7535a30a2ad1c0eab0f548e75880147526eaf042f51f51d8cf1471e69f5b9015

Analysis

max time kernel
93s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Size

434KB
MD5

1cefbb0182282eeee18fa3de3a3ee690
SHA1

598b59f6970ab149ce516b29398dae4799c7b5c1
SHA256

7535a30a2ad1c0eab0f548e75880147526eaf042f51f51d8cf1471e69f5b9015
SHA512

f0c6ae6997fd28da5aebd7dc2ed285f73dd4d87ff8bae2899d27e1cf5604741680f37b1c26ad471a1149b05f415d9c280b645038d2ba9dd0319fab782d759bac
SSDEEP

6144:QpZ3bDQxSGYwVnXMo0X+mYJhqoxGfDxIAmZ4IB2mMWjWVWreN3SUeDRiwxELHIE0:QpZ3fG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe

Executes dropped EXE 21 IoCs

pid	Process
1492	Kkbkamnl.exe
4868	Lalcng32.exe
4460	Laopdgcg.exe
768	Ldmlpbbj.exe
1508	Lilanioo.exe
712	Lpfijcfl.exe
3892	Lcdegnep.exe
2560	Mgekbljc.exe
3820	Mcklgm32.exe
3504	Mdkhapfj.exe
864	Mpaifalo.exe
3672	Nkjjij32.exe
468	Nnhfee32.exe
4900	Njogjfoj.exe
4380	Nqiogp32.exe
620	Nqklmpdd.exe
1092	Ndghmo32.exe
636	Njcpee32.exe
2384	Ndidbn32.exe
3552	Ncldnkae.exe
2540	Nkcmohbg.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nqiogp32.exe

Program crash 1 IoCs

pid	pid_target	Process
1932	2540	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1492	2360	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe	81
PID 2360 wrote to memory of 1492	2360	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe	81
PID 2360 wrote to memory of 1492	2360	1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe	81
PID 1492 wrote to memory of 4868	1492	Kkbkamnl.exe	82
PID 1492 wrote to memory of 4868	1492	Kkbkamnl.exe	82
PID 1492 wrote to memory of 4868	1492	Kkbkamnl.exe	82
PID 4868 wrote to memory of 4460	4868	Lalcng32.exe	83
PID 4868 wrote to memory of 4460	4868	Lalcng32.exe	83
PID 4868 wrote to memory of 4460	4868	Lalcng32.exe	83
PID 4460 wrote to memory of 768	4460	Laopdgcg.exe	84
PID 4460 wrote to memory of 768	4460	Laopdgcg.exe	84
PID 4460 wrote to memory of 768	4460	Laopdgcg.exe	84
PID 768 wrote to memory of 1508	768	Ldmlpbbj.exe	85
PID 768 wrote to memory of 1508	768	Ldmlpbbj.exe	85
PID 768 wrote to memory of 1508	768	Ldmlpbbj.exe	85
PID 1508 wrote to memory of 712	1508	Lilanioo.exe	86
PID 1508 wrote to memory of 712	1508	Lilanioo.exe	86
PID 1508 wrote to memory of 712	1508	Lilanioo.exe	86
PID 712 wrote to memory of 3892	712	Lpfijcfl.exe	87
PID 712 wrote to memory of 3892	712	Lpfijcfl.exe	87
PID 712 wrote to memory of 3892	712	Lpfijcfl.exe	87
PID 3892 wrote to memory of 2560	3892	Lcdegnep.exe	89
PID 3892 wrote to memory of 2560	3892	Lcdegnep.exe	89
PID 3892 wrote to memory of 2560	3892	Lcdegnep.exe	89
PID 2560 wrote to memory of 3820	2560	Mgekbljc.exe	91
PID 2560 wrote to memory of 3820	2560	Mgekbljc.exe	91
PID 2560 wrote to memory of 3820	2560	Mgekbljc.exe	91
PID 3820 wrote to memory of 3504	3820	Mcklgm32.exe	93
PID 3820 wrote to memory of 3504	3820	Mcklgm32.exe	93
PID 3820 wrote to memory of 3504	3820	Mcklgm32.exe	93
PID 3504 wrote to memory of 864	3504	Mdkhapfj.exe	94
PID 3504 wrote to memory of 864	3504	Mdkhapfj.exe	94
PID 3504 wrote to memory of 864	3504	Mdkhapfj.exe	94
PID 864 wrote to memory of 3672	864	Mpaifalo.exe	95
PID 864 wrote to memory of 3672	864	Mpaifalo.exe	95
PID 864 wrote to memory of 3672	864	Mpaifalo.exe	95
PID 3672 wrote to memory of 468	3672	Nkjjij32.exe	96
PID 3672 wrote to memory of 468	3672	Nkjjij32.exe	96
PID 3672 wrote to memory of 468	3672	Nkjjij32.exe	96
PID 468 wrote to memory of 4900	468	Nnhfee32.exe	97
PID 468 wrote to memory of 4900	468	Nnhfee32.exe	97
PID 468 wrote to memory of 4900	468	Nnhfee32.exe	97
PID 4900 wrote to memory of 4380	4900	Njogjfoj.exe	98
PID 4900 wrote to memory of 4380	4900	Njogjfoj.exe	98
PID 4900 wrote to memory of 4380	4900	Njogjfoj.exe	98
PID 4380 wrote to memory of 620	4380	Nqiogp32.exe	99
PID 4380 wrote to memory of 620	4380	Nqiogp32.exe	99
PID 4380 wrote to memory of 620	4380	Nqiogp32.exe	99
PID 620 wrote to memory of 1092	620	Nqklmpdd.exe	100
PID 620 wrote to memory of 1092	620	Nqklmpdd.exe	100
PID 620 wrote to memory of 1092	620	Nqklmpdd.exe	100
PID 1092 wrote to memory of 636	1092	Ndghmo32.exe	101
PID 1092 wrote to memory of 636	1092	Ndghmo32.exe	101
PID 1092 wrote to memory of 636	1092	Ndghmo32.exe	101
PID 636 wrote to memory of 2384	636	Njcpee32.exe	102
PID 636 wrote to memory of 2384	636	Njcpee32.exe	102
PID 636 wrote to memory of 2384	636	Njcpee32.exe	102
PID 2384 wrote to memory of 3552	2384	Ndidbn32.exe	103
PID 2384 wrote to memory of 3552	2384	Ndidbn32.exe	103
PID 2384 wrote to memory of 3552	2384	Ndidbn32.exe	103
PID 3552 wrote to memory of 2540	3552	Ncldnkae.exe	104
PID 3552 wrote to memory of 2540	3552	Ncldnkae.exe	104
PID 3552 wrote to memory of 2540	3552	Ncldnkae.exe	104

C:\Users\Admin\AppData\Local\Temp\1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1cefbb0182282eeee18fa3de3a3ee690_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\Lalcng32.exe
    C:\Windows\system32\Lalcng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\Laopdgcg.exe
      C:\Windows\system32\Laopdgcg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        22⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 400
        23⤵
        Program crash
        
        PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2540 -ip 2540
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
434KB

MD5
7888d512317df789e4f135698bb39c3f

SHA1
df984b6111f8484b139c0507ba73226acbf5ace3

SHA256
29c9c974f35668786806aa968e3b90c6feb7fbe12ae10cecd3af36e818a5fb0e

SHA512
4e5f5526c8ee33eab4108a2f2af38f4335cf19b903d083f6632e69ee0288e0a34c90c0f923889e066014f41c895efa6383dece0303f1acc2abe157c4c72d1fe8

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
434KB

MD5
cfbfefba5de03e2a0e3ee4e2bff914f9

SHA1
a5fc6cbabd1bfb55c3397f09f8d254a434d7bc99

SHA256
d996962cc6de9ebf728d92f4d469495d01a5c63da436593aff251945a151c567

SHA512
0b3607bb3654e5004dc3c51ca4c9dbe608b1f552af2bce66309f8bf445e41b71e858b7b56e9b90d979734f52f14a1f02d3b74072324879b17a8e9a97edb6e5be

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
434KB

MD5
46adef4e7490e229aaad618ac9d4a774

SHA1
09ae0c8b285038f4696098e4371747e7a5190fc1

SHA256
b8884e75ecbfa0f95ee8f1c11f5066c38e318b26e4ba6b44a11304104e064ed1

SHA512
d279a3d5245129fd1f87f4b84ca78e44de42a09c72ada7e9a6f1ae15c69d6bfe6adcf6db6cab6d354db76d0336b1283e16fd0e0e33cfafa2eac20961433a2ae5

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
434KB

MD5
05926d9a89a752fe84fc4a15cf1fa158

SHA1
0248a12e304a945168ecce700cb3e195a5a87b25

SHA256
27390a8e50472532412817e9560e99124d924d5467e46582bc397f8b90aef344

SHA512
9be51f956e7b17aa70378bf3ed15f4ea5edabc879c27de7ec660ebbf2857f9ae285717fda61c6e17a5813b4626c82ac3a2ed56ba08a4987e2b2050f96c4d9046

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
434KB

MD5
15dab762278c6b1e2656b0b50912d36d

SHA1
1859d0864d8bce8ab17f1812c06d65b79b5045c1

SHA256
6f64400638bd78cea47afab0745ec199c5c1d54fd9957c128ab4416376f617d6

SHA512
698661041a9ec84a1eb165cec1e8b2cfb0682ea8e43caa135791625820375c187c0890955e6903050e121d9c56a62d3924afaaffdadf02715418f957fb1423c8

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
434KB

MD5
ab9bdb53ea09c3f848b82c831531bdbd

SHA1
c170d6361795fe1771e93705711920d44e38cce1

SHA256
f787430c6141ce81ecf42665dbcdb0b9dd9fff81fc0a07523874806596ffc6eb

SHA512
f20f303e511f5793f78fa8983990e4ba98eab4d16517b820b0479794c4d2c4b6af5a191f017083744bb59d71f072a18fd63293fd05487e4223ebb45ec9bdce67

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
434KB

MD5
18ad4a64c2fe4f6d6b058047560809d9

SHA1
bad7c24075087ef0c7a7f33de3b599369c67ebc7

SHA256
4b1cd9e647ebb69cd4dcad9cbaa130eb77e8c0e3491c64717256d1fef1338626

SHA512
9664c86b2c3f48a0abed54eb1cfadc8461e430ef1d9ab5d3c54f378e0ba5a807637469efb1c4d32ee8ce87e31e414f915b98da973e12670c5d20e0c02ee592a5

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
434KB

MD5
6c13cf26adeae4e3c1f194ccd356d1ab

SHA1
db09f257af7399bc6bd05e4ecd05290f167f2936

SHA256
a8fc08ce4dcc65df7f4d9dc3b63132e3320aaacbe83cc44f6f01ed98e1e2c468

SHA512
ce628d8a0448aa7f27bf09f52300950f5efb61ccb4b42473f12ddc60caefb0f722bdb1da9de972bd39c92dd706096f8fa0a7e74633a34d4ebed58e1d0ab8f46d

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
434KB

MD5
384af7e8000ba66feccccc9de47c317a

SHA1
00fcbff0c9d1602f231af3d60979fcbcbf3c8b33

SHA256
51611b081a3960dffb05e8dcffa7d7775987c2c1ebdf7c3ffaf584b283e73ab4

SHA512
513ea645ee2ba9637b3d062efa1f0ba8736698179a66f91c4cbcc16d324bdd7252137719426193e9af85e2f471ba15be43ed77c45eb0db80b62f3639ffb6ecaa

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
434KB

MD5
ffab5917a350cb22576115c2e2bccb79

SHA1
e7814a66db4877210750f5060db2c5ab3b42ea6a

SHA256
3588d1926f11750cf953752290ef3402be93851300e389f748996fe4cb3d015f

SHA512
fcb74a23c075e981dd395aa154bf98b52ea9243f6eee5a4394ea6f4347cdf7020b8e46b3bcfa3992e5bdf853d034e1cfdd54117b968d7764711e54900eb75f3c

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
434KB

MD5
db684da0f1b4d7ef8c835b5f47e61d38

SHA1
9a2c6ad3c3e5584f6f2c3e7488956aa9d5143581

SHA256
a5ead9f68261f22a169538ea294792273f43a26eb277129564f9622208df7d79

SHA512
df7a133e5afa5cee1332c06ac468ddc92f3d1cf3b8fadcef391870311374a8d37ad1b02bfc7ce8b1f4d05307987a4ed418d0e64f8f189a3b8a0f71b43dc8cf3c

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
434KB

MD5
380d7016018ffdb06ecce03481f91374

SHA1
fd3dbcc44fc2764baf62d7ced463219e56fbc6a7

SHA256
2a203938625e743c48402cfc86d34cc8d5168ed9c2bb8f3229e2eff9f7710056

SHA512
4edb530f0f49c52abf2ef374182542512ebe86f55578c746368ea7d5f143ab3339ee18b7df48bf7902d89f62aa98970ec5173b2fe66110d7d89657b831a754ba

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
434KB

MD5
0068d1aca0ca9a58be2049ac83c4a8d6

SHA1
75796d70f3c9532541e28eb7e9a757bf1411cb64

SHA256
d6f02166dc3b63a45a7887e6723d62859146da59b9b86695f55dbbbdb1904103

SHA512
770241413a1ddee249bb8a4682d16a27dcd4c453834d433ae309433f8ab015edcc4ea7d362269d2ad79e0a9f74c09226b87095b887b701661c679b14c134da33

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
434KB

MD5
b44a5917bf56288d7a64906da7b7b5cd

SHA1
872a0e17533a91a83c4402d7ff100c1511b0f6cd

SHA256
663086e6c8d8da3f35256115c9c83033f6e548b9b6fad38e4563b5e0088f3f46

SHA512
4b03e8c2db791bdd2f2b2404f3ceaefa0e62de91ac839dd92fcde55b7b6aa75c3e51d06702b97dca7c2f080ebbc61aba694392b279587dc98e34a86251288085

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
434KB

MD5
87c9cbff3b2cc1399cd58779caee9391

SHA1
ae1314b323e31cd1096472256d5eba3a778c1504

SHA256
96aa4468127835f74480996e8c963fdaf4dad935c6f1107df5457bcb6f47f107

SHA512
11096647787e4ea84606d1dd512b54b3ce19a779cd8b849608cce84e9020d5e5ab0b0b39fff3bb3ce3b26c391e4ac958a2210b512bd9de330fcd9b83776c11e0

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
434KB

MD5
787c61538334c2aa3d87ed9e869a992d

SHA1
f77736a1c735021b0cef69c7ae4dea01a54bc8b8

SHA256
7653b815c64eb7ff4b0f7ed1558e8c1cc1d258c1fdbb207d152e70a561338750

SHA512
b0bbba0358d57fde0922f0ac750e11d6fd65c45bed6c7b16deb13d21c5240250fcfbb9a2927eba93367cb210742805c3676d007f8af1bdb2f1f7246436017e02

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
434KB

MD5
0bf02c728b897d64f40c9192efb3bfb6

SHA1
32ec2a19137052282517afca89be4529a7680f1f

SHA256
949c38b1157d79ca56fd24e832aa19ce2275652dd8d63eb7eb5bd9eb8130702c

SHA512
50e75fae33a44bf93e2d579391069e202914a56344704fcdd466bbafc94c80fb93d0412d6bf8879783e0e2063f02764b0e315e5ad1cc8b6b6eae31c5ea94738f

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
434KB

MD5
87178ff913b4565174db48533287536c

SHA1
5f75b7abae7a992822be11eafacbd77f38fdb984

SHA256
d21b05150b98fc66927c92e4b3bc92274299227c92e55aaf2e98b6a9e2f9025a

SHA512
91302d26ee5242ffd220aa6eefd9e7ff0e64ada01d7560570cd8a3e00b80120c5a80970b95ef8c2b033ec5c6a54f20baad553de753ef259b83a124c3a6f58c05

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
434KB

MD5
d7edd6a500a750c74560bc79ac41e943

SHA1
368a19fed23e70beaf2cc0e778d0bc945f9eb467

SHA256
3f06edaf8e271309c9896e0ebadf3fa76b01d71a0fd0645000e88c1d33968c21

SHA512
a73a349e5dd1b009ecd25ee147bf766cd1db623a8ac80cbe4276bb4301964b8b77c2a687fc325362b1016b86959c14bf20730bf0f1b5178e4110bf8832f081c3

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
434KB

MD5
8321b8cf18f03df0e05210de1acf0178

SHA1
69fbe1aa63bdfb16251e7988551068d7906b3d9f

SHA256
32dd2c16adcb7279f971f8b8a93eab760b32ed8a55aaad9178dc778cce51022b

SHA512
74a7a6bd4098168aeaeb7183fb0e38f4b7471a4ed9d047a53abfa0335906340f075c1483a8da1df0e2ae2e7673a6d46b27b469cc87e6bb961b5b15f69ea0ad92

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
434KB

MD5
39f3e72157fde8298481d50b4388318e

SHA1
d2f3d85ecdb8515dbc0cdf0928ea278c137bd1f1

SHA256
3543f9a5dbc928921be45c809ff8cf0f4ead2d6f62b3fd381ca3e35cbc3d7972

SHA512
eb4154e313f89f01e9e0e8355e913393b782cd93983f5e2121e5d97bc57211d86256f8ed669a25bdc89c6e57534fa7821b3973547132dc5b4226ea705536487d

Download Submit
memory/468-183-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/620-127-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/620-178-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/636-173-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/636-163-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/712-197-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/712-53-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/768-201-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/768-37-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/864-187-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/864-89-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1092-176-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1492-9-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1492-207-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1508-199-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1508-41-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2360-0-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2360-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2360-209-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2384-164-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2384-171-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2540-170-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2540-166-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2560-193-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2560-63-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3504-84-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3504-189-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3552-165-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3552-174-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3672-185-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3672-100-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3820-191-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3820-72-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3892-195-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4380-119-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4380-210-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4460-203-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4460-29-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4868-205-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4868-17-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4900-181-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4900-115-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads