7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe
Size

768KB
MD5

4bb57d8f1b6e7b1134bac54c50424f20
SHA1

8c0fabbc47cb85419fad4de1fe55c01cf6953bb2
SHA256

7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5
SHA512

979e1a6575de795b2a42828c5f66e047a389005dd1027f98ae38ee62365eb00d96100f4266eea0889322a53ad0514372f72da730dbfa25bb2e39b0b05377fb5c
SSDEEP

12288:4XXCMvE6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4g2:mXCrq5h3q5htaSHFaZRBEYyqmaf2qwiv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe

Executes dropped EXE 45 IoCs

pid	Process
3744	Ibagcc32.exe
740	Ijhodq32.exe
1148	Iabgaklg.exe
4876	Ibccic32.exe
5060	Ijkljp32.exe
1104	Jfdida32.exe
2904	Jbkjjblm.exe
2832	Jjbako32.exe
2872	Jigollag.exe
3512	Jpaghf32.exe
1080	Jiikak32.exe
2856	Kmgdgjek.exe
4444	Kdaldd32.exe
3380	Kphmie32.exe
2020	Kagichjo.exe
2660	Kgdbkohf.exe
1000	Kajfig32.exe
412	Kkbkamnl.exe
1676	Lkdggmlj.exe
4884	Lmccchkn.exe
1836	Laalifad.exe
1976	Lgneampk.exe
2312	Lpfijcfl.exe
1492	Lcdegnep.exe
3244	Ljnnch32.exe
3464	Mahbje32.exe
1004	Majopeii.exe
4448	Mkbchk32.exe
4752	Mdkhapfj.exe
4496	Mjhqjg32.exe
4156	Mglack32.exe
2088	Mjjmog32.exe
3528	Maaepd32.exe
804	Ndbnboqb.exe
212	Ngpjnkpf.exe
1760	Njogjfoj.exe
5076	Nqiogp32.exe
2152	Nddkgonp.exe
4836	Nkncdifl.exe
712	Nbhkac32.exe
1800	Ncihikcg.exe
2136	Nkqpjidj.exe
4388	Nnolfdcn.exe
4980	Ndidbn32.exe
1688	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3668	1688	WerFault.exe	132

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 3744	656	7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe	83
PID 656 wrote to memory of 3744	656	7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe	83
PID 656 wrote to memory of 3744	656	7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe	83
PID 3744 wrote to memory of 740	3744	Ibagcc32.exe	84
PID 3744 wrote to memory of 740	3744	Ibagcc32.exe	84
PID 3744 wrote to memory of 740	3744	Ibagcc32.exe	84
PID 740 wrote to memory of 1148	740	Ijhodq32.exe	85
PID 740 wrote to memory of 1148	740	Ijhodq32.exe	85
PID 740 wrote to memory of 1148	740	Ijhodq32.exe	85
PID 1148 wrote to memory of 4876	1148	Iabgaklg.exe	86
PID 1148 wrote to memory of 4876	1148	Iabgaklg.exe	86
PID 1148 wrote to memory of 4876	1148	Iabgaklg.exe	86
PID 4876 wrote to memory of 5060	4876	Ibccic32.exe	87
PID 4876 wrote to memory of 5060	4876	Ibccic32.exe	87
PID 4876 wrote to memory of 5060	4876	Ibccic32.exe	87
PID 5060 wrote to memory of 1104	5060	Ijkljp32.exe	88
PID 5060 wrote to memory of 1104	5060	Ijkljp32.exe	88
PID 5060 wrote to memory of 1104	5060	Ijkljp32.exe	88
PID 1104 wrote to memory of 2904	1104	Jfdida32.exe	89
PID 1104 wrote to memory of 2904	1104	Jfdida32.exe	89
PID 1104 wrote to memory of 2904	1104	Jfdida32.exe	89
PID 2904 wrote to memory of 2832	2904	Jbkjjblm.exe	90
PID 2904 wrote to memory of 2832	2904	Jbkjjblm.exe	90
PID 2904 wrote to memory of 2832	2904	Jbkjjblm.exe	90
PID 2832 wrote to memory of 2872	2832	Jjbako32.exe	92
PID 2832 wrote to memory of 2872	2832	Jjbako32.exe	92
PID 2832 wrote to memory of 2872	2832	Jjbako32.exe	92
PID 2872 wrote to memory of 3512	2872	Jigollag.exe	93
PID 2872 wrote to memory of 3512	2872	Jigollag.exe	93
PID 2872 wrote to memory of 3512	2872	Jigollag.exe	93
PID 3512 wrote to memory of 1080	3512	Jpaghf32.exe	95
PID 3512 wrote to memory of 1080	3512	Jpaghf32.exe	95
PID 3512 wrote to memory of 1080	3512	Jpaghf32.exe	95
PID 1080 wrote to memory of 2856	1080	Jiikak32.exe	96
PID 1080 wrote to memory of 2856	1080	Jiikak32.exe	96
PID 1080 wrote to memory of 2856	1080	Jiikak32.exe	96
PID 2856 wrote to memory of 4444	2856	Kmgdgjek.exe	98
PID 2856 wrote to memory of 4444	2856	Kmgdgjek.exe	98
PID 2856 wrote to memory of 4444	2856	Kmgdgjek.exe	98
PID 4444 wrote to memory of 3380	4444	Kdaldd32.exe	99
PID 4444 wrote to memory of 3380	4444	Kdaldd32.exe	99
PID 4444 wrote to memory of 3380	4444	Kdaldd32.exe	99
PID 3380 wrote to memory of 2020	3380	Kphmie32.exe	100
PID 3380 wrote to memory of 2020	3380	Kphmie32.exe	100
PID 3380 wrote to memory of 2020	3380	Kphmie32.exe	100
PID 2020 wrote to memory of 2660	2020	Kagichjo.exe	101
PID 2020 wrote to memory of 2660	2020	Kagichjo.exe	101
PID 2020 wrote to memory of 2660	2020	Kagichjo.exe	101
PID 2660 wrote to memory of 1000	2660	Kgdbkohf.exe	102
PID 2660 wrote to memory of 1000	2660	Kgdbkohf.exe	102
PID 2660 wrote to memory of 1000	2660	Kgdbkohf.exe	102
PID 1000 wrote to memory of 412	1000	Kajfig32.exe	103
PID 1000 wrote to memory of 412	1000	Kajfig32.exe	103
PID 1000 wrote to memory of 412	1000	Kajfig32.exe	103
PID 412 wrote to memory of 1676	412	Kkbkamnl.exe	104
PID 412 wrote to memory of 1676	412	Kkbkamnl.exe	104
PID 412 wrote to memory of 1676	412	Kkbkamnl.exe	104
PID 1676 wrote to memory of 4884	1676	Lkdggmlj.exe	105
PID 1676 wrote to memory of 4884	1676	Lkdggmlj.exe	105
PID 1676 wrote to memory of 4884	1676	Lkdggmlj.exe	105
PID 4884 wrote to memory of 1836	4884	Lmccchkn.exe	106
PID 4884 wrote to memory of 1836	4884	Lmccchkn.exe	106
PID 4884 wrote to memory of 1836	4884	Lmccchkn.exe	106
PID 1836 wrote to memory of 1976	1836	Laalifad.exe	107

C:\Users\Admin\AppData\Local\Temp\7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a9b680c1e85e01d1c8becdef7c6bed0dbe276324d52303e6905ebf484c9abc5_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\SysWOW64\Ibagcc32.exe
  C:\Windows\system32\Ibagcc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\Ijhodq32.exe
    C:\Windows\system32\Ijhodq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\Iabgaklg.exe
      C:\Windows\system32\Iabgaklg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 400
        47⤵
        Program crash
        
        PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1688 -ip 1688
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
768KB

MD5
e04b0f935a7d3d2ef7d0ba155fe9a6cf

SHA1
d6e5173deca61c04f102ca2dea0965a26f57a656

SHA256
71f89aaa5b546d8937b00344c9311ba16925ce00f851d1be1a24479a82078a13

SHA512
73d54915c0195f139eb138c97d37729aa9577f9643b677fb69b0300af5eb3c50de1cd95af4bd5776004e156483840bbc9268b57d808f2ab344613a04e9326072

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
768KB

MD5
7220fb7cccafc999431a62f598cdff6e

SHA1
a27d8725313eb6280576dfbe55a7908d39b8934b

SHA256
0e0f5e0a6de0ad62bbcd3b72debf0bb7aa158cba081f8f6ba9daff70394e8e77

SHA512
c30551cff0a94a75b490d23c8afea146e0076cc2e9090c39ce87ac5227bf6fab7677fb7dddf22f290a85ac8046edafcffd81518dc6377b13c437d0089e1bb59d

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
768KB

MD5
ad1d0fc8421a4ddca5ec57a0f1e04023

SHA1
26c116a84cde7122b51a037d09a139a087eee7c8

SHA256
ea36eda0dea5113dd5f0f7bd676e69a6f44dc45ae83c1ff4a295a30d4c729708

SHA512
3808519651f44ddad76d91d841a798e80846d0f4b9ea41f4bdfe6e74cbcf735ed6c50af908a0bc2709c872d62df1db7bb11d5246ec8f70018a36e98839c70ab6

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
768KB

MD5
d25d201758c3da3b1586b42cb44d9c55

SHA1
c5c0c9e2205f713047c128a75bb039c58a7860b3

SHA256
c61ccfccd5165ba48708a986f59d3a7792dd9004012352b469ffc11683d73cad

SHA512
24a69da92fd1d9c645a39a59db5cf9e8f88c869e1736a57789a1b705d6ac8471d288402834b3f39d1a0dd98ac678e88dfcb3ee54538ea7ceb106cda9d42e49a1

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
768KB

MD5
1ebf70a43ad433ef919a76650e20e10c

SHA1
5cc80bc394c7b80fd494d2af981ff617d0fe5f3c

SHA256
0c38376a3a6489997e7bf486ef3418a41ca4b9507d04f5f7aee4383cd536efbf

SHA512
a7754eb18545e50deeae2ab59f3330a4349cbe0222ed76d752d92ba55766bb97ca0bac827390817ba71634d997644b5a2f8e303fa630cdaf895e30e14ada9720

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
768KB

MD5
3ee4c7b5e9c61fe5cd7db439def2d84e

SHA1
582774a74e42ac17cf75db047d71341a6aadffd5

SHA256
9ce00f526765274c31c9546c503c0a64202ef3f214e63ef3b07895bbd90a4a06

SHA512
b465e05a3bcd15ff76d99f8b700fd11cea504ef1d97ac4dbb422f3ec4ac0a54a5fe3da437ffcdf622c5326f9f145b502563171e3c1d1f6632257f5fd8211eee6

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
768KB

MD5
b2f169b6ba585608ec5f8f924748ed8a

SHA1
47840c9f17c091491af1605f6e71bb25d6608c5a

SHA256
f63b1631e5e88958198dfb9dccc5a8895bc2837d2ed696b0e52b6736ca27b079

SHA512
c664fc03992f472670f121a3e0e92bf3999d3531594372a8f9a67fc62e782e8a81ae6bfaaab92c5ba02381444675c1d5dc6aa06a846359eb63891b0f92198eea

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
768KB

MD5
a019171ac39892c7d3a0466ba2c1ea23

SHA1
dbab66b1e2f9131a13fd648ad491235ee814c307

SHA256
4e3eb4876b0a22b867036538e3c39ea506970462c3322a7170e49aea34d87876

SHA512
fcd379b598ba71e61e11347843fb0ff8da2dd66b8112da9bf2883c98611926745ed0f25af0499a3b378de9dfc50ea76be6510cf7c53e4bbe76b93e9ece90904d

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
768KB

MD5
4fef907aba5d157899926f2570b8469d

SHA1
9ea675bb8151f54b1c820b9ed3f050472626231d

SHA256
cc7bd6733f551ea41adda3b1237ece8f06fe967dc2d9dc2d2d1dee5bc95b5e94

SHA512
462bb769f8f786a4aefd0ee1c6f7d340207c9b73963aa267177c55d3c36b45350bf6c5cfc97d8f4be8ef829de51c57da6b96f4684d65d760e29cab1542cbc086

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
768KB

MD5
5d36f0c2b6072ff2678dfa34ef9f63f3

SHA1
fd757f2963225eb14ae26afc8933fbad0e50eb3d

SHA256
40c2898e55924158f273245a17a360faedcdfca01e741a3d26cfc3c46419e90f

SHA512
5727e02a6bd13cffdecf94821a57ff6be72c20dcf5515d4be4ebd1fd89ab83d27e493671a5d643e53c22b76b18e5b82c4a0e5a18c1c7bd9bed54c190e43ec88d

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
768KB

MD5
4007a37f3b27903e9bb5a344ca1b993e

SHA1
083f6e68c99a184cea73b898b931e176de6e23f8

SHA256
14f25fef9d8c3e84d69464f8c57cfe0370950634174aed5c65c6d413c033ac50

SHA512
e9a743c1f746ae70c328ee1a1e97c2e2c03698c253a7a1f5823ff958dc51be503909ff8c6f7639390d76fe4fb69176575d30992a18ae8140b852846ea30dca62

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
768KB

MD5
fe829632924948df0f844540d251227e

SHA1
80cf27bfc5e958330bcbf358efe27bebb4b2e0b7

SHA256
e9fa53ea1f6fa4d7d44ae4bb813e214ba7a69de0328d33f13fdd67251b525845

SHA512
9445f8e464116af3f4e244b27fbc156334a256301105be58d882a475b2064eda9613dd4c76d239aad4a2c68fc40ac907c85160f0bea7ef81a3723e2e94c81e91

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
768KB

MD5
357723b60af795f94f3ea84fcdb909f2

SHA1
d53c38238d27791269047c4cafbc6b8e2375ea92

SHA256
13819db12779682bb80cc86869d7a95050396cf3ae1d8d0ecf8e8a28b460b16c

SHA512
d348140ec5f8b2e62546453aab1da11e5cc986c02e4fa3fc251361c2860e43f841ced321fae84be85f6f89b8efc3d44656ec206845cdfff3d3f7f30e492776cb

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
768KB

MD5
9c4ef913e07d7b0fa376ae99642e7d75

SHA1
51b0ee39fc79bfc820b6f83f9a9de99af76a00e7

SHA256
61976916f1794d23239576970affa74e49567404ec8b7b3b55e60dfad814a08c

SHA512
bc15e55e3845eec4002c4470dc4ddf9ad79e5365edf6db8bf2159539fb7144cccc15f6b0ca927032c228eabe5565e6b1dbc5d9b8c3322c7f85237f11131c6044

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
768KB

MD5
70182ad3606acdb8c79daa226c92e811

SHA1
f74fd0b6d4b742c7aacdbe9dee82929cb6e0f7bd

SHA256
4b7eec044d7ee763ce192ce8cead2ebdb34e546e507b5cf9b5bd867e85c326f4

SHA512
395330b6a0ba51f769f7efeff4b3217cf3c717dc937d01303b7bd4071120361d79bccfd03c69c721e46b294aadda44e04a9c10cdeae996aceaf2c1c1b0144c66

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
768KB

MD5
703a0b53f667bf99dac7940ac81488e6

SHA1
ababc1d44f5d4e1961c81f6c889e0bbb49a1097a

SHA256
1cc1a91e400c75b3a5e3158a77cdf2524832c86c40fda926a5db8a61b4d945b3

SHA512
a9979d9b74c55a87496f38ee3c0909badb0e2fbcacfd25cb40089a6e755299fe3ea1f981942308708aabdfd0e0ba0d8be20ef94342bbba6e76e0562231e20686

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
768KB

MD5
f1b2f1be95ca75f36cd6a9fa8eb217a2

SHA1
7e3dc9118a15239c2a83609220e842e30a0e2111

SHA256
97850d0e88d32a09bf1ef0fd187f57ad754cb277171c5f8e7ecd73e5eb7c87ba

SHA512
5ce450c07ab2d2272b5620b936eaf87a8370db61caf74a7bd37da9d660e580ab567fb036bc517de0c37f07fc336c0db3c9e6cefa7085d8f3bc20fe9eb587ce5d

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
768KB

MD5
f684725e3f2072085bdc11232013e02c

SHA1
4cd6deee769ab68cac70210b35cb0bb07eb06a22

SHA256
42b509e682d5e4123ac90ced35c50f33eb5319df8c734e80a529897a3336fb2c

SHA512
c8c4a259a71b4505ce77b342f87d00d8ffd81223c47c999e54fa7b5d8dcdcf51106e3e54b0d8e35ac69590dfc7b192852dbcf474dd6f895e23d91bcb547b69be

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
768KB

MD5
2fb7dfabaf6920e5443d0f8f031a41ad

SHA1
8f6b56f25a4b750385b4b1743c05040f72b6b76d

SHA256
47dfa607bcf8280ae903404c7a6516e20d50b888e1c9a7c27bc010e609548b54

SHA512
c601fa02f6e4a51984f617ca7a51c9815347ecb9f86c2c92388c83314b10fabbf59b618b70a17cbf83b2f3b6273aa33ff8ef908671d0e2f41292e45c6a86d178

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
768KB

MD5
e905b99858c104202a6b2733e0e6c6b9

SHA1
f059e8bf877e00fe6759161d67627f4d2b8113c4

SHA256
2b3c6bfda48dcb8fccb271fd28206cf1de4f24e9f94125e277ff85bc623669da

SHA512
4f2e18bf95b7a856edcba35f4c6ddc2763fbf7ea15a2f5b635ed93b54143dac80aeb7428233dd58ea22a14c2eb8765c0b69d610592d262e3d700f3c88b038999

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
768KB

MD5
57e94d933ba4ae94be055db78a83e8d4

SHA1
3b7717f277a171837940ccce39937d85f07b55cf

SHA256
09833e7b413b27d79770a66530b829153d9f2ac68d04f9d4d870ca98e249e7e1

SHA512
889adbd743f792572675d2bcfa2243fd92fae861cb0b455e739a284e4afdb776b02d06354b6c4e4b7984eb359783d5a149b4027003237acf3ee460cb2bd153ef

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
768KB

MD5
3cc91b75c4a9aa8eceb04e8233d52fee

SHA1
f45049ff0c2fd8617cce16dd2d28617d0e16eb5b

SHA256
0b1370e1769dcdb8bef77cae0a07ba060328efe93b09fe414cc526caf852b6f7

SHA512
58ed641f7f12f0d2118a27b3cd20d2ad48ff7e82ff50a44ba2e1b98c7e6cdf8fe0edca0dd49a92cb6683e776c2c07772db8352922772b9df0aa595feaa876fb0

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
768KB

MD5
040b386f62a7aa1e790784dee0300749

SHA1
4df5ed319b6b48844d5de126ac1bdbf16e391c1b

SHA256
79041927849dddb72d8a8f9ae21bd9078339c652b47be9a8dfd914179eaf0a25

SHA512
27fa4e90187b9995df1b24c4232c49d3d64293c070d3768ac753040add2874abac5b0e575d6298418be16683a2d90690f3354950c30476689b326d9d83851a62

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
768KB

MD5
ae1141951dcdc9ae34520fa2fd5af8f6

SHA1
5bb02a833980d4904f7da0180a7c3d207344a0b0

SHA256
b5dc28a8efccad2de61fb9ea0f8e79cfa44c99517dd68cf559326eec50f29b2c

SHA512
b27b4397aa3e10550ad463020eba6cc75cc856ef9012b928c55790d528a3c17f64ec967d943211c45eb43abec6ebbf2a493383cb03db4bd3bedf959ff45d2aa4

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
768KB

MD5
76094c3ec195e75139c2e110f6397b91

SHA1
c5d7ce1d6d20fe9aca746acc9d5df6203fe427d7

SHA256
48b9d32fb8cc5b61a7cdad78a0a7ccb8e4cc2bd47c16c80233a7492151413a71

SHA512
5145dce20bfb2f45290797eceec9fc42aebfdcac39d0ab505390b0c696946f8d7e096218f621fa0d8f7ab34f0ddfba04778a390817b7ba9db8754a688161dc2a

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
768KB

MD5
f35aad67bccf4bd39fd9f623f22a9da9

SHA1
6d3cb55efa65ceb593578df499acf8f370c50133

SHA256
19fd2f5f3277beb776d9e62b2d59ac2a12d090cf83f3fab5b03fae926ac72618

SHA512
6a1515bf504cf88ead37d645bf89150d67b4b078c6918f6df57a2c802f1d04f81a7d91ba6c352a0786b01055917932763ea39c57ffcb404d6ec61b4d3a0e9a90

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
768KB

MD5
69506c097e1d361d7a050943c60e6a10

SHA1
3dd2137b8ef4898e3b1c97360a99b407cefdc60b

SHA256
4cea38b6caa63eb0d17dc8757025ba02dc2a0fd5833ec254c315a200fb64d729

SHA512
d6d57ec34ce869f0f7e628120529597f05ede0cf01c69447e9184f3a724128a6d94df27263938d8b2a0c3e5b41bbdbc6cf87c69126e1d75550342bfc0f0e3735

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
768KB

MD5
0591c67a74738900a54e7fd3f2555183

SHA1
cc3083995090e9df6ed88e4be5703a0aaa36e054

SHA256
79e3b30f1e91809927bda9fdd2a4ac5c35d10d9bf360080d0ce9aeaf72215ade

SHA512
2ea1ea39ac6a1a0e6cdfc80d8ee542276781580656c7d512a6426c0f104148a78c36a45a9be5c831f00fe6d6cb30cf168842f827cf52a2f21610db4070abd1cd

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
768KB

MD5
955fb8e7941005f4c51f57a63718c04e

SHA1
0649d5286eef1fb296a863a2ce6d2b4fc1af2fdf

SHA256
38f8149f7c19c4b486811b0ff07ea8001181c52a370be3ee378b91391ea5006d

SHA512
9b63e230e5f79dde6ef30555e8a1a04e735794468244d7d1294319e6d35436e9760d7eac3a03877ace94204a4428a95c0b88568af9638226d8a1a18714ae8ce5

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
768KB

MD5
d7aa918f6f581940e9872a4602255827

SHA1
d9d7484c5787358461ab79c7c6e33c59bdf52547

SHA256
9d8d32ea0abb75f3caf42f334a92613ec8a4943d222413fb731c5b1a9d563fc2

SHA512
7579b01aef40ffc30608ddabe6fd125ccdc25bc7021ae6cf9aeea104a9b9f5c71eaf5c4db301542caae2356e48a2b1a773b2ba0f84cf322390257ffcb94e2c8f

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
768KB

MD5
3ea15cb410ee43ed92e9cae2a36d6b5f

SHA1
8bbe7aa5e459ad7cebee76b43c150cd132bbedde

SHA256
b1b0f82a20f0cf9e121cfa8ed9c56c79a6f192ef6a4032b3199d1a150516837c

SHA512
4d4f11a6638a4d5d48193145397b0a7ccdca3e1de58549cada5b14dc2321b7510fa37f44bf11c99e16aff8f1c0f09fb07b1527ad98735b7ea57c916f88c321e5

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
768KB

MD5
25a2ef5e8a51c29d0dd81e8f80138d35

SHA1
d83d56e413788c306c379d1bde666ee42fbe0103

SHA256
e06d26499feed8fbeb16f4dacd603b7abf5cece3db99785df04af5270d3f86af

SHA512
00c6edbf6e0a5efbae17d9f4b1e73c1e2530f2fcffbe58863017ce6a20464f9b01d37659480b017d9ec2a98f5b273ad3cd33098c4b7b49d9c581c2b13363fbef

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
768KB

MD5
ebbd2af4f6229e7467f5cd7818f80092

SHA1
b3cb70e46b850340adc85775ab48277d042ce41c

SHA256
31a61f703c8de542b338cd640994b16b828c1010720a4922cfb03ac8614b93c0

SHA512
7fbc94b9aeddc8ce4e3fef009fa64b48e841e81a6baffadb501c34445c3ad40090dc63962b6026050905043a8cfd4cfd2370993f81d22f83260d81681079b913

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
768KB

MD5
f879c257b9e05782703cccbe50f08cc7

SHA1
f83fd2415c56eaffc3f8241ba08769a62a1eb119

SHA256
f346d8ee4e4a3898e828228891afb532b96deb04d54f3f7d5e56e4620649b7ac

SHA512
f9cd3ec067c10711fa98681f28b80d6ecbb857094550d0c6476057aaf8cb06c9b1931c1a0c2e9b376c534384a16a77478568e0d586121f7fab1a77d742bea4bd

Download Submit
memory/212-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-2-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/656-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads