ae3ab66cb410399bf87ac6b67fe28b78183dc097030e42a76ad9e154d6ce34a2

Analysis

max time kernel
94s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 23:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe
Size

448KB
MD5

22f2a744b9cba9eba620d41d4cadaff0
SHA1

13357d8fbda776d1277c7db12d3d6d541c8a81eb
SHA256

ae3ab66cb410399bf87ac6b67fe28b78183dc097030e42a76ad9e154d6ce34a2
SHA512

32f66f082943259ca2e30365c8861d1162a9954fab032006bf54d5f206cbef90f97ee5cc72bd7c0c5cc2a65befc5fcb21ed556157ffd2fb766f531db19756937
SSDEEP

12288:qjZIwAxWnsuLIpIwAxWDFQIwAxWnsuLIpIwAxW:WZxxn9mxxaxxn9mxx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe

Executes dropped EXE 37 IoCs

pid	Process
2184	Idofhfmm.exe
2328	Ijhodq32.exe
2524	Iabgaklg.exe
4476	Jfaloa32.exe
4148	Jiphkm32.exe
1952	Jagqlj32.exe
2208	Jbkjjblm.exe
1284	Jidbflcj.exe
2396	Jmbklj32.exe
3048	Jbocea32.exe
2660	Kaqcbi32.exe
5052	Kgmlkp32.exe
4736	Kinemkko.exe
1964	Kknafn32.exe
3360	Kdffocib.exe
4264	Kpmfddnf.exe
1064	Lmqgnhmp.exe
5096	Ldmlpbbj.exe
4628	Lnepih32.exe
1528	Lkiqbl32.exe
1388	Lpfijcfl.exe
2508	Lnjjdgee.exe
3724	Mjqjih32.exe
2900	Mciobn32.exe
1976	Mjcgohig.exe
4536	Mkbchk32.exe
1564	Mdkhapfj.exe
1920	Mglack32.exe
1784	Mcbahlip.exe
1472	Nqfbaq32.exe
3916	Nklfoi32.exe
892	Ncgkcl32.exe
2960	Ndghmo32.exe
3888	Ngedij32.exe
3036	Nbkhfc32.exe
548	Ndidbn32.exe
3772	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Ijhodq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4544	3772	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2184	4848	22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe	81
PID 4848 wrote to memory of 2184	4848	22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe	81
PID 4848 wrote to memory of 2184	4848	22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe	81
PID 2184 wrote to memory of 2328	2184	Idofhfmm.exe	82
PID 2184 wrote to memory of 2328	2184	Idofhfmm.exe	82
PID 2184 wrote to memory of 2328	2184	Idofhfmm.exe	82
PID 2328 wrote to memory of 2524	2328	Ijhodq32.exe	83
PID 2328 wrote to memory of 2524	2328	Ijhodq32.exe	83
PID 2328 wrote to memory of 2524	2328	Ijhodq32.exe	83
PID 2524 wrote to memory of 4476	2524	Iabgaklg.exe	84
PID 2524 wrote to memory of 4476	2524	Iabgaklg.exe	84
PID 2524 wrote to memory of 4476	2524	Iabgaklg.exe	84
PID 4476 wrote to memory of 4148	4476	Jfaloa32.exe	85
PID 4476 wrote to memory of 4148	4476	Jfaloa32.exe	85
PID 4476 wrote to memory of 4148	4476	Jfaloa32.exe	85
PID 4148 wrote to memory of 1952	4148	Jiphkm32.exe	86
PID 4148 wrote to memory of 1952	4148	Jiphkm32.exe	86
PID 4148 wrote to memory of 1952	4148	Jiphkm32.exe	86
PID 1952 wrote to memory of 2208	1952	Jagqlj32.exe	90
PID 1952 wrote to memory of 2208	1952	Jagqlj32.exe	90
PID 1952 wrote to memory of 2208	1952	Jagqlj32.exe	90
PID 2208 wrote to memory of 1284	2208	Jbkjjblm.exe	91
PID 2208 wrote to memory of 1284	2208	Jbkjjblm.exe	91
PID 2208 wrote to memory of 1284	2208	Jbkjjblm.exe	91
PID 1284 wrote to memory of 2396	1284	Jidbflcj.exe	92
PID 1284 wrote to memory of 2396	1284	Jidbflcj.exe	92
PID 1284 wrote to memory of 2396	1284	Jidbflcj.exe	92
PID 2396 wrote to memory of 3048	2396	Jmbklj32.exe	93
PID 2396 wrote to memory of 3048	2396	Jmbklj32.exe	93
PID 2396 wrote to memory of 3048	2396	Jmbklj32.exe	93
PID 3048 wrote to memory of 2660	3048	Jbocea32.exe	94
PID 3048 wrote to memory of 2660	3048	Jbocea32.exe	94
PID 3048 wrote to memory of 2660	3048	Jbocea32.exe	94
PID 2660 wrote to memory of 5052	2660	Kaqcbi32.exe	95
PID 2660 wrote to memory of 5052	2660	Kaqcbi32.exe	95
PID 2660 wrote to memory of 5052	2660	Kaqcbi32.exe	95
PID 5052 wrote to memory of 4736	5052	Kgmlkp32.exe	96
PID 5052 wrote to memory of 4736	5052	Kgmlkp32.exe	96
PID 5052 wrote to memory of 4736	5052	Kgmlkp32.exe	96
PID 4736 wrote to memory of 1964	4736	Kinemkko.exe	97
PID 4736 wrote to memory of 1964	4736	Kinemkko.exe	97
PID 4736 wrote to memory of 1964	4736	Kinemkko.exe	97
PID 1964 wrote to memory of 3360	1964	Kknafn32.exe	98
PID 1964 wrote to memory of 3360	1964	Kknafn32.exe	98
PID 1964 wrote to memory of 3360	1964	Kknafn32.exe	98
PID 3360 wrote to memory of 4264	3360	Kdffocib.exe	99
PID 3360 wrote to memory of 4264	3360	Kdffocib.exe	99
PID 3360 wrote to memory of 4264	3360	Kdffocib.exe	99
PID 4264 wrote to memory of 1064	4264	Kpmfddnf.exe	100
PID 4264 wrote to memory of 1064	4264	Kpmfddnf.exe	100
PID 4264 wrote to memory of 1064	4264	Kpmfddnf.exe	100
PID 1064 wrote to memory of 5096	1064	Lmqgnhmp.exe	101
PID 1064 wrote to memory of 5096	1064	Lmqgnhmp.exe	101
PID 1064 wrote to memory of 5096	1064	Lmqgnhmp.exe	101
PID 5096 wrote to memory of 4628	5096	Ldmlpbbj.exe	102
PID 5096 wrote to memory of 4628	5096	Ldmlpbbj.exe	102
PID 5096 wrote to memory of 4628	5096	Ldmlpbbj.exe	102
PID 4628 wrote to memory of 1528	4628	Lnepih32.exe	103
PID 4628 wrote to memory of 1528	4628	Lnepih32.exe	103
PID 4628 wrote to memory of 1528	4628	Lnepih32.exe	103
PID 1528 wrote to memory of 1388	1528	Lkiqbl32.exe	104
PID 1528 wrote to memory of 1388	1528	Lkiqbl32.exe	104
PID 1528 wrote to memory of 1388	1528	Lkiqbl32.exe	104
PID 1388 wrote to memory of 2508	1388	Lpfijcfl.exe	105

C:\Users\Admin\AppData\Local\Temp\22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22f2a744b9cba9eba620d41d4cadaff0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\Idofhfmm.exe
  C:\Windows\system32\Idofhfmm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\Ijhodq32.exe
    C:\Windows\system32\Ijhodq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\Iabgaklg.exe
      C:\Windows\system32\Iabgaklg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 400
        39⤵
        Program crash
        
        PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3772 -ip 3772
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
448KB

MD5
7b51875d00533a948f45e3d869905a40

SHA1
fd4033ba4c8bc94fdabeb88d7930cde8540213ff

SHA256
496e1a616e4a24be70de086d0336e27e3016474d21492aeb181d179c6c53d377

SHA512
1c92f3765d9cee0a0f9e93346bddb1d4f7e0059121b1eaf0e99e8e081e318c85654432931e50e3203e5f25e4f35da1e4f323b64a6bd8016e0e41bdfb43c841f7

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
448KB

MD5
f0b9c6fa9dd680e31b8727fb887c557a

SHA1
68cb63d51daacc1dbf5c489d88b8e2e7994f5c82

SHA256
ee110e8bc0e630279c21dcbb6ebcfe339894ef7a7999b17b616f06261928e221

SHA512
92d504f86a77a1e7161faf81ae0b2c31862f1ce4222084b89942dcbfb20834e57448f82687f1b344afeb376f6380c3188dd88ec8643186f4dc75f2929da82ecf

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
448KB

MD5
813b8f5a5d5b298514c6349d1b145969

SHA1
1b4467b61dc45c2b381db98d758dc59587873909

SHA256
e6c1e5adec0a29455bb73f42c4c2e3ef461a4923c99250afe6fe8fd9e9f2e41f

SHA512
6947cc964c95311e2fcdd664a53985a00e8702a6312141f939fa41bbf31266b21b83d5db69236c18f00fa0150730f8949091ac044be051c8816ea070f4858b1b

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
448KB

MD5
2d07f8eb3a3c8a4456bda9da58a08750

SHA1
bb53fe6861eb4124aa24bd37b45cb7de54ee7dae

SHA256
5e4fbf142a0dc19eeb34087886f7d0eea5593aae41d74641df6a16109bbd80b8

SHA512
20abe821ef586c271789e605965132c905adcb11f44e76d89014a367c763221a7b98d430b5eab32e5e9a7b59ac1aa19ef5c440ae88d1fabd6e223ac0222de187

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
448KB

MD5
3f9dbf07d5b44b7c02fb63786f33a2aa

SHA1
0019fdf3f65c5d6bc53451ac4f5d907d25e7e817

SHA256
32827a384f70fcd418986af88fb399c4e1048dc2b30e66c48010db6fac5cbf71

SHA512
3dadbbb5316b769ef59292f5c8b287721b761b5109646b4403c7d27af0fb4876a9b0d39ff0818f62668540c6b82ebd66ef25769a0ee56be35a2f6d425587d4bc

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
448KB

MD5
3c814af0d8ec5ce99af15d8c8a1cf0b9

SHA1
48afdd1362b879b80177636af4df3c1c5da9640d

SHA256
52e5c60aea3c6aee5e9bb8efca9e55b979b239469512d8b09f08b2011d1dcd50

SHA512
0fbcd3037bb1faeb04ea11a5ef98e100de4b9cdca639053d646ec2b80a492d27e0d1f66c65647343538e07c25bf62e5c75c455488110fc5537ca777e4ae360cc

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
448KB

MD5
61bc401c9a37e40d1e83eddff63ed76c

SHA1
5b27243e0cfe08501110ad0f0b417259cb36e68d

SHA256
8375f31c16a2a2f8ac81443d5dcee7da2f8abd2cc9f2a12f71589e807a4692a8

SHA512
31531c2937f4a1974fdd3d36777cf67aeb5345ab3ba76a7cf82a435d5bbf7b7cedff025324f36c34068a33fb548259409840ee2a1919627db48081aaf146d809

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
448KB

MD5
8bd958072c7c0499c9b0832e2c9e27eb

SHA1
fe6b60fef5a1cd65978a88c444fced5388e069fd

SHA256
fea297bb465780801833bbc00bacd9f8b345f4ec990d1a6491a1588faa48b032

SHA512
66050938fc72bcd20c55e960b86873f137a78257758565b19c7928d17c6b2a12bcebb78a613f49cfc96788946259b187a04bfae8bc086b0757f901a1949f9fd8

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
448KB

MD5
4048e4f36b0168cd40b599d5678878e3

SHA1
3bf59c6e42cae7386b8ef4b93709adac9a632151

SHA256
f6c2283fabc9f8c1d22396919b3fc41fcc369a98c6e9edd8366bf1ce0e1879ac

SHA512
8b29f1870d2900aa2475ed83542ab61fa7498f09fe0b72459d3d1c99272eba66e729b504d6fc407e38bb8b039ad779990c654be1d6a1058ec74e8453fc8c00ee

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
448KB

MD5
e15020926e0f921f98bce92343ebafe9

SHA1
7312f72d09879ba245bb9c2561d9ae68cbf1c88e

SHA256
22e1daa14750f34f9af99179d600d783b4fa0705bfef3278b6c7a1401aefb6c1

SHA512
5a15cabe4486ea6fed70210eb62b0e87240953b0c75d6847c6cd35401b4a5322a81eb064e69a1c56a15eef9be82670e6f0f2e102808e2fa966bebc8c6ff4c0c1

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
448KB

MD5
f15364c2adf4d56773b9c3e98c30ce2c

SHA1
020d34178855d4fe1bb3aa3aacd5578002db6701

SHA256
ff8ebbd6a27baabf97e9802ba8da7cf742e835db050fbb29d71479f200b344bd

SHA512
a8a608deafed5a11d25b5413c16017906eaef4040c4ddd9c293c5faf574a65cf1991726a5925314e1ded079c8f8e8e1ce9697dd08df2d25cda2b2f6b8ef9707b

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
448KB

MD5
2c60e7ee6bda9ac341fc32588fb48274

SHA1
73f83db1f3097520ef6356d0444138593024d948

SHA256
8096755104153834a9f85b40ed6d4c91f137a0f2157da893e254042316c73b84

SHA512
74ee6bd03df63bcbf281df42f54c8f4b36c8471f63b33eb8d0157df880e44eb0b892fac65c03c275585857996ced6817f2e73169ad710358fe1442cf2996dd46

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
448KB

MD5
c9d07acce1dca4da96d16d8c6b5c4878

SHA1
5e332fa559969d528b2202d34426bd9fe096baa9

SHA256
9c1d79f938daa391075e1f79633665d50d4a962fe5afcd144f29114d3f1d0b13

SHA512
94a020dbd18e73dfd4fe794035c88efd1d31bc888c6907f2163296785e59b66456c6a5e9fea9ee9144ae3a9224cec2ffd32c8bfb4935102a2e5b107293a01769

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
448KB

MD5
56ba8f3f6e76bf81b1744586c96e28af

SHA1
283feea5c334500305ac959a611df8c20369e4b7

SHA256
bb4e4dd60d70a095bf60f42df12300cf54b812ad2bce8ce68802a5e2907b7bba

SHA512
c4b4db0d35dbed9177577d3a27b5f2eabcbedb99ae4e7e21f18ca502514a026f8f139b9fcc7e4aa960d819a03a4486973df991ebfa4aaf89baec0d2ec6c3cd35

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
448KB

MD5
2a05ee9bfc70833bb984f14a00ffc9aa

SHA1
94f3264cfb2b195a5049078a2a978e1d9f17468f

SHA256
852287e031b43b4ab37ce2e9403e3bd7920cc2f5d18dae705c60e248b3728caf

SHA512
39d17a50d62ca56af104b499b6585ac4e7370aff396b157ddc81935966f66a3630149ed5509f59fa931528d05c217cedfc85789e13519eb17b6de406967ada8a

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
448KB

MD5
56fd092a78b3d834fad68218657f7eda

SHA1
1efa9fc73276a46cd33bd7dcb3e23cf3cdf3db13

SHA256
03597f0f4b3d53e5c2e598299d5c9bd36d056b80ea044c188fd45b4b7fd65c93

SHA512
5756e0772868881c930e3ea002e909a38c5ee515379e85747c8a922986b985db31db636777d0fc1a06ca348add1e4bd507e1b1ed3864c8408105ba0c7941878b

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
448KB

MD5
c181be3e99819eaf9b7ff37ee7f3bd4a

SHA1
948de3aad2baf2b1c4030bfa72d973651021793b

SHA256
fe997a75523e29740d0d668744ec1923dd42c0fc083d3831fc7fc080508bcfd6

SHA512
ed6964951e3b94c53f0dd48e777b3d421515a6a953db286483bc6202e18420424b902ab63b11c5645590ff38c5f1420be46abbf4880ae8c91511b3551fc9becd

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
448KB

MD5
6b2543b203c8241e5664f65c08d33c6b

SHA1
af34125f1c2b7f17b832977d2760df5c844daa1e

SHA256
5db57088d0c8cd69f420e287f9ecc23c3f8fa67d69f7bb616649afaecd0942ef

SHA512
08508fb6692364e1032bd3cbc0e602cdf407646bc228df3327c390d90c2be5fc374baa1aead4a0d6f1efa01a2c4c73b647363e242a572fa44da8d914759cfa4e

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
448KB

MD5
9b806ea37501636acc934ea8daf05b34

SHA1
d13dda31fe0e9cc9b1fc11aa665f98055ef299cb

SHA256
92d4966e98c05ed7f1dd639630cd3b968e8417862df5006df4765d9b9e4d7a1a

SHA512
a10115ab8d97446f11ca72e4d1e53a599af7655494c156abda9cb4e124981bdb1662e3adf2e5db408a1619ef5adb58a25103a94996af1cf5db85424d0b29a688

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
448KB

MD5
52edc8d8ab58bcc90e37710a8c5488e5

SHA1
2af7cbbe5ef7f945a234504c1df26963e2d95b59

SHA256
356284547df1225b04a6aa0e8aa1ba1ccf675f24dd882193396e4481db633d68

SHA512
a138f6566850089b61fdc9228d4bdcb937fa161c8790e8b6da583aea5e0e8f9613f020193f4db284d84d414135b22592711af4fe35d6a0e04f3f020593f24d09

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
448KB

MD5
1ed5106e05b1ea169d667dacccaf414d

SHA1
8cb1c755a8452c013f3e06be17084135ae5335d3

SHA256
75e909eae84b0c1efe1eba1febedf6abcfc21181e84d6269ee457758a1bced19

SHA512
1cf09cd5ad2d486b26e062dde56e0405f3cecf4286b6f40b03aef5e67904fec8159a55be0d9282abf6c9c2340afdbae2befcd1754441650e534610d671d79d90

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
448KB

MD5
4255b79f00aee104811ef2a77dfa7e99

SHA1
3e5d4b7c5334d7ddd0f24fbf3a6e5c0b0d7aee66

SHA256
1a68971040ad805aa56742ab38cf5a88dde87dc5de272e16325f4f09fd4fd151

SHA512
8a9f7619f1a61b2e15805b65791fd3d97e605551242196e4f78983eaa063ea2909d12a58a9252bd058e7d543ce5963a2828caab6d3c7edfd0a5362de158c3dac

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
448KB

MD5
52cc7ffd138027bd280618c80c5b25e9

SHA1
e3ec9cdeeda36055fa7930d1d04b40aa0514e89a

SHA256
da805a865461cdd42a8f2a585baf80b7c01e24e8aee93d323d203888b9a8f588

SHA512
360baf58934c783d49ac8c6470b0a25b6801120c19eaffc8be3f550d7cb8f08927da04b2d6c2551e095b97b4da848fba6e70a4aa5b6b348ed584b115d27b36fe

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
448KB

MD5
c984a0ff1755feed0253188c32d3b435

SHA1
45bf51cf23b4a219bba21e0ce0067cea881edc46

SHA256
4d6c70d15d1bf00f269d990dab1ff68b5cb6e3e0b00a34f9d77a88144a8e7cf7

SHA512
ae8b05eeedf6bdb4e59efdca2cbdc2f0df2b352ad22331fddec5d9cba5b0a0ec6269cc2052c86c0c078777c37a1709665a93f5ec719b209fa3d8e900675b28c2

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
448KB

MD5
4d3492dcef1c9627f3585683325d15e8

SHA1
0d19bdbec823ad5dc8e097d210657c83181a2f2f

SHA256
8d9c1c3c1adee7ca6035a4416c28f142903da6312dc72a9606fceb2ae27f99ab

SHA512
8bae13d4ea5e6a1dd05112543adb38e204637e8f83db0e4cbba52e09e60fddfe929e87a7d16392cc27363ea1d36229e105f947f645fe17e44c770707f5c7a21d

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
448KB

MD5
980f56a0915a94a04cf31cc6f2b5a2c0

SHA1
c254c7d6b9b4c7f162a766a79a7472668f6042c7

SHA256
405c29b68d599d1814be573d08888e83ca71f93c4be41aa8f5b8df419fcda60c

SHA512
64e6b2f2a3e8f5bc4bf6e5642431b7d7166098ae165798c59f27e5682dfc74fcbe15ac6642101d3baf665a2bf226fc32d5d65ac41964adb01b68117386e8dc43

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
448KB

MD5
e57be5669fd1d357c00da4203905c4cd

SHA1
20d42350d0f108abdbf8a2856fcec7a8d6497069

SHA256
4a75c0885990defc617e9d0c31074f426f554b3b801e7b817dfab79a1883eea7

SHA512
8e3a995b9d611e8d644f893e59274a8976011a583e3ae6223a041e3be6313c96325620d494a2116344dbe00176a1841df29bfd306c0cc16d35ccfaa4d8842e32

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
448KB

MD5
73e8ab5f3f7443fe54102327a66e11f9

SHA1
0079fb060a15397a7a1aa557931bf72ad05b9b7a

SHA256
ce3a4bae4dee49e643e9feaeb33312c704a2e5201cb10f34cf6cf353563b2b0f

SHA512
c2035c1924a8b6fe78bba41aa837aa609bff6eca1eed01ce8b53d1926c2cb38372b8e262b6d93ee7102b96507f52804fc5afac7bbc17e64ae83c4037579996f0

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
448KB

MD5
0cecb1dd5b0d7e2c8ecda01c5e0e411e

SHA1
ad00c663096720297a2705deccb2d13388ca0ea7

SHA256
89c3efefb2093ca01b49526f71bc7e0a25f5e900a47be346fdfec11dc5fad530

SHA512
64c15a409a6511d3c1d33b30981597134618f84a366cecbdbf1dcccb2ebcde94ff42f0bd9459d399359015de27c763384c42d67b9469fe273e579dad080d65d5

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
448KB

MD5
fec82ba7347f7c7cc16bfbf89eca34c4

SHA1
8cb652e60a7444455da783981f3c3ea849d68ec5

SHA256
9633fc1e7dfd7fddde685b82e1d62a11bb22fc0e651420e663aab0be20a3bc76

SHA512
7d9c87ecf31505c313b080652bce56433db906fb6f04673517ddb6d0bed15aff399cab4d9ed202157383aad77a7621f554c3245278eaa970b2fcc9ed079266cb

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
448KB

MD5
5a09ca705676b0e6c167c69fc62124e0

SHA1
d42292a2a422ae2468f229de994d4ab15f773f82

SHA256
3eeb1306c0eff5c456e55cc6b28a06884622ed331fef1dba700b6872c9e8d11c

SHA512
5f7e7f66f0da11f8a40eed195dea26b985f12562f77af229cc0a079ffe21e99706f455391c8ab054a6fe6bf4c2f58b256a9edd3529a5f7ecc76409eb98eb86ef

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
448KB

MD5
5c721cb240a7e4f5438b9d836df2d0c3

SHA1
af7ec54a3e34ac7de38c56b45a7838a6e6da092b

SHA256
eab4e87bb087fbe7034374b6481dac702c44c1915716fd22d32fa1b69cb1cfb7

SHA512
6b827e42d043f81d694d695158ab097291d36cac0a2bbb82f6647c6fcaa5afbccf08e3771edbdd16e146ea2f63a98a2d80c6bd765081b1529662e211b7758599

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
448KB

MD5
3f88d366eb54b8848e5c1b4a43e42bce

SHA1
0e4baeccfd111b12b1b4a49d5986326c6e02007d

SHA256
2cb881f3aba00efb046c652a1ef6a31a0b2e2aca10a5d3b939f63433b9682371

SHA512
d74568d8a4755f7e588d42ee97f64a540705ce733bfba94b7defc6d09f0799f60602200c5947c160f98ce1559ee37f5c8bac85f215243c732e568d78697be9c4

Download Submit
memory/548-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/5052-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads