83a4ed761ed726a0b72cb8861487c72dba3fa7fa06704a4c6413109b5a9716ff

Analysis

max time kernel
95s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe
Size

352KB
MD5

3f68477961aeb4480e60af5db4626520
SHA1

8e23830ca046c7c5ed6e7eeaa18313a7236c37e9
SHA256

83a4ed761ed726a0b72cb8861487c72dba3fa7fa06704a4c6413109b5a9716ff
SHA512

5857864b2a0ead76cf49c817b35c269234b925f41c7940e54966d323892155ea548c9fae4e1c4fb7e2532638e87bf115f038695392da530ecc46f6a0201bfda0
SSDEEP

6144:hemoR+1lmVR0q2MVEHeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UR:hemoR+1l4R5mHeYr75lTefkY660fIaDd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe

Executes dropped EXE 38 IoCs

pid	Process
4748	Jjbako32.exe
2612	Jpojcf32.exe
4688	Jpaghf32.exe
1420	Jkfkfohj.exe
1404	Kbapjafe.exe
1904	Kgmlkp32.exe
1888	Kacphh32.exe
1008	Kmjqmi32.exe
1352	Kdffocib.exe
3124	Kmnjhioc.exe
4332	Kdhbec32.exe
4692	Liekmj32.exe
2216	Lkdggmlj.exe
1924	Lcpllo32.exe
1172	Lpcmec32.exe
2128	Lilanioo.exe
3804	Ldaeka32.exe
876	Lnjjdgee.exe
3624	Lcgblncm.exe
1636	Mnlfigcc.exe
2256	Mpkbebbf.exe
336	Mjcgohig.exe
2440	Mnapdf32.exe
5100	Mpolqa32.exe
4836	Mkepnjng.exe
2384	Mncmjfmk.exe
2268	Mdmegp32.exe
2996	Mglack32.exe
2680	Mjjmog32.exe
324	Mcbahlip.exe
3484	Nklfoi32.exe
4512	Nafokcol.exe
2372	Nddkgonp.exe
4044	Nkncdifl.exe
2380	Nnmopdep.exe
3912	Nnolfdcn.exe
1356	Ndidbn32.exe
4560	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4968	4560	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Liekmj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4748	4008	3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe	82
PID 4008 wrote to memory of 4748	4008	3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe	82
PID 4008 wrote to memory of 4748	4008	3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe	82
PID 4748 wrote to memory of 2612	4748	Jjbako32.exe	83
PID 4748 wrote to memory of 2612	4748	Jjbako32.exe	83
PID 4748 wrote to memory of 2612	4748	Jjbako32.exe	83
PID 2612 wrote to memory of 4688	2612	Jpojcf32.exe	84
PID 2612 wrote to memory of 4688	2612	Jpojcf32.exe	84
PID 2612 wrote to memory of 4688	2612	Jpojcf32.exe	84
PID 4688 wrote to memory of 1420	4688	Jpaghf32.exe	85
PID 4688 wrote to memory of 1420	4688	Jpaghf32.exe	85
PID 4688 wrote to memory of 1420	4688	Jpaghf32.exe	85
PID 1420 wrote to memory of 1404	1420	Jkfkfohj.exe	86
PID 1420 wrote to memory of 1404	1420	Jkfkfohj.exe	86
PID 1420 wrote to memory of 1404	1420	Jkfkfohj.exe	86
PID 1404 wrote to memory of 1904	1404	Kbapjafe.exe	87
PID 1404 wrote to memory of 1904	1404	Kbapjafe.exe	87
PID 1404 wrote to memory of 1904	1404	Kbapjafe.exe	87
PID 1904 wrote to memory of 1888	1904	Kgmlkp32.exe	89
PID 1904 wrote to memory of 1888	1904	Kgmlkp32.exe	89
PID 1904 wrote to memory of 1888	1904	Kgmlkp32.exe	89
PID 1888 wrote to memory of 1008	1888	Kacphh32.exe	90
PID 1888 wrote to memory of 1008	1888	Kacphh32.exe	90
PID 1888 wrote to memory of 1008	1888	Kacphh32.exe	90
PID 1008 wrote to memory of 1352	1008	Kmjqmi32.exe	91
PID 1008 wrote to memory of 1352	1008	Kmjqmi32.exe	91
PID 1008 wrote to memory of 1352	1008	Kmjqmi32.exe	91
PID 1352 wrote to memory of 3124	1352	Kdffocib.exe	93
PID 1352 wrote to memory of 3124	1352	Kdffocib.exe	93
PID 1352 wrote to memory of 3124	1352	Kdffocib.exe	93
PID 3124 wrote to memory of 4332	3124	Kmnjhioc.exe	94
PID 3124 wrote to memory of 4332	3124	Kmnjhioc.exe	94
PID 3124 wrote to memory of 4332	3124	Kmnjhioc.exe	94
PID 4332 wrote to memory of 4692	4332	Kdhbec32.exe	95
PID 4332 wrote to memory of 4692	4332	Kdhbec32.exe	95
PID 4332 wrote to memory of 4692	4332	Kdhbec32.exe	95
PID 4692 wrote to memory of 2216	4692	Liekmj32.exe	96
PID 4692 wrote to memory of 2216	4692	Liekmj32.exe	96
PID 4692 wrote to memory of 2216	4692	Liekmj32.exe	96
PID 2216 wrote to memory of 1924	2216	Lkdggmlj.exe	97
PID 2216 wrote to memory of 1924	2216	Lkdggmlj.exe	97
PID 2216 wrote to memory of 1924	2216	Lkdggmlj.exe	97
PID 1924 wrote to memory of 1172	1924	Lcpllo32.exe	98
PID 1924 wrote to memory of 1172	1924	Lcpllo32.exe	98
PID 1924 wrote to memory of 1172	1924	Lcpllo32.exe	98
PID 1172 wrote to memory of 2128	1172	Lpcmec32.exe	99
PID 1172 wrote to memory of 2128	1172	Lpcmec32.exe	99
PID 1172 wrote to memory of 2128	1172	Lpcmec32.exe	99
PID 2128 wrote to memory of 3804	2128	Lilanioo.exe	100
PID 2128 wrote to memory of 3804	2128	Lilanioo.exe	100
PID 2128 wrote to memory of 3804	2128	Lilanioo.exe	100
PID 3804 wrote to memory of 876	3804	Ldaeka32.exe	101
PID 3804 wrote to memory of 876	3804	Ldaeka32.exe	101
PID 3804 wrote to memory of 876	3804	Ldaeka32.exe	101
PID 876 wrote to memory of 3624	876	Lnjjdgee.exe	102
PID 876 wrote to memory of 3624	876	Lnjjdgee.exe	102
PID 876 wrote to memory of 3624	876	Lnjjdgee.exe	102
PID 3624 wrote to memory of 1636	3624	Lcgblncm.exe	103
PID 3624 wrote to memory of 1636	3624	Lcgblncm.exe	103
PID 3624 wrote to memory of 1636	3624	Lcgblncm.exe	103
PID 1636 wrote to memory of 2256	1636	Mnlfigcc.exe	104
PID 1636 wrote to memory of 2256	1636	Mnlfigcc.exe	104
PID 1636 wrote to memory of 2256	1636	Mnlfigcc.exe	104
PID 2256 wrote to memory of 336	2256	Mpkbebbf.exe	105

C:\Users\Admin\AppData\Local\Temp\3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f68477961aeb4480e60af5db4626520_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\Jjbako32.exe
  C:\Windows\system32\Jjbako32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\Jpojcf32.exe
    C:\Windows\system32\Jpojcf32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Jpaghf32.exe
      C:\Windows\system32\Jpaghf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 412
        41⤵
        Program crash
        
        PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4560 -ip 4560
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jjbako32.exe

Filesize
352KB

MD5
b829ef875546324630c881db3c132886

SHA1
b7386d4c09cbe7a3c40b27396ceac1dd49d41e8d

SHA256
4f4442a060b3dbaf4ae3749f856553d1921a57917f2a67309c11f3f560aa39af

SHA512
29a9cbcd9da06e10aef8074bd64d6f2dfb6343e7fde2915daa74b1eaa1c6cfd35a8a8b0be85c6bf3f1a8027c6becc6e7e4acd98850009b287f4abb76aeb6ab74

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
352KB

MD5
50e15bf726d0b9aeb3786600abd190d4

SHA1
c702953359b8943718dcecddcf9864d545ec507e

SHA256
08e3ee68cbb5bd884210ad7c06b644d4e0f3e5fd6f69c699b8bc13ff07b27b50

SHA512
58e28b07012c8123bb03bc1a86c2de09707b069e893a7e576a366161a4d972e041b88a27fb7a080c4021b4aa45895bd2c6a500420411e93c8f8183dfca3852f4

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
352KB

MD5
c28de7be45a2886db47c769d9e73592b

SHA1
a073badf156e9527d7b6583db0e4e4796c9ddcb9

SHA256
c4a37702833bbdabf01863f22588f19d1d91c4d81eda08c0130ea587cb613120

SHA512
2f01175cde09abec39ba2ee98089a3fcfcc4f88cd8de1981bb33c692b873c0eb8912df246ff5bf24306beb432da56ed0e29ee00795aeda00a829dab0ff3a5228

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
352KB

MD5
9baadf261cd7dff0ae858ec7e9fdc41f

SHA1
a0bb7711d3dff1150836a0496eaaa9f81cbcac43

SHA256
ff06d839da57ba224238b24b00786db60001956cda3614f4720946be717a6e6a

SHA512
3414849c1c62c8f18eeb0d0eb579bb6bc3f4d33d3e9ca8e88aafc2ab623ae8660d5307ceb305356df4fa7a1c6d979b912df90450add5992ff864b4bb0dfb0dcf

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
352KB

MD5
f8f1c1bf13ea12b9517076a0b04c21f5

SHA1
a8b4311242e43294703e9a6de68ff01c8f92c878

SHA256
082278c64e7675eab56153422729d9fee99acff05c003552f333d1b57a4841ba

SHA512
0b68a6033fd43667cb20d4968f43f088ce1702bbd0b4463b35df02c0b22672c75f30852e142c4c84a4458bf1800c72d62ad6ea2f44dbc366235157d33eadfb2d

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
352KB

MD5
9b41d6b3357f246e9e33078d1080096d

SHA1
bdb24e952fe1e18f65fcbbb64e13328f00159805

SHA256
1510156c3dcea5640ed216787b168d81e766c4412386a8229d2469fa611442b1

SHA512
7e0ab52bf89c5480438aafe43fc45254bb496e4198de62951159b03c8bd04d871f8abf1670d7d3e7c076d889e8c6eefbc311876d0add1f4a6986414de40f013a

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
352KB

MD5
c305948effb6ed6950a2f8f2851dbadc

SHA1
2387d9db570c146e6bc738e138516f34b5c6f13a

SHA256
5cb6e87aa9d0785db82211dd5ffc868be257988ba7fde7821d3d38dbea2633d8

SHA512
49fba8cb98799db18d001b42e465981051a363907094b04036c7fee7f57b121d0610fc89d511a348e0b4571f3b0214e3e93e01416bf0c722127d5aa15d5f135e

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
352KB

MD5
83e317e90df7e0bdeee6ab26535704b8

SHA1
34f2a0f6b8d00a5e5d3626c7fffd7836b6c0d5fd

SHA256
86eac790a21d79e662b1bed8c10e48089b4f611615f2405da44c541ed043c87b

SHA512
4887d467f26eea29f35ab19fb5ba0e6bb6ab5bdb3d86a34ea52f6c8f295d9cacb0e7a936fdfb92aa0fcf90006fbdf88dd210a87dd918104c0c6abc10f7a53d12

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
352KB

MD5
66d2bfe02e398175b4fa335cd447140f

SHA1
a933e7bef7344b1afe39a2302caa3aff2ebbce4a

SHA256
940bd3d4c7d1cb4c930a4f5842a719b6b0f0f9e45f079e53f97c7f1ed5c38d36

SHA512
9930ec55955dc148441b7f9469ff8cb8e7f1adb90b38bc4345acc89beaebe30402e6ce0be2e6da73f93294ac70eee9e24241bfea56582e80110ec958a3168162

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
352KB

MD5
fc95b18d5c72f71c0ead1b93894d01dc

SHA1
2a6d48d059dd289bd7799ebee5882643a54b33e7

SHA256
2ddd209b216a5bc8b8348fe769a7c4bc52dfdeb3c368118a6455082baa9c6d83

SHA512
fed39393421654174ee584bd87270160ee2a590ef0c91bf4c597e82b6996e3fd0e31fca171fdd59ba49b715cba7f14278b1c0d318f151e93b23e4d0a380f9f99

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
352KB

MD5
467accc3c18b10c9a30f90d9232056ee

SHA1
937617c481b3385886b5eb62f2be2486496eece4

SHA256
c33088749f3a8b12e0aa8f884244e34a19833ca5b10555b6f2b79b90c149c566

SHA512
3dffb0bf8bc8c86220aeca3efa38d328e3e77583ca5759223d5c75ad7508a240ccff8cd059da01e7e3dcea8dee4979f8fe49ed13519360f28d1918b0d8fdf149

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
352KB

MD5
19442ffee1e7c64a3115389bf1626ee4

SHA1
e5b83c080e2eb7936122b491b6fdb26a3a2692ad

SHA256
ca08d65eaf7130fcad6cbc798f0cdfcbd5ec7057a9c3b0cee771a9cd2026bb6e

SHA512
c10124f694fdbb51e2bb80300538d525fad99dd691e5afb49e0556aaf071195cc91968c8ab56110c6415e043442ee874273a09f8193aad4de7e05a48760714b3

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
352KB

MD5
c70f75c41ae5355c6c3b62b8810de3db

SHA1
0be172d96b7c0c5ac358b7f82d6386ca89d45f5b

SHA256
52ebf991d89c1a23521d687a14f9d4066946a91785e8da494c0ee4d1dcdd8336

SHA512
13126362cb61b10097979abaf85b24694900f656f44bbbf9e5b717ce4e7c4f044ea806217803013d6143ac2aec0332703ddf7dc87721bb5347ade98178373295

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
352KB

MD5
6f37c14aa9db8560b7ad6bcc79a618f1

SHA1
0f4692d91de365c780d6485ace2d51e579a663d8

SHA256
7660a6ce251ed3cc55d48c03a514b20a72deedb13a9bef5de51ed65e431f86e9

SHA512
9ecc6fbc66f84816afbbf1afe7f8be042a7a177d93f09d315ce4b59fe11430bed96832a6e4d693b46e721f9d51e5fac6981dda00bf81c9cf7f066708056fd21f

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
352KB

MD5
1da0b22c0b87bab95359b8d38d39f25b

SHA1
3b01061996d1720607dcab9b9eb88d192a2a0822

SHA256
e0c5ec532e7ee88a2afab183560d805f6b64173c3649671ec4cc62924033f209

SHA512
edc9d0876a2f5fe73573080e95d48bdb3afdb3b1aff9c1b2e307d3221353c9718e62b4abdfdab67ba672bf812c7b3b63f1b7e6ddf6a842af6b5f99bfe1686707

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
352KB

MD5
3baec5f3e4fa10f3c0a4e8f8a5af9922

SHA1
fdb9307bd2802b63ac0aef7ffdff972fcce36943

SHA256
96bd9d211990093c216f9f8bca12090de853c9ff3e19a02db7e7b4f1e7cd5bd7

SHA512
37b35d3ca614babb4b4c1e95b1a24dab10a62e592bad80e6e34d2e8862edb26f5efee69fb7bfa88edf4ba5c7a2aca414bea954a37ea085a18e691c2dd4446b9b

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
352KB

MD5
89c875faf00715cae46806f1a61a6a63

SHA1
4525ea7cdc3de22767826158d1cc3e856ad22717

SHA256
36debe6c2c09d602b754e16b7cf88dfa3bd2ac2adba0719b7e5bef7c76473fc1

SHA512
40511d224110b0f48ee103890bf022ad2849fc9092a6df06c356d39e7a10bd90b63e732709d91f55aafa5dd9be34e3782903683c1a62eb89b0be8b8e6bd924c6

Download Submit
C:\Windows\SysWOW64\Lmmcfa32.dll

Filesize
7KB

MD5
ee2d274687c22b0b561bdbd2cec2f6ac

SHA1
cd7f56674e7c724d6aefcca353f43124dc3448dc

SHA256
2233c2028d53c1a9b6bded8a773ae7ba7da69aac932fdf1a43af2b5ea637c232

SHA512
6be0fd3f028067d167bbe56ae603be652debd6344e35831cf934dd6243211a8c75b72a4e4c9746fc8b6ec8a84feb0c3a25737cbf30e7e97aab0f9199eb3e4351

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
352KB

MD5
997be79ae432caa334dbf74ef9dc3b10

SHA1
74de6d872e13c7d9538f1062ed82a2ad42ae174e

SHA256
3435f83711e9ab40c4217127ef4aff25000d83cbd5a8bb04274c2bdc0280ddef

SHA512
287b75b2cb809c166d037eb05f5b82c1b0f2a7f14c5436099f11c061c1a6b0351c5947458b438b4f9ef166c0a1c287e92f11d299b0ba317ea5e78cce93deeaac

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
352KB

MD5
76b65d7fb698b96d0c7b4d58053b0d7b

SHA1
28dce49059ca8bad46ea1ed77a9003a069277dee

SHA256
f960a984689c41f84bb650dc878ab2c334b9fc63be525e81348890dc8a90461b

SHA512
ec21d567095ea149c396035f9b9731231056f5a12722d22d6e96b16b200c0a2fc4dbcc2d4963923c25949670382fed248708ade2b977ac7df6cc2b2e5d301f3c

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
352KB

MD5
872acd7921426c1c05d2ba4a471548db

SHA1
96f7a44117f4a187a322816d337b87fc86b14594

SHA256
e87169c9891ca1cfe9305beb64f4a825074350b3681f860f014fc99ba0ea6548

SHA512
809b7b1511cb5fa82f9797f4ad1f4451288a5757f5828e23a65931529759211f4bf53cab68942d9c85d3241ea1cdb0c71303f1ef97827621fe882ab73bd31fbf

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
352KB

MD5
ce933c06b03ab6a44241723250c177ad

SHA1
0becd0e2efe1841e57e0eb6ee5a5ad5a90aaaa1b

SHA256
b80ceb69a0dbf18c6c004a351323e2914c0d92a755f41735989be9451b3fdbb8

SHA512
72919bf4ba796195ecf0ccfc17c4b2b0a1f1a1d7257fd6e51afa539a2b27e26974a8b60e67044e5c681e013739d1e6394fcbfea4f80de97c21048c1e1af376b7

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
352KB

MD5
4f90be251cf8634257682ca115846593

SHA1
bd280c502f38ec0d9933823823e243502ada7693

SHA256
da863093b777eafa96ebfe0633802ff5e5e649b6cb54d6b01c0eefe37a2792da

SHA512
248d9c14dac3142761b15ce9e2b724adf47a2204ce0bd7f377bcf6687a510ccea46febca8810f85e63a5119b3163331a917a241a83da276867b1f4268d2be3c9

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
352KB

MD5
5b9c5c2fcdb38a2d1cb12b52f9483bb4

SHA1
c10b5b84a50f01316101c8de7cd4e0bda4f88e46

SHA256
cadcb31bc3d454489d162aa93b040e94ce285527f785a34fcfdf908aae73417e

SHA512
66f81f16d30d63cfcd209021ac79062456b51f6835aede0c1b9c93f4f2599022232de3dc8aa7b43105497547cf591399668c0385e29a9b21aa23c046e77f6fe8

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
352KB

MD5
f9833149b935091a74815a013564c261

SHA1
f859841d185957c5237325de9d0886fbe5b81b3e

SHA256
52cedd38229f7f5cd067dedc60a194d5a89c21d6fd4af047476de2e4a115146c

SHA512
f764e419bb65a80401eb04f47d05f8a3b2c6c52359a844a6afabd748c9fd7ca50c2c000d9c776797d73c251395df6e8bf1c23618b7211ca0c68682750fbf5f6f

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
352KB

MD5
e998301397b4b37ef000bc51dbfa529d

SHA1
331a3f2fd3e7461f49d6d573e1915a785293f857

SHA256
7ddf358227355733e8a187a97d9e8006620c9e59c4f955049be7abd78a1a900a

SHA512
a35d808720d0c058681f73c13c3591fed8aa1e232f2f8b0c8c9a348f898f79b8719e164ad50bf181352e1a9ec253f548db4d7ad9c922d15fa73a1bfdccc2f380

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
352KB

MD5
c51db84f9b0fbca8da07b605dca52452

SHA1
d99400738187751d2d391e1f617c5a90f079be9b

SHA256
b85c796750ccd1f5afceffd0ab280227c1704f6427ccb001d565b6e1cc445815

SHA512
3f517867b0c3db4efee83e320e198054aa244ead95372c70cd14d99180a6b75d09aed235f788328d1ea6d50e0991b305ce67f70ce612672bc66cded95b6bd93d

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
352KB

MD5
f230f29dad46bf9de59381757338bb42

SHA1
b30b34a3edbbace48d024c0e53362b3692995288

SHA256
74fbd4d99ee5ec3511ef13cf19bec641133202607d43db2e3b7daa45873ccba3

SHA512
c7bb91fae20f09620d6aac0134006a7563a3de143917c500da843ab59d1456926ba1540c08f4ba93639c47921d360249b2384440dc498af37c6defcb889ee358

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
352KB

MD5
73cf7995ab955604d230d1b964119b62

SHA1
b97c4a38c0b45f5413a9b74cb622891bc46a444b

SHA256
83930e0ac18cf35d61928ae62493046991c031fc5436dbd53e1625f541b147ed

SHA512
fbe6f6cc60ea661fbee31e779545d9f0aebcbf5b62a2e98a88e142ed8c3c913851ca530fd838ccccc79359a9fd8f24126a5915b777f31e9797f7f9b0bff2d2b7

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
352KB

MD5
cfa5ec1f3f1756be8782bbd1c3b34504

SHA1
ac90387869661b0cd6630e66cc1ef3410851db8b

SHA256
ab5677b9518ac9a24559ba9443949e97f99836cfe75a9a5194e137098b34d44a

SHA512
f70cc7121c34eba74c5e5ea0f46d8a3f1fb6f27a76b0ddf025b6dc01b171738749015dbf39cda1d1fd24c2eaff6c42facb72f58ca38f58cb8465c467179a4c06

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
352KB

MD5
5cbfbaaa6ebdf495733063c4c618b443

SHA1
569b7818b60a77a3683dac9666746ad0100dd303

SHA256
58c81c23a18bbc0c88f4d677e4e5860862d8d38d1b5d701a810039ddda69d852

SHA512
cee777b47cd5e0832425e4d0a5994362c634e3c1eed26ed04591a82f890ea46b2b8354b5d5bd152fe4c4c91887649046faa8a01c4a4fb3b6a87d063fa79eb733

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
352KB

MD5
efd659007e1947c54cbff246883c2513

SHA1
b3d575db656972fccc016a5f69e9f2d36faad389

SHA256
562fb117eea85cb32edc86d186b6c4ddf4a427dba911be4a1c308719622cbde3

SHA512
16e42244153e537c5187fc632c40a25f810094e27fcca7565d92c9adaf393057e6d0006ba514c99264ed1b07b631f462d20c4dbbd645929227bb0bc655e1a1fb

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
352KB

MD5
6e81dd11d5fa68d0b31372e099ed275f

SHA1
eb2ed225aa7ebc0dcbbaeaed2b45b26ff8576f25

SHA256
10d51884db15f7909f5a443ee3e01079c7c19402ef7e6c6ea963d4db356e6207

SHA512
11e49b0a3c43cbd3771fbca07e6130d7950a2f25dfc84badf1428a6034f1eb0ab328690697e7179346fbe84dff44d774b1fbd72ef5fcf0bb3a8c757a9f7dfb12

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
352KB

MD5
5001f596de1d64de35f8291f1e69d58f

SHA1
432f5874e58c03fd3055c721d6084f15477a053a

SHA256
9a9da6e54d604b6ebe114c88e33a3dbf50cca2fef574f2674eb5a74267645c83

SHA512
6bd88d7c1737b9f5a4d12a0d4bbe6ac43c5f81068827209e4b4d7d82c0373e8e748a5932a313dd0e263ab56cf31ea008e4b50440266e108d106921b4477a4c1e

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
352KB

MD5
0115215cd3b068b0d1660dddb5c2c783

SHA1
ef3d1c37103ef9c60f0d85a5ff066c5f0606b24f

SHA256
1f4380c28cbeeb94caaae28330ba18e8cae0a8f5e374c29712322b5b4fb9eb77

SHA512
cb56f2461d341dbeec247a960846c45d4c6417ea10c50cf30f092bc0d174d7a4d01bf8091bca5e244647af7c85fef4af82d0569d78dba726805c9b41dbc4d16c

Download Submit
memory/324-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/324-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/336-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/336-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/876-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/876-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1008-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1008-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1356-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1420-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1420-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-164-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1888-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1888-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1924-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1924-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2268-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2384-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2384-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2440-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2612-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2612-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3124-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3484-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3484-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3624-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3804-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3804-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3912-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3912-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4044-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4044-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4688-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4688-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-204-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads