bf6cea15c1bf19a17a15bef93430ee7a128dcf9c7fdd751ad0329517f98052b8

Analysis

max time kernel
150s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
Size

2.7MB
MD5

e48df16cda354962628ebbb66a992b50
SHA1

314a5276352c3a038babae89d11650f09ad5084e
SHA256

bf6cea15c1bf19a17a15bef93430ee7a128dcf9c7fdd751ad0329517f98052b8
SHA512

c6790c0db984694b73ba1039052671880347540dc3dae7205f5d0e18d1eeaee41234c59243e5303bac2020729f0c6a9235871c7892aebb18f9bb24dbdc947271
SSDEEP

12288:eEikuo2Ocv1DVqvQqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:fuo2O65hqEfAL8WJm8MoC7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe

Executes dropped EXE 36 IoCs

pid	Process
3576	Jkdnpo32.exe
2448	Kdopod32.exe
2824	Kkkdan32.exe
4788	Kknafn32.exe
4824	Kibnhjgj.exe
3100	Kckbqpnj.exe
1464	Lmqgnhmp.exe
4312	Ldkojb32.exe
2952	Liggbi32.exe
772	Ldmlpbbj.exe
4968	Laalifad.exe
1660	Lcbiao32.exe
3552	Lilanioo.exe
1940	Ldaeka32.exe
2008	Ljnnch32.exe
4764	Lphfpbdi.exe
540	Lknjmkdo.exe
632	Mpkbebbf.exe
2888	Mgekbljc.exe
2892	Majopeii.exe
3940	Mgghhlhq.exe
3456	Mamleegg.exe
1980	Mkepnjng.exe
2920	Mpaifalo.exe
4412	Mkgmcjld.exe
4724	Maaepd32.exe
5016	Mgnnhk32.exe
2476	Nacbfdao.exe
1736	Nceonl32.exe
4188	Njogjfoj.exe
4560	Nddkgonp.exe
740	Nkncdifl.exe
5040	Nqklmpdd.exe
3384	Nkqpjidj.exe
4036	Nqmhbpba.exe
3856	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kdopod32.exe

Program crash 1 IoCs

pid	pid_target	Process
4704	3856	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3576	1468	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe	83
PID 1468 wrote to memory of 3576	1468	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe	83
PID 1468 wrote to memory of 3576	1468	e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe	83
PID 3576 wrote to memory of 2448	3576	Jkdnpo32.exe	84
PID 3576 wrote to memory of 2448	3576	Jkdnpo32.exe	84
PID 3576 wrote to memory of 2448	3576	Jkdnpo32.exe	84
PID 2448 wrote to memory of 2824	2448	Kdopod32.exe	85
PID 2448 wrote to memory of 2824	2448	Kdopod32.exe	85
PID 2448 wrote to memory of 2824	2448	Kdopod32.exe	85
PID 2824 wrote to memory of 4788	2824	Kkkdan32.exe	86
PID 2824 wrote to memory of 4788	2824	Kkkdan32.exe	86
PID 2824 wrote to memory of 4788	2824	Kkkdan32.exe	86
PID 4788 wrote to memory of 4824	4788	Kknafn32.exe	87
PID 4788 wrote to memory of 4824	4788	Kknafn32.exe	87
PID 4788 wrote to memory of 4824	4788	Kknafn32.exe	87
PID 4824 wrote to memory of 3100	4824	Kibnhjgj.exe	88
PID 4824 wrote to memory of 3100	4824	Kibnhjgj.exe	88
PID 4824 wrote to memory of 3100	4824	Kibnhjgj.exe	88
PID 3100 wrote to memory of 1464	3100	Kckbqpnj.exe	89
PID 3100 wrote to memory of 1464	3100	Kckbqpnj.exe	89
PID 3100 wrote to memory of 1464	3100	Kckbqpnj.exe	89
PID 1464 wrote to memory of 4312	1464	Lmqgnhmp.exe	90
PID 1464 wrote to memory of 4312	1464	Lmqgnhmp.exe	90
PID 1464 wrote to memory of 4312	1464	Lmqgnhmp.exe	90
PID 4312 wrote to memory of 2952	4312	Ldkojb32.exe	91
PID 4312 wrote to memory of 2952	4312	Ldkojb32.exe	91
PID 4312 wrote to memory of 2952	4312	Ldkojb32.exe	91
PID 2952 wrote to memory of 772	2952	Liggbi32.exe	92
PID 2952 wrote to memory of 772	2952	Liggbi32.exe	92
PID 2952 wrote to memory of 772	2952	Liggbi32.exe	92
PID 772 wrote to memory of 4968	772	Ldmlpbbj.exe	93
PID 772 wrote to memory of 4968	772	Ldmlpbbj.exe	93
PID 772 wrote to memory of 4968	772	Ldmlpbbj.exe	93
PID 4968 wrote to memory of 1660	4968	Laalifad.exe	94
PID 4968 wrote to memory of 1660	4968	Laalifad.exe	94
PID 4968 wrote to memory of 1660	4968	Laalifad.exe	94
PID 1660 wrote to memory of 3552	1660	Lcbiao32.exe	95
PID 1660 wrote to memory of 3552	1660	Lcbiao32.exe	95
PID 1660 wrote to memory of 3552	1660	Lcbiao32.exe	95
PID 3552 wrote to memory of 1940	3552	Lilanioo.exe	96
PID 3552 wrote to memory of 1940	3552	Lilanioo.exe	96
PID 3552 wrote to memory of 1940	3552	Lilanioo.exe	96
PID 1940 wrote to memory of 2008	1940	Ldaeka32.exe	97
PID 1940 wrote to memory of 2008	1940	Ldaeka32.exe	97
PID 1940 wrote to memory of 2008	1940	Ldaeka32.exe	97
PID 2008 wrote to memory of 4764	2008	Ljnnch32.exe	98
PID 2008 wrote to memory of 4764	2008	Ljnnch32.exe	98
PID 2008 wrote to memory of 4764	2008	Ljnnch32.exe	98
PID 4764 wrote to memory of 540	4764	Lphfpbdi.exe	99
PID 4764 wrote to memory of 540	4764	Lphfpbdi.exe	99
PID 4764 wrote to memory of 540	4764	Lphfpbdi.exe	99
PID 540 wrote to memory of 632	540	Lknjmkdo.exe	100
PID 540 wrote to memory of 632	540	Lknjmkdo.exe	100
PID 540 wrote to memory of 632	540	Lknjmkdo.exe	100
PID 632 wrote to memory of 2888	632	Mpkbebbf.exe	101
PID 632 wrote to memory of 2888	632	Mpkbebbf.exe	101
PID 632 wrote to memory of 2888	632	Mpkbebbf.exe	101
PID 2888 wrote to memory of 2892	2888	Mgekbljc.exe	102
PID 2888 wrote to memory of 2892	2888	Mgekbljc.exe	102
PID 2888 wrote to memory of 2892	2888	Mgekbljc.exe	102
PID 2892 wrote to memory of 3940	2892	Majopeii.exe	103
PID 2892 wrote to memory of 3940	2892	Majopeii.exe	103
PID 2892 wrote to memory of 3940	2892	Majopeii.exe	103
PID 3940 wrote to memory of 3456	3940	Mgghhlhq.exe	104

C:\Users\Admin\AppData\Local\Temp\e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e48df16cda354962628ebbb66a992b50_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\Jkdnpo32.exe
  C:\Windows\system32\Jkdnpo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\Kdopod32.exe
    C:\Windows\system32\Kdopod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\Kkkdan32.exe
      C:\Windows\system32\Kkkdan32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        37⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 400
        38⤵
        Program crash
        
        PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3856 -ip 3856
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
2.7MB

MD5
53093c05aab5503f010941a478831a29

SHA1
a97d921c8e843af9fb59b56adde9adb54d863ca0

SHA256
cde61f8c8df232c5be7ad3a1e717de220fb63f8b98e2a1cf67598fb41687229d

SHA512
a2b75b91419774d07377a05752d792aecfc32aa2140b4396a08c12d06eaaee522d176f25a8e20e191e9e747c35486b54e3c02febb479167fa4364f834426b4b4

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
2.7MB

MD5
e0bf3508dd75081c64c98e20685e2a4c

SHA1
22bc209cd78156c96451acd38342dee39b4e4dde

SHA256
05105f4b88d9c3f2e27edaf30c50655b2aec3324f4320abd4edc77583459eecc

SHA512
7314b6ac3f394bd6ded3887cc1f24af4909871d02914551ec1360918b144b20a075c1b75e531e67e6db5ea1d8b2ff782f4f562723fb8fa84aaf5756c1d633544

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
2.7MB

MD5
a5cf6352c3a3f32a28b41d640c23e26a

SHA1
654c16f8ed1551480b9b180df4a51f1346ee078a

SHA256
454c3ddf28398cab798cf4d408f96dcc2765498ac048276d0082e35627d85580

SHA512
96ee1b26b5870d1c5463b917eca1f75267596d646d3b585d2e8916e1c01bf76b953e788eda192a0402ed52a32c0e3cc8a824835f7506cb46ea75757d72636704

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
2.7MB

MD5
bfc3748c13e363e26081c5d0ece655b2

SHA1
850fae57090eadcc1a13633533795028793a9d98

SHA256
e8d77a9fb0fe0e60ee2974086f991898cb542a4cb9af376ad5992b745c793cda

SHA512
6f29de1bc56a71935d5f2634a57b8c1ec0ecbdf25c1297de3746bfb9d029da3f7fa3630644401608a6bfdfe56c940d0430820cd4ef527940c164a089a180dd71

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
2.7MB

MD5
0a40aa96ed69f371ac1eadce647d860a

SHA1
ff72cf06f580ee76f9dbba7d3f52d98da46b5a70

SHA256
e9d25acf5541c1d71da7edabaca00b58d3057b347ecb6b0da962d02c9544cb8e

SHA512
30092d88e9e0b3d77917052c7bc696fce6e9c29d566e1ee7934e02121d05701d144d62b9d987476cf4526d22886d9f3cfc382f8a03f3641aeaf47a74b2b66e5c

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
2.7MB

MD5
742b6a6e9fd4b6b8efbb8e00ce26f03a

SHA1
21d941c9dd94415edebb4537ffd8d278544f9e64

SHA256
fac1d0bdbe43fde30ec4a3e2d589bd521c2d7c2fed5c6708fa1504e992fb5595

SHA512
ea510cc04f0602a9debf2d7befd80cc605298229c0aa1a45947d8b16f12980aa4f87fb1352f9f538dcb1ef0f8175f5214064b19065ae647f4f4af455dc275822

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
2.7MB

MD5
e0a0f9314cb5edcad2a3e2758a73d032

SHA1
d501685a3cb8d388d3e62aba8fc80e2254755870

SHA256
daffe4c1c3046e8ec12e6ecc37635c75cb973e747800b68ae6da8288624d7595

SHA512
62e8dacb4a6d1cbb6a79cecf3aa595dd0e56b1d593e1e6e6aa1fa604d720a8bcfa3c283a30b67a514a7cc235ab3806397f97d21d61fcd7380b2f662d1db4a914

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
2.7MB

MD5
779dc2c20e1cf5cfe6fbe9c8f4cead3a

SHA1
e94e581af0af3ccba2620bfa99ef808f573878ab

SHA256
aeee671274c4624c0d40ee45f007189b415b8210ab665f8fb21394a44c01c2db

SHA512
dc3f79e72469b64c62e5f3f81329d4107936181895417da969385e629ad17dde9c0fa6e476b55879efa41af14a2ac79868ec8b3472e4bfeb6133decb16cb5f6d

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
2.7MB

MD5
43f27db4ac5f0c9da448a8f4b2965eff

SHA1
6d54e9482aed22804667da78e061afbb6439b809

SHA256
22ff6676e8f4aba04678b4abea6b12f526d0bdb50bbd3d71e372b57fbbfd9d23

SHA512
8853b6e3d2c43e6fa5ab44ad2d0b9cc08f458fc6f9895124922f0db2c42a8f12d1a4db83c49f743ed4b8432bfc0220bfe2059e5da97f72710a3f1fb4f11f9bf9

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
2.7MB

MD5
0f4d8633cde85ee86e81ffda310b994a

SHA1
22194b324958d112a8984c4962511021a33f26c0

SHA256
2efd21343a33f529d95682169d0908f4c589c91a203fafd302d983cb4719bb37

SHA512
45b04a63ff45fdb9508ef54d8a85d668449baa2513194f8299de88293ac2f7b4cc863dc8692a50ea056057ac21e21984039c5a5792e8e04b9297a98d7db98338

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
2.7MB

MD5
cab9631a3c1646485a4628ed8755ab17

SHA1
137720f5ff525fc268d65ccf84140ed25bb69941

SHA256
8c4145ede806e2c5eebe816b3cb555e4dfae1f92781b27a08046bae6edb9b70b

SHA512
f2150f03bfe1a616eb06c7c1bc003c5b17c4a44f7e2134063ab209379bcd0dddc8066fa6343d59f8cbd7edc42fca9ceccba2a0d0c28a2d52028b464cd29a4948

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
2.7MB

MD5
c1d6971cb30f58da5febdd9a2b104d41

SHA1
b1d18028c0f89c27ff43d29adbe16ad71bf348df

SHA256
d71b9342565906815a734a623a79efb61e335ef616158bd8387046ff1fd384d9

SHA512
e35ff96d97d9506346c1acf8ef2e0276fc225bc11e9a93651de0c57601b44e159f10f2fdbfe365c56cc29effc5c74d67e6c571f1c3dda6e6d532034ec93ecd85

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
2.7MB

MD5
1fb8d848c62f39a6318f24e60e2475e2

SHA1
e763c74ab53cd6f99eb6532bf64fad1739f71037

SHA256
602b18a373999792c17420e7a5574be924878db2d75b21a46e76fd18a394b776

SHA512
ad27219b213574d2287d69861dc847393f3d0c1b9d06556f4a53b8184211ea7c55296995a6ddb5142c232b0cfb5ae458cfc359eb7389d3963037e07fe1245f3e

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
2.7MB

MD5
eba94a84c3e9d5213ec515e0ed7c9406

SHA1
e0320bf18e81d1b902e268653ec8714f82ad0262

SHA256
0c842cbeeec41504f53e21a4d37bbaaf1147f0e8fecb9a0f5b7e5b6c27e63507

SHA512
716db5e9d3156a5fd1308707387b220023c056bb0a6693eb07219bf913471f43b499e0ac0e4d33d3b1727245f3a87c87c1be4a2ac536ad4ec551c517ea107ab8

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
2.7MB

MD5
058a1d504f670bf807e7be3ed33ec868

SHA1
c4dcbd5403a91b78bb944a3448970506553ed237

SHA256
92e78e4b8026599b918b2911ec378e49332f6ed7a80753b182dc8b3810d47e7a

SHA512
378e998f49fc06b79151875db2cd01e6b9cd355b216d3d4dbefe46211d08ee78f87bbe900f3b5b8cd23784fb8e4232f58460a45d9f161dded41d7d467f02057b

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
2.7MB

MD5
d652ad0b044d370eedd9df094a459bdc

SHA1
cf17ea5cc8c03e9eea9ba2046de2f5570d7784ec

SHA256
310f6ad4467a7324a3d48f08f16dce687b47f64965a5ddfb29c61e594236b9e4

SHA512
8b098574fd3c1b42830f7018c0369eaf3f233d25310ada484d723d89ad4fc72cb537f8fc62284966db34f72961a206cd5b3782f62326ddeaf1be8ac3f0cc8651

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
2.7MB

MD5
2b71d6afd1306911d2bf0fb40b38fe86

SHA1
05ddf3035d08f7d01bee455f030fc718cfa81802

SHA256
86619818f062c003cd22a12999b45f1d1d2c1f4c36b439838b8d4e3b1a6f7e7e

SHA512
ed4417a3ed809d9bffcb60b449fb36bde6e81cbf58b53536a540f31af834cff7960b5e0932c1d88519c7f034cae194af5d2c20c6f03793c8a5bb7feaf8f391b6

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
2.7MB

MD5
f03a0fda79c3bfc74beadabe1e1b9acb

SHA1
aa3c15ccb64bc0ff8b66fd7278d0dbb28d715246

SHA256
1f8678040f5a0c5093f22629e0ec02efc681170514f328425583a62beb515204

SHA512
3e18067b885ed34cfc9ab291415a57946067f8bc2d9081f7d40c7d3dc1563a5c69b252137d49fd14cf7ca407cb19e3cf548abc58c9e572acfabbdc0ca248e874

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
2.7MB

MD5
42afa8bc58fe7c5e5ff082056ffbd756

SHA1
4b5467d9e9c6a9dd09e2283f867433b885cf6cdb

SHA256
a3ceb7be036dd91634c6c69cd12ac3bd97e8a7bd37171a241da20ebb4b6ccfd7

SHA512
54eb7cc1d9658ab30487e4daee9f7622a3462c9d5a8cceb43a3114aab4485375b0125828820508666f21469742d3e4c7067f59fba675a19599c261b95d7530f5

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
2.7MB

MD5
7ffa85e6b743200f01f05240caa7867e

SHA1
28e7cab78e80fb19bfe6d2750b898d1bdc46204f

SHA256
3d980547c44701b8774432862b1d3e2844abbc196dc44565bc778ed7581df07d

SHA512
2bb8b946c7155128f3e3d570fc6ba4fd33b9396696bbefd140f30c64bba8ae52e9ba70ecf6433f8ed4950f815f4475cc875099e5d0a2009ded74c0017f14642b

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
2.7MB

MD5
03889edfe115d37ad8f0da55317bdf73

SHA1
f94e3a06e8a1734a497cbeeb1a19013b0831e9a3

SHA256
8c5dddd9fc69c0c9bb2d85714746901644c5025fa508c3364c7a9017623b8d9f

SHA512
24a36c4d404ea61c92faf25298233a12aa0ca0ac4090a33918639d925cbf1c242ec4a745852b42599d66a49fe0f726b975981c81999bb260df418b769378420d

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
2.7MB

MD5
e612b25daae5a1fc14b4c85fe1ddd066

SHA1
e29eeeac0807c0d60bcc503c9dda4400a0363996

SHA256
b13b9096855cb1c9b88f17fa70faf7a82ef676cfd7288746181e1c246d4ac8ca

SHA512
93c83e97d4791a284b8ccdabf7d51d5d3d7d83a011b0a01d596f692db945bc50493d5c7fcf0eb03fca57f23a6d62e5a770884e6e77028bc3e6ede9bad5d066ef

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
2.7MB

MD5
60f2dba62bb9856fd9803225335b2597

SHA1
ef4db57e9e37c447951ec4bd28f6c4c4be9e9470

SHA256
f8e9a5ccf7f8e9c61ec1865eedf379e841c101bec3b733b88321b18f6f6f972d

SHA512
6b573c2d5f7816d4f526097d463fa3ab693e0293a7a9f9daa18c04cbddb949209b8010be4c77b67bf5910c09b295480ce0b93272ecb6324e8abd0055084ff534

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
2.7MB

MD5
4fa833ce5679c9210ef61daaa45bf481

SHA1
b52ce06c5d8ee63cb1a18b3e1c9c0137e70f0597

SHA256
37479ee8855a98efe387e72fa89df293bb84d63ebb59d5505347358f36d4dab8

SHA512
61e64e66b9f92285c8319fe8a2eb6d63678e4eca21a86bc27335095ef72f2fe183700957901bad6c58d614436b899d2148f1479ecc5a376c4d7f3f09353c4f84

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
2.7MB

MD5
b794f0e6cb98754b6934237c1cd84659

SHA1
f7fc188fb6f58de0a4f9e41d53406261ff6b4865

SHA256
a888a48b5210e9afed27679b0cbd812c1bf40166bc2ab67b810aa6edeca392e4

SHA512
bd4ba0e759498a51eedb2165680a6668f6e92e1a5236ffc03ca1026c69da45a7b0fd9e2ea8c070f77c59844f42809f6b766b778e232f1e3686bc378938e0bed7

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
2.7MB

MD5
a71a3ea61021575d74ffff8421a9c0f2

SHA1
5f4ea7e77e42b8b3e30b20f30c0c93c002fe6d36

SHA256
4fc5563875585084cc5ec3d602c741fd51cfba1252b57adf35e75bbb75b365fb

SHA512
e91a6d07ca79fc2be266b11ac782254e102974fc7c0bbdbb802399dd5f64517ef853b3732e4236b6c285e0ddd8eddee2266cda644be46cd1d1382942bf758eaa

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
2.7MB

MD5
9bbd5460a420f2021cbaeb9eb7fd9b19

SHA1
4ead59ca918f33c54931b7ccde106a9491aa2b34

SHA256
c447c1b2f45e7742583992cf98d1abb4f95b96b52c2daafeccae2fada9e20c39

SHA512
028d8f1fa66d7158b5c5ed14309841edd1a83bab2b21bf776632c108b55d1c4da788f2d6bbcf5e471304caa51cf7fe04f7e34528a819c125b5767f95755ab10b

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
2.7MB

MD5
a214ea67d8563339bc8950b1cc5d6ac2

SHA1
180fbc6e18bb68317f4b1e010e61e30fa0146d1f

SHA256
c3e2c7cfbf006888bd4ef2b287cac8a4851888764bbe0719ab85b6ead0c5eeb2

SHA512
6d292dbbb686f74af6a3e04440847845c6aa42b56b6841c791abe6e626d53a886211a7b4c6a01294cd6f610ebfd77ed91b5a90280c8ed918a3dc1d92e4404726

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
2.7MB

MD5
89d83b440aca869820bd170feb1d18b4

SHA1
0bf514207e7617ffda0a04fd6cfbc68dfbce6bbf

SHA256
b20158a716ff1c0244dcbc89f3cbf30c2b11b4bc0f0f6b5eade5fe58bd645634

SHA512
62429786296a98fbf1b6d27cb697b7c487eeb7fe26af052fac03a215ef5f0e89b50fa2d0c692c0e3e7b8e1bae483794f6c3cb607bcd8f28a002819b252e157de

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
2.7MB

MD5
30ada32038567253f375b515ccd28332

SHA1
bdab6a97c3e9768a60b5fe564cd92b4ec488c2b1

SHA256
2cfb8cb809615bfb018ed1a049a63adc7e2604a094ecd0cd0fdb2f2350635548

SHA512
6233365b5c95d03da63501bcfb0bff92c65c3fe87ea96ce9934bfa69b4f1050315e06b5e3dad116ab10acce881aa1a3d490260cf16842c2b9522bc01e4d7f58c

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
2.7MB

MD5
cc3bf19f7c0fa01745b7a270fdd10e9d

SHA1
ccfde723bf384d1974732709bd99e7e972fe1bf0

SHA256
c4cc9b18c23c541e45be99601dce96d3b3e70931120a2946f73a270f4042bed9

SHA512
9fdd9e56d014fce43e4a94e6ff5cfd3498e7cc17568cef30cc3005ba79d22931ef1d1fd632e3a7693c6081cbe3c2777ab8865235badf9fcd9e5bbd0385c2a7fe

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
2.7MB

MD5
750d1f91202507ce6e7ae5f72115b8bb

SHA1
32d6a9514a366d7e388d0e833b7f8d813c7c6906

SHA256
2131aab4b9149c9ff0c7ad647f36601a835528c19cb8ba126c002451c1a5f536

SHA512
c93bdef4360e617251e773633cfb136143f36fff7df148a6df2581b5830c9c3e91eed41b2120dc765273f06e8999ca6db4b481b95ef591310227bad605e8263e

Download Submit
memory/540-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1468-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads