633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe
Size

352KB
MD5

fbc9c9e32e934e000a85f1415ceb9ac0
SHA1

54adf5915619fabf46edfe9466e879247e7aae90
SHA256

633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03
SHA512

7304359cf433075918b77e8473e698a53268712781af6ebc1f2909d274a3ae677412800d8b63f9bff22a7a6ffea4bd9525379003ae74a34d0e90019ab1b0932f
SSDEEP

6144:lkw9spBnz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:/QOsUasUqsU6sp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe

Executes dropped EXE 39 IoCs

pid	Process
4540	Jaljgidl.exe
2236	Jfhbppbc.exe
2680	Jbocea32.exe
3124	Jiikak32.exe
696	Kpccnefa.exe
4956	Kgphpo32.exe
2496	Kmjqmi32.exe
4420	Kknafn32.exe
3320	Kpjjod32.exe
3504	Kibnhjgj.exe
3224	Kgfoan32.exe
3632	Liekmj32.exe
3044	Lalcng32.exe
2524	Lpocjdld.exe
4220	Lcmofolg.exe
5032	Lnepih32.exe
1852	Lkiqbl32.exe
2004	Lnhmng32.exe
3636	Lpfijcfl.exe
1740	Lklnhlfb.exe
4272	Lphfpbdi.exe
1720	Mnlfigcc.exe
436	Mpkbebbf.exe
3032	Mjcgohig.exe
4528	Majopeii.exe
3208	Mcnhmm32.exe
1904	Mgidml32.exe
3864	Mglack32.exe
1172	Mnfipekh.exe
4356	Mpdelajl.exe
2664	Nceonl32.exe
1128	Nnjbke32.exe
4340	Ngcgcjnc.exe
5084	Njacpf32.exe
400	Nbhkac32.exe
1488	Nkqpjidj.exe
4564	Nnolfdcn.exe
1284	Ncldnkae.exe
3892	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lcmofolg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3200	3892	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4540	1116	633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe	81
PID 1116 wrote to memory of 4540	1116	633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe	81
PID 1116 wrote to memory of 4540	1116	633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe	81
PID 4540 wrote to memory of 2236	4540	Jaljgidl.exe	82
PID 4540 wrote to memory of 2236	4540	Jaljgidl.exe	82
PID 4540 wrote to memory of 2236	4540	Jaljgidl.exe	82
PID 2236 wrote to memory of 2680	2236	Jfhbppbc.exe	83
PID 2236 wrote to memory of 2680	2236	Jfhbppbc.exe	83
PID 2236 wrote to memory of 2680	2236	Jfhbppbc.exe	83
PID 2680 wrote to memory of 3124	2680	Jbocea32.exe	84
PID 2680 wrote to memory of 3124	2680	Jbocea32.exe	84
PID 2680 wrote to memory of 3124	2680	Jbocea32.exe	84
PID 3124 wrote to memory of 696	3124	Jiikak32.exe	87
PID 3124 wrote to memory of 696	3124	Jiikak32.exe	87
PID 3124 wrote to memory of 696	3124	Jiikak32.exe	87
PID 696 wrote to memory of 4956	696	Kpccnefa.exe	89
PID 696 wrote to memory of 4956	696	Kpccnefa.exe	89
PID 696 wrote to memory of 4956	696	Kpccnefa.exe	89
PID 4956 wrote to memory of 2496	4956	Kgphpo32.exe	90
PID 4956 wrote to memory of 2496	4956	Kgphpo32.exe	90
PID 4956 wrote to memory of 2496	4956	Kgphpo32.exe	90
PID 2496 wrote to memory of 4420	2496	Kmjqmi32.exe	91
PID 2496 wrote to memory of 4420	2496	Kmjqmi32.exe	91
PID 2496 wrote to memory of 4420	2496	Kmjqmi32.exe	91
PID 4420 wrote to memory of 3320	4420	Kknafn32.exe	92
PID 4420 wrote to memory of 3320	4420	Kknafn32.exe	92
PID 4420 wrote to memory of 3320	4420	Kknafn32.exe	92
PID 3320 wrote to memory of 3504	3320	Kpjjod32.exe	93
PID 3320 wrote to memory of 3504	3320	Kpjjod32.exe	93
PID 3320 wrote to memory of 3504	3320	Kpjjod32.exe	93
PID 3504 wrote to memory of 3224	3504	Kibnhjgj.exe	94
PID 3504 wrote to memory of 3224	3504	Kibnhjgj.exe	94
PID 3504 wrote to memory of 3224	3504	Kibnhjgj.exe	94
PID 3224 wrote to memory of 3632	3224	Kgfoan32.exe	95
PID 3224 wrote to memory of 3632	3224	Kgfoan32.exe	95
PID 3224 wrote to memory of 3632	3224	Kgfoan32.exe	95
PID 3632 wrote to memory of 3044	3632	Liekmj32.exe	96
PID 3632 wrote to memory of 3044	3632	Liekmj32.exe	96
PID 3632 wrote to memory of 3044	3632	Liekmj32.exe	96
PID 3044 wrote to memory of 2524	3044	Lalcng32.exe	97
PID 3044 wrote to memory of 2524	3044	Lalcng32.exe	97
PID 3044 wrote to memory of 2524	3044	Lalcng32.exe	97
PID 2524 wrote to memory of 4220	2524	Lpocjdld.exe	98
PID 2524 wrote to memory of 4220	2524	Lpocjdld.exe	98
PID 2524 wrote to memory of 4220	2524	Lpocjdld.exe	98
PID 4220 wrote to memory of 5032	4220	Lcmofolg.exe	99
PID 4220 wrote to memory of 5032	4220	Lcmofolg.exe	99
PID 4220 wrote to memory of 5032	4220	Lcmofolg.exe	99
PID 5032 wrote to memory of 1852	5032	Lnepih32.exe	100
PID 5032 wrote to memory of 1852	5032	Lnepih32.exe	100
PID 5032 wrote to memory of 1852	5032	Lnepih32.exe	100
PID 1852 wrote to memory of 2004	1852	Lkiqbl32.exe	101
PID 1852 wrote to memory of 2004	1852	Lkiqbl32.exe	101
PID 1852 wrote to memory of 2004	1852	Lkiqbl32.exe	101
PID 2004 wrote to memory of 3636	2004	Lnhmng32.exe	102
PID 2004 wrote to memory of 3636	2004	Lnhmng32.exe	102
PID 2004 wrote to memory of 3636	2004	Lnhmng32.exe	102
PID 3636 wrote to memory of 1740	3636	Lpfijcfl.exe	103
PID 3636 wrote to memory of 1740	3636	Lpfijcfl.exe	103
PID 3636 wrote to memory of 1740	3636	Lpfijcfl.exe	103
PID 1740 wrote to memory of 4272	1740	Lklnhlfb.exe	104
PID 1740 wrote to memory of 4272	1740	Lklnhlfb.exe	104
PID 1740 wrote to memory of 4272	1740	Lklnhlfb.exe	104
PID 4272 wrote to memory of 1720	4272	Lphfpbdi.exe	105

C:\Users\Admin\AppData\Local\Temp\633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\633d773b49b27f286cb3491b9b5bb98d98b5306801353331758049783879db03_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\Jaljgidl.exe
  C:\Windows\system32\Jaljgidl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\Jfhbppbc.exe
    C:\Windows\system32\Jfhbppbc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Jbocea32.exe
      C:\Windows\system32\Jbocea32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 408
        41⤵
        Program crash
        
        PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3892 -ip 3892
1⤵
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
352KB

MD5
fad56b185ba0d838cf00a339e3c97950

SHA1
6424304e7e6a48eafabdb85146ddc06928911fb1

SHA256
1a91c5c2ff14f6ba510ece4f7c49b2e042e6595c86e2c1faf17dddb3e3548b3f

SHA512
ec4bd657116aa8e0cc6ea922f8ecb8396b522eb6bc1fcda38211f587372ccec1b7edb304282886473b1821025d3f6c8757050479f13a2edc326f5755a9741918

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
352KB

MD5
d079a8298b7da3a4be44b75a30b40b3d

SHA1
934bf91c3ba7773cd9f7446b22cd3c6b73d889d7

SHA256
ec450c5108343c0383603caaab03a5681e3e17191684d1ead184dc19cc54204a

SHA512
d68e340c1c5a2b9a7aad2f98f9980ba645d64ed4f58c20f0fdd3bdf24436b94eb82ab282ea5061c1f1e7bac5e73910bac1ca32ecd0befc8d1cc3a6a30bd72e37

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
352KB

MD5
c6dd25b584aba7cc4f8471c8366ddc35

SHA1
ef047b1553f5c39833036894ae6c6d554a4c2c6e

SHA256
277fd3ab0b389338fc383877da66f2a13cd2bf40a0e3c4b82c0f95af7c809bb5

SHA512
1644ffcdd18e994b6927fa723ebab01fa0b95a70df99e635607903898afff979ca1d9bf680745ad7fcf9a63e5c45a423b07645a0bf1c871cc1a95e6effaed33f

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
352KB

MD5
0547ed6078f469f7d7e93b3097d6f8d8

SHA1
2dc4f465ffe873a593d5076095b9f20b4fd8fe82

SHA256
f5fc0fe23029d17892b12522656643c2597c0e46d0eb0880cd0d06b107deddda

SHA512
5d2ba88f480132813ce9666b440a1ac43bac9c2740569b8fc4c18d381bff9aced834d8ccea422efa5eb4c08f1e620431d0bd45ee092eed06868515a9a38a9a8d

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
352KB

MD5
2919a604a79ffa76196ad59a4c527991

SHA1
2eda9b4aeb9e678f241fa34591b12b1384b77b99

SHA256
db1f3821e242299aee67f491984cc9bfc24eb870fc9890cb752bafc11d68497c

SHA512
77176aeeb5f5468592ef55d56e92907c141d435dd03d1ba17e11d7cc09f6c8363db03ffd8b7f431cf966fc682c475bf274e149370d4f3db7a1f4f5b4d09ec0d4

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
352KB

MD5
d3c4f7ad172c59823e0764252212718c

SHA1
a5d5bb20b7c6aa404f652d90cadcd44322451d57

SHA256
0e5b86babb84d7e1af9c5f766f3afca85b8b252eafb48748732158f635dfe218

SHA512
953366fcda898cd24ce615bebfa47b8c85ffab13f2bb5be5eea0a61de3ed0a19fc7466ea438fd12cafe2bb297f3d3b496de02e2e95adaddf693b34d02d6e73f7

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
352KB

MD5
135fdd1e8acd146c25e76df97b8e8456

SHA1
4401591b84a2ac4bd0d17c5574530edec2fc1ab6

SHA256
fb1e9eb08461b4bd17e0cfc484b0c59c089db9a78424528701d004388c8aeaf0

SHA512
472dd4240c515f04c219f9a0c0770689e86c81ea1fb7e4f612e8991d94f338be86ab0c2ab4ed0b6854c03259dc7242b391127c8faea304dbbc2faa0f438c8695

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
352KB

MD5
28bce163f2e95bfad4c6ce3cd276c39e

SHA1
aa62141a50e3c75e1b036bdc01b28497593c7e95

SHA256
44a3518da6f67603e1f821d4f47214ee5ed00f106305f6b5f0d364433805cb73

SHA512
d1d920e380d8dea87fb44a141cc4a4fb4aab5432b1701c04925c5d55045e6b72dfbc9adcaa481466ccd591cc97072d0ccd6861ee748ad27a855cbdd9219826f7

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
352KB

MD5
97d0cd175e6ec8fd2f8437b149aae166

SHA1
f24d37fea6cc4dc6b872c1fdb4e40d31170a5758

SHA256
55d7d429bb5e5c33f86c13c2779185806b42cb17de48264e277902a9e7d1f546

SHA512
095d1ddfc502bef1a34b9bced5f862b0fca028800581845e7a224a91ea1f079e055d31e8ccb5511fded34fdc0f12a94aef25fb06c1ce636e66f3d0eed5ea06be

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
352KB

MD5
d78c887865caec44ab141eac26e62e14

SHA1
83c45f69fc0f85d8738f2e7f04d5614bd332989d

SHA256
e7a1a22c319b65422d3961fdc481b5f512b5fa14eea518702643e8f82d47b57d

SHA512
287a5f3e0ebf3b26913f051f40d87413721caa46e85eed75aa9de5bd187d58ea13024050a33ad87e9b34f5f8829632020394d9390a96466287cc2a482307e5ab

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
352KB

MD5
31f4a9c55e44e3acf4c60e86c429a5d0

SHA1
3790e8629f8658576aee7d88412534eb0a1058c3

SHA256
5b18b1b6514bda74fcb5d7129054868ad08ab47b64a7f5da6e4fa6d1828d1a13

SHA512
4e19d4545ae1954b0dcf1064cae09a5416022d3ef38d0761ef8b2bebd9dd49bb77278549c00a100e8eb2bfa6313aa19f96205e9d71d738616bfa2fcaa51821a7

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
352KB

MD5
89a2edb8d454bd8ab554d55ead24f5f8

SHA1
07d097290f21364e9d2b9ab7073d2168cb41908c

SHA256
ce0baaf29e0eadfee8524b895682a0dfc25034b34b83bf6a7e53980859988267

SHA512
9f298d894c3aa7c00ead588105b58c40819aab190f4c3650941f7f3169445d62ed18153b3658a74ad329d1b17f96e02033837076a25aabfd5d54962596278348

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
352KB

MD5
8ac119829cdf433dcaec24eb8fa4e8b8

SHA1
38ee4499320bbba026a7ea23e60b5cb5b8633c89

SHA256
2457296c722f82699227282c465f6efe146c4f5d0b2848a8797ac47af0188b1b

SHA512
1f3fde1c679d2fdbd3bb15a0d3de3286edd8dc0f63210381d78f5a6dd8797658c8c9227b67a785e9b41f484009b4feb4f73a21c6d502f46d1184c4ebe6513186

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
352KB

MD5
51a3cacc85a0da48812fe1ff8b475285

SHA1
f4c936485a1ef72653111374c4a8cfa4d8775241

SHA256
3875664426572d81f29b19ea3f1fd0fac31c2cdf29f7fde750b0f805fcc3d8f9

SHA512
f3163102d8bd53461c06fa8400317cfa2fba597838397eeb867d639c9907ad749f70e46868ebfe20524cd49ea874da692914f4ca4fcfed53d0dcba6bf3af0da2

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
352KB

MD5
eb71bcc25161cb75dc409cdb26d480cb

SHA1
1ccb46d6c4047fdb4bac665cb06d8a0fdd10fb3d

SHA256
e5169dbce75916cbceb030f7080751b648a3dcd8479fe9944d61c64155fcc136

SHA512
5236c7dc54c0a14c01989f61b4c8902e8d51e5eb312b309063fb7e073d779e56549fe693de6de1ffe455f25f4cc3c284291499bb4c0b83b066b174544961b3ee

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
352KB

MD5
57bc8d4b3153bfb74301b0ed0b982339

SHA1
f22d82cfd22b503f5e8bc3fc64563aac77637712

SHA256
eec894865ccec8d7689e0501ff9018ae1b5d36fe02c7fda805c308cc4444f7fd

SHA512
e7b2e97674da37c47412b602a3c75ecd2bde081bab557a5e653eb641fe49bf2749a8667dbb476a39ebe5cb115ef42be039bb995505e1f7803af9a2b59d67b1e7

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
352KB

MD5
166afb2918ef5d53b6b709d91d49494a

SHA1
775078b210409dbcda3294e81f6710842fb6ad97

SHA256
01cf1240d098dcd9c8bad9db6e2ec5da33ce31d1ab749150ae1533d47fd157bb

SHA512
b3243d9193b598623a8ea56fac390ee8263d3bfdb46678323b1a72baaadd7d64ad2c5505813180fd5e9f64531b2d92ae169d6a0c4e028a88154518b92cd1dfa3

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
352KB

MD5
6f20d66cce37f096fcd41badeb84b1e3

SHA1
13d4a870a2962cfe001a29be80997880d58094dc

SHA256
b55e79014505fd0ba301696af48552f7965545586866327437bef0a77d90fac3

SHA512
8d3005b6c90bf87f3a9a701b68aee31f4644598c48212e7c075ed442de1fb061c8bd1b07c49996526b5d90ab9514801a131bb6a7bc59a841d79504cbb5f36725

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
352KB

MD5
4dde732d153c8a4d34a428a0ebb8b2af

SHA1
d28c32453946369f8d3197043cd1183d4137bcec

SHA256
a96b154bed0797f7f1f0dd3aaa8f7cad2bf75efc444b1df2ad583ca5295ae73f

SHA512
a92993d83341e393fca7fc804e549455f71687deaceb3cbbcc65bc433c218c6b890a4a8eafd086052274a6e9192819b938ff5dc4961980d34aff700b3a77bae0

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
352KB

MD5
1c4b6895047fa513097db648954b4a6c

SHA1
67ab8d2b872789d62df593b1f5abb4bd7b8871ca

SHA256
ac796f08c268c6ded50ad6e54f2780ceefc3d384f49563a98d5c18a1d5cfd532

SHA512
331dfc24ed2bf266fddf20a362e44c3da8f1c0ba6e70760c82841e8b9e83a4c41aa0d8ebdbaa629f62de20443401cc32f3516700d1d826c9db6b545c907cb1c3

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
352KB

MD5
fde21499028473b11c28a2941de9ef8b

SHA1
2146109043624f426f1c33e1f65779e5a068e81e

SHA256
830a1d91b7345e8cf54210fbbd8f1413adda916393a659ee89e2a3c43823dcfa

SHA512
225070295e7fd9f5b476f802eaafb7f9659b8985416095c3880c7aab26f97ca0556861084ba37d54537bc1b37380d1c7bb3cae7dfc877913cf50aac08f3a5e07

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
352KB

MD5
6a4edd7ad021ff6c8508e68a88683cca

SHA1
b3196d63987bee25631660426346fbc66ef1da2e

SHA256
0a2c5a6971b3aea7c8efd972ca52e6d4901f13cedcb5e00142d505ffb8563b07

SHA512
d446cd3f3de07087cf27cc482bda33a7d24e928efa4e1e99fa076bf7576b63e58b13adcf9661a56a588769a4683ea4da15dc08d2869214e36d7d0e60ece61e62

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
352KB

MD5
42679afb25c24d706e2d011b83fdc259

SHA1
800163e42c11d1f071ce4afd43c8c7d83695d475

SHA256
58565ac07a911dd147bd21feb86c08a712799d2609dc3cfe690f14aa818a4051

SHA512
61a809dc751980e50c2f6847ee3b44925738eff8189ae87f99fec0007dc165bb92e373c8dbdd6c70b86c2ab06e91d8c79ada1c088b8af655343f6ec9779ed7e7

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
352KB

MD5
933ce9e485fbc1af84dfe614522ed1c7

SHA1
114d237f5cfda8de62f63dd081f7870cc7596f81

SHA256
f54b2e8d0298c4d57051414ba70cd2a3a581fb506e0ac490500498def9e7a0ac

SHA512
3f9a161a239d37dd6b71214a54cc04fabe15955f3c61e30240c8c4b39f1071d1502c681a1922479b2bd2456e90f77c66c3e6b9abac5f1eeeb04ec6c47beb5ccb

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
352KB

MD5
93ccda8dacf8ce21ef5d5e67144d7824

SHA1
5a8b5ce24579be1e23830de68d0c379ee1371cf5

SHA256
6b1ee6e05d62c9c2d0c036014a7ae51680349b6cd3d4d2ea6aafd61ca2750d7d

SHA512
1ba327624841941c236c9413aa796ab4ce30abab7e9f8b176c5f6af097aa37d2747ad8957b0df4a548731dcb70ca623cf71b1cc56b76201372ba5ca892986362

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
352KB

MD5
435a8a9114c82fd822608be3365824f2

SHA1
83dbb0018e5f17eef3cfb7ea17b1c87b5402caef

SHA256
ab65f6fa00ee114aec99aa3cd7da2797fc7c53d7f8bce8d472d8ff0a1f9fa25e

SHA512
2a53a40d26289310f7e469a62183b3a011e25616fdc59871e1dbe49620bc416d3c63b0795243fe978dc6d81470e352f72f72fef89a500ae5d468d2e0fe7d2689

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
352KB

MD5
14dc05a7c65a037e6fe0d78d0df93577

SHA1
8840784bccf9727c4cf037e89e8654569474dfd4

SHA256
24bf3c43adf19e2bb72fa02e5dafbb759198e7d87738410ff2685e37641b6d56

SHA512
cf1f5649113e079776b8458eb6bf35d1687795e82f6c8d854b44f5f446f20da57ca16ccd4994cba2ab22de292d014871e9933511cfb465d6d4aa62fce1c27421

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
352KB

MD5
bf57871179934cd3c2703e6686623d7d

SHA1
4fb941f2cc40b51417a34832a3cc2d4c75f26bd4

SHA256
25a7759a4482cc709f5136472c7820c6e58cdcf7c8428bd77b2a161b07d9c77b

SHA512
c41f64685f723fa541940a30303cde10b4ba4b8632f842ad358a27808e87374c466785d63f831029ef1b8b3e7bcb9ab7a8600fe402cb0e6fb3f712f60656b60f

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
352KB

MD5
6aad921333d58151d06a320ee397b6df

SHA1
4f577413beabdf6e5e5f3b7218add1c089a2ef5a

SHA256
39ff112dad4637f59b5b9fa6a7e7caf99ce61b9f42c735c275457e874c194f2a

SHA512
31bbf4a48448d6e86d3c102a65988db4e265236e1b9ccd568885bb5c057a83bee43f85461f15fcb27742ccfe522226e5bc9e5f065788aaed15cdca7fe4ab7fd0

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
352KB

MD5
6b367eaf0bd2690b077e62c03a950028

SHA1
519b9e1705075f023c39513ee62674dc64f8857f

SHA256
3dc0a1067011036909c30d58fde5db41ebc355f9fae484b7c2f8d96ebd397e5c

SHA512
34d7be808983d3bd83067d202fc7688d43fc92dd449789198ad8d1b823f9f962f497ce432cff4696947abb88722fd2e173eb9e279a23d33a5c73355dbaa2990b

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
352KB

MD5
0fb55cc6227228a7dd0719cff431fd2f

SHA1
d58b8bf004bdee39034b5bdd70b143c6286dd830

SHA256
059ef76779e154f45bfe2ab714f2fe2f0fed16147da6c514ac6eb03f9be762af

SHA512
bc1622587e6f3755b088c74a1cb8a97140255f1c08ce3bf3dc55b97a579c839e3b5016f3c134945f30835dd6c9df4c1986f72de41fcae65f6c943d06e8f4cc4c

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
352KB

MD5
c0fdf09a154f7b4ef6f5242cc02dafa9

SHA1
b810574d88255d277243a4e2b9603e7d790356ad

SHA256
c5da385c6941f02421db2d65a10346c46e0f5a91e58f7b47e66bdedfb4d91ca2

SHA512
2fe96bf8d93fd4aefb371be0e497d42b028c08d675b7f19d1880a39fe2b26de4a39ead2e215ac7da821e9dc4ac2fc5698edc7e5d162a7bd07849b539a2c5c1b9

Download Submit
memory/400-274-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/400-307-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/436-184-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/436-331-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/696-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/696-367-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1116-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1116-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1116-377-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1128-256-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1128-313-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1172-319-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1172-232-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1284-301-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1488-284-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1488-305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1720-176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1720-333-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1740-337-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1740-160-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1852-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1852-343-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-216-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-323-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2004-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2004-341-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2236-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2236-373-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2496-363-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2496-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-349-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2524-117-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-315-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2664-248-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2680-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2680-371-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3032-192-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3032-329-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3044-351-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3044-109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3124-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3124-369-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3208-208-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3208-325-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3224-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3224-355-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3320-359-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3320-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3504-357-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3504-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3632-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3632-353-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3636-339-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3864-321-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3864-224-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3892-297-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3892-300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4220-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4220-347-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4272-335-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4272-168-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4340-262-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4340-310-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4356-240-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4356-317-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4420-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4420-361-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4528-327-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4528-200-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4540-375-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4540-8-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4564-303-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4564-286-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4956-365-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4956-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5032-345-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5032-129-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5084-312-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5084-271-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads