4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19

Analysis

max time kernel
53s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe
Size

320KB
MD5

c5060eacb401ab23518ad24f5f6f7670
SHA1

a7bed65ff3e0a888904f14c162efcfb8e46a925b
SHA256

4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19
SHA512

3a21ca8936d0c043442d696fd550b1f661f33275dbe431e3401626b55f156c5da45397313451c7773b1567b2820162cd60a880bd4282a8a7b626b233f7595f19
SSDEEP

6144:B7U68vlXY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:i68vkm05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe

Executes dropped EXE 37 IoCs

pid	Process
1144	Jjbako32.exe
2024	Jmpngk32.exe
4200	Jbmfoa32.exe
404	Jigollag.exe
3520	Jbocea32.exe
4540	Jkfkfohj.exe
948	Kmegbjgn.exe
3084	Kaqcbi32.exe
396	Kbdmpqcb.exe
2624	Kinemkko.exe
3104	Kphmie32.exe
1724	Kgbefoji.exe
1636	Kdffocib.exe
5064	Kibnhjgj.exe
4676	Kdhbec32.exe
4140	Lpocjdld.exe
4024	Laopdgcg.exe
220	Lijdhiaa.exe
2212	Lkiqbl32.exe
1468	Lklnhlfb.exe
4544	Mjqjih32.exe
2636	Mgekbljc.exe
3444	Majopeii.exe
4624	Mkbchk32.exe
1292	Mpolqa32.exe
2896	Mjhqjg32.exe
3800	Mcpebmkb.exe
3376	Mnfipekh.exe
1996	Mcbahlip.exe
2756	Nacbfdao.exe
4752	Nceonl32.exe
3628	Nqiogp32.exe
5000	Njacpf32.exe
4440	Ncihikcg.exe
2652	Nnolfdcn.exe
4744	Ncldnkae.exe
4104	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1832	4104	WerFault.exe	117

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1144	1552	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe	81
PID 1552 wrote to memory of 1144	1552	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe	81
PID 1552 wrote to memory of 1144	1552	4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe	81
PID 1144 wrote to memory of 2024	1144	Jjbako32.exe	82
PID 1144 wrote to memory of 2024	1144	Jjbako32.exe	82
PID 1144 wrote to memory of 2024	1144	Jjbako32.exe	82
PID 2024 wrote to memory of 4200	2024	Jmpngk32.exe	83
PID 2024 wrote to memory of 4200	2024	Jmpngk32.exe	83
PID 2024 wrote to memory of 4200	2024	Jmpngk32.exe	83
PID 4200 wrote to memory of 404	4200	Jbmfoa32.exe	84
PID 4200 wrote to memory of 404	4200	Jbmfoa32.exe	84
PID 4200 wrote to memory of 404	4200	Jbmfoa32.exe	84
PID 404 wrote to memory of 3520	404	Jigollag.exe	85
PID 404 wrote to memory of 3520	404	Jigollag.exe	85
PID 404 wrote to memory of 3520	404	Jigollag.exe	85
PID 3520 wrote to memory of 4540	3520	Jbocea32.exe	86
PID 3520 wrote to memory of 4540	3520	Jbocea32.exe	86
PID 3520 wrote to memory of 4540	3520	Jbocea32.exe	86
PID 4540 wrote to memory of 948	4540	Jkfkfohj.exe	87
PID 4540 wrote to memory of 948	4540	Jkfkfohj.exe	87
PID 4540 wrote to memory of 948	4540	Jkfkfohj.exe	87
PID 948 wrote to memory of 3084	948	Kmegbjgn.exe	88
PID 948 wrote to memory of 3084	948	Kmegbjgn.exe	88
PID 948 wrote to memory of 3084	948	Kmegbjgn.exe	88
PID 3084 wrote to memory of 396	3084	Kaqcbi32.exe	89
PID 3084 wrote to memory of 396	3084	Kaqcbi32.exe	89
PID 3084 wrote to memory of 396	3084	Kaqcbi32.exe	89
PID 396 wrote to memory of 2624	396	Kbdmpqcb.exe	90
PID 396 wrote to memory of 2624	396	Kbdmpqcb.exe	90
PID 396 wrote to memory of 2624	396	Kbdmpqcb.exe	90
PID 2624 wrote to memory of 3104	2624	Kinemkko.exe	91
PID 2624 wrote to memory of 3104	2624	Kinemkko.exe	91
PID 2624 wrote to memory of 3104	2624	Kinemkko.exe	91
PID 3104 wrote to memory of 1724	3104	Kphmie32.exe	92
PID 3104 wrote to memory of 1724	3104	Kphmie32.exe	92
PID 3104 wrote to memory of 1724	3104	Kphmie32.exe	92
PID 1724 wrote to memory of 1636	1724	Kgbefoji.exe	93
PID 1724 wrote to memory of 1636	1724	Kgbefoji.exe	93
PID 1724 wrote to memory of 1636	1724	Kgbefoji.exe	93
PID 1636 wrote to memory of 5064	1636	Kdffocib.exe	94
PID 1636 wrote to memory of 5064	1636	Kdffocib.exe	94
PID 1636 wrote to memory of 5064	1636	Kdffocib.exe	94
PID 5064 wrote to memory of 4676	5064	Kibnhjgj.exe	95
PID 5064 wrote to memory of 4676	5064	Kibnhjgj.exe	95
PID 5064 wrote to memory of 4676	5064	Kibnhjgj.exe	95
PID 4676 wrote to memory of 4140	4676	Kdhbec32.exe	96
PID 4676 wrote to memory of 4140	4676	Kdhbec32.exe	96
PID 4676 wrote to memory of 4140	4676	Kdhbec32.exe	96
PID 4140 wrote to memory of 4024	4140	Lpocjdld.exe	97
PID 4140 wrote to memory of 4024	4140	Lpocjdld.exe	97
PID 4140 wrote to memory of 4024	4140	Lpocjdld.exe	97
PID 4024 wrote to memory of 220	4024	Laopdgcg.exe	98
PID 4024 wrote to memory of 220	4024	Laopdgcg.exe	98
PID 4024 wrote to memory of 220	4024	Laopdgcg.exe	98
PID 220 wrote to memory of 2212	220	Lijdhiaa.exe	99
PID 220 wrote to memory of 2212	220	Lijdhiaa.exe	99
PID 220 wrote to memory of 2212	220	Lijdhiaa.exe	99
PID 2212 wrote to memory of 1468	2212	Lkiqbl32.exe	100
PID 2212 wrote to memory of 1468	2212	Lkiqbl32.exe	100
PID 2212 wrote to memory of 1468	2212	Lkiqbl32.exe	100
PID 1468 wrote to memory of 4544	1468	Lklnhlfb.exe	101
PID 1468 wrote to memory of 4544	1468	Lklnhlfb.exe	101
PID 1468 wrote to memory of 4544	1468	Lklnhlfb.exe	101
PID 4544 wrote to memory of 2636	4544	Mjqjih32.exe	102

C:\Users\Admin\AppData\Local\Temp\4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4d3e99bbc40e62b93ad18b52d0848de0f38d313362dab93c41b59e51429c8f19_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\Jjbako32.exe
  C:\Windows\system32\Jjbako32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\Jmpngk32.exe
    C:\Windows\system32\Jmpngk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\Jbmfoa32.exe
      C:\Windows\system32\Jbmfoa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4200
    - - C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 400
        39⤵
        Program crash
        
        PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4104 -ip 4104
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
320KB

MD5
4453e786f085069046283885f732e3a1

SHA1
1b7025a8b07ee429b1ae77ffc3259eb84d6a235b

SHA256
29a82d0e1221d17833e7fe92415ffd65465d17ecf838caf8b100af2b3ae379a0

SHA512
72658e3a44e055855687d749c985976561f4ff99d4ef3b5fced4ea06ed9d0a87584240baf64c512e48f3c4dd6b3c27dda435c567b9e2c42aa6f239f26ca4c20a

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
320KB

MD5
b3545a79cf1223bdad9b537061957d85

SHA1
e2d9b590ff6a745e369304cabc9fca0a61e9545c

SHA256
7d8289f08d00d232a97009aecdf642f5507bf69ec6f11c68f7875ea527e95f6d

SHA512
c71c7e3c02876f1e267a435b03526976a98b6ab8fa5ee6a1abb90834e6ed64480fbefc64a64e6c8062c57bed11bf39b9ac18bf223a96b8898cc4d9d9e97f46b1

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
320KB

MD5
64b2d67bb8029d2a17ac07dbfcf29c34

SHA1
0b1bbf0a298d0177d53378cb6728639673676973

SHA256
21338ffe10fc16c55175e2bbe5911a891767d037abb78ecead742b2d953dd573

SHA512
e413a291ce549f6f00c561dfdc5508651cc167cb30050ee5ed0281ea5b2778b1794ec275aafaa20364a5e732121630eff4b8c90c3bde50441ce8eeaa0bde01c1

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
320KB

MD5
30add184cc8942a2deefbe670d7f2d5c

SHA1
e5c8b29b0cc1a061a97bc6922a84bdd863fa460b

SHA256
15f5f0f5a3c23d3d52ea96166cb7e39137201226286b80ba0403595499b8941a

SHA512
7beef075680baedaf112ad96e2ecd24ec2590365b09bf710a75cff7b9b9ae7dfeace72690fe98cdb7954b3607b08d2226c283a0433d2cfd725dc2897523b8e2c

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
320KB

MD5
a3efcf637f8d63ef422bab63bccc88c2

SHA1
e8ad64687f4edd582a9e9a7096911cfb4bc31dc7

SHA256
0056978386c77aa01392c2608143cbd72e2b6eb442de079dee736669d4aa3a09

SHA512
dc3dabf7376d4a2795f5a4a9599c489ac715780157d1b40ff854a38e2baaf75c71779cbc0b43f81aaca3d8d5e710a811c0f2191d086d27dc0c53982691dba2a1

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
320KB

MD5
888d1ff93c8da9b71a87b0331c8bdd60

SHA1
c9e649d9efdff1d74da7fad12b1a2ae5827bc365

SHA256
72591833fecb44b7caa9bbb6beb7d679c80c088f39775a33c19b3764d88b2705

SHA512
6540a2b58b38c0458f0fbc17f0a758cd1b0a74c533e10cad4f0b8c69ad0f0ab28ebf9307bdf2d3fb6ea176e7e4721d3395d5b0d22b1ac1a8f188c173cda0d5b9

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
320KB

MD5
28dcb498fc309685393771638535fa3f

SHA1
81694c27aca686a2eef2d3ed392a67dd28850742

SHA256
70e7333f307e4c76ed5d2638f657db2542fdea18b3b5dfa16736e3a6e8696674

SHA512
eabe5cc070275f2ba18da47f06993acd02d9600d3601775ddf4899da68ad2bc901f18be9b81bdb936b123505ca37990ae621b2c8540077531b1ef103bb897783

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
320KB

MD5
fe90f6e978399bfbfa285a57008c95a9

SHA1
773f6f2620a5ee773e2598a180c8be02fdf56578

SHA256
48464a20ab15da2e2346fa6e690e753e94a87cb7eb8d283e4e806ca0e9a8a2fd

SHA512
7d6915869e372a1524dd213c69ac22014a7dbe1586d4825a48640ca128bf81603ee2ad02a24b971219856c10d047728476a3bfaabd9a958c5d90a85de848a0a3

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
320KB

MD5
45b5a1f11913457bfdc3ef17e9e84fa5

SHA1
7bd21fa8e1167027110feb3fa42efa1baaf2083e

SHA256
3267b00392b485f6a6b754980579c32df89e473d1f283da1788128f4a8efbe41

SHA512
d214bbe2392bf0a6e30761a900117fd78212a035c5d23b5e091d786bdcf8355ef4787147a75ba04dd4804a7ae22903f5c5fec8e58865244600addd632112374f

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
320KB

MD5
18455ddcaba2839ee600237c45a2bd4b

SHA1
3126b114aa55e1af5dc419ac67bc2250dcf16b64

SHA256
e46f3f4af299ad25e7bbeac9fda7cf86f91fcdadefbf87c6a2589f931fbaf8b8

SHA512
9463fe8c07a503fba16f1bd5c4ed7fe7a433547f0000fa25ae98cbd0c925ced8be0613dc21eab7d1977ddd66c7361472988ad4098226304d6cd37ffa9cec0f27

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
320KB

MD5
96733c7c809cfe198e2f520e1e25483c

SHA1
2f6cab66a48803ac0e97cba71b52e6feec2b577b

SHA256
ce12cc15b6b11ce2b55e5bd4325301e19b4dcb9be6c0c533e9a97fae6a8b3a82

SHA512
0af638295bc57f47f356206401fdeeb11480dd545072d506570bc0a2069c3927284e0abe259884a8d1b1d995b0677f6f427c37067c9f258758f87e0e5a795375

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
320KB

MD5
07328e450461b1a28268d8bb0da58c2b

SHA1
57f02e1f67300542b33bd708b85fb0ff31501faa

SHA256
5c2f0243d4f72bf3dcee14ff6af92377fa52ab275959408fc05dcbeda25b5666

SHA512
560d0296014464fb44b693e67b7d3f10b72c3c18b3501dfaf5df285a0002b7a5021b2056e34c372a299fed3d73da6ccd96ecb5fc27451bffaf47e2a00d1e07ca

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
320KB

MD5
bda62225a514476f16d84cbfc63e5447

SHA1
48ede35f53ddb4b63fca0de96f2a14963fbd252b

SHA256
c582e99b5f08bbd396e661cc8485fed65d6422b67a74cdd08bd74c6818571fbe

SHA512
e2310645ce5d81a95211ebc9f7b74ac842f21a6e889a8c1bf59db9347b7ac644d2c42e58da416995cc0a453499a136c8c64997fad617b0e98d3db6d02ec33b39

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
320KB

MD5
a12110ea5307d4cb0a5265dd49ab3d8e

SHA1
5176904cacf73b07bd6fcc130d28926eee3c49f2

SHA256
e9db43b06db439330ceb71b31b28940c032553616f72e1ae0d3102dffeb6dc68

SHA512
d7112b74f0ec286366491a5cebe503dfeb240170a888af46845672a968c0a1a724f866426f01d7c4bdb4664c681e3c789999da34b56c9ee3db668069e536752a

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
320KB

MD5
b79f83cfe2340c263a8eed4833b69ece

SHA1
cce664d85f1d3e25e5d2daddd006395b80614406

SHA256
3fcc368ad3df500ea854e44f5b5d5b3a3e5c949a954fc8af12880c34c945a3f1

SHA512
fdddcf225d9b52260c9039096e516a95081e7ad88bf471dd96e67d237b63247a4f4b77e0db3d355eae71161a2aa9962e4a5d09c656a21952b2f274d25edb43e6

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
320KB

MD5
59dd9ac8e360eb437802243f560b0bb7

SHA1
58893571a1b99e297e40c5714b2d82ed869ab0bc

SHA256
ddfd99ebffd33c66bd3c066ab84d960bf438d31cf779fc616bbe420a60527543

SHA512
e560d50f178a163b771b1988889e931dde6f665dc1089b835d9106eff01102346b94a5e7c014179beef75586194462af365109999d705923289adb9efddca721

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
320KB

MD5
988b6625df2233357a1ea2d29c0273a4

SHA1
7a6d81a1b35840928bef9ff7d8757ff951731008

SHA256
9c539aa10b4d3a2ffe4c81feddf8d4ef21aecb4ecc0b1b7c89d44caabb90ad28

SHA512
b20f7928a73b3aeb89201cdd389bbcb6481d43114120cf065b8140c21f90d7b031fc48978b9eda620ae0fdf3b042b1cbc387867e5ff79b7c92189ec8e6a7bacf

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
320KB

MD5
b69dc04139adee3df2b0e8ecce8456e7

SHA1
751e12b18e4ef73289c8f88997b7aba1ceb04e26

SHA256
b0e7900791ba30385247fe6159f575e8c262e14f0b79b362678e07eee8e6d172

SHA512
588de7332b6b395e873bb3503524059b50d9a2b22762eaf9a58dd89645e978e8fce2c46a1f0ada0e95aa4410924368c30c8e07bdd75d7b518e9a5331d545701f

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
320KB

MD5
9081586719a64778cdb095339e4b3ce9

SHA1
5ee4708b7e62f209b7f2533ff88e160fdc9ce6cb

SHA256
69b949a2d3c9328b8d1ce23cb43121d1449941941be8356c83d2c4ec052c1528

SHA512
6ac5379006bb6a5792fe1919d4ffb46c882d91d94acb21ef7bd05b41b03714bbc1c7a5a0da84658485fcb121ecd8dd8088f334513b62da14cd011ff123c3d34f

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
320KB

MD5
44424725fa05b0c5dd221588c2d96d0e

SHA1
4548d63a7345cc3d7ce05d91dfc143d2d4e72a04

SHA256
3be5c2ff9161653d676d8490418ca54d36d5c198b74b8cc0863c3ebbbca4ce91

SHA512
a9d89b5744b3cc2570bf71a02e584e0fccc2cd4e9335d8e9f0cf449e598e30469f2769854c3a271bfb37ffac78035f35aab5501363360be0793d0c46faa33d31

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
320KB

MD5
23043d6fb27d71598753b88e06555662

SHA1
2bf6058a5aad09d020cf559e3f903390a3c27946

SHA256
245f83a640fdfb7e466971d32af039560773bba23db8002152592a6683ad3463

SHA512
1a668ad6de8a401341d3bbced491e0a97cb57a088be954eab9684793d494d23dc44f4a741ccdeeb8f89296f7f0bfb4d2747170c964e77a8a026276b499a75259

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
320KB

MD5
65c680b8003af02cd4eea843f666e6aa

SHA1
2501f959eb5606ed2e0a023eb2390a0aa855a6d8

SHA256
a1e29371db50a3a50ec532a3917ff76811ddf46739098a8f441ffd5f7621cfe2

SHA512
9f584028f522ed8b46e5e976cb11d370e8c57cbe73ee0af1a1683e52fe24dfc4aac61e8c748f74b1421ef2a61aa7d99b0456a076d96c05ef8ac7db8c56da7cf8

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
320KB

MD5
2e3c5bbf8f6ee93d1e9de09d370b43dd

SHA1
ca3a8c608de10923672d11737aa13e67abddaf12

SHA256
b718309eb67d72902ff39229c45707fed3b3abf903fe44274a32d1d2f1cb381a

SHA512
0c6dea9b0086e6b552fe4930bad64316555b935ff24b4cdca7a721d252dbc75b1e76c318fe953a78ab6d9bc9a07a027cb3fc01a0b7c992843f3ce6af295653b4

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
320KB

MD5
6f88280d711a76affae42b89dcc16ab8

SHA1
1a2966f394cadbdb2dec96b00ebcbb44d0ae6dfe

SHA256
045d8f0fa779f4c732b8fcaf7feecff4e6114d405321ed991f107306aa6a01b2

SHA512
37cd6cec59387a37ca1af7280c8238a1a847d821c159c8d79ef7dff9fc2337dd512ecd12e4f9b170b3636685815b58b3759d06f0b51e9f238dcaa91c4faeb0b2

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
320KB

MD5
d70b14c4ea16a2b4d4e2224131b43c86

SHA1
6b04771b8ed729524daa2a9242debbbeab14d037

SHA256
4b8f3f24e52d7340062529e14efcab722a1744d49eaf18d06aca6d9134bca529

SHA512
93edfcf6fe646349a0fffd6891506b9ed78dc6e8618aa64069b99f967464709314481d2891c5df38d5c81c911fb74c06d53bb81255efe44a8e2d2862370e22f8

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
320KB

MD5
f9a4f846e05de95ff4fc1e4009c66970

SHA1
1a7111758d18e91db3bd44d11aab2c3b40d590f7

SHA256
8c265a6697d9b903b6faa64b3f5e105458e8ce436d8b21c363e4262b86550a5c

SHA512
6d7b3dd71fe0cf1abbc6533795de4dd45b1683dcd11fad1ec658a3e1c7bdc8a4ca540234ba3b9d2f1819d4545c720ab1f4d7d2abb79c5ad88e1db0fd866f763f

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
320KB

MD5
102d70b31550a599d02d9cfecf356766

SHA1
67472af2155720d7493c1f3962347670bf53c728

SHA256
2c0e451749eb3b3153c314b4c6888456a789c3a8488490a773e2f3cdfefc01fb

SHA512
45e532c146405340049e5e7a42503e4209f14e2fa1a9369d3a4da4cf09806bc7be68877ab4207605c032d77d86893d6eb10ce3ebe6cb32d20c0c94ce56e6db4b

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
320KB

MD5
bee9f5d0c270be2afb403688c71a2f11

SHA1
dd0b25cbda3ca88d137fabee98b9692e149639f9

SHA256
bb4dc9ef2f4cc7deb0102aa7d966959b1166cf0471e1231a6ae52422813300fc

SHA512
103bd0e246339fee97322ab6a617b7d2eca94760737470cb41708b2433a7afee6f53de3f8745d0d16137f0b7cb0e8fa8bbc072a195f1f29a14d1cc5a2f0d6439

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
320KB

MD5
e8b6eb8d32474946b8071282ce374263

SHA1
c807ed767aa840fc039a9219a6a59ad7f2b3faa3

SHA256
4d227bba76c7b2d35eb002a4acfec78d656a91ff92e4a803cf89dbb161a7979b

SHA512
67d657020ca777da12ea66e5f01371587f2df3bcb1ab4e34f99e612d25c2170dc50b7429910c9fb785bfbed1a22904e018be969107d09949baa20aa306e9bfa4

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
320KB

MD5
f98ea48b523206ef598294869f316a78

SHA1
c40a97ccf7a24a25d3f21db40f08fc6594aec4d8

SHA256
854f0a2013a2c52c31d03805e1d009c15501b675c4b16c5e4d8e6e3e18926f59

SHA512
7802663f58e015a1a6ef891e1fc746cdc114c6511d28dab6586a9dbe4f745985eaf0623dc086209bbd660830acaa2b9ec1ad62da57af896198fd2c0f71bc2f61

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
320KB

MD5
bed67537e7dbc752113c4542988b79c4

SHA1
77092d129ac6d1d070b8527e4cfe3751d421851d

SHA256
ff667e0055c7fc5c3aca4aeac0739c747313ed7c85bfe67f59033acaa7eda186

SHA512
9b6781fe55200b038c9cc3e305decbe9c2b0d022fc65ce9f68c9198a330e71e035272a4356cf73461e1b1a35460d7131702699f109da4b4dbf8d77b4eca8faeb

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
192KB

MD5
48eb610ccf81bbcf2383dda4982bbf60

SHA1
209fb951409023f4d406b8a7d25996381a1ce665

SHA256
00d26ea72ccc17ec362ef22a9cb403799f6c66a145ce000b76a9b48992fc2ec4

SHA512
c4adbadf787b5b5e95bed361a672551549836df2667c48b46b5dbc08f66492203ae3721c8e3106b6908104624dd53ef7246dbcf497130deac45698c384bc2d73

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
320KB

MD5
6b23a91c6563fa15da75d8a21cc5c0c4

SHA1
fa0d2cb46fc37b2367815f65d1edf3b7a2a62fe9

SHA256
e0e41f2d3bf5220dce195d4e2a189ae5913e6c6f8f7fb78016e1e40184cfbd17

SHA512
937ee50b7c189e47b4382f68f0d8ed7d07fa7f46f1b289faa8e779952368bd49dbac1ac98c370696b6642250adb63f122034dab45a2cc050e7c741f71be6a0e4

Download Submit
memory/220-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/220-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1636-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-85-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3084-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3084-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3520-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3520-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3628-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3628-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3800-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3800-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4200-320-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4200-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4440-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4440-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads