6004611c0394e8c40413310cea946f1a07c82b0a720a5f496f867ced864fdd6a

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 16:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
Size

96KB
MD5

bebcc80a67c48c65cef68216b6d3a360
SHA1

89612f879ae406a45fc681502fed93e9c93ced8a
SHA256

6004611c0394e8c40413310cea946f1a07c82b0a720a5f496f867ced864fdd6a
SHA512

deb9e76e903f6e66eb438c649f4db6b3d78772bb4cb5c068eeb7a31ee263eb910c819900e7abdac806289a4dbb2788f980552f940481586175a7878f38a5612d
SSDEEP

1536:OuKhIcs+EqW0Ra1alCXiDW9ZxxnX4wJfX9khrUQVoMdUT+irF:OPhPRE029ZxxnIwtX9khr1Rhk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kamjda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcghg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpiqfima.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofefp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jppnpjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe

Executes dropped EXE 20 IoCs

pid	Process
3600	Jppnpjel.exe
4620	Jlikkkhn.exe
1632	Jojdlfeo.exe
4968	Kpiqfima.exe
1324	Kamjda32.exe
1380	Kapfiqoj.exe
4260	Laiipofp.exe
4612	Llcghg32.exe
4360	Mfpell32.exe
3740	Mhanngbl.exe
960	Nbnlaldg.exe
4756	Nmfmde32.exe
3940	Nofefp32.exe
1588	Niojoeel.exe
1656	Oqklkbbi.exe
4488	Ojemig32.exe
4744	Ojhiogdd.exe
4604	Pafkgphl.exe
2784	Paihlpfi.exe
2552	Pififb32.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Ojemig32.exe
File created	C:\Windows\SysWOW64\Fknofqcc.dll	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Mpagaf32.dll	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Niojoeel.exe
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Oqklkbbi.exe
File opened for modification	C:\Windows\SysWOW64\Kapfiqoj.exe	Kamjda32.exe
File opened for modification	C:\Windows\SysWOW64\Nofefp32.exe	Nmfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Niojoeel.exe	Nofefp32.exe
File opened for modification	C:\Windows\SysWOW64\Oqklkbbi.exe	Niojoeel.exe
File opened for modification	C:\Windows\SysWOW64\Jlikkkhn.exe	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Bjmkmfbo.dll	Kpiqfima.exe
File created	C:\Windows\SysWOW64\Mfpell32.exe	Llcghg32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Ojemig32.exe
File opened for modification	C:\Windows\SysWOW64\Pafkgphl.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Mfpell32.exe	Llcghg32.exe
File created	C:\Windows\SysWOW64\Oipgkfab.dll	Llcghg32.exe
File created	C:\Windows\SysWOW64\Ojhiogdd.exe	Ojemig32.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Mhanngbl.exe	Mfpell32.exe
File created	C:\Windows\SysWOW64\Ceohefin.dll	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Kpiqfima.exe	Jojdlfeo.exe
File created	C:\Windows\SysWOW64\Llcghg32.exe	Laiipofp.exe
File opened for modification	C:\Windows\SysWOW64\Kamjda32.exe	Kpiqfima.exe
File created	C:\Windows\SysWOW64\Leboon32.dll	Kamjda32.exe
File created	C:\Windows\SysWOW64\Nmfmde32.exe	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Nlhego32.dll	Nmfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Ojemig32.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Jojdlfeo.exe	Jlikkkhn.exe
File created	C:\Windows\SysWOW64\Lkjaaljm.dll	Jlikkkhn.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Lkpemq32.dll	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Kapfiqoj.exe	Kamjda32.exe
File opened for modification	C:\Windows\SysWOW64\Jojdlfeo.exe	Jlikkkhn.exe
File opened for modification	C:\Windows\SysWOW64\Laiipofp.exe	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Ojemig32.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Jppnpjel.exe	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jppnpjel.exe	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kamjda32.exe	Kpiqfima.exe
File opened for modification	C:\Windows\SysWOW64\Llcghg32.exe	Laiipofp.exe
File created	C:\Windows\SysWOW64\Nbnlaldg.exe	Mhanngbl.exe
File opened for modification	C:\Windows\SysWOW64\Nmfmde32.exe	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Jlikkkhn.exe	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Kpiqfima.exe	Jojdlfeo.exe
File created	C:\Windows\SysWOW64\Mhanngbl.exe	Mfpell32.exe
File created	C:\Windows\SysWOW64\Niojoeel.exe	Nofefp32.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Niojoeel.exe
File opened for modification	C:\Windows\SysWOW64\Paihlpfi.exe	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Eiacog32.dll	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ncbegn32.dll	Laiipofp.exe
File created	C:\Windows\SysWOW64\Debcil32.dll	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Qidpon32.dll	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Hjcbmgnb.dll	Nofefp32.exe
File created	C:\Windows\SysWOW64\Pafkgphl.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Paihlpfi.exe	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Pkffgpdd.dll	Jojdlfeo.exe
File opened for modification	C:\Windows\SysWOW64\Nbnlaldg.exe	Mhanngbl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4448	2552	WerFault.exe	110

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhego32.dll"	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpemq32.dll"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkmfbo.dll"	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiacog32.dll"	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpiqfima.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debcil32.dll"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jojdlfeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcbmgnb.dll"	Nofefp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipgkfab.dll"	Llcghg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjaaljm.dll"	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jppnpjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll"	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkffgpdd.dll"	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll"	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbegn32.dll"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kamjda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhanngbl.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 3600	1432	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe	91
PID 1432 wrote to memory of 3600	1432	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe	91
PID 1432 wrote to memory of 3600	1432	bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe	91
PID 3600 wrote to memory of 4620	3600	Jppnpjel.exe	92
PID 3600 wrote to memory of 4620	3600	Jppnpjel.exe	92
PID 3600 wrote to memory of 4620	3600	Jppnpjel.exe	92
PID 4620 wrote to memory of 1632	4620	Jlikkkhn.exe	93
PID 4620 wrote to memory of 1632	4620	Jlikkkhn.exe	93
PID 4620 wrote to memory of 1632	4620	Jlikkkhn.exe	93
PID 1632 wrote to memory of 4968	1632	Jojdlfeo.exe	94
PID 1632 wrote to memory of 4968	1632	Jojdlfeo.exe	94
PID 1632 wrote to memory of 4968	1632	Jojdlfeo.exe	94
PID 4968 wrote to memory of 1324	4968	Kpiqfima.exe	95
PID 4968 wrote to memory of 1324	4968	Kpiqfima.exe	95
PID 4968 wrote to memory of 1324	4968	Kpiqfima.exe	95
PID 1324 wrote to memory of 1380	1324	Kamjda32.exe	96
PID 1324 wrote to memory of 1380	1324	Kamjda32.exe	96
PID 1324 wrote to memory of 1380	1324	Kamjda32.exe	96
PID 1380 wrote to memory of 4260	1380	Kapfiqoj.exe	97
PID 1380 wrote to memory of 4260	1380	Kapfiqoj.exe	97
PID 1380 wrote to memory of 4260	1380	Kapfiqoj.exe	97
PID 4260 wrote to memory of 4612	4260	Laiipofp.exe	98
PID 4260 wrote to memory of 4612	4260	Laiipofp.exe	98
PID 4260 wrote to memory of 4612	4260	Laiipofp.exe	98
PID 4612 wrote to memory of 4360	4612	Llcghg32.exe	99
PID 4612 wrote to memory of 4360	4612	Llcghg32.exe	99
PID 4612 wrote to memory of 4360	4612	Llcghg32.exe	99
PID 4360 wrote to memory of 3740	4360	Mfpell32.exe	100
PID 4360 wrote to memory of 3740	4360	Mfpell32.exe	100
PID 4360 wrote to memory of 3740	4360	Mfpell32.exe	100
PID 3740 wrote to memory of 960	3740	Mhanngbl.exe	101
PID 3740 wrote to memory of 960	3740	Mhanngbl.exe	101
PID 3740 wrote to memory of 960	3740	Mhanngbl.exe	101
PID 960 wrote to memory of 4756	960	Nbnlaldg.exe	102
PID 960 wrote to memory of 4756	960	Nbnlaldg.exe	102
PID 960 wrote to memory of 4756	960	Nbnlaldg.exe	102
PID 4756 wrote to memory of 3940	4756	Nmfmde32.exe	103
PID 4756 wrote to memory of 3940	4756	Nmfmde32.exe	103
PID 4756 wrote to memory of 3940	4756	Nmfmde32.exe	103
PID 3940 wrote to memory of 1588	3940	Nofefp32.exe	104
PID 3940 wrote to memory of 1588	3940	Nofefp32.exe	104
PID 3940 wrote to memory of 1588	3940	Nofefp32.exe	104
PID 1588 wrote to memory of 1656	1588	Niojoeel.exe	105
PID 1588 wrote to memory of 1656	1588	Niojoeel.exe	105
PID 1588 wrote to memory of 1656	1588	Niojoeel.exe	105
PID 1656 wrote to memory of 4488	1656	Oqklkbbi.exe	106
PID 1656 wrote to memory of 4488	1656	Oqklkbbi.exe	106
PID 1656 wrote to memory of 4488	1656	Oqklkbbi.exe	106
PID 4488 wrote to memory of 4744	4488	Ojemig32.exe	107
PID 4488 wrote to memory of 4744	4488	Ojemig32.exe	107
PID 4488 wrote to memory of 4744	4488	Ojemig32.exe	107
PID 4744 wrote to memory of 4604	4744	Ojhiogdd.exe	108
PID 4744 wrote to memory of 4604	4744	Ojhiogdd.exe	108
PID 4744 wrote to memory of 4604	4744	Ojhiogdd.exe	108
PID 4604 wrote to memory of 2784	4604	Pafkgphl.exe	109
PID 4604 wrote to memory of 2784	4604	Pafkgphl.exe	109
PID 4604 wrote to memory of 2784	4604	Pafkgphl.exe	109
PID 2784 wrote to memory of 2552	2784	Paihlpfi.exe	110
PID 2784 wrote to memory of 2552	2784	Paihlpfi.exe	110
PID 2784 wrote to memory of 2552	2784	Paihlpfi.exe	110

C:\Users\Admin\AppData\Local\Temp\bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bebcc80a67c48c65cef68216b6d3a360_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\Jppnpjel.exe
  C:\Windows\system32\Jppnpjel.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\Jlikkkhn.exe
    C:\Windows\system32\Jlikkkhn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\Jojdlfeo.exe
      C:\Windows\system32\Jojdlfeo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
      - C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        21⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 412
        22⤵
        Program crash
        
        PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2552 -ip 2552
1⤵
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjmkmfbo.dll

Filesize
7KB

MD5
71b8aa3c7796263bd2221198a1362845

SHA1
3770b45c0083313b189bf5d0037727d6a99d97f0

SHA256
70d52a0c7b14484464377fa48a019babbecb1ad307d30a38ad95443dabdc1a04

SHA512
81d7e62f68eeaeea415bd31522149de5a53addb9d635dd3d06dbdcc4cf7068b6231aaf0459290c4e6c606cd83b307fcb667b572905dc422c8ea9cefb94493188

Download Submit
C:\Windows\SysWOW64\Jlikkkhn.exe

Filesize
96KB

MD5
d946b8eb1e958ef0554e510a96f7a6ea

SHA1
0bd1557016a5371c52f053a7c1e9aa79ac76a0d6

SHA256
d6adb4a39f79e32693bbc0aca1cdfc9053e8b4498e226e71f9ff1371109018c7

SHA512
22cf084b32146f4c087aaf6017f77184b97367547deb657fc8c886bf097cd13731b3ce051d09097ccc2e8c9c0a0d0b42419f81d4617f2b6ac4f1156f11d37b2d

Download Submit
C:\Windows\SysWOW64\Jojdlfeo.exe

Filesize
96KB

MD5
94d3999e44f60ab4f63708b3f9be3ac5

SHA1
950734879ed3842e4c0b5d57f5446fc33d90da9f

SHA256
e8d321b361014b73e71766a3889f935527f3f22144ecf1a6da0dc1cf2a60238e

SHA512
e8e999bc43ace65f0a0c1d04aa88d6cc3a1f7600d91cdb4c5f3d64b97484a9e84a1e7d478768fb9bc8986b939c5de179eca223994e1d603c18fc37c66b29ce18

Download Submit
C:\Windows\SysWOW64\Jppnpjel.exe

Filesize
96KB

MD5
9954c7269c922ceb7dfcac83b501eddf

SHA1
f85cf7655019aa131aac2cb4bf681c2ba513262c

SHA256
f183980d34cc13c425cafd99ce778be3505f7714efae7b1b7de1ed7798bb92d6

SHA512
965b30796ac4b91d9891fbab986abe60901a5e0509fc022b34e940f511b70697d3d000e024308216c8b96ef62267aa185bda0f1665cb46b81d2b14583824679e

Download Submit
C:\Windows\SysWOW64\Kamjda32.exe

Filesize
64KB

MD5
29c1c3079ae96fda98d4ea2c8cd69e1c

SHA1
2f949398a430538793ef2d8e62f3d936a3995faf

SHA256
fb0045f12564e4c54a6602c5550cde7b8201edf23031443c03ff100176e49766

SHA512
ca0dbf734482d902a72aba7c4de21b80d6011187d186c95c263c462fd7d862972c7d7b5758184a33355684f2e89d983b0c306c2167707d31eaf40627bff2750b

Download Submit
C:\Windows\SysWOW64\Kamjda32.exe

Filesize
96KB

MD5
8fb5d3efb08566bce5d532e65b033f45

SHA1
ecd4f6585689d811c9722fd9a1af04c27934e083

SHA256
54f5cd0b03682c2d832af6597483ecac531a8d179326fab38869a426118714dc

SHA512
dea9aebb780053da56f3879f25a3b4eef7ebef5458a3af74a492be4a9e0f8cb452a84e65d912ce60c59b92766c46b12ac5c576483cdcb5778563b62176be2ad4

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
96KB

MD5
04ba91eb722ae33a44146f35fa803329

SHA1
1fb308f4f32a42c7543c5f6c21f45a515507e55a

SHA256
e4eaafa2627b92c07cc8b86e81582702f361fa7509468ecf3b2c1871a6afaa5b

SHA512
e4dd2477a4e66db3bcba488c13c2d1fe5bea96de8d5998d382a1e445b4484764e1a31324c3bde1196da078925ef71c6b0c13bb14fb1c9d0df9270000c2fe233e

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
96KB

MD5
cfd6588ae3f3986a29eb591b8ced719b

SHA1
6cad18a86df1130d424467255ff07abfe077caf5

SHA256
b70f185e8c7ec9e2e3952728a009aa4557990a560847470a244b538254e431a9

SHA512
d14cd9cc57e4a98b482e08db5c9a768cbdb86d8de2c61ba30d2087cff1122023a5136b99d73b9a9ed045dd374de44f81c6e51060ff3369f44d23429a8521ac25

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
96KB

MD5
b32f342644bc07ff269c976f41e5784a

SHA1
cca6a7d869f4ec29c67b4e7448e0783540dbd57b

SHA256
e6eb9dcb059eb11938e057cc034d9bcf096af0492b596e09a519d34b2bc266ad

SHA512
9e252f8ceb65a92c470043d2dc7bf08ec235699f17b196282213cc890974d7a29f30f73fdd54e90504ffc59d669de86d2f187aee66116afc1571f00883ce8c71

Download Submit
C:\Windows\SysWOW64\Llcghg32.exe

Filesize
96KB

MD5
324bf90d518b6a3b0b7d4425879ed766

SHA1
3d25cfbf4d10662052c39d9747f7deaadfd036f8

SHA256
f838531df3d1bb6705876b0243509a37712c742e50cc6853dd6edff53fff2c88

SHA512
49b6307d9c0cb59a144420aff6156a73ed6ec6d822dd5c165fc588dfcf87fef2f2d10efe998a981c239b7dc77590313e251b388e25befea555caac4ddf30ebc5

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
96KB

MD5
7a99e130b18b9fbf2a12b435f7483489

SHA1
f71db76b9fa43b94332767739edaf97f7e521e09

SHA256
0dae8521f1a8372dbe9849506d3c5b4eabdf36c9f61034bdcfeb3a4d66673e9c

SHA512
015a73a11cf0b348cfe93ac422be9dafeb826873b185c532f5deaa207ff54d417b5b51d916a3d89a9d5fa9f284ff9ec78feb30cb3e46eba8fc076cf69e9f2555

Download Submit
C:\Windows\SysWOW64\Mhanngbl.exe

Filesize
96KB

MD5
3905b831df735c0a03e52de244992af8

SHA1
ec5a3bb6871034ce676113cd2a199d9a1dc58d2d

SHA256
bcaea5ce83022fbe3aaa4827506b081870f766c967c9f75a33d060339aa31f87

SHA512
63727bf30c90876265552d34300b56702b7502355dbdb0426b60849e92413ac1b7ad31c1c9f1818c71a9b2a0aed04adea89c3636c8286ae2292207d731823d26

Download Submit
C:\Windows\SysWOW64\Nbnlaldg.exe

Filesize
96KB

MD5
f5749e6f81a4f02f66251b5ce3dcff84

SHA1
53a4972bbc0d20f3f93e1c5eba7db6702dd6cd1d

SHA256
f7bb19116fb45e27a8616b036bcc32f9e445418317a9d5e4f3cc3b3c9c89156f

SHA512
42c7be43554e6792cb5742bc5a5b4edbb2f00ed5c3f98cbca93bb6312870724b6ba69e917df45268cda55b5199ad82a39676f808f7ce34667cd203ebbd8a99d9

Download Submit
C:\Windows\SysWOW64\Niojoeel.exe

Filesize
96KB

MD5
1ae2c5504e45505d523accfc45f7d15c

SHA1
7c92cc45a92e33d87cdd8f5a0d54b51987b5006f

SHA256
4f5b876e8930f837a251d1764754d0ee369be2217a8c6e8a55872123788cf3db

SHA512
9d6a3c77317bb8e8e43cbfa3f74772bce1da335dfccf5c35b40b7c47df0e13d401d565732b8ff288ec21b3addced87b60a28874c076ec26073a580d41ed72691

Download Submit
C:\Windows\SysWOW64\Nmfmde32.exe

Filesize
96KB

MD5
cc46e3df4c57ea7583ff6d06090a005f

SHA1
957aaec26965bde3ac1532360a7f0e45ae7f8d65

SHA256
67d11616f344bc56e78d602027129d107ef215321b1f6ce824f67b0d2d088566

SHA512
bc6e6191d3e10d37e7c7f5bf2cfe2d1194dc83fd9c1129f50e071330dae23ca1e6cf340962990b2ac6ee484dce6ad9f9d21b04c1b9e4f7d98f8f245197a1bbc4

Download Submit
C:\Windows\SysWOW64\Nofefp32.exe

Filesize
96KB

MD5
283cbd9702534fb9377eb5343e675ec1

SHA1
3d2334dcd96d1f79d9da7addb11296907b2349e5

SHA256
8a25e24c5b02b4fc486af3b7400306cdf27816bef16a1e937b270aa11f3b7e8f

SHA512
233433800c8210ce3d615c3f7d30013df550dd4a8a31684b10d6d4bd85cbe1d72f79222ff849f0e3420d776194a300934ff0f70acbc7294b1badc7c9d633fae4

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
64KB

MD5
7b9f8704023ad1316dd3c87277700d33

SHA1
75a6e43d838516a866f1e3b22f40d58832a0fc98

SHA256
2e050a8cb25a1048a114396abf4ee15b6852fa47f748a2b3fa2e35c216cbb516

SHA512
24202b16bcf402ae791ab0ce37858bac187eb87ffa0a8ff4d1bfdab60a534deec8db876177b70458e5e0bfe8014f012daaabde17b0645a3b40a40363315e67c4

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
96KB

MD5
fe4394fee14fcf871531b5b2cc4cd509

SHA1
a0704882f44cab60fec5ed509ef4a1f9f3cb9432

SHA256
2d559bc64f243b769f80e5a177fb689b83bcc70927617f0f054257ec52fa2a87

SHA512
4c6e1b20767b09cde4f6af8f769518e29d4dc4010f59a2f954826738a1395f7273ffe02a2450d1b30118b5beb0d8c5dc8c85bd4dd2b0b9e0358f4dbe86e321e8

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
96KB

MD5
1d94b66b13b98f0917532f88c32ae29f

SHA1
dab58bfec2c9edd677e39c51448904b9178d8531

SHA256
ee5d24dfe7a623d28f4194f53d4626b960468a70fc1b2cc59cd39265a4174196

SHA512
e3dd7c6935f3a7d96c39de9481cf8fbd68e0d9bb81c4f38054099525c34da13a6e93d9937312d489e6b319505f52f0c93d2aa6251d08614fbf9b881fadff9ea8

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
96KB

MD5
f84ce87ba7b4a10d9ed9c03dc6291300

SHA1
98eb08fb641793aff447dbc2b14ef7b8ba68f530

SHA256
6862f132d6c821a72a972d0360e2bc9a3e92730ffdcb626e091c4c7eed7f3137

SHA512
ec9f6f7907cd87399cc6ae1d272a7d13155ab7d2ea98b1d6eddb279c423eb4d5b3888c4bf0a5cbf091d717d1fb584b089d875aba1fae8e84b669cf3eab1c8134

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
96KB

MD5
206735c582885044e5b8389632489315

SHA1
4fa61db273cb899834d4a04c1891a50715ce09f1

SHA256
2a17923ea7cb6283fd2732cf466de62448dec0913be9b5be4dd7fd5d58cada33

SHA512
89495591943df452c56881b3bc4a25cfeb72e421b4cd8cd4b89a8cb1f426716030f2f5640e66348cc9e7143b1d8be4affc75b0e4e6037729f497b71b5eb85047

Download Submit
C:\Windows\SysWOW64\Paihlpfi.exe

Filesize
96KB

MD5
a10980370529b16d8f8410a0b7a04bc9

SHA1
4a7e740adcbea94252e57daf944ce324147c6cd0

SHA256
e54ae355d34ac57beabf6db3dbe6749e20f8d25d82b2ecf8060afda0269e9d3c

SHA512
7cbd79758cd18de11ea1681bf879c18bdb6d73f72a36547e48861a90fa05a04d994e1071420a96de8001f7f71f1633eb40a3c405ca7160e0e5724de7770587b2

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
96KB

MD5
476d8abfd9786eea2334787e713d9c8f

SHA1
d36970c946d3718b87984c29794aad34055d2b07

SHA256
713e2bf7868be0fdd8d39833e44a19f93bec02319a9670edc263fbfb24baf6c2

SHA512
f485218413cd8d6df6581e9f3bcdda4ccf0ce085108d0d532f460510b6db34561c0decd518237ed6f075d435831ed660cc555044714316a0eb640a383a93c3f0

Download Submit
memory/960-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1324-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1324-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1588-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1588-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2784-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3740-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3740-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-163-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4756-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads