4fbbae11536451350fa4422c536e075570de5a977d56fcdc466fb121e5d4ed25

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38724a5e331a098e4ca3f7d792b9caf0_NeikiAnalytics.exe
Size

451KB
MD5

38724a5e331a098e4ca3f7d792b9caf0
SHA1

697fd3f8bd7ea0ad04099940e684fe75fde3dcd8
SHA256

4fbbae11536451350fa4422c536e075570de5a977d56fcdc466fb121e5d4ed25
SHA512

4098d4a2b9c235b2ee16627923d0d5e620f36f1f5cb0702d1538a268015c833be1ec4ad497bdce2d4c48676fd1355d8eee7f762a5e4c2af39c8f400e156f738d
SSDEEP

6144:Y/3VuCN9Otopg5tTDUZNSN58VU5tTvnVn5tTDUZNSN58VU5tT:IOtoq5t6NSN6G5tbt5t6NSN6G5t

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	38724a5e331a098e4ca3f7d792b9caf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe

Executes dropped EXE 62 IoCs

pid	Process
2572	Hmmhjm32.exe
2140	Ipldfi32.exe
4916	Ibjqcd32.exe
3440	Ijaida32.exe
3976	Ipqnahgf.exe
2604	Ijfboafl.exe
3152	Imdnklfp.exe
4840	Idofhfmm.exe
2412	Ibccic32.exe
2924	Jpgdbg32.exe
4028	Jjmhppqd.exe
5096	Jpjqhgol.exe
4976	Jaimbj32.exe
4432	Jidbflcj.exe
2452	Jfhbppbc.exe
2640	Jdmcidam.exe
3464	Jkfkfohj.exe
5040	Kbapjafe.exe
2996	Kmgdgjek.exe
1792	Kmjqmi32.exe
1984	Kphmie32.exe
3908	Kmlnbi32.exe
432	Kgdbkohf.exe
4872	Kajfig32.exe
4992	Lmqgnhmp.exe
4024	Lcmofolg.exe
1072	Lkdggmlj.exe
4192	Ldmlpbbj.exe
4088	Lijdhiaa.exe
4384	Lkiqbl32.exe
1088	Ldaeka32.exe
3064	Lgpagm32.exe
3432	Lcgblncm.exe
396	Lgbnmm32.exe
540	Mpkbebbf.exe
2596	Mgekbljc.exe
4252	Mnocof32.exe
1580	Mcklgm32.exe
2704	Mkbchk32.exe
2932	Mamleegg.exe
4196	Mpolqa32.exe
3712	Mgidml32.exe
4228	Mncmjfmk.exe
3708	Maohkd32.exe
1272	Mcpebmkb.exe
1084	Mjjmog32.exe
1552	Maaepd32.exe
4736	Mdpalp32.exe
3144	Nkjjij32.exe
1860	Nqfbaq32.exe
1188	Nceonl32.exe
4948	Nklfoi32.exe
2952	Njogjfoj.exe
2580	Nafokcol.exe
4396	Ngcgcjnc.exe
2212	Nkncdifl.exe
3616	Nbhkac32.exe
3576	Ncihikcg.exe
4732	Nkqpjidj.exe
4984	Nqmhbpba.exe
2092	Ncldnkae.exe
4216	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	38724a5e331a098e4ca3f7d792b9caf0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4564	4216	WerFault.exe	147

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	38724a5e331a098e4ca3f7d792b9caf0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2572	2352	38724a5e331a098e4ca3f7d792b9caf0_NeikiAnalytics.exe	82
PID 2352 wrote to memory of 2572	2352	38724a5e331a098e4ca3f7d792b9caf0_NeikiAnalytics.exe	82
PID 2352 wrote to memory of 2572	2352	38724a5e331a098e4ca3f7d792b9caf0_NeikiAnalytics.exe	82
PID 2572 wrote to memory of 2140	2572	Hmmhjm32.exe	84
PID 2572 wrote to memory of 2140	2572	Hmmhjm32.exe	84
PID 2572 wrote to memory of 2140	2572	Hmmhjm32.exe	84
PID 2140 wrote to memory of 4916	2140	Ipldfi32.exe	85
PID 2140 wrote to memory of 4916	2140	Ipldfi32.exe	85
PID 2140 wrote to memory of 4916	2140	Ipldfi32.exe	85
PID 4916 wrote to memory of 3440	4916	Ibjqcd32.exe	86
PID 4916 wrote to memory of 3440	4916	Ibjqcd32.exe	86
PID 4916 wrote to memory of 3440	4916	Ibjqcd32.exe	86
PID 3440 wrote to memory of 3976	3440	Ijaida32.exe	87
PID 3440 wrote to memory of 3976	3440	Ijaida32.exe	87
PID 3440 wrote to memory of 3976	3440	Ijaida32.exe	87
PID 3976 wrote to memory of 2604	3976	Ipqnahgf.exe	88
PID 3976 wrote to memory of 2604	3976	Ipqnahgf.exe	88
PID 3976 wrote to memory of 2604	3976	Ipqnahgf.exe	88
PID 2604 wrote to memory of 3152	2604	Ijfboafl.exe	90
PID 2604 wrote to memory of 3152	2604	Ijfboafl.exe	90
PID 2604 wrote to memory of 3152	2604	Ijfboafl.exe	90
PID 3152 wrote to memory of 4840	3152	Imdnklfp.exe	91
PID 3152 wrote to memory of 4840	3152	Imdnklfp.exe	91
PID 3152 wrote to memory of 4840	3152	Imdnklfp.exe	91
PID 4840 wrote to memory of 2412	4840	Idofhfmm.exe	92
PID 4840 wrote to memory of 2412	4840	Idofhfmm.exe	92
PID 4840 wrote to memory of 2412	4840	Idofhfmm.exe	92
PID 2412 wrote to memory of 2924	2412	Ibccic32.exe	93
PID 2412 wrote to memory of 2924	2412	Ibccic32.exe	93
PID 2412 wrote to memory of 2924	2412	Ibccic32.exe	93
PID 2924 wrote to memory of 4028	2924	Jpgdbg32.exe	94
PID 2924 wrote to memory of 4028	2924	Jpgdbg32.exe	94
PID 2924 wrote to memory of 4028	2924	Jpgdbg32.exe	94
PID 4028 wrote to memory of 5096	4028	Jjmhppqd.exe	95
PID 4028 wrote to memory of 5096	4028	Jjmhppqd.exe	95
PID 4028 wrote to memory of 5096	4028	Jjmhppqd.exe	95
PID 5096 wrote to memory of 4976	5096	Jpjqhgol.exe	96
PID 5096 wrote to memory of 4976	5096	Jpjqhgol.exe	96
PID 5096 wrote to memory of 4976	5096	Jpjqhgol.exe	96
PID 4976 wrote to memory of 4432	4976	Jaimbj32.exe	97
PID 4976 wrote to memory of 4432	4976	Jaimbj32.exe	97
PID 4976 wrote to memory of 4432	4976	Jaimbj32.exe	97
PID 4432 wrote to memory of 2452	4432	Jidbflcj.exe	98
PID 4432 wrote to memory of 2452	4432	Jidbflcj.exe	98
PID 4432 wrote to memory of 2452	4432	Jidbflcj.exe	98
PID 2452 wrote to memory of 2640	2452	Jfhbppbc.exe	99
PID 2452 wrote to memory of 2640	2452	Jfhbppbc.exe	99
PID 2452 wrote to memory of 2640	2452	Jfhbppbc.exe	99
PID 2640 wrote to memory of 3464	2640	Jdmcidam.exe	100
PID 2640 wrote to memory of 3464	2640	Jdmcidam.exe	100
PID 2640 wrote to memory of 3464	2640	Jdmcidam.exe	100
PID 3464 wrote to memory of 5040	3464	Jkfkfohj.exe	101
PID 3464 wrote to memory of 5040	3464	Jkfkfohj.exe	101
PID 3464 wrote to memory of 5040	3464	Jkfkfohj.exe	101
PID 5040 wrote to memory of 2996	5040	Kbapjafe.exe	102
PID 5040 wrote to memory of 2996	5040	Kbapjafe.exe	102
PID 5040 wrote to memory of 2996	5040	Kbapjafe.exe	102
PID 2996 wrote to memory of 1792	2996	Kmgdgjek.exe	103
PID 2996 wrote to memory of 1792	2996	Kmgdgjek.exe	103
PID 2996 wrote to memory of 1792	2996	Kmgdgjek.exe	103
PID 1792 wrote to memory of 1984	1792	Kmjqmi32.exe	104
PID 1792 wrote to memory of 1984	1792	Kmjqmi32.exe	104
PID 1792 wrote to memory of 1984	1792	Kmjqmi32.exe	104
PID 1984 wrote to memory of 3908	1984	Kphmie32.exe	105

C:\Users\Admin\AppData\Local\Temp\38724a5e331a098e4ca3f7d792b9caf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38724a5e331a098e4ca3f7d792b9caf0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\Hmmhjm32.exe
  C:\Windows\system32\Hmmhjm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\Ipldfi32.exe
    C:\Windows\system32\Ipldfi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\Ibjqcd32.exe
      C:\Windows\system32\Ibjqcd32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
      - C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        33⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        63⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 400
        64⤵
        Program crash
        
        PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4216 -ip 4216
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
451KB

MD5
e9a1b299a562a0951788cef41550680a

SHA1
d4226361de80c5605184866984ba4af743391c81

SHA256
44c90054322cfda4b0c3a9490baf4b460ea72c6604e99face8774b9ef4630ede

SHA512
6cc41c895a1fcaf7826a0dc8e9a2ef9a5340d8599281eba0c0245730c5309a972ca168872f0a76789be269353b2dcf1d41fa5b112789ae3a19f53c6f6b9c6553

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
451KB

MD5
4a7808f67404b83e3beadf5ef3efd0ad

SHA1
702c55c2a9202d6315c69216aac39b0c57358698

SHA256
75a85ca756a1e3be888c3303ac9c0fcf4e70bfdffc47df92ff83469d93ade3a8

SHA512
ea62aca5aa0f9f87ff4f3594ca242c3e9205df33a66531465458487aa7476112b6fbeb05bf1b8edb09a6a2d24edaaa8559801589525d3f5901fbeb5f09154203

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
451KB

MD5
32005deb9a14371ce9385c494121b636

SHA1
2288d24cda7abc89ad4767c00dfac4adcfd74d78

SHA256
47caca50a88c23c09cacbcf5f0b64f9f8247ecc763638948d05103dd4289d9f3

SHA512
18277f73e73c542e6cb9c683311fe7cf5f72411f2a51c15f927fcbe11973344cada3919e828e45e041ae5d0d786957bd93d45dc77d59ff22e177e186c7452a43

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
451KB

MD5
7dd8557e526b3a19aef7a86dc75e5864

SHA1
c4823d74e70466937346e73f1bb79210231cee87

SHA256
2fcd2326fbf0e5c93268e3d189a846594d01b051209849b457cce69dc42c5240

SHA512
babf02bbb5203d9269d014c0da3620dafdc368a8567f853b1222b46403ea39fd460c3e3016d8e2b42a50bb4631237107c0dd07b071840ecf9395503e86f888cb

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
451KB

MD5
46fa144b6beab5456ca88e23210205f5

SHA1
45488fc2bbd5c228095316684619fb745bcf9ebf

SHA256
f391b58660b3f9039850d29832af49d1f113be462f04e4acf12f0ca66ff30701

SHA512
fc442454834760a3522def0333cddf193cb42a53d98fca62603aebd5da2517248c3caf4c49cf19a6a5eb31eca632edc208c9a4a30371c994549ac7c8871fa270

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
451KB

MD5
76dc455daf4376a439aaa272c0dbf817

SHA1
6dbd8daacffae4683b64e1f1aef207168b8be8c1

SHA256
19d246e5c2e04d050371142142a15c90c3d362ffb9a8f86cf33df7cf36ce2534

SHA512
9ec9ce3a06732ddda7599d4d899cf98ee78cc1efd566a4f810d854e8748d2127fb5d2b0f35213be6de8d4079a91eafbd0890f2b8f5d61f91dd117afd65649934

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
451KB

MD5
490c2c286a0ae1391157036d8493c56c

SHA1
b3b3d161a5f68fe43e3ba41e500639065bb61921

SHA256
385d56de2fc27fdeba9034292331a1fb32090d205fed3f5963cceb670b3da55d

SHA512
050e71c8424de6b5fc86bc891740cea2afc1457d9516af9787af828cfadb5d4325d1a5b9d23d2d67d909f0f20063bc7b4e62129a2132ee223c6f0769be92202e

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
451KB

MD5
123156a4583d753810b637a5c9c64401

SHA1
ae6734062cb3983897036199d518e98b73fbcc0d

SHA256
bd4a3042c580380e822e0c18eafacb4e0305ead514a34f3eebe242161c5c945d

SHA512
843b01ce98c53dc5a243719405faa5f12cc7ca2ecc6e33de39e7d13ad2f400e03f083802304405a97e48d68898ab1816b79aafe7161a39aa84eac673c0f66a49

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
451KB

MD5
92dc06541ac9474ad073ad9d10a7f9b9

SHA1
0d29eb085693dbc20f59ca2b3d9e7202d0d59197

SHA256
30aefc2dcaadaa5f5643e1aa93d77e87f7f8a3c2b883b4a255e83c784c5ad557

SHA512
afab5e938f35114bec735d088fd5051915f25c74c4fdf622143d71a5279de0fc6fe4e53736b361ad48bcb071f7ed66f65b721023bc605f31d268e7a040d6cd85

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
451KB

MD5
e01269c6fd8e6ed95c296d524c5742d8

SHA1
555a3a53f3875f279cf89beeb266c66e97e425f2

SHA256
c068fe7ec26990c8a05be83da35947753348a00c85081def26ba418a3e443461

SHA512
ae2fbd28a207c8c9f714b5e51b352b0bcf7e9dc9a51ad7274a9808604baf0c6e886d5921081db9e62938cfaf84bbd1c22557033df3ebc5f1cf572225b47e5e7d

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
451KB

MD5
0652e720fe87999341942803f835ba89

SHA1
871ab09f61e2fef81325f3481c9bca0f846af835

SHA256
3333950ab1648ee58b10dea718079716ff5b3674b0635adf2b251e961cc2642d

SHA512
a55052a53e0dec864ef857c09414cf2b9a8eb88be56c3315b2b2f01a5f72981cc2721bfabbabb94f0b74dbb65392b4d8a1102906b8835c213fb7fcf1fb95013d

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
451KB

MD5
703f75168917bf58c4dd0fcbd3ce3b9a

SHA1
c85c0fec592fcdb8669b844996739dfb70ff6965

SHA256
ec694ce784cff29d055e6ea83e5637cd67487c297492befa255eb3633ddd2642

SHA512
0532feaed45cae019b6272d1d43c83d11ed68e17cdd34e38225b75b55ae1705004d398fb0b1d2d98d1c7f5666bdc28b40331d50b7ba2a31684449a5e848ef25f

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
451KB

MD5
5e08de524699dc862c3a90f7b18f2882

SHA1
e9e84fcc6584839153ef986ee4fa817b536a7d87

SHA256
d79d682c557c957d090c914c20d74f2472390f4a825f215810121c73d8abdf76

SHA512
7669b4bbb7b97a75253aaff081f0d2a65a5b69496c39b253495688e5cecdb225d9e96169990ecbf6856137eb29a9736df268ea935145702185202e8cb2e7ca86

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
451KB

MD5
ee48368f59bb41880236a1ec9e104df2

SHA1
6575b2c78558941bc39ebf47d29181c0bdb50b2b

SHA256
84c95c0416f2af3ab392dd13b9ddca035a5710177f5e08fd1c0d0e4ec582bce3

SHA512
54e767f59eada572329ce08dc5ce38371bb432e6aa92dbb3dfd01496404f86d3f7efce38457d8019393206098d5c223c2cbe114aa5590fdd59225ede5301e459

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
451KB

MD5
0f19fa2ff70ff8681d887e3fab4f83e8

SHA1
55f33b446dced2877f0920ba84cfc7ec21e9a0b5

SHA256
a0a3a4f6449790cb8de157e9eacc3628a8487f2660faeec88973f1d4968d8ddd

SHA512
41d1f2267548a268477b12ed3387f9d320030cb17c27e44b2c8dfa29ad5e954a56006e6b0d0bb24db3e0448c0b097c61f41935ea0e376d2b6043bc12173adf3b

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
451KB

MD5
9887c69e5fab4bff2d37b180ebb8ee83

SHA1
dae7d7f5374ef905a2173db34dad30c354df8830

SHA256
074bece90e4bd942a8335912bd2cef5ae01b2104fe1fa65e8b0b243a55bbf334

SHA512
866c4ae5d98c815bdd4a54041b6df10c58da0dc1056fd0304c9337f2ba8931126c131781b57a2ba76ff46a4b64b4ea008a275fdc571353557b62a77a66ccd7f8

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
451KB

MD5
1143c71510b36a8affc7dcd9f634fdcd

SHA1
bc8a908c3446e531558f9860a58e07eaec96f55f

SHA256
acaf8d133fd0b26cd136861ece88f1830fb5dba0f94369b7dff00846d295ef45

SHA512
b77b6fae9adacb4fc28b0be76cd79f63f36c6d2a45cb0324c2be69b22a162b89dfa490ebb5d0283e86e27abb717964f7163a8ac0b47019850e4a3ef643b2318e

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
451KB

MD5
0d4c32d8331541234505ed96b64d504b

SHA1
65e21f5e7393214ab416cd8c631dbda60a680c45

SHA256
c5990a5a6788430d32c060e380a4b8519dec09c42eb1f1f49347a55f0b982442

SHA512
28f06b985c14d7cc51de8699e2143a4f6e729febe2baa3238fd43abb0321009875698e7b16c2544bdb97dc76b0115e0817c6d9446759ab9cc6357a79ac2befd1

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
451KB

MD5
6a67958b8fa632800edb21a0b2ced836

SHA1
939fd31ddbdc1c8ff259db878e05aad8db366f98

SHA256
31b911e83b54038356d00a92aef7c9cdba80546a40dd6420379ae53ed05f4740

SHA512
baa406fdcf8caf3ff906a8a8cc6eaac766890f7140cedc9c0c29e189130643501c9e34a339fdd44c06963e715668529b3cbc62cc047a1b506cd9e9fee2767cf1

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
451KB

MD5
fc090e69824577f5a710415abea40ae9

SHA1
a80f28859b7da70a435b0ff73f34f2843dce6994

SHA256
b7eff7815bca0bbc02c1738d3fe393fe26b5c73fe8f5a3990458211069ec398c

SHA512
59798f4cdf9a904a4e05ecf6adb4df6237493e432ce1589a3af3381b59524f838f3087064cb87bc0fbc54b343cf29a5a42690b0d6909cd66baaf4abf1fce0edc

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
451KB

MD5
bb4ddb3fa03c9374a9ad264ccefdf346

SHA1
648d3e472c2a42e38985669823d27cb234a48556

SHA256
5c1efd8431acd612ae2a474c7c92deac23f46aec5af3ac131671dea2a25ae770

SHA512
50c6f89fdbe6cb12247ffd85aaa5bff5b4f5a7add94c14c768ced688c1ef89de91058de90cad8273af0947369416d3086abbedc778dd0606ed2b13570cb9bb04

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
451KB

MD5
f176f4761918a91109f738ea3c7746d7

SHA1
789c1cc8a9ca0e918aebb4b9198996eb54a22ea2

SHA256
476e36d646bc46f67626efe7bb81d273b10749e414f5537215d845b823e67ecb

SHA512
0416981304bbabbe4b8e1569f2f6327326280005f2f7f67f921e1bb9219134a6c5ae104d7e5cf789a7854179611fd2c2c4708230f5e67250b4db268014fc7e91

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
451KB

MD5
41680a995f94a01197d7057512db453a

SHA1
f4708d42811eafa40510fc2f246ddd504bc0c0ba

SHA256
669279d9fd9413745951f447044a43794b723958afe3e237d7f3be95a53c863b

SHA512
54553a127491a65a5cc8f72c3b99b38f2d2b47d2f9c1e6e0ddb9b44ef3ea043e1cd66f504d39130160fda5ec0d063a1dd0aa078a4f60aa3e5b6684b345cd7534

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
451KB

MD5
bab9d8b7ada7466c8d83e0e69fe0d002

SHA1
75e4724ca0a6f8224b63ff887ef55cf6c22c3090

SHA256
23b2027b701d32404519860d306d3ea04af21e31c42a4e69ac75b63a7229dd61

SHA512
0d0c15ad58c543203a02b6e3cd3d55a4f4a9d5da3d31976ac461482532208886f1ab40ce5bd97ecc688d28a541252200b52fe21c115737581d6f33e92aceadee

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
451KB

MD5
135598053140d8bb42e10faf38657632

SHA1
9f5544b6d8bc5d285d6e83e981bd57086fc4aa5b

SHA256
022036e747330506499c214987c954fa414b76d169df81c77d10820d7adae0a6

SHA512
1fcef7c19e5d93a215ff129a8fe1cabe8ec2dc6ff8b0e9027262b7f36d26d96ab84b4773bcae039918d84b34186c47f802e2d1022bfc7ee31c85b0a1b3b48180

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
451KB

MD5
e3dfa652a4b8cd32bb0eb10a347a996f

SHA1
987fefce1ebe436cb6789a284254f9f429a5d978

SHA256
7653394d3d87f3e52ba88a093bf1d4bbddd715a2d1c0319200dfa00f6e5b9a49

SHA512
25bb19bba890b86cca5b0bd0a248fff8ced65c6b87854544509f28640858e305b6c064c1829d38b2e5b8eba747bc22886193c55b4113915ae22966d558a70c87

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
451KB

MD5
4a34920f340253723915ee1e2c495957

SHA1
60553ca41e5291be6e8dc1be5d908264d492501d

SHA256
20b45a122317f178825589aa75a22da7d61005aaf9e23fe226a225c445717ece

SHA512
45c35c7f7a9bd20e2df8b0d62332256edaf72639905f34aef27d54554df92bd7a18046b9cd11c911d42edcf571c6309707da3cc2c8b1aeca3e462f1fec5aba59

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
451KB

MD5
cadda8fa44644ac5ffa3792d30ccef63

SHA1
689a07c433c976a015782c77e2bb52f5869aad23

SHA256
7a8fab37478c541902e6ef9157e2712ef2a481b7541f401e445e85c02aaa95e8

SHA512
78832df966a94287e3e24bbc474aa6c77420e3f34d4fab8c08a9423e3a80da300193a00aa6baa0b4ea06f552ddc82edd5d5e25512ea4572ba2a1d3169367e0b9

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
451KB

MD5
72e9e875900aacde417a2928c27e7868

SHA1
3da6b64b6f938b5017f2b6e4b969d1def6f6bb3b

SHA256
cb1b59839f9358ac87cc176a6d625c2852be247327223055c103dbae218710c8

SHA512
2c7841061d176bce7f84f46fd0b50474c30ce113504dde5a151b82fff1e0763915e7361bb881504986060cbb404bbbfc31e446998806addc7f0c312a5e3f1ebd

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
451KB

MD5
698a82074743158440b7500476c058e6

SHA1
4f9b1db9ee6ccebded61b25b833f419bcb156f3a

SHA256
933572097adf1d1562f9bd50c79065ee9dbd03755870b6508a5b6d5f60a278ef

SHA512
f4c0524bb296ea20c2794fe2903fb55559347b3c63713c4f8f59320c2c34ba03459068b9174115d20400ab862fe034c102b0d8ce01533e95c17b7fcdf71afae1

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
451KB

MD5
ccd474392b3bb526fff20cd39600254a

SHA1
49855b1d4816a6a0477eeeb615c2c614b9f850d0

SHA256
43d322da4b4b7f6d373a9a3f9f59dce87a1989e2b5b26888946beb00da2cde61

SHA512
d91bce52400b6b2f87dba0e19fc972889b6f169978ff484574ac0be84915b8c0cf1e72deab60474846ed37617a17b39f159b28b668d07ce168e93a43d5f07a85

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
451KB

MD5
49d2ccaa2ff8364c35efe1ac40b9f137

SHA1
67912c5b79e14ceec52dfd94b336b7837a4bd503

SHA256
474f8022b648e03c0364cd68f0f00e160b3052f08955f5f0baac6a3683b86bca

SHA512
187b976789d760f9e7f545258434d3ae1500d8edf44409328d277f1cfffd6efb0bc0e7a34a2e9b9aaed970aac13eacaa1594a6638cc79415e55246a3188549d2

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
451KB

MD5
f5ffcfdf5b6e22d1e16ff9819d0cc095

SHA1
ecbf47063138f887036714b77f8d7988296514d3

SHA256
20b7d886de405a1befe00a7eea6a9c2ce8df3a407be704b9648f7b3f0732aa40

SHA512
f7ac33da036f3e5461a3a117e7fb100af99a291f4e7cc5fe59add934c7034127d708ae552f6dae00f77ac58235e3f9cbdd914489038a1667b00af5c538297221

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
451KB

MD5
8d5490cd40c27e2543bf0c918ebcdb4c

SHA1
ba428fc0d5ba1d0f64045d1b8a5026508b674f37

SHA256
1252f07a263c101f23939f2e215b70d5c9a5b7136ba66839f54c7dae6a56103a

SHA512
2c5c92d95c53ea73506957ad8242bea8fb782bbd4c6f4e49c6d3a43380c69374fb9f92b03119ba92a45f328539541b4ad46a16382e34fadf679e36a5582e9e37

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
451KB

MD5
ddc03640055acb35a0cac792ce0baed3

SHA1
45a2fd7d6fad5b56a0a7c6cd28287a167c259eb5

SHA256
ab9415d5feaaadbb514e9fa52dcedd41ffcbfa2cec5b8908af0b7b7f634f7a11

SHA512
272675f716406b0682ed1c28a561a44af9053cf7ec93fd306b58066017eaf7a5f302c26ddcc954e82297ebb0d73d6394f2fd496732147363cd9a458e03153b6f

Download Submit
memory/396-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/396-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/540-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/540-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1072-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1088-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1088-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1188-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1860-445-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1860-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1984-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1984-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2140-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2412-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2580-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2580-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-456-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-52-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2952-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2952-444-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3144-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3144-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3432-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3440-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3464-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3576-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3576-440-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3708-451-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3708-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3908-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3908-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3976-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-464-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4088-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4088-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4192-463-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4216-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4216-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4228-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4252-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4252-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-461-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4984-427-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4984-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5096-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads