38bcf6361fb4ae5796de7832b01cf6f2c2ebd7b4f289a2457669271c78eeadf1

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
Size

1.3MB
MD5

76e878dcacf660d4abd2feff7aea2af0
SHA1

5c87f35e03176195cf2b9a2d9f92bcb61bfdec03
SHA256

38bcf6361fb4ae5796de7832b01cf6f2c2ebd7b4f289a2457669271c78eeadf1
SHA512

56ee18272767c0cdaf0ac8b8e9c0947ee3b65095f7a3aa0c4d38e94d365bcbc2db7b8ba4009f9c2c780458d3355af1d3425ec177ee7af4cd764bdaff86ba77e1
SSDEEP

6144:6MDH6/Z4EriE5ZC2npb+oB+Zz2HG8t0DoEWufVuvw0HBHY8rQ+6bPD3wPSk8ymLd:6M+/+Abaz22cWfVaw0HBHY8r8ABjMn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe

Executes dropped EXE 19 IoCs

pid	Process
3972	Jmnaakne.exe
3588	Jfffjqdf.exe
4484	Jfhbppbc.exe
3320	Kkihknfg.exe
1480	Kacphh32.exe
4464	Kbdmpqcb.exe
2124	Kajfig32.exe
4940	Liekmj32.exe
4960	Lgkhlnbn.exe
4560	Lnepih32.exe
5104	Ldaeka32.exe
3880	Mpkbebbf.exe
2396	Mkpgck32.exe
2724	Mpolqa32.exe
1104	Mpaifalo.exe
4368	Nnhfee32.exe
1660	Ndbnboqb.exe
4996	Nqiogp32.exe
3268	Nkcmohbg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kbdmpqcb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	3268	WerFault.exe	103

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kbdmpqcb.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 3972	3908	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe	82
PID 3908 wrote to memory of 3972	3908	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe	82
PID 3908 wrote to memory of 3972	3908	76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe	82
PID 3972 wrote to memory of 3588	3972	Jmnaakne.exe	83
PID 3972 wrote to memory of 3588	3972	Jmnaakne.exe	83
PID 3972 wrote to memory of 3588	3972	Jmnaakne.exe	83
PID 3588 wrote to memory of 4484	3588	Jfffjqdf.exe	84
PID 3588 wrote to memory of 4484	3588	Jfffjqdf.exe	84
PID 3588 wrote to memory of 4484	3588	Jfffjqdf.exe	84
PID 4484 wrote to memory of 3320	4484	Jfhbppbc.exe	87
PID 4484 wrote to memory of 3320	4484	Jfhbppbc.exe	87
PID 4484 wrote to memory of 3320	4484	Jfhbppbc.exe	87
PID 3320 wrote to memory of 1480	3320	Kkihknfg.exe	88
PID 3320 wrote to memory of 1480	3320	Kkihknfg.exe	88
PID 3320 wrote to memory of 1480	3320	Kkihknfg.exe	88
PID 1480 wrote to memory of 4464	1480	Kacphh32.exe	89
PID 1480 wrote to memory of 4464	1480	Kacphh32.exe	89
PID 1480 wrote to memory of 4464	1480	Kacphh32.exe	89
PID 4464 wrote to memory of 2124	4464	Kbdmpqcb.exe	90
PID 4464 wrote to memory of 2124	4464	Kbdmpqcb.exe	90
PID 4464 wrote to memory of 2124	4464	Kbdmpqcb.exe	90
PID 2124 wrote to memory of 4940	2124	Kajfig32.exe	91
PID 2124 wrote to memory of 4940	2124	Kajfig32.exe	91
PID 2124 wrote to memory of 4940	2124	Kajfig32.exe	91
PID 4940 wrote to memory of 4960	4940	Liekmj32.exe	92
PID 4940 wrote to memory of 4960	4940	Liekmj32.exe	92
PID 4940 wrote to memory of 4960	4940	Liekmj32.exe	92
PID 4960 wrote to memory of 4560	4960	Lgkhlnbn.exe	93
PID 4960 wrote to memory of 4560	4960	Lgkhlnbn.exe	93
PID 4960 wrote to memory of 4560	4960	Lgkhlnbn.exe	93
PID 4560 wrote to memory of 5104	4560	Lnepih32.exe	94
PID 4560 wrote to memory of 5104	4560	Lnepih32.exe	94
PID 4560 wrote to memory of 5104	4560	Lnepih32.exe	94
PID 5104 wrote to memory of 3880	5104	Ldaeka32.exe	95
PID 5104 wrote to memory of 3880	5104	Ldaeka32.exe	95
PID 5104 wrote to memory of 3880	5104	Ldaeka32.exe	95
PID 3880 wrote to memory of 2396	3880	Mpkbebbf.exe	96
PID 3880 wrote to memory of 2396	3880	Mpkbebbf.exe	96
PID 3880 wrote to memory of 2396	3880	Mpkbebbf.exe	96
PID 2396 wrote to memory of 2724	2396	Mkpgck32.exe	97
PID 2396 wrote to memory of 2724	2396	Mkpgck32.exe	97
PID 2396 wrote to memory of 2724	2396	Mkpgck32.exe	97
PID 2724 wrote to memory of 1104	2724	Mpolqa32.exe	98
PID 2724 wrote to memory of 1104	2724	Mpolqa32.exe	98
PID 2724 wrote to memory of 1104	2724	Mpolqa32.exe	98
PID 1104 wrote to memory of 4368	1104	Mpaifalo.exe	99
PID 1104 wrote to memory of 4368	1104	Mpaifalo.exe	99
PID 1104 wrote to memory of 4368	1104	Mpaifalo.exe	99
PID 4368 wrote to memory of 1660	4368	Nnhfee32.exe	100
PID 4368 wrote to memory of 1660	4368	Nnhfee32.exe	100
PID 4368 wrote to memory of 1660	4368	Nnhfee32.exe	100
PID 1660 wrote to memory of 4996	1660	Ndbnboqb.exe	101
PID 1660 wrote to memory of 4996	1660	Ndbnboqb.exe	101
PID 1660 wrote to memory of 4996	1660	Ndbnboqb.exe	101
PID 4996 wrote to memory of 3268	4996	Nqiogp32.exe	103
PID 4996 wrote to memory of 3268	4996	Nqiogp32.exe	103
PID 4996 wrote to memory of 3268	4996	Nqiogp32.exe	103

C:\Users\Admin\AppData\Local\Temp\76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76e878dcacf660d4abd2feff7aea2af0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\Jmnaakne.exe
  C:\Windows\system32\Jmnaakne.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\Jfffjqdf.exe
    C:\Windows\system32\Jfffjqdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\SysWOW64\Jfhbppbc.exe
      C:\Windows\system32\Jfhbppbc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        20⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 412
        21⤵
        Program crash
        
        PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3268 -ip 3268
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
1.3MB

MD5
4444af955ac9a6e8658ea5a7895810d0

SHA1
7a5084d695781a9c8cfedb4fc1cbf68583047d1a

SHA256
80f2ea50667a1f415b6c317ca03be40a3b118b3aa8200c2b7168908d40f3f7c4

SHA512
9898a977a2f1793e5ef088ee4bb259a16421f80e5cb1685c345c98e50e970d80ee222e3d0728f6c95ea5eae1cea3d08a9a61e4690e87a84f8bfff2d2963a0ec8

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
1.3MB

MD5
3cddbd6051ce70df045611ef512a8636

SHA1
0a9f5f24cb1538f1c2649ce0cbaa81c52396ae57

SHA256
1e5ecc58424d7f04a5a07e072378de9ed1bb94f7e9426a750540812734877a6e

SHA512
4388669a7511d8f7e601cb76912c56a4cbcf30be0d5fcd48753ea169e199af9b978033f5facdb78fdbc0d55458298af471b2c92341e31b865ea98a9e507d6061

Download Submit
C:\Windows\SysWOW64\Jjblgaie.dll

Filesize
7KB

MD5
98c06aee4abfe477f38e0495739a15f3

SHA1
1fa20a16ef8b2c233123bd719ce56cac51b1daf1

SHA256
373f91d4dec0c07860fe72c2de1766e210fbe85704a10256ce906c3ab053240c

SHA512
42f4d0d9cabd9c40483479c356fb59cdbb05708c312c0958eb31d29148007349c84cc526a3db03396b55199d4ce7d3c7295c6a68c06d8237c09526a5950be003

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
1.3MB

MD5
142cfa93ed07b95f1e7be90fba802992

SHA1
887cf57f9fc373067a25c5126f45bcf4a142756e

SHA256
d55d6d9ee4831933b287dc99a4f2c59ca005b4e42c6c4aba668faa4919c37e65

SHA512
5a7da34033ea01a02315251da39d8ce7ce9d2caecd14b3f251bc3b64772795e9a09f894794cb07bfa5ef60f0591149e3b39268b6932b0a60f4b327b42d478830

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
1.3MB

MD5
9f90eaa6c517f6e4839a33b4bed8cc1e

SHA1
4a47586db8ea43618e1058142fa84244a51eb8db

SHA256
596665d7f3c2497b9cb2c9bbe55956b7d0d4f78092cd7996e888ab3f7140298c

SHA512
c80e249400d08571133c38971543c11356ad9ebed77abe792c1392a9931383380091cf4d49fb9297f902045363c7a672e6f970f45bc1288810357c59a2e6a0ba

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
1.3MB

MD5
9b44f7916dca6e1b971237f370ac8455

SHA1
93020740b9bf4fc0ef4d7403324bacf67b570ff7

SHA256
684f695d40d8508f68d775ab29204cc5c3fd5eaafee1ea6ca9c32548ec54239c

SHA512
29192de2cc271ba8337142e0070dc8297d06f882d59ae1e95da9d66e8f34ca3b67ebce3ebae20314e81097b3488b567000bd1dfea82f1008ab87ae964efe95f9

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
1.3MB

MD5
6feeef6925daee5a3aca9d6848f57261

SHA1
1405b48a4d2906b9c128977155c5317feb39ea20

SHA256
39c674a73ea7d4b7db6290a981b46a8ebe79dc523d4101243ec4e6b69c3e25a4

SHA512
bc71b396194135ff1dd6fb6dff8c28e4c2b51eefed539cbbd60a7bbc14b17283c4f50176509931322393caf9f8e20f6fda493ed04fd6ed49e48f67eb76523665

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
1.3MB

MD5
d696848bb514f16c7b6bc558015bf806

SHA1
eb086097d8d401e5f119fcec81af7c404099d98e

SHA256
04550b5e078b4c85104b3536e76dbb285c8fff4d7891df9d73587f47a72c4318

SHA512
a58012ab8ee0d319a453f292d8dff9d5d8eed09d25aefade2cf329959a27753cafa6c30c8cd484c0b4b2fc33f303a5505d45e6df63f56fd664cb025c6166498c

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
1.3MB

MD5
fa1851de96cf2a8cb38e9cf65db29eba

SHA1
0332c4c154a7deaa0ab3da2be25f8dc968344502

SHA256
a49f1bee8e2a3bd87f95ac1aefb6b16a1e6a6e5d1b712e3e90f2548ac44176f6

SHA512
fc23872bde7607a6f4df9fbcb6461a0599ade9d6de83b13dc2a8787610a8d49c4c204960f43952627ea39e57ba1f9676496a0b47f3312ac51410140574ad3602

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
1.3MB

MD5
4e1ec8293d13ca2c81e76e4f3a4f92c9

SHA1
0356d0ccd7b5434cfefc4c3db341c300a017c105

SHA256
67608a6f69d6c304267496943b128da53af7401656cf5fac6e7e59c1a3a732eb

SHA512
a84ff407b3f2607aa7efa9b6881cd5b2dad24a360848bbaa0af7fd3432723088c0abc898c667cc13178df138944997c1ab51b834c84c58d62752daedad3dd1e1

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
1.3MB

MD5
5e652ea9a2e7b36d35ce59cec5d164e7

SHA1
60bacef5ec23b575bc4e3b0fdf23dfefdbcb275b

SHA256
5a47ab22ba40fe80525b14d75313c62097cae24e597df070836257c331f8b1fe

SHA512
ae6f86329f95addf507f0b35c92d68121e40d5a7202d080a6f78b6b6b7d5dc22dfd242403921c29b214a1cce9132fdc2ada47d7fb6903880c33d87a0a68aae0b

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
1.3MB

MD5
aae3f49fb38782f4f1d802c695cc552e

SHA1
a9f8823a90403d5ac7cbea1f2cb4625923a4489a

SHA256
99a7117434607ff9ca98edd1f8087525685cea116fe4d2fb282257fcb1c0a1c6

SHA512
f53d8bacb36945a6fd36fdb911db9bc0bbcc356093b7bc75763688dc9d6ebaa69d9a51b94c414d2fe3e8b8211c00210a863155ac62ebe6374a595ab454873529

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
1.3MB

MD5
cf603da180861422888840980de3837e

SHA1
e8e5d18005c97adb7e45f3b0932f8a5040f5668b

SHA256
0cc53a10392d251444abe1be7d9a90e6f66efc37b966d35245d492e001ea3fbc

SHA512
d11d3da13b7f6173af497e576aeceac54cae6c874fdf1fe801aee1a1b25f03288cbe5bea23f234a4eeb02bd80a5c02d660c43f79178bf409a7b1e4705eb905ab

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
1.3MB

MD5
44c5f9678a4ebc4f976f81e154d4c941

SHA1
0f45e775d330eb766abe4180108ecab415396fbd

SHA256
d8ca4a6c7877821b0e0c48f9846649c53a4baea14a7b31d2fb03b701559c0901

SHA512
d2605fb0b34d6cff491295013ed4d9d77aee48b4ab584542d1be48dcc89c019bb47a52c821bd89de02ccec606329ad0d87259b27847865140d0afcae4ad10727

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
1.3MB

MD5
9b72c9a0b121b43d14cb58000748183d

SHA1
5d626751db3c2eeb48692b3831df9058fa06bc4d

SHA256
97d5a52f31685ecf226c899bf7794ddd8f6906137b2f9e9f154de506cb8e5162

SHA512
19a4b1b04219ab1a0f99b343ff1b096d3b73814ed5ee70131bf9dac58a2e153f043711179f614dfc5b57c70ab6785e14f2903fb3e452c3123c722d4c3e8ec311

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
1.3MB

MD5
d2393f35cd22da744ab51f26d3e46f15

SHA1
088dd40a6ce092169810fa30bf2f7bd0f795e77e

SHA256
fc653875c3395c27ed724616365f78cbac1773a83173e7c276c8f81779efa9c2

SHA512
c63907aa4378b244d6a2476991bc354315a798127cdf2e531efab5c4c5ebefad13a224d8fb229be1c86779bc9a0a1ccf0fba8cd020fa9290a03b2cd847b40382

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
1.3MB

MD5
c71cd97e9b9d2683fd2f61a7b83d96d9

SHA1
e8684e2434696d5a4d9fbc43a59e61e12d60d94a

SHA256
9a7bf7cfa7d65f31510c176799e8d8d0146ceb3955014ea42d39524d2cfbe3e3

SHA512
427c9f91788a5607fe8e70e2d900e1b15490a6b8f6acbcfd5fabd9c3306412fa2dfaa945d566e665ebf9a52c5e743bbfa74a3c44a089d3826bcad3202a3dd400

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.3MB

MD5
40159dd0989a2defef8d79682c2efb7d

SHA1
991016c19152be0656c904ccb72b2c11d7d8258c

SHA256
e8311f7fae7ee5a66795fa39f9de4ad30f6063e7d3b4a43f78d34c75d7381327

SHA512
5562dbc479df7ed7c1d3a48c24f2b12fb5a1e3a42935560a3b3a0aeaf8bae6e06fd4b96ddcd97a3671643dfa5d1efbb5a1ef5fa1f9600a1148cc54cdfd6f2346

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
1.3MB

MD5
3cc5b167d45957f1f24cd93524a7ef89

SHA1
cd320fdeef0c14f58d25148cfd3458316df2159c

SHA256
9c031f1a3c097813d0805914628ee0e27b367cc193aaca96f278f2c6a12a23d5

SHA512
ea08e8c11858b7509b1072e4b0b2f62c81f2435f3324bc063d995e966cdf65c6c3f9bf49daeb76d2a2aa5dfb1a4d98626eed95ffdbec860c10e05c0f8863505e

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
1.3MB

MD5
4d72e489fd1947cf7f480e33707af245

SHA1
94adba9e3115ef4804d3b7c45f8ff65b3ba75b82

SHA256
671455b735be02143a35d8735cf9cf1897072ae0e8aad93897ccca69bbe4bf36

SHA512
9dd258c6c171c63fe1890e02a7945cda22d4405c703cee8559e5492f4470e1c12d27d05d8973461fc855acebeef1aa9c19e01eb912c71eddb481bec77f218a3b

Download Submit
memory/1104-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads