06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb

Analysis

max time kernel
136s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe
Size

80KB
MD5

70b4fcc2db300cccfc07d068693b8650
SHA1

a35c7ab4e260da039722b1fbbe4306106114ad59
SHA256

06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb
SHA512

5efbce2decfda2bfb205074eef8b45875f7678bb707444d81fb252de20e3da41d16f134d2978edf00f7cbea5cc714cbc41b86686fdc3e68205f5e12385824532
SSDEEP

1536:YVijAunavhJashY5G0/7xSUDliB2TdQblitibfgMuWdso+WaaRQACRJJ5R2xOSCX:tjA+KZhE/NHDoETdc6qgMuW2faeVrJ5/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe

Executes dropped EXE 48 IoCs

pid	Process
2928	Jmnaakne.exe
3284	Jdhine32.exe
4208	Jjbako32.exe
3916	Jmpngk32.exe
5116	Jdjfcecp.exe
1568	Jbmfoa32.exe
5788	Jkdnpo32.exe
5628	Jigollag.exe
2552	Jangmibi.exe
3860	Jdmcidam.exe
2052	Jbocea32.exe
5376	Jkfkfohj.exe
1380	Kaqcbi32.exe
5228	Kdopod32.exe
484	Kbapjafe.exe
1160	Kkihknfg.exe
1980	Kmgdgjek.exe
4996	Kacphh32.exe
5692	Kdaldd32.exe
4876	Kbdmpqcb.exe
3544	Kkkdan32.exe
5576	Kaemnhla.exe
5436	Kckbqpnj.exe
492	Liekmj32.exe
564	Ldkojb32.exe
4548	Lkdggmlj.exe
1404	Mahbje32.exe
1152	Mdfofakp.exe
6132	Mpmokb32.exe
4816	Mjeddggd.exe
5936	Mamleegg.exe
5636	Mcnhmm32.exe
3336	Mncmjfmk.exe
5960	Mdmegp32.exe
4600	Mglack32.exe
5776	Mkgmcjld.exe
5292	Mpdelajl.exe
2200	Nkjjij32.exe
5512	Nqfbaq32.exe
3492	Nklfoi32.exe
2444	Nnjbke32.exe
2968	Nqiogp32.exe
3992	Njacpf32.exe
5732	Nqklmpdd.exe
2520	Ngedij32.exe
3056	Njcpee32.exe
4480	Ndidbn32.exe
3936	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4292	3936	WerFault.exe	133

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 2928	3500	06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe	83
PID 3500 wrote to memory of 2928	3500	06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe	83
PID 3500 wrote to memory of 2928	3500	06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe	83
PID 2928 wrote to memory of 3284	2928	Jmnaakne.exe	84
PID 2928 wrote to memory of 3284	2928	Jmnaakne.exe	84
PID 2928 wrote to memory of 3284	2928	Jmnaakne.exe	84
PID 3284 wrote to memory of 4208	3284	Jdhine32.exe	85
PID 3284 wrote to memory of 4208	3284	Jdhine32.exe	85
PID 3284 wrote to memory of 4208	3284	Jdhine32.exe	85
PID 4208 wrote to memory of 3916	4208	Jjbako32.exe	86
PID 4208 wrote to memory of 3916	4208	Jjbako32.exe	86
PID 4208 wrote to memory of 3916	4208	Jjbako32.exe	86
PID 3916 wrote to memory of 5116	3916	Jmpngk32.exe	87
PID 3916 wrote to memory of 5116	3916	Jmpngk32.exe	87
PID 3916 wrote to memory of 5116	3916	Jmpngk32.exe	87
PID 5116 wrote to memory of 1568	5116	Jdjfcecp.exe	88
PID 5116 wrote to memory of 1568	5116	Jdjfcecp.exe	88
PID 5116 wrote to memory of 1568	5116	Jdjfcecp.exe	88
PID 1568 wrote to memory of 5788	1568	Jbmfoa32.exe	89
PID 1568 wrote to memory of 5788	1568	Jbmfoa32.exe	89
PID 1568 wrote to memory of 5788	1568	Jbmfoa32.exe	89
PID 5788 wrote to memory of 5628	5788	Jkdnpo32.exe	90
PID 5788 wrote to memory of 5628	5788	Jkdnpo32.exe	90
PID 5788 wrote to memory of 5628	5788	Jkdnpo32.exe	90
PID 5628 wrote to memory of 2552	5628	Jigollag.exe	91
PID 5628 wrote to memory of 2552	5628	Jigollag.exe	91
PID 5628 wrote to memory of 2552	5628	Jigollag.exe	91
PID 2552 wrote to memory of 3860	2552	Jangmibi.exe	92
PID 2552 wrote to memory of 3860	2552	Jangmibi.exe	92
PID 2552 wrote to memory of 3860	2552	Jangmibi.exe	92
PID 3860 wrote to memory of 2052	3860	Jdmcidam.exe	93
PID 3860 wrote to memory of 2052	3860	Jdmcidam.exe	93
PID 3860 wrote to memory of 2052	3860	Jdmcidam.exe	93
PID 2052 wrote to memory of 5376	2052	Jbocea32.exe	94
PID 2052 wrote to memory of 5376	2052	Jbocea32.exe	94
PID 2052 wrote to memory of 5376	2052	Jbocea32.exe	94
PID 5376 wrote to memory of 1380	5376	Jkfkfohj.exe	95
PID 5376 wrote to memory of 1380	5376	Jkfkfohj.exe	95
PID 5376 wrote to memory of 1380	5376	Jkfkfohj.exe	95
PID 1380 wrote to memory of 5228	1380	Kaqcbi32.exe	96
PID 1380 wrote to memory of 5228	1380	Kaqcbi32.exe	96
PID 1380 wrote to memory of 5228	1380	Kaqcbi32.exe	96
PID 5228 wrote to memory of 484	5228	Kdopod32.exe	97
PID 5228 wrote to memory of 484	5228	Kdopod32.exe	97
PID 5228 wrote to memory of 484	5228	Kdopod32.exe	97
PID 484 wrote to memory of 1160	484	Kbapjafe.exe	98
PID 484 wrote to memory of 1160	484	Kbapjafe.exe	98
PID 484 wrote to memory of 1160	484	Kbapjafe.exe	98
PID 1160 wrote to memory of 1980	1160	Kkihknfg.exe	99
PID 1160 wrote to memory of 1980	1160	Kkihknfg.exe	99
PID 1160 wrote to memory of 1980	1160	Kkihknfg.exe	99
PID 1980 wrote to memory of 4996	1980	Kmgdgjek.exe	100
PID 1980 wrote to memory of 4996	1980	Kmgdgjek.exe	100
PID 1980 wrote to memory of 4996	1980	Kmgdgjek.exe	100
PID 4996 wrote to memory of 5692	4996	Kacphh32.exe	101
PID 4996 wrote to memory of 5692	4996	Kacphh32.exe	101
PID 4996 wrote to memory of 5692	4996	Kacphh32.exe	101
PID 5692 wrote to memory of 4876	5692	Kdaldd32.exe	102
PID 5692 wrote to memory of 4876	5692	Kdaldd32.exe	102
PID 5692 wrote to memory of 4876	5692	Kdaldd32.exe	102
PID 4876 wrote to memory of 3544	4876	Kbdmpqcb.exe	103
PID 4876 wrote to memory of 3544	4876	Kbdmpqcb.exe	103
PID 4876 wrote to memory of 3544	4876	Kbdmpqcb.exe	103
PID 3544 wrote to memory of 5576	3544	Kkkdan32.exe	104

C:\Users\Admin\AppData\Local\Temp\06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06af392a45f3ae23076d0694138717f47e9eab43dab314dd69eaa5451266b9cb_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\Jmnaakne.exe
  C:\Windows\system32\Jmnaakne.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\Jdhine32.exe
    C:\Windows\system32\Jdhine32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\SysWOW64\Jjbako32.exe
      C:\Windows\system32\Jjbako32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5788
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5628
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5376
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5228
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5692
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:492
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        49⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 420
        50⤵
        Program crash
        
        PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3936 -ip 3936
1⤵
PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ehifigof.dll

Filesize
7KB

MD5
64e4d498e92da0729cf8126f3d7ad537

SHA1
8d37acfd4dc511a5923d016f417f7972ed18a2f6

SHA256
5a9932f8e510fb8d378f3dd619c15cdbaab71093a63e686446a5d643481a0892

SHA512
1b264cdab15e73aa9ed058bdafaf37366f3a6c9ded7695dd33cfb63de3b12100d5a13b4fe07a963cdb771ab544faa44f7fa38c387b05435a48a840f78026688d

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
80KB

MD5
66ad4971ef8e3945435f21f0e8f284b1

SHA1
a996fadc3690054d44066dc1ad1a59029bff22bf

SHA256
6caf4fe93ffd59c694a003ac097fa5214327383bc59a4407deef126d5e91f72c

SHA512
089b2fc1b7879aca5b230cbbe12ff1e602accfca43111871874aeeb3d6c2a95c2fd517c2bab2d81b439e3ca174ebb422b3f57f7617100a820267a1db2d9734df

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
80KB

MD5
a84182454b8056e491ded6607278f44c

SHA1
f11082379da3f3d7579fba0d8d089cdee2de5112

SHA256
b33398c56de295133b52c6df67deb17a77517fe3e8d135b8c0fd6098e6bb47e5

SHA512
831b3952dbea12e77f6d2c532e5d4bb421c45a8effa7b7e0979e3db5424cd246a9d1c5e936e52be11a98361d341cdbeb1e8035480731e17aa1f087ccd9b12050

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
80KB

MD5
e677ed64d773a2ab4f5b4bab63d95445

SHA1
3704a3d33d3202cd8360f142864c91f8a61a337b

SHA256
b68700b7446d1887209d7688824f95031c1c42f97f2492dc311d297b3e7a9589

SHA512
11834ec455de6925b0457237c0b1415e8f987e3a01fc15c5407ceb01c2923de67ef0012eaa6d60e3e28d5140304adf546d777b6c46e94226b32725473b71590f

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
80KB

MD5
26310dd18689ff0b68131ce0ac582a07

SHA1
f8e2da410b4292b1252a5ecc7b5f9b56ace5c0ae

SHA256
24ccd531d594be75d8a5de9011f8503852622a4eaf4ffd8a3d432fff448df8ae

SHA512
66b2ba9dd83e5ef641bea3ebc33f76ad26b8d5334a077da540e449990afbb6e25c807c81c5a017b1ab93dfbe7aaf25bf8c989501dc0164db6ae70e9a0c066c47

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
80KB

MD5
a75407488bf860fd9ea204fe76b839eb

SHA1
a23206606328d28e2cd882f153b9698f30829e39

SHA256
b49f9a71a87632ac35838cb35540ce6a8971c517cee60c96417e6744610c2048

SHA512
f78f08532a5797f0daf8d718c3b9395b75cd2da1b3acd4312b11039df60b3b281835a38eb4472e300c2ee6f0307ba23b14486882687c87b828e66ce850c1d253

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
80KB

MD5
7f7e6103b5042f1b02c637be18a752b8

SHA1
ba3b575c3180739f92614c6e7bf1c6a72d986ff8

SHA256
37c335a3abc9ca890d58cb6a9d969e4388de20539309e8ee0ab6d3634fb1d0c3

SHA512
16eadfc3be20143fe1e27f68be1412361e743c2925b4bc8e8ed7f943fdf3a3228378df6c008841316de87b6246a471d5494c84f3f2b970698675550c03b79e58

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
80KB

MD5
a9d48c0e54d0fda051ccdc97847be6d4

SHA1
7533e74bba61509934204401ba0ea25ddc78c255

SHA256
7648ab9991331084276f09c98795f9a86e8059a7fafa3ef9a430a6ebdc22a779

SHA512
70978cbc8c63f54cb1db51e8095f40fe6f1a0e121319c10061c71cd0cd760107dfdd97775870027a7baf46fa0837072ed02dd7fdcc3b9cd5c55474fc9567fef4

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
80KB

MD5
330b2723f19e276eb19f4b18a761d016

SHA1
e34667460e974f8ad5b791513b627316abff27b0

SHA256
aa504a2496149655ebb13f400da32f85cc41ead5ec10dc8f0fdb837b94e169fc

SHA512
176efabea169c4b9db2de93da3ecd8c301411170bcb13da41eb5bd32e4176a12e62aafb4925aa924d2677d63c01122903bed4aec0b79fe15e0d13e2dbbc68953

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
80KB

MD5
a80c2bacf6e11495a24d8a983f79c4b1

SHA1
2cbeff0ac98c80d22fe4a4222a7f9077ad052a4a

SHA256
a1a931ed1da5e4d7c8d4fa4acc1845384c83f57517c79d3416bdf0d1edd85dcc

SHA512
cad484e50ab536858068dcb6ed078ce88c6576394e2f4d611c9930495b7bbecadf4f37b9d786f9b0a2e361128ca036c47cfc7a7c612881cc04e13d660ab017e4

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
80KB

MD5
93120b419d68d92642bb6fadb7ce3014

SHA1
06abc3f520bf96f1d5adfa9a75d1fb0e58f18c4b

SHA256
168734498769141666355cc0f4a3a5ebb4eb016fb3fe80ae80f27ccbd1772611

SHA512
a57256654c736184269d27edc5cb33c1039294ddc94ff678ccb0a21c2c58c21b4f125607cf3ceafe213987345f6cb294aabff4351a74b70685a92667491f0b6b

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
80KB

MD5
d0d3e3b38ed3d58a5f6dbaf39f4bdf85

SHA1
e53f562c4114f8b38068cde4982cab28a2996fe9

SHA256
6cc5598f1e6dd69e3a37bbb001a7ddca09b4f88c3ca776d8024d3df5678b98cf

SHA512
fa066163212c49053c8a326b5092f97d7797b702204524e1dcf7065cd5df3e115a681838dc070f21377138d7bda2bb5dc245d3b6fbf1f7eafe89d36930552b88

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
80KB

MD5
a79a9d04ded3952cad11f46341e3e041

SHA1
d0f1d2ae627061354e4df032fb0b54f538abf843

SHA256
9a41158bdc6c38936aa593968f6388a33946a418aafe609373a95f4c3578eadb

SHA512
4974f80526b1c32fda94687b796408d777b4e29014058b3e3ef53b2c2b104dfaaac2dfdc3a27e92a326a5e49e79761d04fdad7582c40be7bb649f4d531fe1a5c

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
80KB

MD5
85ba6440e9b6eba108c2fba9074e6115

SHA1
9fef4ed43c988426f487f066fd88c11fe84d9c31

SHA256
f8f8bacb03b6cab69b5e695e71f86a129d58b1881d815186728a7fc0cad5b573

SHA512
7c41c6721d4c13963ee0db1d965f1a8b5d9ec6654b35413417ff7f89277c4b563f0534da757b21f6aaff3ad827081274142efc67953293e8e3fe04495d804734

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
80KB

MD5
ea2ff1b4db89d844d76da309dce34f3f

SHA1
2663f89637b6c0858b4fd5426a126e5a9dbca9d8

SHA256
641bf13267e60883cf6474d8133bcb128214a89b29c6c504544155b9910e26bf

SHA512
d58086471e00be12c05e9104733fd1f9caf1d02faaa1516a1314ac46d8363f4b048d5455b9e8eb8d485a7033d01d06ccee8b789d6051046260f5636009448ac0

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
80KB

MD5
1dc1bdb1db7ec1ccd78e0dcb9dd385be

SHA1
0f1811ce7fe1b6101c6925a51f759bcdcb0754a1

SHA256
a37d10f79f2b263af81eed9311574edcf5d036fcbec334cee0a3da80fdb55a29

SHA512
3f2b0cb8cf558fced05a202580fd8707763d9cf52a4fbb1a230cbede342cf90dc3213d3c75e7dedc8012020671f2256b6c3847edaaaf85806578b34ee1cdcc4b

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
80KB

MD5
7b353e58ac8db344807e26c8213508c5

SHA1
5e777e904c76e90763659cecac5db54c62e89278

SHA256
0159e4062fb832ee617111fbf3cbfd37a59e3aa39fb8e0d1d64119e7e550d59c

SHA512
6367a33fcc96d9f849e8f4223897b2f6f9ae52ef379bbedd4f7ef99ad73025f19a253600243a80d3ad41f40a178705aa628a287a5bb4e72552bbab6ef5868218

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
80KB

MD5
da6eafb2c87bb0cdd469c4be176cbfa1

SHA1
c6213d8d852cea7b6fe149fa656075abc7a53c8b

SHA256
d17bcd04062c234af52363dfd087254e7a534e4cb4a98efb66f3e5da7573b3cc

SHA512
17f1a26a357cad86253d6b9a1925e54f793134e9da9719b458e0a508fba197c3ef365beeed55684db6174f082a93fe43c88a2253ac1d68a385f07c87a59f9f33

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
80KB

MD5
47a7f8969970c8a13154f0b03990c365

SHA1
78f74b265bff222c04d806260482668ab36cae98

SHA256
68edcaf231985e579935db5443a7e306801e27af0ada9a2c6b3593f460b03694

SHA512
e07b05a00fe8323dea7ed1b9d2d1de92beab57fef9a9d9a41769a94566e295af92ae3fa5ad4eb92a5671b3da46278e4e915d259b827a9b67566307d9e47a963c

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
80KB

MD5
069ea46871563226e99662f3b03ab41e

SHA1
a6d68612c8741d6051a82595d2a88856baceb2e2

SHA256
d6fad558fa3a388aa9e0f25be9aaab995a946b4017048a56201963173e2730ea

SHA512
b8da8cb9f9073fcc4d64b9f526c16c111015adf442979f04d1d7851358d38952b9a22300e59bf87ed1ab65dd8c2137f6e1ba667d58e82ea4806d0870dbe82724

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
80KB

MD5
96e0176774759bac20a9ff32090f11c7

SHA1
fd63b5faf8ab205fe76a37ec4698bc4ac47d5dcd

SHA256
65912814a95dc991bffdbea8d9725b682a13fa69f3d92bc3467d790860482e65

SHA512
dc3440c3d214c89034c54a4c3647da6317aba222232bc4250d819163af3a094445177a0ce62794bfa6f3a7b2ca0becb0b18765020eea5a321e68e14865c2fd6d

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
80KB

MD5
3ec8d1d968cc961b57670c8cf6f12fb0

SHA1
3aca7352a2d0508193cdfe3dff26916327881b26

SHA256
75453fad3b7169df7d3003ea453ccffbf18e6e2d732d249f0ed997b3fdfa28d9

SHA512
980683d322a9bb88da3e651c08a2706c796dd2f831e6d476aa1c7c10ede3e043e4551af78ca52eb82bf61f9d13b6501c864513012f95d88d52a8e607f838c77a

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
80KB

MD5
e89dab36c5c3b88ee452cc75505a5224

SHA1
0c9972581f53f4a9f15a54c2611500b3c5f62492

SHA256
9066a0060cccaaf6d85b422cfd26cc5619b2347c44952bfdbc629f9b069b28f3

SHA512
4b47c513956db7e2556e341c2ca539c57c9bc9490da3b36d1178614850e4ee9e3c9e7a47eb9d9be0ae88621331f1c02299f2169baa6ebc0f7d5f88703438f3c3

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
80KB

MD5
aff467553ddee3d737311b112a3e36a8

SHA1
a88175dc7a4d79a31d0f4ebad8fead06447a0e17

SHA256
f0d7cc268b473992d36bb8617650603fd7f719e5313ee0392026d9ae78a4192a

SHA512
aa21a27d96cf36ec4281760f7b7b57401a631e93683fa5f1f29980bfe741caded88f47b30fbc408433935d745784a33ee2e50fe5228be27e08c5668f5c183d61

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
80KB

MD5
fd80b2eece68346522ee9e1e59aa256a

SHA1
2d198ced8450fa4d69d04e29ff5d9d6f7070f0ee

SHA256
aff072e26d2eed2b18c56c2378cd5dd103c44485cf306b4be7ab660b51a108ec

SHA512
95002a950f0c5c9765f0aa1ab50b7dc457354d20951a86b7078da70deaf9ff702be772043f34e924d067f91b31c05139a07b54f95ebccd36832d2ec6b272d222

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
80KB

MD5
5563a77fe585f497c7ac431d5bdda6de

SHA1
a9364074c7c6b1660da23d7c719ca9ed0939f097

SHA256
e3b2943f41d26426c27d68b01e7c968b90128874029311448b40aa7de92e8692

SHA512
5f46ca73425511cbb7ad51672d39a569016d3a345a23da17449e3106752511e00de6673986d166ed034fde250a464a7a64f46524104fbd4d8c9091408d2f4ebb

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
80KB

MD5
95420843133c0ff5eae46bc7c8f5b1e6

SHA1
556016c2e658d455cdd5194a64bdd71e6c8bf6fe

SHA256
8cda333985d9c234ee61266bd042e6fe8580565007c637310a18fc18d9f991bd

SHA512
e839bef7141e2853e595abc9efb6b8c879ba3cff5b53826e05c38154573eb8ea309632ed772841135bd2b4e7f389978636fc6038240f65067fb36915a098b47e

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
80KB

MD5
758e86c5a0098a5c6a54b737299df36f

SHA1
439747ef35a5f092ab3c3fa2a3b6afd0262a607e

SHA256
de6deb4708a807941b04c9c26aea01596dcece45eff6108a5dc8d2544d688620

SHA512
52f5bf5b310e41d9741483b2b95f8e6b140823656f514e6683fbff4c8e3647af2a04a3ac9f85191e100c5292fef91177b074118179c8025bc55c484dc85609f8

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
80KB

MD5
f63349bb3c784a123d5c7b882ab54b69

SHA1
33d6d19b231f656cd0f062f173daa4f7bde3a969

SHA256
ca17e577a476d2f22d6db65390194a96f331aa60dfbb8b78d14df49c92fc9eb9

SHA512
abee7c8ac4700ba33fb2242491b23262ff9bb1ae5e00903f5f69269bd1ee9b4471ea0ada3f0bde4b013310c5cc244e37084060b655979f123942d968cee9d274

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
80KB

MD5
0bd30661cc30b0c859929ffb32752f6f

SHA1
6be02e544e35fa6a4414751ef08e494c1ef9e077

SHA256
c1d6ed274c5e7a9128d78a1c8bf1cf36752f9b4ea040191180c8383d274e0da3

SHA512
91888f8f8a22cc757f15623bad3757141dac836dcf2bc60f6c1c77f76a5c9e57c36f42ce3c684cab94df11ffe5c219bd2f28b7ea3fb39548818aa8b80ec01287

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
80KB

MD5
42bec35298494103d82ca0b22ea0b255

SHA1
9717d5f2f0171cbb618580c6dff384c19b8a0b3b

SHA256
2fc8f02afd41a33b1622f0e9c55065ede89a721bdcf46b798baca020de80e4a4

SHA512
44d7eb02dcf7255ff9998464ae9d1ddf9c5501558a947f1d1f0784615e1100d18a6c0553a8e70131f63f9f0073f1e506361a4d16c63136f6557e43b4932977f7

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
80KB

MD5
7aae395f73ee9be2b74a67364f252481

SHA1
6b19a44bc51bdeef05cb4cf29c6d201693e9642b

SHA256
eede08ecf9196805ca1b3faa5506d399cf41b69d33f3ec1f8b4a6bba92185b84

SHA512
1988c440dc7998e99732d37c68a498602eb8b3dfd1e5c218a786c0748544f4cc3ec3b19f9e98eb5f6b36978333c4b87231cd89ebe21cf08299883d0c9c9c61f0

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
80KB

MD5
e76f4a520e68a5058ee8b4133cbe5f6e

SHA1
10233abf5b1696b361adc5c805ad43f060b1b278

SHA256
46baa3307c3f5f0397a557206b86e10106cd4d6247f30b7e23678c6053dadbf4

SHA512
7331ee0aa2787549186e89277956b49c8971d41ccd50e65cc2896307c97a785083a06c1a1364c32ef003cb55e2e75220ac966d3883fc541af401550623261a4a

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
80KB

MD5
60475ad50d829faceff1c0482206fbe6

SHA1
91bf03b3fa547d3667ea3df0fd2e656fddb4032a

SHA256
a08e2d418302e25e714cab25863caeed624d020d0da4f1f46fccef211a0fd46b

SHA512
a20567240e1c43fe4c2ce58021a140fbdef312cbaec241a28577a52848323186df2633b253a4fd3b0a48cedf6e989e50ac183e89367ea7df838c57f6b591c877

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
80KB

MD5
1d3d6d3763a3de3baefb2d2d6157e82a

SHA1
99bbb3d6ec657dcf414ad952ee6936473ea0709f

SHA256
5b889ffc2b60dedc3a873e7e22c8342910410536de94ecc74a3a6cd7df11318d

SHA512
6c4ea449576431a629efd563ef20b789a5a2811f9543d97ce05b8f4991a849f436f97f74463ecc41fb5a5d2a4000676db0ed0f423663e7ccc9e2eb603e668542

Download Submit
memory/484-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/492-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/492-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/564-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/564-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-228-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1160-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1380-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1404-219-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1404-301-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1980-171-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2052-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2052-92-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2200-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2200-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-379-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-325-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2520-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2520-375-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2552-86-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2928-209-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2928-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2968-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2968-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3056-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3056-374-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3284-218-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3284-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3336-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3336-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3492-380-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3492-318-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3500-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3500-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3544-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3860-90-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3916-235-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3916-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3936-372-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3936-371-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3992-339-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3992-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4208-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4208-28-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-373-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4548-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4548-210-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4600-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4996-172-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5116-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5228-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5292-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5376-100-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5436-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5436-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5512-381-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5512-312-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5576-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5576-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5628-85-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5636-331-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5636-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5692-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5732-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5732-345-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5776-357-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5776-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5788-84-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5936-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5936-254-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5960-282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6132-236-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6132-311-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads