242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe
Size

264KB
MD5

ed2b8804d1bb30153dc17a3725582170
SHA1

eae57bc3c5b8deb2409b538f61cd4ecf0d6ee989
SHA256

242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a
SHA512

fcf52b873288169587c1f1a536848b338df69e2373011d0d83b34940f529f4a3be0af2247c5d3690bd9684a16bd5d24c15f6160d6cebf622eadd7409dc875097
SSDEEP

3072:5rGPUhilEPBh1gGA4e24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mte:iUhiIBh1gG/TsFj5tPNki9HZd1sFj5tw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe

Executes dropped EXE 33 IoCs

pid	Process
4112	Kkkdan32.exe
3596	Kaemnhla.exe
1500	Kdcijcke.exe
748	Kpjjod32.exe
1440	Kgdbkohf.exe
3160	Kajfig32.exe
5080	Kkbkamnl.exe
1580	Ldkojb32.exe
872	Lmccchkn.exe
4024	Lcpllo32.exe
3928	Lnepih32.exe
3292	Lcbiao32.exe
3720	Lilanioo.exe
1980	Ldaeka32.exe
3964	Lnjjdgee.exe
816	Mahbje32.exe
3716	Mpkbebbf.exe
4156	Mnocof32.exe
1592	Mgghhlhq.exe
2760	Mamleegg.exe
4036	Mgidml32.exe
4616	Maohkd32.exe
5068	Mglack32.exe
2588	Mjjmog32.exe
3016	Mcbahlip.exe
4904	Nqfbaq32.exe
1252	Njogjfoj.exe
4600	Nddkgonp.exe
4528	Njacpf32.exe
1388	Nbhkac32.exe
3564	Nkqpjidj.exe
1968	Nqmhbpba.exe
3516	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1052	3516	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 4112	2600	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe	81
PID 2600 wrote to memory of 4112	2600	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe	81
PID 2600 wrote to memory of 4112	2600	242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe	81
PID 4112 wrote to memory of 3596	4112	Kkkdan32.exe	82
PID 4112 wrote to memory of 3596	4112	Kkkdan32.exe	82
PID 4112 wrote to memory of 3596	4112	Kkkdan32.exe	82
PID 3596 wrote to memory of 1500	3596	Kaemnhla.exe	83
PID 3596 wrote to memory of 1500	3596	Kaemnhla.exe	83
PID 3596 wrote to memory of 1500	3596	Kaemnhla.exe	83
PID 1500 wrote to memory of 748	1500	Kdcijcke.exe	84
PID 1500 wrote to memory of 748	1500	Kdcijcke.exe	84
PID 1500 wrote to memory of 748	1500	Kdcijcke.exe	84
PID 748 wrote to memory of 1440	748	Kpjjod32.exe	85
PID 748 wrote to memory of 1440	748	Kpjjod32.exe	85
PID 748 wrote to memory of 1440	748	Kpjjod32.exe	85
PID 1440 wrote to memory of 3160	1440	Kgdbkohf.exe	86
PID 1440 wrote to memory of 3160	1440	Kgdbkohf.exe	86
PID 1440 wrote to memory of 3160	1440	Kgdbkohf.exe	86
PID 3160 wrote to memory of 5080	3160	Kajfig32.exe	87
PID 3160 wrote to memory of 5080	3160	Kajfig32.exe	87
PID 3160 wrote to memory of 5080	3160	Kajfig32.exe	87
PID 5080 wrote to memory of 1580	5080	Kkbkamnl.exe	88
PID 5080 wrote to memory of 1580	5080	Kkbkamnl.exe	88
PID 5080 wrote to memory of 1580	5080	Kkbkamnl.exe	88
PID 1580 wrote to memory of 872	1580	Ldkojb32.exe	89
PID 1580 wrote to memory of 872	1580	Ldkojb32.exe	89
PID 1580 wrote to memory of 872	1580	Ldkojb32.exe	89
PID 872 wrote to memory of 4024	872	Lmccchkn.exe	90
PID 872 wrote to memory of 4024	872	Lmccchkn.exe	90
PID 872 wrote to memory of 4024	872	Lmccchkn.exe	90
PID 4024 wrote to memory of 3928	4024	Lcpllo32.exe	91
PID 4024 wrote to memory of 3928	4024	Lcpllo32.exe	91
PID 4024 wrote to memory of 3928	4024	Lcpllo32.exe	91
PID 3928 wrote to memory of 3292	3928	Lnepih32.exe	92
PID 3928 wrote to memory of 3292	3928	Lnepih32.exe	92
PID 3928 wrote to memory of 3292	3928	Lnepih32.exe	92
PID 3292 wrote to memory of 3720	3292	Lcbiao32.exe	93
PID 3292 wrote to memory of 3720	3292	Lcbiao32.exe	93
PID 3292 wrote to memory of 3720	3292	Lcbiao32.exe	93
PID 3720 wrote to memory of 1980	3720	Lilanioo.exe	94
PID 3720 wrote to memory of 1980	3720	Lilanioo.exe	94
PID 3720 wrote to memory of 1980	3720	Lilanioo.exe	94
PID 1980 wrote to memory of 3964	1980	Ldaeka32.exe	95
PID 1980 wrote to memory of 3964	1980	Ldaeka32.exe	95
PID 1980 wrote to memory of 3964	1980	Ldaeka32.exe	95
PID 3964 wrote to memory of 816	3964	Lnjjdgee.exe	96
PID 3964 wrote to memory of 816	3964	Lnjjdgee.exe	96
PID 3964 wrote to memory of 816	3964	Lnjjdgee.exe	96
PID 816 wrote to memory of 3716	816	Mahbje32.exe	97
PID 816 wrote to memory of 3716	816	Mahbje32.exe	97
PID 816 wrote to memory of 3716	816	Mahbje32.exe	97
PID 3716 wrote to memory of 4156	3716	Mpkbebbf.exe	98
PID 3716 wrote to memory of 4156	3716	Mpkbebbf.exe	98
PID 3716 wrote to memory of 4156	3716	Mpkbebbf.exe	98
PID 4156 wrote to memory of 1592	4156	Mnocof32.exe	99
PID 4156 wrote to memory of 1592	4156	Mnocof32.exe	99
PID 4156 wrote to memory of 1592	4156	Mnocof32.exe	99
PID 1592 wrote to memory of 2760	1592	Mgghhlhq.exe	100
PID 1592 wrote to memory of 2760	1592	Mgghhlhq.exe	100
PID 1592 wrote to memory of 2760	1592	Mgghhlhq.exe	100
PID 2760 wrote to memory of 4036	2760	Mamleegg.exe	101
PID 2760 wrote to memory of 4036	2760	Mamleegg.exe	101
PID 2760 wrote to memory of 4036	2760	Mamleegg.exe	101
PID 4036 wrote to memory of 4616	4036	Mgidml32.exe	102

C:\Users\Admin\AppData\Local\Temp\242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\242d046ce463e43d528a3e223bfe123065cd5e7277e30c2ef05e1da5a782e51a_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\SysWOW64\Kkkdan32.exe
  C:\Windows\system32\Kkkdan32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\Kaemnhla.exe
    C:\Windows\system32\Kaemnhla.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\Kdcijcke.exe
      C:\Windows\system32\Kdcijcke.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        34⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 400
        35⤵
        Program crash
        
        PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3516 -ip 3516
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
264KB

MD5
ab76eeeec366f88b354a87e592d7c014

SHA1
3eece1d901b0c7b4c66f75e0de4e82dd4c6a1209

SHA256
e6daefa70f8c67a8f749318b1b39278cdf49c399332243f47223e3fa855c64e6

SHA512
9b162bef05920d7f09b580cd9b168f30bd11ff920f8678ccb2e903f7cf1d0ff3bcc30216d848a471329180a2bf9d8eefaa76d7e27a136690385c85c04276ee7a

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
264KB

MD5
f5ecc1ec9d35a0fdb2e6d289e23cea5f

SHA1
2da09095e2db47e40c34caf8d3cd068e600c16de

SHA256
6e7e37e36b271b0aa1326872151a154ab0b372baa25b11b4d3a91b6e8ef1425f

SHA512
d4f414d3a5068db19d1f2148072c398428228204c9b6f396822674a66b7a83b48c4fbd70cd53b901a039f4d46f83fc817ae6f2352d712032912e7874cd128266

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
264KB

MD5
f431d180c100fbf77befb5068560c6d8

SHA1
f068434d9cfaf481811d8bb7f877a980fa87d232

SHA256
09d0f4ee5745452379c89af089cefe4e2612c0120d76fe338907df6c5d19312f

SHA512
d0b89fc9439f7c181d7779249595cc90747998c2a2317b5465e5927f13f6898d1aefbd20c1777c6e5c3b7366118f0df55ac5035709e6e8610c2aa1e1036bb7a0

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
264KB

MD5
ba4f638c96dee3d1812dc92a0cddfc3b

SHA1
5bc4c85bc0f18a9eefe32103bfc211250deb4e41

SHA256
413d25e92b4790a29ded4d157b5506c334d5c659eb5d7e199d1bf7944a9e8097

SHA512
2ef54a15e49b04bf5dd971e6de4cedd1851f5e9b2ba0644319de4c183caf54a46d22883963e50bffbb5f9e98bddd485e2bd6f608b60a19585eb1726b04af2009

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
264KB

MD5
043c5f947b0c83fafe229019e91e455f

SHA1
4ffaba3020e884a07d8f1c244b2fef09f2290bdc

SHA256
3c9bc528e113e5de2987ef1b633837f1181fc6565d77b0f03358667eaa6f65d8

SHA512
6d848460c5d251951a686f186586b86b314cb7411004e099d15e2c211cf0bc213efa204ffd7421312a3bd02db6e33da075fbd0e564755f2b1ff33610d4085e8f

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
264KB

MD5
ac85bbee0f24b1ac8ba4ffc3f570acb0

SHA1
74ccb5f104833ea6eb1e5d223df8108c8bb75d55

SHA256
eef257979aa1352a995875c6773dcda3fddaea722c0fc670f3255c01d35d3955

SHA512
e5ee7230c7b15b1a916b9f7cb63d3cfa11bff52c9a85ccba70335bcac33baf64dda7d6f699f8192452df3e1e63f43e95c02194cd82309ee77cafd17715dd8300

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
264KB

MD5
f404af4640df6c94fc7a6bfd5cc87d87

SHA1
cfee629fb7aeb61a98f14f78da70323c4ad6d565

SHA256
8e3f608cef75c551b448b7df9009e3e194e70676fa72872d7e3c67902bf6eec1

SHA512
0beea40f4f84a73c7f477ddfcdd07c618366e6ee29ed368a1c19f79ebb84d03e827906100e97469e9e2ac31fe48f2e5a4b4388f9e9e26cf23f079029539180fb

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
264KB

MD5
f9c285d505683dc8be248ef5cac81204

SHA1
87883b846f58e37083edaea9ce008bb40c786394

SHA256
fb5adbbf36f020920507cee950f5f3cc7887ecb6c5ba640140ebbecbcdb06047

SHA512
08a5ecdf54b6117bd29bc4d971d2f976233fa9d157371c6a6cd007eba03acb6bd554e2f03e06a0e55f10a341f667de73d1df8ba9955cbccb4c94c75a3a33baca

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
264KB

MD5
e57dae90d3524050d295e9bfd7353ed4

SHA1
fc8ed8bc8daa9956d48f1e2d5e0c9d44aaa3ca8b

SHA256
2cb8a8fab1f10bf55d927c73205fe4864f1790727e95ad0a4684db45cd1e2bfc

SHA512
563e2edb535f88662b7dd25098bfd57f46cdda4314ac472d848774362edf779b7fb57587d72cb42f7e7ce77bd02088c9fd493bbe390ae3f931f7f8971f9e03a6

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
264KB

MD5
2b5ea896884fd4bb0f4e5fbcd83f812c

SHA1
282f92da559f660a99552bd9cd1fe90e74bc0e32

SHA256
ad9200dae175456ce5944fd3b71ffbe21c4fc4c0719988b4452b6c5b10631241

SHA512
6327e3f27e56eb2b93aa49c4985211e028e59137ab8717eac592a4ade9d2800f63bdbf600e99bf43c0de4f789b24ceac6778f98b8d3385c05a48b15f2f53a88e

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
264KB

MD5
380d0d5c7293895c412b1c714e5db2e0

SHA1
496eaaec31c19f2494962fc9e3aad158c87c0af4

SHA256
3cd1d61e1b09d6e78fec2bc5505221e5d4fc2659826afe3f2ca3a4bf2016495a

SHA512
e29b7038f12b63bb85daad14be99b078cd00f51a3351dcdc992bfe939ae189e0c4aebceeda5426563707b75cbabb7187baa24e6d0325e2206a95ea0fee5ceafc

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
264KB

MD5
b7490d0dd1ccb9211a0a7aa5e0f77f73

SHA1
e6bf4c066bf3aebc8274a10dd743a1cad6a8d22c

SHA256
4f14f98e9a1f0f6d965d316bbb88db82663bbac7962e72711300a5dc6eec2989

SHA512
731c006e23d6cb526a4421a3d82bc15f2fdd8ba9587271ac9cf138cbddb105aa2cf0d5b82ffb3128b8f346187cf050ec499f66fb5e625bbf5aa27502baf842b0

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
264KB

MD5
2d5f87d8b3faa15599923d2f2a02bb3a

SHA1
47d6506e322fdf0320fccce437161288fcb5ac49

SHA256
7de2a3496c008c7523e3453184b9781e01db8f02b0c6be4f60872af3e515b689

SHA512
da744e18b8ab95387946dfd73f314fce99b58e81da6a36704898a71c821c12a205feeac117858c6e1e12dbfd8de37c44290a7b3dc728cb8e6c265b01f31a95c9

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
264KB

MD5
130843051a98b515ff00f01fe4bb0a87

SHA1
290c70757adb5ada60aa35cdd2ac89a9f0c8cd38

SHA256
77f67e9c431b946dd76905997cc4780d70350f1e68d5b4c1065587e24d553eae

SHA512
5323b1c5c662d067b40d3dbe81716912e10439b394862a379b0f61d7ae6368dfdf9687e4d4eff434f530dad82ba64104bf609ce0d0f2c1e404e4bfd64591f84f

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
264KB

MD5
7f55de0d371e9900403144464fc9af7c

SHA1
f1595d16188df365d2a741a5c284f6ccf0a2a394

SHA256
334e1821221d86a243786e509fe4ac95f357ac0dfe0461f6733f109fd71f8345

SHA512
1159210a2d693e94ae5d182505125fb441e593fb50e864a124c83966465f34a1a4bf83ed111bed01a46cb9ebe010f748b7496f2a0fac1744cc3d02e28a33d4d6

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
264KB

MD5
1a6fc23c0803ae8c99e2c9ecd988aec8

SHA1
088792483d7d96b9f051b08c85ef68ee11e5bb7b

SHA256
ca7c4491657336abcd16e6593829ad66b1b52ee9a094106a8538a24785e10b43

SHA512
f7de5a1ee472478615b9dda9a1add61adf367f9b7d06ee03aef9bc3d39ad43c26ce602c90cf91aa44742a8b320cf9294f470bed63d06303845975bb760279b96

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
264KB

MD5
b9d0709aa25d4aee0f2300fe15c40967

SHA1
99eb329093dc884352237defc46989135d1a082b

SHA256
b9da375c2fdbe3d8cc3c3b2e13751677f1946060819c5cf4bddb944d0cf93f4c

SHA512
88b6cab3d8dd392bb27f52472bdad2a692b85f1d149dbd8f3b3ee683e3a4415ab680215808e7f2706d6506921fe39cb33a12064109205f34d5da0df0d1ff71a7

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
264KB

MD5
e6c6e617601bf33adca8648d90d73496

SHA1
eb600c928b7d0c4de43646067d2c2a4f925273c3

SHA256
888a5f61fcfa3022e935e8277e56db0a55b2241b3589bac40c1c037d409d6906

SHA512
3ad01cee578f32cb6e4616755bd3ac54120ea1b5ffd6c0e0b43194646a36ef983778788410887a56f995ab6f8fa29bad273c7c6fc8a3af0695de6e348483e7f7

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
264KB

MD5
8456ab0e160af1a0dfeae436e0366f92

SHA1
ac44d72ecff01e21a161700fa838215730294313

SHA256
aad143aaf9715d0427e84979c8234b0178a5005ee5cab0a7965d4c8cbb3d59ee

SHA512
bd8aabe9bad7160b041c722764d9ff0c207578fccc218b954e5c81cc67394da044ca82faa7c0572c1ab5bbe286c04b57073969a6839683c3ee8d23bcc1a52ae3

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
264KB

MD5
34659a3fe3d0a3171347ff2e6dba3f21

SHA1
7b2cfefe77f64d749b5930fbe267ab1da5fcdb69

SHA256
4b066ec16522e5694af9483b53010866600ffe59ca3577ca88763aaef668139f

SHA512
7da4fb35f7ebf93c3b49d5a7a9e1fbbc0b7bea072d1eb3aad8003e1ceb6275b48f8fc85b4ce4b229b9e2b155d00259d5569780a4a8dc21b02cc8cac5a5c47285

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
264KB

MD5
ce48c96795b43369f3b004782aadb61f

SHA1
4be1ed2bb6d2f6cb45067fd21bc0c481e93dc310

SHA256
7f6d00375e8ed45a97352203152133514035a1fde055dda2c0f26c443a6765ff

SHA512
2494f40c469d431b10c75b521d63e6daa2c6b901fb1b90b5415e4fedbe666d6cd4c01b110c066d3b381f5be3f04137dad0fef3b166a3cf6a8dda2e2823012a51

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
264KB

MD5
eb6aed15dbd3229841d609e800d8ab2f

SHA1
602b39ad525c5fd5e78f5d8f05252f3bc17b1489

SHA256
a9d77aabd30722aa8191a4e18194c1403dd7e558ee170729fd9d6ace5d912215

SHA512
882fc9b3e79a6fb8b35a4adb2332ddefce4e105bac29443c8e578a203b719ddac9204d2c4967506052c0ea318a11dd4396914cd502adbe57d858fcf131376fc9

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
264KB

MD5
edabb7ffec4bcd5af849f382ca5a75b4

SHA1
ad1bc5840f09625c0560d7fc06823e9d3651ee72

SHA256
3423b3d4e262d711420bc3efed6c891c0ed69f8cd7281e6814634b0869116160

SHA512
805c1b751b34d7c65aa6fc20cd36e1a8cc2fcdadfc2e76da381730b4943eeb1b4b571571fa9ed2155751c45fa8b835fd2b0da569fa203267ed3a37a13a519814

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
264KB

MD5
5818b2a769ef5ed19a9be4a07fbc5073

SHA1
ec677a578fa493dc4aa57c9e1435159cb8de9519

SHA256
018a38c0f8371e6b1b0ebf4d81052145515d8a01ec4823de1702738aef85a993

SHA512
828a880794ffbc17e4ef32adc3db9c78f8d98059c857873c1dedea79ea4df6fb59c21a31f93a6ab1844bba912d56c7f59a1957d4e2d180b353ad8614f934b7d9

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
264KB

MD5
05008cb142923ad1af9abb0b7d902c93

SHA1
735808e9e7810edcc6ff5e8efa51d8f5d3f0b483

SHA256
16bf733d863a0a438ed7b66f40ca53d9bfc031d3cae8fd43dcdac84d49da1cfb

SHA512
01cc33c47b240b449a45d802b87141f3d44da1e5a581bc18e6f599bc7a51aaf5fb77fb86b611d6551b58b1c997d7c9753565a859320d58df79852b4d24f8d563

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
264KB

MD5
5d563262742ace3d237970af9b79fdc0

SHA1
400b31a5993c1d9295d1cd252c4933eabe174345

SHA256
a37709079369e0eeead7b02dfd6d01dd51e7ddcf92ca0515b36c6cc3be0314b9

SHA512
7e6139e2e9c8eca6d026300a052e07c1a1679e063f1b0e3831884ada50cc98e187110094a82136f36d9e0a55cb49afd7a726f325d434eb5a028792edd8922155

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
264KB

MD5
7d0066d6ab6ce7ce734d21a44bc44da6

SHA1
56ffe6a2150b3e819bc73787db2db37f7da77224

SHA256
c3e4ae0d43bdbc7b74f6557e4c1c1668cba775797347f45f39b9fad7c191d6cc

SHA512
97e3d1703180683900914c8b9d582f207c786b20a0b82a5ab857fa785dae4c144f3b1e85799a59f35b3c85ce428c8cea12012e779ae794a99d814891aa24ccfb

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
264KB

MD5
77931bd7255b4a0bccfeb8941aa82383

SHA1
10098815690bb2defd5d76c2666cb3c3c24cf190

SHA256
4ed1587a7573b3c07084a0490dfe570068c3956866235cb416c7544e9d1d8aa3

SHA512
e20cf1e6e9c93768268a66c0dd8cf124aeed42e284cdc119a6d452ff8e0ae8e586ebbcadf158cca92928da6c19293c436be49d87776d3e0f247d69c967688a75

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
264KB

MD5
08bb6f8bced052f01a55f8f2a92e917c

SHA1
ab0c87d6b6b1e6d6afbcec51fb76f7555897b10e

SHA256
7489b5cf9cf768191606442b4bbe37688745e003ec72c748e0629066557c8218

SHA512
23156bc9f5f761cc979fbfae648bd6ad799ff2eb60089efcde0cc349e92bc6dde21bfb97b3925a3702687f0460297e1de5901541e2809d1f382b20115e71023d

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
264KB

MD5
0cc46006db9f85ff8ca52981d13f6122

SHA1
b192072c3e6b14fe4fc43a0e86cc177307c791f8

SHA256
2bc9a40b462560ca714b6e849ee7bc710c6d4e3095046f1d78f35e1787c38eb0

SHA512
c85668690e375cc9c8ee635ddff8c7da836ba7db8fc4a0ab32393ffbde250d4e64ea56487cae923021eb9f7e0a924d553b25bfefd0d9887c43374116b1ecc584

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
264KB

MD5
5c2de0c706c422c578e85364159beff1

SHA1
29b2275468a1ab6ccdd74ed195e5a70981308929

SHA256
2d0b202dfd94bd25774efe48dee11316c79326fb9fce09a30ae572e9f56f1ffa

SHA512
f24793224d884c907c1d338e110bdf4e4e89c2c7af829d8f44344933e3c138d7f894991528389c34455111f5a24d5e70ed1c54edc9f74de79b26321a6efec6c0

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
264KB

MD5
5895c1c9185e05263bac7e811e00ae7b

SHA1
eec91aeefcc26bc0e3dfcc5753e6e584396c3d56

SHA256
48e1fedfba3212e059ab1de4fd5e2685c91fad2fcbdb53fe99fb939921c1ec12

SHA512
5ae02fec311d2d8919aab2a4e9ab1e0ea17c310bb0316f84861d567fbc6b4227ebc559b169a0687f1c9698bcfe39dae677cb953c76b56fb35f31b382a730e923

Download Submit
memory/748-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3160-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3160-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3564-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3564-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3720-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3720-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4112-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4112-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads