6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe
Size

479KB
MD5

d53c8c71b4bd3640ad8db443d7286e20
SHA1

c900d4dfbbfa88dec141f6cccf0b18511965bd3b
SHA256

6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062
SHA512

a4e61fa9dcfde40aed6927b5eb13fa93a4f456c2d6afa265eea2547d2a84136537d6120e1e5b5e159a4bed569aa908fcc7d67bbc55dc8617d3a3cab6ed67ebb2
SSDEEP

6144:dsO2A+sycRJ6EQnT2leTLgNPx33fpu2leTLg:2vuRJ6EQ6Q2drQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe

Executes dropped EXE 41 IoCs

pid	Process
408	Jidbflcj.exe
5048	Jdjfcecp.exe
1280	Jkfkfohj.exe
1852	Kbapjafe.exe
4396	Kpepcedo.exe
64	Kbfiep32.exe
4468	Kknafn32.exe
908	Kkpnlm32.exe
1692	Kkbkamnl.exe
1800	Ldkojb32.exe
804	Lmccchkn.exe
1724	Lkgdml32.exe
4536	Lcbiao32.exe
1944	Lnjjdgee.exe
3140	Lgbnmm32.exe
4040	Mpkbebbf.exe
4232	Mjcgohig.exe
2760	Mgghhlhq.exe
3648	Mcnhmm32.exe
4944	Mpaifalo.exe
880	Maaepd32.exe
368	Nacbfdao.exe
3652	Ndbnboqb.exe
740	Ngpjnkpf.exe
2328	Nafokcol.exe
1748	Nddkgonp.exe
4076	Ncgkcl32.exe
2060	Njacpf32.exe
2572	Nnmopdep.exe
2872	Nbhkac32.exe
4576	Nqklmpdd.exe
2856	Ndghmo32.exe
1892	Ncihikcg.exe
4964	Ngedij32.exe
3248	Njcpee32.exe
3656	Nnolfdcn.exe
216	Nbkhfc32.exe
5020	Nqmhbpba.exe
5072	Ndidbn32.exe
4340	Ncldnkae.exe
3172	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe

Program crash 1 IoCs

pid	pid_target	Process
3676	3172	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 408	940	6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe	80
PID 940 wrote to memory of 408	940	6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe	80
PID 940 wrote to memory of 408	940	6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe	80
PID 408 wrote to memory of 5048	408	Jidbflcj.exe	81
PID 408 wrote to memory of 5048	408	Jidbflcj.exe	81
PID 408 wrote to memory of 5048	408	Jidbflcj.exe	81
PID 5048 wrote to memory of 1280	5048	Jdjfcecp.exe	82
PID 5048 wrote to memory of 1280	5048	Jdjfcecp.exe	82
PID 5048 wrote to memory of 1280	5048	Jdjfcecp.exe	82
PID 1280 wrote to memory of 1852	1280	Jkfkfohj.exe	83
PID 1280 wrote to memory of 1852	1280	Jkfkfohj.exe	83
PID 1280 wrote to memory of 1852	1280	Jkfkfohj.exe	83
PID 1852 wrote to memory of 4396	1852	Kbapjafe.exe	84
PID 1852 wrote to memory of 4396	1852	Kbapjafe.exe	84
PID 1852 wrote to memory of 4396	1852	Kbapjafe.exe	84
PID 4396 wrote to memory of 64	4396	Kpepcedo.exe	85
PID 4396 wrote to memory of 64	4396	Kpepcedo.exe	85
PID 4396 wrote to memory of 64	4396	Kpepcedo.exe	85
PID 64 wrote to memory of 4468	64	Kbfiep32.exe	86
PID 64 wrote to memory of 4468	64	Kbfiep32.exe	86
PID 64 wrote to memory of 4468	64	Kbfiep32.exe	86
PID 4468 wrote to memory of 908	4468	Kknafn32.exe	87
PID 4468 wrote to memory of 908	4468	Kknafn32.exe	87
PID 4468 wrote to memory of 908	4468	Kknafn32.exe	87
PID 908 wrote to memory of 1692	908	Kkpnlm32.exe	88
PID 908 wrote to memory of 1692	908	Kkpnlm32.exe	88
PID 908 wrote to memory of 1692	908	Kkpnlm32.exe	88
PID 1692 wrote to memory of 1800	1692	Kkbkamnl.exe	89
PID 1692 wrote to memory of 1800	1692	Kkbkamnl.exe	89
PID 1692 wrote to memory of 1800	1692	Kkbkamnl.exe	89
PID 1800 wrote to memory of 804	1800	Ldkojb32.exe	90
PID 1800 wrote to memory of 804	1800	Ldkojb32.exe	90
PID 1800 wrote to memory of 804	1800	Ldkojb32.exe	90
PID 804 wrote to memory of 1724	804	Lmccchkn.exe	91
PID 804 wrote to memory of 1724	804	Lmccchkn.exe	91
PID 804 wrote to memory of 1724	804	Lmccchkn.exe	91
PID 1724 wrote to memory of 4536	1724	Lkgdml32.exe	92
PID 1724 wrote to memory of 4536	1724	Lkgdml32.exe	92
PID 1724 wrote to memory of 4536	1724	Lkgdml32.exe	92
PID 4536 wrote to memory of 1944	4536	Lcbiao32.exe	93
PID 4536 wrote to memory of 1944	4536	Lcbiao32.exe	93
PID 4536 wrote to memory of 1944	4536	Lcbiao32.exe	93
PID 1944 wrote to memory of 3140	1944	Lnjjdgee.exe	94
PID 1944 wrote to memory of 3140	1944	Lnjjdgee.exe	94
PID 1944 wrote to memory of 3140	1944	Lnjjdgee.exe	94
PID 3140 wrote to memory of 4040	3140	Lgbnmm32.exe	95
PID 3140 wrote to memory of 4040	3140	Lgbnmm32.exe	95
PID 3140 wrote to memory of 4040	3140	Lgbnmm32.exe	95
PID 4040 wrote to memory of 4232	4040	Mpkbebbf.exe	96
PID 4040 wrote to memory of 4232	4040	Mpkbebbf.exe	96
PID 4040 wrote to memory of 4232	4040	Mpkbebbf.exe	96
PID 4232 wrote to memory of 2760	4232	Mjcgohig.exe	97
PID 4232 wrote to memory of 2760	4232	Mjcgohig.exe	97
PID 4232 wrote to memory of 2760	4232	Mjcgohig.exe	97
PID 2760 wrote to memory of 3648	2760	Mgghhlhq.exe	98
PID 2760 wrote to memory of 3648	2760	Mgghhlhq.exe	98
PID 2760 wrote to memory of 3648	2760	Mgghhlhq.exe	98
PID 3648 wrote to memory of 4944	3648	Mcnhmm32.exe	99
PID 3648 wrote to memory of 4944	3648	Mcnhmm32.exe	99
PID 3648 wrote to memory of 4944	3648	Mcnhmm32.exe	99
PID 4944 wrote to memory of 880	4944	Mpaifalo.exe	100
PID 4944 wrote to memory of 880	4944	Mpaifalo.exe	100
PID 4944 wrote to memory of 880	4944	Mpaifalo.exe	100
PID 880 wrote to memory of 368	880	Maaepd32.exe	101

C:\Users\Admin\AppData\Local\Temp\6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6abba7c323f880af6906d4de90382672a6c91ea9abcd06648a44fe879a7d0062_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\Jidbflcj.exe
  C:\Windows\system32\Jidbflcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\Jdjfcecp.exe
    C:\Windows\system32\Jdjfcecp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\Jkfkfohj.exe
      C:\Windows\system32\Jkfkfohj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        42⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 400
        43⤵
        Program crash
        
        PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3172 -ip 3172
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
479KB

MD5
46696a877de399175773769aa44051dd

SHA1
51897aa5d1ab4a1a5e461d8a760d4a0e0928937e

SHA256
ef153758b5dd89eb05762b31b61147d465f903013e5ae4e8d2d82bbde9f0f053

SHA512
1c3e7f82b4b3e963416d86d56f73ee61b662faaf5c50b524ed51207662b8cf8be74d31dfd61e6a55745b6a9ef6eb764196af62260798b888f7a4e6ec2e5ac221

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
479KB

MD5
cef1c2677efc544e153b2279b0e7a788

SHA1
2770f6edbe4799b959aef4c6813cd2d583680d9a

SHA256
624045a75cdc0a1081851a8f200fd27d2e8db38a167512a0382afffd621a78a8

SHA512
ea879cffab99753627b7936b2bef7eaf629775070fa24a71f368ed26a7df057098a84ad416dd9b19e2485c4dc3a357cb882cfa74230d53aaad105622033ae914

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
479KB

MD5
ad1178f888a8d52ccce9241f1dcebb62

SHA1
5d4878a44d5df2af41eff195a497ab8dea11e71a

SHA256
9c3877df8f384c1d9f91d83f7a5cda7f9b21d951a67930449421c3c3388e349e

SHA512
afee9f94cce42bd34f366ea2837e1637d9e37fc6a9a2aa976707cd626fd00f6ab7fb69a828a15a55a077f5b2af02f86fc4f0e2e17509c88ddfc24f6844342cc2

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
479KB

MD5
3d4dbffdb121e2e17f59e7c17115386d

SHA1
43416da51a2648ea72605011cbb596aa4dcc3042

SHA256
3dd4f64bdeb02d3c334339265022d81a096f9b3fb1bfa6171d56492721947e29

SHA512
920034900f09d6d398b488c1fe5f010ac5317a7844ae048218951593d43cd059625779fc86160136674f5ccd8ec0fcdb2bdacb1f8a360e38c818f507c1e82689

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
479KB

MD5
24e1894912867c1af7530bcda8a8652b

SHA1
43ee35052b836381fd0468137b0c94cfba4bb4ae

SHA256
13d55efbfb0e908af358e3e149f19cffb1e70018aecccc48be200ace45149e83

SHA512
9977c3cb31f1a810b06d066fc4b23cc4eb6dea0e63a39b73d77af66abee77372816eae4afd45ea92189f2c03a7465a11e6509e78b4e173682ea3629c6a02b580

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
479KB

MD5
7419cfae4037a048c7508cf197f41016

SHA1
c21179aa4dc7c38f28b19cbea04a2c90479cf4ec

SHA256
9f5223f96658d9378b5a465132a81ff570fbe825ce801282494c9eea71d32b9e

SHA512
5736ad64502455342c6a20cc82ea7d130e8b27190420475d8bda63878cf5d1294a480938e9904bc51a5b682dc5a92c3bc664eb07583141b73e2b92c54b0d2f3d

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
479KB

MD5
8f82092b672acbe31ae39271c4be4568

SHA1
6e1ad0a00161402d731964037ffd51b418aa52bf

SHA256
f38b574ee07a880d4a6424a86ab782fddbfdccfe00556813fa4cfe16267343c5

SHA512
fc6a8f54b2931cfdfd6f57087935f8f19fa6617e1000352b3515660abe2668ecb9ac849f8ef74329cedc9b71f5acadafd84c5ef6c2c76283e8e898f5ef17ed24

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
479KB

MD5
d59640cfbdbd2e5d7076e895d79f2fd1

SHA1
2c24960e4650693f98734f04a0b11f49fb923e24

SHA256
8dafd94da9a3eac692d891ab76d46df398fd13a952028ce47317af48782d31c4

SHA512
a10ac96dfd34e736ad465c690c426587afe2a1cf3487709cc36b7df4d18bf0a6140433b4d77d54a2c4a11dee98d9c2a8834e2c302de1a4c8566c0686402cbd79

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
479KB

MD5
843cb26a0effe57aa7d0ae7c48f00bde

SHA1
8c5d369e42389d99ab64f0f608f577cd6cf4aa84

SHA256
6d0c7ba9db29cf37d5afd91afd9221057d4694a8b50fb4693721dca6bc6783b9

SHA512
818b19bdaafee5cecd2b09a4d78febf18e596adc2186c639302996bc591240dfadabb5e0eac364ad08205da6f37b81e69651f95a12aaa5973ea72a29a9b57c9b

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
479KB

MD5
56eb7686201ec224738be0e28de1c8be

SHA1
fea6ab289f360b24f626532328ca7aada5d3da1f

SHA256
1292e47ac2188fec51ff1b543dc5e923212780b57e3342aaca4c02dc128083ad

SHA512
7da066c7d4cd587608d6e7e05d467a61d12ac2639e302d2e1f4d790c66898712eb087545afe4f82c6a0dec6536970cf12b576a926a7baba023d9e1bde230350c

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
479KB

MD5
2d045d9a8031482b5e63f1b8f5ac9193

SHA1
3fc4c90f9d585821f5de0818f381a22437491e48

SHA256
57e46bc86b9673832a7375b3ecbac645a5b0b2e0eed11c832124bdafc0aed526

SHA512
3ddb10485a7944871d3212b285896fc7b302182cd8811c44f8cbe4b1ed22032374f42b5404f78e9d8e4db3af25b17a2c59c260c49f344e00c5c34eb89c1c9394

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
479KB

MD5
c5c3a91e792bd890f63115a105566cdc

SHA1
0eedf6b20898234fd29073259baae0fc2d86ff5f

SHA256
382f3705b3e990505393ab46a7067e05cda2378a102b9eb52443b7699dcedbf1

SHA512
74030114a20613a9b838b3183c97ae8eb0e121571d1c02c9747908413b56beca9c6116623af42762b98e2256443a62145b5d94e584ca92611bc9a55582ac077b

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
479KB

MD5
5aa7c1f38c994555a0e706b2aeb2ca42

SHA1
68b77ee2072c780eb5c055797fc4c6ab0a3732ec

SHA256
960e9ba5c548b3d8efe8aaf82ddb06dbdeb95ca25d6cbfbaf01b918da807563a

SHA512
ef44cc772811ce768df6f3b8445ba0b4362a469b150177d09df05269bda41eed222148356e43cd5d26faa56037f6d5af664d68e0b98c64e7bf53b58b4bcd918a

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
479KB

MD5
0e3de063a441595088a732fdf453f1f7

SHA1
964569a44d704444275e9ccd2bd67489f1e69280

SHA256
4c8399b9d12927580047b51ed309f0b6971d630e134adbbc288456abfd40e4b1

SHA512
cb075c19742c4db68f5e7584204fa9f480f92642ef94f36b797db90a62a610f15f6d83fe38c8a27047bd743355b787ef09514bd51b5df0963e9b8f6eb50f8413

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
479KB

MD5
91947509eff58104aa98e128d0a75702

SHA1
f1b5ffe06c21fe8c4bae4d49464521578ee7e45d

SHA256
f9e5715f4051c3b8d8c8854ca99196bea5aab68e3623fc012b1424d90e235f7c

SHA512
8e4c36a97b8de5fc268c6a8f56c3e2f09cfbd48e139fd1125ac3768c762637ffa19e6d7ec736491936f43d5e198d5fcb1d0ae42593c73fcead58c8db533b0ede

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
479KB

MD5
4bb874c31675fef426d1da04131ff5b4

SHA1
1c48a497301a1cc0e4b5dfb5f491d0f6cd3800b5

SHA256
065b9afaa7f80d8d936e3418abc17a9bf0a7516f0c91741de2e3ed7c5e5c8817

SHA512
ad39a154680ce46a4ceac8550467656ce80dade007a3fe1516c9a6802a507fc3b8aa1d4108c77a38efcf02f542ffdbaf0c84e569f0cc45c7c801bac5d03f5379

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
479KB

MD5
464abe3eed80efcb95918f405a02db26

SHA1
2398e158269e0470967dc01f1e4192c6b9338ed9

SHA256
3c20dfdcc0a65e57827ca390ca6d848502f1bd6f2e80d4d4de6389718a1f4776

SHA512
32e0c0696ab544109336a2e7b19cbc92011aa8dc4905e18522d0a8b32796939e3ed7f456580e3e80b107449cbaa2263b2f7104d995eb8cdce1b54df490bb7d31

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
479KB

MD5
7edc8bc56c925415ec981a0e302bba3d

SHA1
b9b87954c286480d8a55a26f235e75edb3e1a42d

SHA256
1caecca2f9e14d316ae3fbe7e0912c6647fa0d333151ae5fc1c29474ad244a25

SHA512
dbd4e7451759d03e726c7dc638407c62012c3ae10744501a4a8cad84f4e5a792daf249f8c79f3b510c558ccccc862a9c4931fed62c97e2a5ef3c1918dd3e5530

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
479KB

MD5
6fb678ab2fdd739e73f4eddc3a4c7757

SHA1
9099e19977d9b99574e9d54c2aee7295c390078d

SHA256
e2a569aa05286b8bdd22b28ad7e633570f03070c62fd46002cd9bce17d051041

SHA512
3eb48063b96ed4db5e7d09efbcd30fdeaff422bb03b6c5d94a623cb615a66d4c10692b8f2f23e83f968c9ca31edf1f8334564b961274f8631f6782aa19a0e3a4

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
479KB

MD5
ce451d9c4209e99e1061e6552a5c17c5

SHA1
fd98c728913e6d3cf45079d82e5874f6d3eeec64

SHA256
a5a6e1e6cf79dc40583220e3a0ef473e6e84619de4a9f5df002c11e4af4a2325

SHA512
f95f4b11937f5961a7e409db86f9c076b9cc60db3941bcce2f5bd9e2b8ff5b0ea2d6ea8819cb319c9edf66feea3fd33257feef656aca1c6430d33f8b269ac25b

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
479KB

MD5
fa4088c1536d92f2f919ef8286c8f31a

SHA1
0748ca6a27e04facb170cd9ea741d66aff45e383

SHA256
285ebd960937d2a7388efae0f8c8adc9cecbdac26136273e583e29878f6cb6e6

SHA512
e2f4172bb37b215b45774241777994e82923947cc0f480b49ebdd8ee9a86709e3d6d1886a202114634f9b0452dc3e42ef6495dc9d7814c651c75d9f5587f153c

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
479KB

MD5
eb8e96e33702d2bbcae0fa2d32712839

SHA1
abd656383da3a56ad26360b78379e6236f0151d8

SHA256
b382cef8d9ba72762b6bd5647869fe2b4b1c370b79c02e7d09ee9a05e516e442

SHA512
f8fccaf08b4fdbcf0ffebc99db4427853f8ccc3d61721138c1ed1899ee4b192bb80b3252b9c642b79e0c0231017ea6f6f50808c7c5778269f492474c9ff9438e

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
479KB

MD5
fcaf61a60296348ccdb458b314ceb76b

SHA1
88a5c70ec5132455b26936a08dc1a598bb2813fd

SHA256
dfccbb1c01299e05cdbf54949645d29c6f0d92d79206676b21e2e4ad160835a2

SHA512
ee9a39fb6035c6474cf87c2d0cc9645346b3938eeb5faef072bd712d5f542fa8686726dc1ffb504f24f01537350f7fab4b2166adc462857dda71615f121d9eed

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
479KB

MD5
2dc212d2f654ecbde8834deb183224bb

SHA1
59ec97711064c59d080e3ea00de75dff2fa06c7d

SHA256
94a6a4afb1f0c494265487f58c8dbcce556ae2f3cc33a1e22cc52fff9bbb1e10

SHA512
2fd0d5b77eb2830f34498cf1768f32edd188cada7ef993df00e755b24a8fa9c9e9dde300276d058d2478d3190fd17d541367408f45aa58b40d95cb0dfb1a1adf

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
479KB

MD5
20b03c077f63bd825e5248bf1a423026

SHA1
1a7992dbfc545ba9a687f53c44d871fa344b05b8

SHA256
48836cf9b6b9bd71d8d4ed74d241dc4ea49c1c98caf5c3933227b87969ba9390

SHA512
f48489468e537519928baa201c65e228ee4f25acb8b70b3878a1a73d43bd3684691de25c7d638855b6ef734007eeca6072dd5f342f860a882933f115f3730a90

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
479KB

MD5
24dae5d6990ae1a0ede294522312ff55

SHA1
36416234ecdb65dd038511611debec67467d2e83

SHA256
6e23648ebee514e913ef6a8c418bb6060bdb3afbf10a92fa448e2c271a7d7585

SHA512
530517f825e788ab203a4ef3062c0d451ef70cb655f5841c3ccc9a394166fa12ee1611fdf479fa3f6c6fa337fc7cfcaebcc734a901bd5dc706bb941acfd54bf1

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
479KB

MD5
0d78f8355d2fd4dede010c785418ef8a

SHA1
9ca1beda3fc77b981a9cca0da1efef2fb0dc94a8

SHA256
6a463616306d79b4ee9030435ba85d61aaa35eccb4c37d004037110e6637a2ba

SHA512
6415cb7268dda05080f795a1a27aba1b3165c9558ab7c04131efa6900e573a433fa0f609ac68cb1da779a77dbe756a69b13429be06de5c539aa1709c4c036cac

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
479KB

MD5
c5bea77f29f0bfdae8415bbeae01ab19

SHA1
3fedf3db58bf2721bdf8bca700dd997d3c2696d9

SHA256
d8ac509069a99a99291cf9f1f247dfba4465092997be652a2b9517abd2f9bd69

SHA512
87444fddf967b6c4fb93ab5349970a93f37de8c0f38bf644b8541231a5d699143f47c1e4ec7c2affba272a94df2627bc8b40c0ba4f524e09fc989dc61a504c7b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
479KB

MD5
a657d2e4f626e304265484214b576c2b

SHA1
f85d033f2647b7078ad1c74816abf0b3c3e0d812

SHA256
3c9876979e62e856c5db30118eedcc80e01bc47eb9fafb240ab5370da4922ab2

SHA512
c2d5812a1f3f18c6485ba13df28df257a776c57e18da72c2c64faed7a3b99de9aaa65f56f78c7bc745e2e1c503cacf71d7574540234878ba9c6983e918663feb

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
479KB

MD5
3350b13e6544b1acba9963ab33e5d233

SHA1
e89116037ea242780dacb6678ee06e8675ace77d

SHA256
1428314dd55fcedc1d0736deb00cd1faa804bcba54f223840696ce922cf0172f

SHA512
b744f41111f3ea3dab3eef26283f3d73f323e633781dfe7a53965fe27486963043dbb3233ae08858a4dd9db6fae60fbe1e416537006f91db97d62ab187685f56

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
479KB

MD5
567d9b256f5412586ec1a06fb699b972

SHA1
1311f13880f7fbabbef82984e00600b8d8f4e8ca

SHA256
51676575682adb45c3f3c23c50794ce856246ca2bdd7b9227b732af8b7dc2741

SHA512
10428fe9d775ecb24b4576d14cdb870b542c4c562997207cef2c12a2c76c9b9ae8eff5522091f026e990220ca9bf3359de2ee03de4a425a03973af7536b7747d

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
479KB

MD5
8ecaf0637719d7e7c319a9303b352f99

SHA1
4efb2ee278e9e5bd188ce8d5123f8ef4271dba0d

SHA256
6113e21c6286a71d8c4eb14d623ebb4075d7b4b8cc6c8284b8915e495fb827e0

SHA512
47bebed06d25a363bf7f653e1330e77b6cd7dc4703b70c52324da332da35ca2d62bbc4e45cbe27a7a1648b3b76196fd3d2125c9f0355ab7bcaf0d0626b82fb0f

Download Submit
memory/64-49-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/64-383-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/216-320-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/216-307-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/368-183-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/368-351-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/408-12-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/408-393-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/740-347-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/740-192-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/804-373-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/804-89-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/880-353-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/880-168-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/908-379-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/908-65-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/940-4-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/940-395-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/940-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1280-24-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1280-389-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1692-377-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1692-73-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1724-371-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1724-97-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1748-343-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1748-214-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1800-375-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1800-83-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-32-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1852-387-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1892-303-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1892-329-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1944-367-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1944-113-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2060-298-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2060-339-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2328-345-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2328-213-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2572-299-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2572-337-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2760-359-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2760-144-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2856-302-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2856-331-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2872-335-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2872-300-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3140-365-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3140-121-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3172-313-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3172-311-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3248-305-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3248-325-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3648-152-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3648-357-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3652-349-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3652-185-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3656-306-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3656-323-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4040-129-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4040-363-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4076-222-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4076-341-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4232-361-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4232-137-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4340-310-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4340-315-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4396-40-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4396-385-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4468-381-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4468-57-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4536-369-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4536-104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4576-301-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4576-333-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4944-355-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4944-160-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4964-304-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4964-327-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5020-308-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5020-322-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5048-16-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5048-391-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5072-317-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5072-309-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads