d3a07d398cea2dce7dd6c83f122ca3dd5f37aa36ab0a439d3c6cf0c7e1d12a32

Analysis

max time kernel
136s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 09:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe
Size

280KB
MD5

d9a9e4249a1c09797fc9e76b690a6240
SHA1

91d890521c9a2767b4988f2332567827579b0c3c
SHA256

d3a07d398cea2dce7dd6c83f122ca3dd5f37aa36ab0a439d3c6cf0c7e1d12a32
SHA512

2dae1f88c1ee067cff1a7d156f1406bb37ca53e8d4d8a21aadb948021abb76909a156c271140d62e3a308fdccd22ba98adc0252bf7b7176103a077f6eba6fbaf
SSDEEP

1536:TIHR1Q/P57QIVP+G3BTH5NRuqWIcyohseMUKPeoxZslAGhZxPBljjGs8f7hG6q+j:kLQzlOq4hZK7xVG9Btj676ZBI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe

Executes dropped EXE 41 IoCs

pid	Process
684	Jplmmfmi.exe
5496	Jbkjjblm.exe
4800	Jbmfoa32.exe
2524	Jfhbppbc.exe
5060	Jigollag.exe
4628	Jmbklj32.exe
1828	Kaqcbi32.exe
1416	Kmgdgjek.exe
4652	Kgphpo32.exe
5208	Kmjqmi32.exe
3428	Kdcijcke.exe
3660	Kknafn32.exe
444	Kdffocib.exe
4348	Kkpnlm32.exe
5508	Kckbqpnj.exe
5980	Liekmj32.exe
1220	Lcmofolg.exe
5604	Liggbi32.exe
2692	Lknjmkdo.exe
4072	Mpkbebbf.exe
564	Mciobn32.exe
2696	Mnocof32.exe
2600	Mdiklqhm.exe
4056	Mkbchk32.exe
3496	Mcnhmm32.exe
1012	Mkepnjng.exe
3552	Maohkd32.exe
5268	Maaepd32.exe
4944	Mcbahlip.exe
5156	Nnhfee32.exe
4400	Nceonl32.exe
4888	Njogjfoj.exe
4388	Nddkgonp.exe
5460	Nnmopdep.exe
2200	Nqklmpdd.exe
3636	Ndghmo32.exe
3272	Ngedij32.exe
2672	Nnolfdcn.exe
2660	Nqmhbpba.exe
1496	Ncldnkae.exe
1596	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jbkjjblm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1608	1596	WerFault.exe	126

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nddkgonp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 684	3408	d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe	83
PID 3408 wrote to memory of 684	3408	d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe	83
PID 3408 wrote to memory of 684	3408	d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe	83
PID 684 wrote to memory of 5496	684	Jplmmfmi.exe	84
PID 684 wrote to memory of 5496	684	Jplmmfmi.exe	84
PID 684 wrote to memory of 5496	684	Jplmmfmi.exe	84
PID 5496 wrote to memory of 4800	5496	Jbkjjblm.exe	85
PID 5496 wrote to memory of 4800	5496	Jbkjjblm.exe	85
PID 5496 wrote to memory of 4800	5496	Jbkjjblm.exe	85
PID 4800 wrote to memory of 2524	4800	Jbmfoa32.exe	86
PID 4800 wrote to memory of 2524	4800	Jbmfoa32.exe	86
PID 4800 wrote to memory of 2524	4800	Jbmfoa32.exe	86
PID 2524 wrote to memory of 5060	2524	Jfhbppbc.exe	87
PID 2524 wrote to memory of 5060	2524	Jfhbppbc.exe	87
PID 2524 wrote to memory of 5060	2524	Jfhbppbc.exe	87
PID 5060 wrote to memory of 4628	5060	Jigollag.exe	88
PID 5060 wrote to memory of 4628	5060	Jigollag.exe	88
PID 5060 wrote to memory of 4628	5060	Jigollag.exe	88
PID 4628 wrote to memory of 1828	4628	Jmbklj32.exe	91
PID 4628 wrote to memory of 1828	4628	Jmbklj32.exe	91
PID 4628 wrote to memory of 1828	4628	Jmbklj32.exe	91
PID 1828 wrote to memory of 1416	1828	Kaqcbi32.exe	92
PID 1828 wrote to memory of 1416	1828	Kaqcbi32.exe	92
PID 1828 wrote to memory of 1416	1828	Kaqcbi32.exe	92
PID 1416 wrote to memory of 4652	1416	Kmgdgjek.exe	94
PID 1416 wrote to memory of 4652	1416	Kmgdgjek.exe	94
PID 1416 wrote to memory of 4652	1416	Kmgdgjek.exe	94
PID 4652 wrote to memory of 5208	4652	Kgphpo32.exe	95
PID 4652 wrote to memory of 5208	4652	Kgphpo32.exe	95
PID 4652 wrote to memory of 5208	4652	Kgphpo32.exe	95
PID 5208 wrote to memory of 3428	5208	Kmjqmi32.exe	96
PID 5208 wrote to memory of 3428	5208	Kmjqmi32.exe	96
PID 5208 wrote to memory of 3428	5208	Kmjqmi32.exe	96
PID 3428 wrote to memory of 3660	3428	Kdcijcke.exe	97
PID 3428 wrote to memory of 3660	3428	Kdcijcke.exe	97
PID 3428 wrote to memory of 3660	3428	Kdcijcke.exe	97
PID 3660 wrote to memory of 444	3660	Kknafn32.exe	98
PID 3660 wrote to memory of 444	3660	Kknafn32.exe	98
PID 3660 wrote to memory of 444	3660	Kknafn32.exe	98
PID 444 wrote to memory of 4348	444	Kdffocib.exe	99
PID 444 wrote to memory of 4348	444	Kdffocib.exe	99
PID 444 wrote to memory of 4348	444	Kdffocib.exe	99
PID 4348 wrote to memory of 5508	4348	Kkpnlm32.exe	100
PID 4348 wrote to memory of 5508	4348	Kkpnlm32.exe	100
PID 4348 wrote to memory of 5508	4348	Kkpnlm32.exe	100
PID 5508 wrote to memory of 5980	5508	Kckbqpnj.exe	101
PID 5508 wrote to memory of 5980	5508	Kckbqpnj.exe	101
PID 5508 wrote to memory of 5980	5508	Kckbqpnj.exe	101
PID 5980 wrote to memory of 1220	5980	Liekmj32.exe	102
PID 5980 wrote to memory of 1220	5980	Liekmj32.exe	102
PID 5980 wrote to memory of 1220	5980	Liekmj32.exe	102
PID 1220 wrote to memory of 5604	1220	Lcmofolg.exe	103
PID 1220 wrote to memory of 5604	1220	Lcmofolg.exe	103
PID 1220 wrote to memory of 5604	1220	Lcmofolg.exe	103
PID 5604 wrote to memory of 2692	5604	Liggbi32.exe	104
PID 5604 wrote to memory of 2692	5604	Liggbi32.exe	104
PID 5604 wrote to memory of 2692	5604	Liggbi32.exe	104
PID 2692 wrote to memory of 4072	2692	Lknjmkdo.exe	105
PID 2692 wrote to memory of 4072	2692	Lknjmkdo.exe	105
PID 2692 wrote to memory of 4072	2692	Lknjmkdo.exe	105
PID 4072 wrote to memory of 564	4072	Mpkbebbf.exe	106
PID 4072 wrote to memory of 564	4072	Mpkbebbf.exe	106
PID 4072 wrote to memory of 564	4072	Mpkbebbf.exe	106
PID 564 wrote to memory of 2696	564	Mciobn32.exe	107

C:\Users\Admin\AppData\Local\Temp\d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d9a9e4249a1c09797fc9e76b690a6240_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\SysWOW64\Jplmmfmi.exe
  C:\Windows\system32\Jplmmfmi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\Jbkjjblm.exe
    C:\Windows\system32\Jbkjjblm.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5496
  - - C:\Windows\SysWOW64\Jbmfoa32.exe
      C:\Windows\system32\Jbmfoa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5208
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5508
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5980
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5604
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        42⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 408
        43⤵
        Program crash
        
        PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1596 -ip 1596
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
280KB

MD5
03ba47f56e56e59c125a636a771af456

SHA1
35c8c36116b2d073209966ecb0cb0ba728956d61

SHA256
047fd2a29adbbc26ed85f13680794b29a4b6d8ae7486cd0b471aa3392b0ed224

SHA512
80cbab555b8dd4c475b3f0efb5af4ac9de129362238e5f48fb368726e72d7cae30185c23ffaeb8b46a36c0f2c94f57ff12a9bac31c44851fd4b34fd4cbf672b1

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
280KB

MD5
5ecc00697132e84409f8e0bb8c1d6733

SHA1
1dac3a10077647d854c54746631e1fbe6bb8163e

SHA256
c25f4d13c6df04e616e2dc2c366daed1445cc9dc791e10ee0c788b3a12231e80

SHA512
32041f34c11f7c554f7e6ce39b27199b27941f745044921da9bdc650cf08301a6fd8e9f3f1bc4ebc2fac253d45783770f6f4483af3c3a3e8c37c359230f10ef1

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
280KB

MD5
73aea3541ac0223d1342b3091fdf8e89

SHA1
e36bc5eb0abec0aeedcbc14bcf4e20dbe6065569

SHA256
64fa22737c27a9e9e9e77e1ce11293be3950b3871d741706c2fa4e850e996252

SHA512
5c3cc0dc886047251cd7145bb6f89019b70dd5beaaa6c6e04da19de619aff2c081cdcc14f498a901fec22830dd3e8c7f76d3feb41ebb2ef0aae86b7da11e1d4e

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
280KB

MD5
0f64e02c8204d9d74b87039e6d73574b

SHA1
186bea1ee540d9c5481734868460eb74725797d7

SHA256
87a46ad4ffcb119e60b754b29a0697e6cedc6144a17f94c3b3a42ac2faabceb2

SHA512
e415be7c493dbe44abcfaad62e78bd56ca3063c42f1bd8e2e119f0eafb2292923c88bbe8f7a7189e80824d4536ac0beb643b621adbdef3bdee48475e0aea855f

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
280KB

MD5
b2f1666791e2666ef3f95f76e082107c

SHA1
bf006c418b1e1b2288396c7cac7d0f85b546501c

SHA256
ba98fb1ca3adfa38a3a74009eaa60cdc032cdedb9902721607868211b851c6e8

SHA512
3093cfc10d9664327b9c3cf4cfe47ec004fb4852ffd8ee20e2f48690b252034c59391d2d3e72f74b71448195512c660cad50ae1e67bd98f2b53e064a8191ff1f

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
280KB

MD5
2757632c79069b65fd694607512745e0

SHA1
5e7125f5de9ea5e9ac8adbd23f11c5b8e83f42ba

SHA256
5cbcad62b0cdc56f1744b49f7bad61457cecad1356196f63fba3cee5b749697b

SHA512
f51d1555dd23371374fe9b0cd84735df40919307af02f48f680310efb3f4fa87ab8fe4c0604eb0c3ce4fa0819c3e089f97aa0d50815bf766b714d2f149bf6591

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
280KB

MD5
5bd5dfa6477c8a156541f06fa3929da9

SHA1
ddb29cec1ec3a90c98ae35e2041580d1f8438c97

SHA256
58ef0e07b11e6e2fcade018b2e9859fb5b27838a8a3bc94bebabc8f5e56002a9

SHA512
fceda7520f081db7ab081e5a9eae3ca5e2ea0866ba63d8509661a946cd59560561b1b4f0e0eb590bcdcf697a76470af63db19c7e0eed24dd635839fbb30d0e1f

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
280KB

MD5
f48279843af0a97bb39f945c30c8f58c

SHA1
f2491c423979264ce2cc989145754309683e7915

SHA256
a477a2d692feabb3173fb4ee814430d36aa822fb44af9f3e5d3918141489ba22

SHA512
97c8d6453bbc6b5cb86dae865bbad78f6267e59f740cc17590432a39b2bef5c8fdda228325ee5a377b4f5701c5b429e6144a97f69825b4aa4512efea503f2619

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
280KB

MD5
e2925918dc721a2897f5e3ddf3670be0

SHA1
442c58b583e9feadf32c98ed64c015e0c5e3bc35

SHA256
be5b2ed3b9d4a16dcbbd4f70f3afa00342397eca0543fe91235172d222120d6d

SHA512
5e6d199e2561dd33457eae4453a88b4949297eed05b75cd3592d90ca3c46f7d15416a2c69735bb8fbd97b9a22dc146f12690337fc7d137d803822a694bcefba6

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
280KB

MD5
663a099f5cd98a420327e69f6f2f1235

SHA1
48f57654666df92720b4e1d36e2811baac10633d

SHA256
2308c2e5acd16fb4a91c6ecb47201168d378993aa5b63a822e7bfcc03aac7e24

SHA512
49a752f6670b2ab31b23ad9d0c5585593912080264b1f188ccb923fa969431a7f7a254cfd5ec0d1ccab7850f838f86dfdf839ba3149eb06320e9f4da43cbb9ff

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
280KB

MD5
aaf3affe3feded30c75d3ee1603cfe43

SHA1
58880e11412dc1d61af8250e196d075b4ff7262b

SHA256
abfa9fb715e1905980454660059a7ac67bfe4ca87c960c4ab60843726c6d0b4e

SHA512
4e06a497c9fe9465fc3fe0f99e09e37f8546cb0656fba365f31357d71d411c85d9d2903a2fc645c3e16b50abc11a725ccf2e7d68a1a243e41107cad3553e0f09

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
280KB

MD5
3f5eccf98f6784ab23021733b3ad889b

SHA1
394b14b428d678c048bbf8f69172a768fdc0b65d

SHA256
5a928c461147021e8b6a1c3c22257e7bbb054333151c9f1e009af8d066b87e5f

SHA512
2b493116d809f03785621e853716f95c363e8b95950ca2de5d93395742c7dc4e7401f139d833c24707eeb98e07605c425cdba1863aefd43e7d2d6063d6d3aa40

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
280KB

MD5
3ad11a9045d406f25cf7c051720fdce5

SHA1
59623f44b28daf9f664047ee946cf91aa2a94d65

SHA256
6f1611a63cbb62bfad0d6f30abcf9dcd97d916c9faa2f3d793d2840035f734b4

SHA512
478dbd93f4c1bf672ad962cf5dd80f9063a3dbcecb286d9397f360c7078ed084c419ecc01747d32b7b379c1f07ed49f70d8932938406209db937d15a28b3b6bb

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
280KB

MD5
f9b33af40bc3ae730ed60ef4114f92cc

SHA1
78df3e06e027e0aaf348071cea664a949a44e45a

SHA256
e713e42b5f21a28f0d1e0d96d15a3c63fda19a19e0e131d02b414d0acab44211

SHA512
8abc86fd88aed67952c48d04032b2c025b60705cceca92f256787f97f8dc2140abb2faf7959421870642a819c2b110c2deb99cf4375f6d0ae7bfadddeb8eeb90

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
280KB

MD5
e14aafe5ecacc1644e116ef91ca0d76f

SHA1
c5935067b141082ef5caa51901e4c8f10bbd9c91

SHA256
dbb472b4241bd91d556718bed534e2fc447e42d33f143ccae4cb486cd331838f

SHA512
cbe99d5147f2ac276320559c81e9e6cd84bc6657248f5054ae64ba5a6d031f0df73c2a1c9f1845cb324e5a92d8a64068acad01542dc2fc227343c391fc33c2b4

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
280KB

MD5
c7fa8ed470c09cc780560a36b95bebe9

SHA1
1e1893879dbe091e91eb182c043a848ce6b64b63

SHA256
04b8adbff83c2869549a491b067a2bc56771e7c5e2b0d890255e4b2416c4245b

SHA512
1d35940dffba19d9a573811748d9cfe616785dfe268a0765675260641e4aa5eb67b2b74d18079700196e7c763c29ff7868d0da83b0f71e009da0c05d160878f5

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
280KB

MD5
6d6f5c5c231d98521cf62c53986d797a

SHA1
0b4c8e2f8f179c037345c33747e81666b86c0840

SHA256
be87865b8f70f770a212725047344ffb2197beb08b526c36eb5045f55c277e2e

SHA512
4d0068374dbd753c10e125770d5b93b4b8cfa27906f58c9ed3b3754900776ae79463d650801061a07683521d1e2ac6989dd9f6ceafe0ecbb0a39eb1f1ed1170c

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
280KB

MD5
3de9f6e35e178cdaa9c6b57ebf44b7c1

SHA1
dc6ed94df60e692d39124f67f920d29868b7b0d0

SHA256
4610ff8c4f39151783858721d2531537e79ca7ed40c32a4b6f997b6ec0e7d78c

SHA512
1dcece26489c6397917afb417ff4d2034a5fa31d9f5a718f591052ecd3c041f816a0450e31c26d62f6a8e9cfcfac517e44172b342a7701b01ef8dd0a121672d8

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
280KB

MD5
f7321cc20cd25e7bc2d018d2c13847a9

SHA1
debfc373eb15e68f9028772d93ad4643cb674235

SHA256
304c6a36f41c4412df017c9d0cbdcac167dc2fcd106de58897df45f964d303c2

SHA512
aa12d59bb3042bf878e395adcc88d0d1c6beee57b8dec964f8554372e5a2b7a7c0f4176ea7428753d92709d169f391b22e9508fcafbed664e8cdab19af654067

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
280KB

MD5
0c101ab3de80571aa9a318496ff1639d

SHA1
ffda065b1df811283c5b809b5fb1702e467c291c

SHA256
40c2bf3a5719043004ba40f5040841246ccc4e7bdf7cac187ba4b373ef574021

SHA512
6199d03a7fbf0f1733e74c884e6dd9f7da1daafe91664924b5b5b65e987e96ea90c64fd386d49adab72dafd20e7822ed3e6c038dc35b865cacb338001314c37e

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
280KB

MD5
644a9a9ea7ad3f5c4dd93f213ef37cbb

SHA1
84cd55cc1426f07d7d642eaac0f02742c7cdec75

SHA256
f1ba919487f60f66d907310394ed1015128b92e9132960915c54d1ae4958ab24

SHA512
39fd7774dd617e2143a94bdbbb252207bfb88e3b1fe44803214632805ff9302d294f6e2427c58b043ad6948d4e52e2cf2cf89188498d7acb778598387b89d256

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
280KB

MD5
cc561bffbe92ed3c7dc8f40b4550d4b5

SHA1
d9504a796ee2316e0e8f9dd9fe7fbbc98de00030

SHA256
72dc0d9ef7a5e150599488fea9cbddc6aa29a01e0d756ef53f8ee4871bc68509

SHA512
201b42a65f5d64df6e69452701a8f8de26ca2a75147ef67a1a0fcd40e5bb9d3e32fdb0ad1195fd597088b33d98c736850919c65b30f83c5ef2142caa5b0c1bfe

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
280KB

MD5
e31b3443496d5c619f1d0a9c6e79a999

SHA1
b54bc8b783d825e85caf596e77907557936cd934

SHA256
e34729f702046ca05d6985d21780c9388f1b3c79670825200f47b319bdd18959

SHA512
78be6757a5d25faa717ae5c00dbc90a34d8c7f6569c3e6489ee5525ff2ebefd75888ded3a81f37e2221552df1dcdfc6745439a36c26dd4fecc36d64dc3cb4875

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
280KB

MD5
d1b852d560202b4e233d557cc3532d59

SHA1
0369a27a20ac3dce702702867f0ffd1e40420fa7

SHA256
af476d0a71d79a287d10778225cf97121031e3b0b0bf32bb94a23cd865a589a5

SHA512
0f2e212afe9592e28fd55b1001d6a5a452f7fe2a0f7d746ee0c1bb9759e6b638bdc45ca5fc52405d7e2f64f599156b1f055adc8667e7c47e3db70fb0585de1f3

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
280KB

MD5
e52b9c9839178d9abb9fe650293be0df

SHA1
c8333b2f0ea230a45daef7155c51b7d641ed5fc4

SHA256
42d12f554bb0483ecde3d9b7e51552d34bb6c456a5b2757b2e8e9f7c06eff87d

SHA512
658347b6953794e9b1983938cd869d0ecd80232685f680b8343e7ee499fc2323010f319bf58e7c1ba0e6f6fd133ee3d176013886a88604f2636986e3ef04d735

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
280KB

MD5
e738b900e2df9d029e96245b48edede4

SHA1
f8f4562c3dabb0403169d69073e8af2fa0589603

SHA256
89498b704c653ec87844b2914ed27e7f43bb76f4627a883d28b4f17f5b961f33

SHA512
cee6d9a50ffce1947988ee841a7cafe93745c3bc0004fd52b5ed34889f42c578803be340798badaa799ea465d2c6e74b9647bd29f4e6996e9cac7419cc033e5a

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
280KB

MD5
bca1efab0fb05d3c96c65c11319841f9

SHA1
ffd675ab1fb3d59cc1f581f4d13baf4d2832cbdc

SHA256
fc42422050b4dfbf68562f8911a41886a75e77f36fac727f9f23d500cf8a1ac2

SHA512
50dd8813bacfec323a7b400acdad16a63bcf1d8ed0deff4f35cd6a745ab3c5edf5f84c3a17646e3502bdb90404dfbc5b0d579850c21d88e6f22f636765ec2b2a

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
280KB

MD5
c249bb847afd70ce35ad29e576085bd2

SHA1
5cb25f57067f972970f5c6c794ae18402c691e8f

SHA256
6ce904405c71824e0ff5ffe32853a8d042220ea2af37dd40668e0152036484ee

SHA512
e03e3400fae2f2608398d7ad0d6b429607fc58621c9eb6862c0d73dbd8a6e7b6b3c7de3ceab9251b0aebd200ef816da4f878c8c7c8eb098883e6432d8db8cc02

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
280KB

MD5
253314cbd97086fd59e2ff49fe829671

SHA1
cf8dfd3d6a101588721d56053be506404794aa4c

SHA256
ab26bee93bafb637237a0aecdb126a5415496f48b23fc7d0186f692e67b5ec81

SHA512
c849f8f08ec536dabd5439b0fb22acc0f079a923d4549853516521d39e64f2fae7e33997a8bf682e3ed0b674a7a64da464f6858602429f3483d1399bdf0fb687

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
280KB

MD5
fc933b859825888eeb3c0d66ecf352cb

SHA1
4c63b1caa1382bf7b68494084dcb4d99b5cf9acd

SHA256
51a0f92ed4418f938c081997bc0c879a986589c65659b3e714c94ee3baf99202

SHA512
e7484283df170423a89142ae8ad9794b69ba31d67b632bfb6e3ef14d5508a4de52524bba5875b81eb0cec1fee49df1fc0d7be8597d5a5d79c7c593da5e86f0ad

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
280KB

MD5
0938ff8701a4ecfa2747e8f0b46135a1

SHA1
e5ee1319a43b9e4da0c39e5337d13d80aec4beef

SHA256
aa4603be96471600d3d48afbdba9ba274b40bcc17ca0f88cbb5c27eb740de8bd

SHA512
ea027cfd386b684abcdc9e2172ceb3564139d507fbd31ec8aab9ba489ba17d8e08d533d5cdfd183e91103fd225987aa7aef4eac78b92031357255906f309e03d

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
280KB

MD5
742216c0f82c3a8b66897667700e818c

SHA1
71ce2f5086fa845e6a83bc2df6b05a0ea5d0759e

SHA256
8852483282235aaa794c68d0d3c092353fed4a8055dad32657352fb429767572

SHA512
bbf9175d3d6be52fd75def0ce7496a27dcc03d5e62b83780bde2b95e7c82bbf762733c99d6ccffb2648a3e6910c582346203e0145eab05d651bd57d0466f3bf5

Download Submit
memory/444-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3408-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5208-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5208-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5268-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5268-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5460-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5460-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5496-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5496-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5508-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5508-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5604-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5604-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5980-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5980-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads