dde3f36facce6c812dda5ba2e1ff0c71b5db38455f88d8f8b511036555f77c23c36a361e823b9032630a106025402a3de3da

Download Submit
memory/64-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/64-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/592-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1368-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3368-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3368-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3376-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3440-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3644-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4112-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4112-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4168-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads