5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe
Size

182KB
MD5

7c39875b1dd6498587fcb19d4b7bcaf0
SHA1

edc7d5787fc0b40c058f532b18bfed97cb9f8c28
SHA256

5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89
SHA512

a384a88499b3a8bc89e5bca8156461a8009354ef69e29999959c21258d494943daa219ce7ef134b70c5e8e84a024af3067eb493b6f02b695b2181a75d24a74dc
SSDEEP

3072:dr3gpPVW/iP3Hj4sorf+ebCAULMjv/i+iiDOcuoosorf+ebCAp:GpQcD4sE4ArjXpOcLosE4Ap

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe

Executes dropped EXE 53 IoCs

pid	Process
2152	Jfffjqdf.exe
1524	Jidbflcj.exe
4992	Jpojcf32.exe
4260	Jfhbppbc.exe
1496	Jangmibi.exe
4884	Jdmcidam.exe
1520	Jiikak32.exe
1404	Kpccnefa.exe
3516	Kkihknfg.exe
772	Kpepcedo.exe
2104	Kgphpo32.exe
2592	Kmjqmi32.exe
3944	Kbfiep32.exe
4540	Kipabjil.exe
3172	Kdffocib.exe
4568	Kgdbkohf.exe
1620	Kajfig32.exe
3288	Kdhbec32.exe
384	Kkbkamnl.exe
4404	Ldkojb32.exe
5116	Ldmlpbbj.exe
3296	Lijdhiaa.exe
4416	Laalifad.exe
1508	Lnhmng32.exe
1300	Ldaeka32.exe
3180	Laefdf32.exe
4740	Lddbqa32.exe
3108	Mjqjih32.exe
2500	Mpkbebbf.exe
3652	Mciobn32.exe
4244	Mnocof32.exe
5080	Mpmokb32.exe
4392	Mkbchk32.exe
3964	Mnapdf32.exe
2000	Mamleegg.exe
3056	Mpolqa32.exe
368	Mgidml32.exe
2376	Mkepnjng.exe
2024	Maohkd32.exe
4320	Mdmegp32.exe
1464	Mglack32.exe
1172	Maaepd32.exe
2916	Ndbnboqb.exe
2416	Njogjfoj.exe
1492	Nnjbke32.exe
5020	Nddkgonp.exe
412	Nkncdifl.exe
1664	Nqklmpdd.exe
4976	Ncihikcg.exe
4704	Nkqpjidj.exe
4472	Nbkhfc32.exe
4956	Ndidbn32.exe
4840	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3736	4840	WerFault.exe	133

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 2152	668	5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe	81
PID 668 wrote to memory of 2152	668	5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe	81
PID 668 wrote to memory of 2152	668	5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe	81
PID 2152 wrote to memory of 1524	2152	Jfffjqdf.exe	82
PID 2152 wrote to memory of 1524	2152	Jfffjqdf.exe	82
PID 2152 wrote to memory of 1524	2152	Jfffjqdf.exe	82
PID 1524 wrote to memory of 4992	1524	Jidbflcj.exe	83
PID 1524 wrote to memory of 4992	1524	Jidbflcj.exe	83
PID 1524 wrote to memory of 4992	1524	Jidbflcj.exe	83
PID 4992 wrote to memory of 4260	4992	Jpojcf32.exe	84
PID 4992 wrote to memory of 4260	4992	Jpojcf32.exe	84
PID 4992 wrote to memory of 4260	4992	Jpojcf32.exe	84
PID 4260 wrote to memory of 1496	4260	Jfhbppbc.exe	85
PID 4260 wrote to memory of 1496	4260	Jfhbppbc.exe	85
PID 4260 wrote to memory of 1496	4260	Jfhbppbc.exe	85
PID 1496 wrote to memory of 4884	1496	Jangmibi.exe	86
PID 1496 wrote to memory of 4884	1496	Jangmibi.exe	86
PID 1496 wrote to memory of 4884	1496	Jangmibi.exe	86
PID 4884 wrote to memory of 1520	4884	Jdmcidam.exe	87
PID 4884 wrote to memory of 1520	4884	Jdmcidam.exe	87
PID 4884 wrote to memory of 1520	4884	Jdmcidam.exe	87
PID 1520 wrote to memory of 1404	1520	Jiikak32.exe	88
PID 1520 wrote to memory of 1404	1520	Jiikak32.exe	88
PID 1520 wrote to memory of 1404	1520	Jiikak32.exe	88
PID 1404 wrote to memory of 3516	1404	Kpccnefa.exe	89
PID 1404 wrote to memory of 3516	1404	Kpccnefa.exe	89
PID 1404 wrote to memory of 3516	1404	Kpccnefa.exe	89
PID 3516 wrote to memory of 772	3516	Kkihknfg.exe	90
PID 3516 wrote to memory of 772	3516	Kkihknfg.exe	90
PID 3516 wrote to memory of 772	3516	Kkihknfg.exe	90
PID 772 wrote to memory of 2104	772	Kpepcedo.exe	91
PID 772 wrote to memory of 2104	772	Kpepcedo.exe	91
PID 772 wrote to memory of 2104	772	Kpepcedo.exe	91
PID 2104 wrote to memory of 2592	2104	Kgphpo32.exe	92
PID 2104 wrote to memory of 2592	2104	Kgphpo32.exe	92
PID 2104 wrote to memory of 2592	2104	Kgphpo32.exe	92
PID 2592 wrote to memory of 3944	2592	Kmjqmi32.exe	93
PID 2592 wrote to memory of 3944	2592	Kmjqmi32.exe	93
PID 2592 wrote to memory of 3944	2592	Kmjqmi32.exe	93
PID 3944 wrote to memory of 4540	3944	Kbfiep32.exe	94
PID 3944 wrote to memory of 4540	3944	Kbfiep32.exe	94
PID 3944 wrote to memory of 4540	3944	Kbfiep32.exe	94
PID 4540 wrote to memory of 3172	4540	Kipabjil.exe	95
PID 4540 wrote to memory of 3172	4540	Kipabjil.exe	95
PID 4540 wrote to memory of 3172	4540	Kipabjil.exe	95
PID 3172 wrote to memory of 4568	3172	Kdffocib.exe	96
PID 3172 wrote to memory of 4568	3172	Kdffocib.exe	96
PID 3172 wrote to memory of 4568	3172	Kdffocib.exe	96
PID 4568 wrote to memory of 1620	4568	Kgdbkohf.exe	97
PID 4568 wrote to memory of 1620	4568	Kgdbkohf.exe	97
PID 4568 wrote to memory of 1620	4568	Kgdbkohf.exe	97
PID 1620 wrote to memory of 3288	1620	Kajfig32.exe	98
PID 1620 wrote to memory of 3288	1620	Kajfig32.exe	98
PID 1620 wrote to memory of 3288	1620	Kajfig32.exe	98
PID 3288 wrote to memory of 384	3288	Kdhbec32.exe	99
PID 3288 wrote to memory of 384	3288	Kdhbec32.exe	99
PID 3288 wrote to memory of 384	3288	Kdhbec32.exe	99
PID 384 wrote to memory of 4404	384	Kkbkamnl.exe	100
PID 384 wrote to memory of 4404	384	Kkbkamnl.exe	100
PID 384 wrote to memory of 4404	384	Kkbkamnl.exe	100
PID 4404 wrote to memory of 5116	4404	Ldkojb32.exe	101
PID 4404 wrote to memory of 5116	4404	Ldkojb32.exe	101
PID 4404 wrote to memory of 5116	4404	Ldkojb32.exe	101
PID 5116 wrote to memory of 3296	5116	Ldmlpbbj.exe	102

C:\Users\Admin\AppData\Local\Temp\5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5ae96774f86dd9c35b8304560a42ee1737a85f3b6b28a1ef6ef5e2ef78d0fb89_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\Jfffjqdf.exe
  C:\Windows\system32\Jfffjqdf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\Jidbflcj.exe
    C:\Windows\system32\Jidbflcj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\Jpojcf32.exe
      C:\Windows\system32\Jpojcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        54⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 400
        55⤵
        Program crash
        
        PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4840 -ip 4840
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jangmibi.exe

Filesize
182KB

MD5
8ba981e584e0cdf70c247fef35b90465

SHA1
78c0626cbdb27bbdf8cf9a3907a64321cdc66d1c

SHA256
d94f6dfaf59dec28701486fcc3f77fcc6a589cd88aa882e85f0f670970caf18c

SHA512
a7b2a4eeb1c636818c2d1a3abfbb3a6f8354c2536c6021c68a1a2ec61ce4947f99ff4ac6afccbf31264322d32666aa916d0f980b2ba1b7913c3f05a873d43f24

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
182KB

MD5
4f29f0308a6ecd515a8ad447838b7485

SHA1
eaf56034b1ef994b5bf7b7ceb7a8c625022e641c

SHA256
a8835a4b19e061da8a40a07c3a1b1ba7a212ccf08ceaa4d23eed40acc57dc09e

SHA512
94d0566b1b4cc58bdfd35ba6b63e7c96f2d3a107f5ebc27f16e1113bf2c538428f2f8fa8c10f9ae520c46bf83f4ae87c782e93626d93f31b4e45250737fdef1d

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
182KB

MD5
8610775d5ae7d64f890fda5b07f2b731

SHA1
31b2843cf8cd6af25ed2abb22bc267055a48ae37

SHA256
5ae2bbe772051a5a7296f8392f62e7f1891a3e70a5954f930200900c11c31420

SHA512
e531943249cfbd351bdd82c4194078cbab2ee59f169d0d41b95d13eadd7d30ec020a7bc72d99ea6058f97c88fa7fd867663174fd9ccc96ca296ec1dd5ea3f41c

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
182KB

MD5
b25e77cf501851cb6314d5c551c5ec60

SHA1
1e0959e9c5470d631019c500b7f1d27a4aad4c28

SHA256
3741447490e09e0450c300bbfe88e6030034ecc8dd52179e7d61bc7ec6072bc6

SHA512
6db192f36c116f999e5634430d8a980f64e2a723453994beabc2252af18fada42c9bc47b071358ff7a3f998aefde4a17ce219942f599b67bc140409514032240

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
182KB

MD5
2d00340c2c1ea0b923639ac9c159e2f4

SHA1
6c69ec5b6c9d6ebb794862b501f9c233bbd8c73f

SHA256
cfedbc40a4d1be4bc0cf116edb7c41147609292b1222b48610a0f3bde10b7a5d

SHA512
18ebe895d6ade18107205b04084ea1acd825357a6ec5619f302023a2325f7be2a21bd06c59cc67c16294640e7cf6026dafe03419cb8e5abc3c615491ff08d426

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
182KB

MD5
291fce0595311d17cdbe0dde2f386f23

SHA1
5b9d4ca8b41c190e182a4ece73a0fbdbc1d4f5fc

SHA256
f496bb580437236cfbc8a4b4c8fdaec0824037cca4ed604aaafc96a1b10eca6a

SHA512
e18684207975bd0e3d9d0828715734d8ec0a8d359b741203c2f0ded9c69e5b5fa839aaa74945899657a9a38ec88e797ddd8f897155d4b658bf9d5a3ca39e1f96

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
182KB

MD5
4596697e7ceccb96cdd672dca2f9bc3f

SHA1
4f04f3af62038dc9a1f855d39c8603a95314ec85

SHA256
b4bcc426cfd4ec7f202e1af201554de6c91a8712d5aedba29903e18b06d74b01

SHA512
935ff155064b5f13990dac386f69fa1d04f00028b2837491f03cec0c09f7fc04653c80699c67b739167be4351647c2c608296da5d691a4fb8bbcf34b3ad9ef71

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
182KB

MD5
7b100f7fe8403d790645c87c52b6492c

SHA1
9f9efcbfbde7bad6cdf9650b291246b6b648d82f

SHA256
dd487ff024737ab214148b877383ed6c4822b17bb2a5231633c1c5c1d821156e

SHA512
c81407024938ee3cfc58562b1ba51aaf129178b8a1cea6191ce575674ac3e6f633a58c9077a82e07590e98aa2653ed809f414a50957d7d97ba5fe0294d72ff39

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
182KB

MD5
733ee4da251945c68bf70f8912d9d31b

SHA1
cd19a0e03d69a8b09033d6970294e5e92d27c983

SHA256
23899564cc1d991dc80bfb4eabd4d84275d2a14ad1117a841755a7b811236783

SHA512
da537576822b774a0172b729572dc7e422b1dbadae1fc6385918a3a154fe93076748b33e7c1711c06f21ae0989e56bc690eec769969d25f281eece84ff709532

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
182KB

MD5
9ee5b2ed34d72866495f6b96ab7ba411

SHA1
615d0a8527c746092471af0ef095803b0218ebaa

SHA256
8bc77423d103766ce82445e758a46f28b999a557f54760763498731639953a6c

SHA512
5ebcbc671c6a04724e4e224d6eeee47c79f2a33c89573a9459337308801c95c3f7630edc2bcf21cf244c6b03ebd4911b6140b51f19773dcd71c45eb4fb726408

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
182KB

MD5
1fee68b7e0d1dcc3af49df574423b643

SHA1
d8723466aab4fe4224b08659dfb91f8ee67d7295

SHA256
e4f7261e3474cca9741df78e152f3b219fa53e7f2b9dab1a3895ab3f62b0508d

SHA512
eddf783bba61601d4ae024e70be254d80854ef910a2797d5fa0f1a0d665b1bebb6cb1ee5c1460fff9d3a2b1eec3ba55c7fa9d5226459819edc5fb627bbe7ef5b

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
182KB

MD5
5fcc6125a32c2d7ade98fa4463ddd32d

SHA1
d41b4ecdec761f8dc579e3ccf9e202e5ba5982c5

SHA256
b9905ecfe69b9ed58968869e2cbc9239b8c617fed78f437d52dc65598fb2e5e3

SHA512
a0ff33e7002462f6c6548eaf8eed3c83695c3d5450834c0c19dce32e820b332763baab1f3c28875c8476e6684922bdca6141b622ea13cb2e9a0c0016ba0acab9

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
182KB

MD5
822e9b2b5fc29a6a936cd3f9f148dd13

SHA1
b5a989020a6706c2214dd1b54aaef8e385d731e3

SHA256
e7121267738d33da3ea21e432b49fbfb3fdb4a4d3746610704cf97cf2330d07b

SHA512
80b0107a765ac3cc445db01e20f3edd1d43c861f9952fb2b702d2ab978d6c2380317a1f472aec53cab573256101f742a6d6c734a1cdfb801e9431ea09836603c

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
182KB

MD5
780ccb42d4a90ee82ac3d94067b3888b

SHA1
28df8db8b45e9508672aeca141874fb287c8289c

SHA256
125073e9df29ca8469709aaefb37532c45cc76c70d496866c3466e36cb04d223

SHA512
0c7e7df822d30a1e1170f0ed78bea588a289430bf2ac71751ce17ac6962b41af5cffd181a028c9fff2449c476c6f706e5595f6bf8dbac96706061a28677844a6

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
182KB

MD5
6a8bade441eb6400266a6ddca6d6506f

SHA1
a8cfa6ad54fff3b82a60c4aff9334a3355e19714

SHA256
fe484850369137af7b00e515557ddd98f9983a81aedf70c9814eea30340750c6

SHA512
6c743a1a038a8fa5bd33ed4e1d7f929c33f64627bad18c25484ca12e23a3649f401d67732c5dc1b01638f3c85aece7109ac1318807e50ceb07d40a9343ee3bb8

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
182KB

MD5
7499a2e59297840f5a4c36f9ee21fb9f

SHA1
0089f14ab9e314d851c51fb457f526570aea90ff

SHA256
f1e7b0fe8fa2be1c512ee996828669b6f452f18c0a584aab5b25b26b1c643381

SHA512
208e6e57a0fc888f213df0bb30107643948d577ca9f995ec442ffcadac9296356d29f3978080f4b7fe59b886c5783d15c5b04b5540966898b5467eb015e64855

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
182KB

MD5
2e68b47d548f0663ecb01d3defad8b30

SHA1
3c776e7334c9002469c715b659e03a835eef8aeb

SHA256
f1e38f5f8090e6d07166ddaac157aef61cf1193d6a43c41e50809db89ad0b3e4

SHA512
2b5796379cfc9be46cd7a35913219920f5c823d8e509f01172b9246a9f809ab8a5a6be6b48d0b756a7f93884bbba39e81e392922bee57bd2d1cf90c27b30d62b

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
182KB

MD5
1e137a0ed8eadddea24068ba0f34093a

SHA1
46c8254f0ebe09e8b2f1550e45bdc0c16b523565

SHA256
99e5bb6e123e9855421950d11d90ff9735cc2e8740a386631a00ca0c46c3db2b

SHA512
7f118f5d06cce6911b70b10629c1d9b4e871ced991255d83289523ac9794b1371b4f846c81de47ad9fa042a701f4ea9b42ec88dcf19ab367484ef0878cd33cdb

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
182KB

MD5
8b3b7af588db77b73e11bf7d71cbbcd3

SHA1
acb6bc14f3188b844509ca66a1273d11511e99ff

SHA256
3862ed4884adaaa9ad88dce001c710c1b595d6c70c4d706de6782c5e50d04434

SHA512
0ce6090be9d479f209e75db336111e29703c7113396917a09d7b80b5f795337a8ae7b9ee88029c51ec8802fc0524e4c731a0063b582e2c3fd095bb261bd4df0f

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
182KB

MD5
0ee21a39be47dd8dfec69e3171a7542c

SHA1
24d07f6f16881013dd4e4d1c4221a616e7526c74

SHA256
d4122ec104bde87bbcb3436177a7ea9d3f2aab906141579d48731c09acfe68b7

SHA512
6965476876731bdb5e7ff4b02fb2c9b506a9b4b3da87df7b1af6bf277f8afc4da96ed6a43dc66e62cbfac337dda3e8d33da03a0b7dacfea1ea481d9336575f12

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
182KB

MD5
7c6e9160457c29fbc0a0fbfb55928645

SHA1
7f4a8b0cc07cc6eca4aad253be6e89e56e9c33f2

SHA256
465ff5392d0a8a7f0dae56afd7283120dc9a53a6f2187796c3c1487b9a957932

SHA512
702b4a7f65d6db5a9a875c092f733059c1bd05e363525391576fe4fb82613e003fbe87f1e0ef3d27e44f1376f49e050bac5785c3313bf69da3521c3767273b27

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
182KB

MD5
2a38c793752dfb44ba69aca426b7bdb4

SHA1
9dc271f87a07eda2552e43698198d6750fce8e89

SHA256
4aa4eeb38f0137f6b1897a027f69152efe594c682f54c3c1982ba1ab0af35dc7

SHA512
9da8c5e9ede1d3ebc0ab3f961d9647e04fd01b2291734ee5e650e3946a22eff7f298fc66f986d103521d9651357727ca982eb60b482f9a9773e31579e2e4685f

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
182KB

MD5
6c0bcae50ee55825d6c62bf9bfbf60d9

SHA1
cf36a191d0abf5bce1e3f0bf2f1cb27ee40e67dc

SHA256
8d056a721573ad48e8adcb3ad654af478140b53fc823556eb68b9d44f6c52b86

SHA512
4ee4986d9262616c63ecb3bd66e9740d561ae572282f513bf223b4bcce30fe43fccfac0e69b0323bbcc6bc92fcd82a72f9eb4c722f97b73f3216b97dbf23b113

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
182KB

MD5
252cc1c6709689903a4f31a92b4b3abe

SHA1
7371cffebf0d2abdf3e5c0086eb861ada49bf8d0

SHA256
821e8aeb6672ac1b0f049d591f8612f99d4f47a88e09c8be49217f77ba57117c

SHA512
a7069d0f0749d53974c985b8fee3c988e782f72895195b73cbd18536bc93ee2ffae3a00e6b8848be2be0ff4916018b91ff0923b93722dafc7bf12fa423528ae8

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
182KB

MD5
0589d162bf56c964cf99bc1e7c96a47c

SHA1
17b0396f03fa57751d6a503e81ad93d862030997

SHA256
c29e08e502a3cd08c7caf118abee31bc121777823561ab186bbd1d3c96198876

SHA512
fe1c1d7b77b447e01b7b3cae5613c162379c5a526e5194f2fdef74c005be76e6bac5a5ef8a3f3d046ea844727f9f97c9fa5385faa94ec5c1f8038a4ed13eb598

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
182KB

MD5
a34f29642171170e4b56fd1a808ced77

SHA1
cbd0680aa996b8008f4229b2346c764cbc9809de

SHA256
fcfd6b9a4478923fc9708dd1e70ac70c2a2e45c2118956a5b6b4a99f4626ec80

SHA512
763bd832becce22f43427971539c6e66cd268b9b32840c51d2c81d4e384811121fb6146df52eaa8bceaf9c7252d23b767519ae87e3a5475aa7c85daa3b51dd89

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
182KB

MD5
83a8dbe76d17dd03d7cfac832751fb21

SHA1
4a753bcd6101f75599fc863ed135a76fedfcb738

SHA256
98280f2ec1aa9a07a454a959a142dee9b9ca7a3d85a9f679a24d9cd691de1831

SHA512
07bff405e5326a4f3a5400b536a6206b0cb66b798ee2f6e859355d0efcbe6bd7a5dad0478482cd19f7e414fe8c0514b18f5c001de2a22849cd73e717fe407886

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
182KB

MD5
8e1682444e8b1a0cf93b355a875c7cb1

SHA1
a152ec5d6d8f68c8f927a366d48deff633579f55

SHA256
8a7aa5e7fcfaeb16793ceb88e07e061edab1ada489c5b8cc4e4c396f18a004fa

SHA512
8ba163818ed5af68f805afee94a4eeb89790abbdc316574e5b5ad80812f3a7d61f22aed3990519f2d40a325ec2dc00d5a21c99848e8aa70409eb27f2c9d83ec1

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
182KB

MD5
992014f42aa8f010b19fac42fa60bf9e

SHA1
e96e549e7eb864cc4b2ce37d6d04cfbc82b711da

SHA256
627fe8e6fa2d6583e36bca2d1ac03ba70307b00be56423cd584ec9b52fbb2088

SHA512
b6f9865acb442906135a771d4fdcae21cd82ce7af1ea347a54825ceff8ad222b8a9ff29649b04821225e6a398aa31deb0a720214471220c6898d73ca356ed0da

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
182KB

MD5
7e7ed9041851cd4b7795eaf6080dd929

SHA1
94449081461a9b95b3eedab6147849b8ec10432b

SHA256
a2315bdec04c2ce03c4a111e0363c8c720a536bc5c7119db1ead8f985ffc6b0d

SHA512
a48dad8b1178f6edebf453c08b438e6020b57d2e9588468e1ab49716ee6be2d5c0c7cd0d5be5406e6e543b3c5604381e1ca75e388b4e86c80d64a0301fdf6642

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
182KB

MD5
d63087094a5147d1718c95cb871ce528

SHA1
c1f87183511af89b56c480e5014c68bbcd60bee1

SHA256
082ad291571a467532c05f75ebbccfa047acc71f6c9ab00fc745054f73cf4fc5

SHA512
8680e760ec61bc1e0d1860f57ee2cfb0ca4d227d6b18c9aa28b342d3f6f962b819f4e81e205cbec20610824dbec3e8dd280baed3a92f987c3eb76eaa88f96c2f

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
182KB

MD5
23fc5fa11f3f7d304ced0da2a2eaa89a

SHA1
625919b990da8c776bf358ae3746888636fbbe06

SHA256
7c4271398b437b19fdafc76cd68cfb3fa998d10e1f42bba7d9f26a870f03670c

SHA512
d418d2fe2a15c7f3a06751b22ec3c0ef5444c370bcd346f470a2652b3b05f3e4177bc803c88e105faa735713ddd383088ed00250d997276da0ab62ae579710cb

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
182KB

MD5
fa2fbb9e90fe77a9dd741f40d96c4e3e

SHA1
de4cd0aad73f79d66fad99ee31d1e12572d8d63d

SHA256
484dc9159e05146ebf1addb865dd5be3267f8417c8cd2b001a94658b380e9ac0

SHA512
7fe6ac5c8dfe49b74e07a87f1f79f38284579b436cc2aa5957c5366756dafa7a1b62d878e922432dd84e47baf7b105da8f3e1a2af1ee311f4b00efcc7dfd7a6d

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
182KB

MD5
9acb30cb6fa69e1b4ca7336e0c4e7f32

SHA1
32e4145b6c092dd88f176f2be01fe86ca6170e0c

SHA256
f6160ceecd1c6e861c83f9972f75c359bd3f8341c055e9ee9998e2d1b8b92bb5

SHA512
fbe523d3825a6fda647cbf7054d3e8973fc3b300e0836755ed319030bbd996bcdacbf842075e0e1f3bfaac73571e129568c38c4f5e92b77bf8e1733d0e0b3d10

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
182KB

MD5
183481210cf890e90832961da16f7578

SHA1
4492add6d8c8e9bb7cb6a2b790db31b70c5a2bd0

SHA256
3949e04570900f841cd203470bee32ba1f47c7438dfdf4d86e8f11ab3683407f

SHA512
17beaa67f2b6ff4a76cb42372e3dae4b51ddc6f2ec85f4c2898b09192bc8c96a59067f88b586c6e3f285d36ee18c7216d376059db86789dfd664d6c030791146

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
64KB

MD5
7259b1186e3b9f3c2a048e3335558f69

SHA1
38b5e08afe953ab4ed02074dda6412d1d54a7584

SHA256
b97f4ae61bd17a2b52d214681499f1281125beb270ee1fd23845c8739f8c713e

SHA512
1c2852a8bedefc024749dcadaaa91cd40c513fc5a99371d0f034a3574893870f2d4c105f01133ab5df61f44c14b2dc023cbb57997acc1be04bc2ddf8142bf8f2

Download Submit
memory/368-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/668-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3296-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3296-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4320-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4320-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4956-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4956-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads