b8df84df0573acaeb94f09b562de470d89b23b4451394bb37ca8fd50b7ddcaf0

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
Size

324KB
MD5

5ba3651cb9c335395d719b827f2e5f10
SHA1

ca6ad2dd8aa09f48837e850fbfda52075e37a96a
SHA256

b8df84df0573acaeb94f09b562de470d89b23b4451394bb37ca8fd50b7ddcaf0
SHA512

6cf4451778ede4503d3f057cb386abcf5f0a5d4de37a9f891e16c1e1b34c2baca6a9f08c24a18151ba0ec9184f59d4a0a31b836fa981ff8bf9685e5ae4b5b483
SSDEEP

6144:eldw0SBws35yHohg2KY/FBziwrzd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8ws:eldw0SBws35yHohg2KYCKp5IFy5BcVPm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe

Executes dropped EXE 45 IoCs

pid	Process
2224	Lgkhlnbn.exe
972	Laalifad.exe
2020	Ldohebqh.exe
3052	Lcbiao32.exe
5012	Lilanioo.exe
3608	Ldaeka32.exe
1188	Lklnhlfb.exe
424	Lnjjdgee.exe
1696	Laefdf32.exe
1708	Lddbqa32.exe
4364	Lknjmkdo.exe
3516	Mahbje32.exe
4124	Mpkbebbf.exe
1584	Mciobn32.exe
2164	Mkpgck32.exe
1652	Mdiklqhm.exe
3048	Mgghhlhq.exe
3700	Mnapdf32.exe
4200	Mpolqa32.exe
5084	Mcnhmm32.exe
3932	Mkepnjng.exe
1524	Mncmjfmk.exe
2320	Mpaifalo.exe
2752	Mglack32.exe
3132	Mjjmog32.exe
1940	Mpdelajl.exe
2712	Mcbahlip.exe
2060	Nkjjij32.exe
4460	Nnhfee32.exe
4380	Ndbnboqb.exe
4428	Nceonl32.exe
2676	Njogjfoj.exe
4188	Nafokcol.exe
416	Nqiogp32.exe
4224	Ngcgcjnc.exe
4468	Nkncdifl.exe
1380	Nnmopdep.exe
3960	Ndghmo32.exe
3996	Ncihikcg.exe
4716	Nkqpjidj.exe
2832	Nnolfdcn.exe
4968	Nbkhfc32.exe
3796	Ndidbn32.exe
748	Ncldnkae.exe
1280	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1964	1280	WerFault.exe	130

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 2224	632	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe	83
PID 632 wrote to memory of 2224	632	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe	83
PID 632 wrote to memory of 2224	632	5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe	83
PID 2224 wrote to memory of 972	2224	Lgkhlnbn.exe	84
PID 2224 wrote to memory of 972	2224	Lgkhlnbn.exe	84
PID 2224 wrote to memory of 972	2224	Lgkhlnbn.exe	84
PID 972 wrote to memory of 2020	972	Laalifad.exe	85
PID 972 wrote to memory of 2020	972	Laalifad.exe	85
PID 972 wrote to memory of 2020	972	Laalifad.exe	85
PID 2020 wrote to memory of 3052	2020	Ldohebqh.exe	86
PID 2020 wrote to memory of 3052	2020	Ldohebqh.exe	86
PID 2020 wrote to memory of 3052	2020	Ldohebqh.exe	86
PID 3052 wrote to memory of 5012	3052	Lcbiao32.exe	87
PID 3052 wrote to memory of 5012	3052	Lcbiao32.exe	87
PID 3052 wrote to memory of 5012	3052	Lcbiao32.exe	87
PID 5012 wrote to memory of 3608	5012	Lilanioo.exe	88
PID 5012 wrote to memory of 3608	5012	Lilanioo.exe	88
PID 5012 wrote to memory of 3608	5012	Lilanioo.exe	88
PID 3608 wrote to memory of 1188	3608	Ldaeka32.exe	89
PID 3608 wrote to memory of 1188	3608	Ldaeka32.exe	89
PID 3608 wrote to memory of 1188	3608	Ldaeka32.exe	89
PID 1188 wrote to memory of 424	1188	Lklnhlfb.exe	90
PID 1188 wrote to memory of 424	1188	Lklnhlfb.exe	90
PID 1188 wrote to memory of 424	1188	Lklnhlfb.exe	90
PID 424 wrote to memory of 1696	424	Lnjjdgee.exe	91
PID 424 wrote to memory of 1696	424	Lnjjdgee.exe	91
PID 424 wrote to memory of 1696	424	Lnjjdgee.exe	91
PID 1696 wrote to memory of 1708	1696	Laefdf32.exe	93
PID 1696 wrote to memory of 1708	1696	Laefdf32.exe	93
PID 1696 wrote to memory of 1708	1696	Laefdf32.exe	93
PID 1708 wrote to memory of 4364	1708	Lddbqa32.exe	94
PID 1708 wrote to memory of 4364	1708	Lddbqa32.exe	94
PID 1708 wrote to memory of 4364	1708	Lddbqa32.exe	94
PID 4364 wrote to memory of 3516	4364	Lknjmkdo.exe	95
PID 4364 wrote to memory of 3516	4364	Lknjmkdo.exe	95
PID 4364 wrote to memory of 3516	4364	Lknjmkdo.exe	95
PID 3516 wrote to memory of 4124	3516	Mahbje32.exe	97
PID 3516 wrote to memory of 4124	3516	Mahbje32.exe	97
PID 3516 wrote to memory of 4124	3516	Mahbje32.exe	97
PID 4124 wrote to memory of 1584	4124	Mpkbebbf.exe	98
PID 4124 wrote to memory of 1584	4124	Mpkbebbf.exe	98
PID 4124 wrote to memory of 1584	4124	Mpkbebbf.exe	98
PID 1584 wrote to memory of 2164	1584	Mciobn32.exe	99
PID 1584 wrote to memory of 2164	1584	Mciobn32.exe	99
PID 1584 wrote to memory of 2164	1584	Mciobn32.exe	99
PID 2164 wrote to memory of 1652	2164	Mkpgck32.exe	100
PID 2164 wrote to memory of 1652	2164	Mkpgck32.exe	100
PID 2164 wrote to memory of 1652	2164	Mkpgck32.exe	100
PID 1652 wrote to memory of 3048	1652	Mdiklqhm.exe	102
PID 1652 wrote to memory of 3048	1652	Mdiklqhm.exe	102
PID 1652 wrote to memory of 3048	1652	Mdiklqhm.exe	102
PID 3048 wrote to memory of 3700	3048	Mgghhlhq.exe	103
PID 3048 wrote to memory of 3700	3048	Mgghhlhq.exe	103
PID 3048 wrote to memory of 3700	3048	Mgghhlhq.exe	103
PID 3700 wrote to memory of 4200	3700	Mnapdf32.exe	104
PID 3700 wrote to memory of 4200	3700	Mnapdf32.exe	104
PID 3700 wrote to memory of 4200	3700	Mnapdf32.exe	104
PID 4200 wrote to memory of 5084	4200	Mpolqa32.exe	105
PID 4200 wrote to memory of 5084	4200	Mpolqa32.exe	105
PID 4200 wrote to memory of 5084	4200	Mpolqa32.exe	105
PID 5084 wrote to memory of 3932	5084	Mcnhmm32.exe	106
PID 5084 wrote to memory of 3932	5084	Mcnhmm32.exe	106
PID 5084 wrote to memory of 3932	5084	Mcnhmm32.exe	106
PID 3932 wrote to memory of 1524	3932	Mkepnjng.exe	107

C:\Users\Admin\AppData\Local\Temp\5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5ba3651cb9c335395d719b827f2e5f10_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\SysWOW64\Lgkhlnbn.exe
  C:\Windows\system32\Lgkhlnbn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\Laalifad.exe
    C:\Windows\system32\Laalifad.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\SysWOW64\Ldohebqh.exe
      C:\Windows\system32\Ldohebqh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 412
        47⤵
        Program crash
        
        PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1280 -ip 1280
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kgkocp32.dll

Filesize
7KB

MD5
557967b442efb4981059fc99435f1363

SHA1
71cf4e981123b070d2a4beff2b8f2249d23e1243

SHA256
130c9779f9c1729534e8a868c3d8e23ea1b218eafbd8bba76398e23c0e562c6a

SHA512
094bb0bcba5e52fc207beb646716fff5826526ad2f343a98fd8c8ee3d1b2ce73aa696fe432d06b95f84422d2e27af913be7eeb8bba223bbf0d8b85c4739a1c20

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
324KB

MD5
e81316680c6ef3780de8b53d6bbfcd1d

SHA1
dd0d09ba6efa655d94ca7166bea5d6654bb3da4f

SHA256
b48615d78b33e878a1e6d76869cd85c63eaf81210cdd11a024e149680985267b

SHA512
cb881c86e09d7c613ffab9ac41c0fb6839a38720581def4131c604a8f95c74efcfec8d2a5383078a8c9d8cd6da54b71e0715398b246e6868ab11fb223fecff41

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
324KB

MD5
b2afb575104617523a21e1dcca624bde

SHA1
d997c3a4920842fb713deb5792a025a5f01446e8

SHA256
418c03675f56061c4d4e03aed39fbcfa2120e07ae3f29dc57716d8d83cf714b4

SHA512
2b4c9d9877c7880f5e723fe92acd9a45ab760ee61e54279bfaa2db86e9094a75f085b0e8c6ac849ea01b5470eb0a5efc3eaa6a8e166ec61e266cdfa8625b7a42

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
324KB

MD5
57d809d08c10a621a1eca2acdc72f5e4

SHA1
02743214843aae2773a918122c97f1b19d7bcdbf

SHA256
b35e06ab27616d4cb7a05e495716db66a792a9e023ff1f4e7f911a851c9441b1

SHA512
77ebbd8c50102281a0d1ad57a60995f852cc8a82a9b83bdd886c68b7c29bd1a30e0d129d33b8a55377711a926ed0c55d17194e3e9e4f8ee80dc294e26dc6c3fe

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
324KB

MD5
b601f6085ba451653d2cc31795a9ff4a

SHA1
04bd670280a055bae41e6befda17425a39b9e066

SHA256
80db4ede1fc292fc721687fad12172d7f2cceef6e7e1481c4350f8940d3de6d0

SHA512
3862ae95046a9ea9e536938cba7a682f7a8a0f380850213c24fb9821ae5997e00056c45f4472351df9dcf72cf119d7204ab2f1657394900cbac10225cfc193b7

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
324KB

MD5
cc2e734a89d6ed0a007c076d91911c41

SHA1
efabb7b60182e8fe665eaa7cca52e6ae5f972a2d

SHA256
c285062cd3a6f04537fc4fc3bce410a64dad9b550ed1ac8022344252d1ecd9b4

SHA512
27ef9360c78d377e9c77243614f82346c491723a0bd23bfe0b63f13f7859dd4d4c8b19292f57ee0b697a51e2590b8e5c1bd16d9b4652cd726789ecc344f0ab8d

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
324KB

MD5
56f80f10bd4fe236722d99cd317863ae

SHA1
33fbd44d23862e121e95a4e743afed70a6af3e29

SHA256
32bae5c877d0de676bc3572828efb5d0c2994212996e5f3fda75378c0fc6e086

SHA512
fe5b6fb29c3ddc22e553ed365881fb48f042e252c208733b209c51bc19ba6ea347a1023d5c6b8892ab34a9a556d2690fba29a3ce3efdaa23f345c8348b198706

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
324KB

MD5
de080232ca9d00735d89de317d991e49

SHA1
356eb7d86bcef1d1cd30ee6d22d0dcbce0ad714b

SHA256
f21e87dc480767b5a3451c89d106250077ab9a99dc19df5327a8b05de47a6ca0

SHA512
65a2549668ed7e7d8dbd3aa65ef26f8eb93725e29b904bf307eb2ad4a4576d59288fae8df8aff4ca6395994cf05c1f3cd7100e4ae4ada8e89dcbc00c1ab19054

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
324KB

MD5
f0aa2c646e2e734f5fe1f5300ae3e4f3

SHA1
ea5ea71e13498b851595912952958aae19aa51cb

SHA256
9760e016a7f6d7d9b7c77f057e461d78841a6d51ff13d9e35f9559de6c87ff57

SHA512
76b128a83c8fe723296ba4e1a681355b0cc04d10cff8fd2404bdaa1c6076b3323034e5cea8106016827b367cf1d61e45d8584b200c287d8c111312ee4e2e7a2d

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
324KB

MD5
4d84ac9d21b19a7037430fe1c88f5523

SHA1
8adee66872abb504ff079281023c17663d8dbb5b

SHA256
fc10713c3a41fb30d05014e76054726635495ceb7f8127c85d4f826f96ada0c8

SHA512
3c8cc312c53ceb9c61ef5abd53f701496a90f84ba3cb5b9d7102b6a482a9b8c20360f36df9d8b63ba2a6090794bd2914606403c5f58a156df9416e47e42b313a

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
324KB

MD5
1dc86b7aee28dec7f6ee222cd82632b0

SHA1
f6df998dc58ec78194b5292ade9f639eceddae6e

SHA256
ed6a01ac381bb71777483732e45ed334699e56910a6ea089f14d3065971d00cd

SHA512
ca3bd25a0850f1b8e2ee23fd58bb7fd2d096549503fb12cc893f5f8c44a3c2a4fe362b709be3ce9863a7c6c72cb3e7ef0229790bcbec657b151526072fe8613e

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
324KB

MD5
5bdfede2173eda09b0e41a9053e03bad

SHA1
a7f80fb7e45d20a86ae859c82b40a5e133ce9399

SHA256
6adce336f2378aef06b810fc598e4991daa512c465f3cb87f3da8da01c39ddf1

SHA512
f7a1b4a2994c1e30e0981e1ee502413bed4442a6da71115a0589fcf4a2c9ce829af96e0fa8a06e1f056719b9da6d2bc8ddd5f3e5452a2ebc58dd452d8acd2ce0

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
324KB

MD5
3aa0559311f9d4abcc20cf7bd31d4ae9

SHA1
0b4d5e8e467cb9d470a475b7ec474fa2ddfe1b29

SHA256
b36296c1261f4d1950219019de5cac245387c61c47891a1696c62b2f5ab1370e

SHA512
7c19de96e307862222aabea1fbe75bd50a091be941f677a97a7df1c1991709cdc6e2b5fc70fa483ca1bb4530b3f4bc5935ad48491925a69ec1931f7fdf506183

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
324KB

MD5
ba9574b41ef0ac2652e5cc18fa62483d

SHA1
44f322c107c89fb08a37df76c01f70f828e37230

SHA256
7d1a731c16b0bdaf2dd937b0e3fe97d6b6b4149232afe035053b2c1210bbd644

SHA512
d39ec3d1d346e64e974272bdade95bb5f00d98bedd858486dfe483268283f17c6d22b4b6307db6aeae7b8c93bcdccdba9032646a4e92a03b21c1d4efd1a11c46

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
324KB

MD5
063c15f29daec4fb12139851ca81da88

SHA1
949dc326f0c5f8162e1691c36a5634b9570d43c8

SHA256
d38e5e0b59bbcadef8bd82de7cd1a571fe671a8a28234ca2ef5537532a25aaa6

SHA512
ef42aa2f09e6df46e39faf409923b70993697f4a4045dcfc4bcaa635345804a495b6ef660ef5b5bce0928b2852d1ba407702880f6d44b26f922ae2bebfacd426

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
324KB

MD5
fdc4479d3bb31eebcd7ea32d92b6247e

SHA1
df9ab6ef2d67aa8d242907e46727b4fac3757411

SHA256
7519d8b059ef51caa14ef0e4f2504be6329af260fe9eb158bca44d5891f3fe90

SHA512
3cc3b43d7a533cf3d4afd758c7a626e2d46c71c9cbaec38e0cb09e0892100b81339140d6ff325f4c63b3cf3a495513b41d0df4f001531f7b46a0da081950e547

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
324KB

MD5
811f7020801b25b8116a21b21326453b

SHA1
f235df751ec9bbc6c3865b5100da3dd7579e431f

SHA256
73f0cbe740045ec43e3e2164d385f76a26fa3258f1fcf51b144beb128f6927aa

SHA512
3b056a311c7860cb6cc1feb1550d7c7789a4a9ee3fbd74f59e49beec1505f18100c99c23c43e89dade53c382f203bc60b0c7818110e7677e22bd5bca590b9795

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
324KB

MD5
c8f5bdb7710de8da1c6705c71e4be61e

SHA1
3b255b05864160b088e1e2224a00a2eb0bb6d381

SHA256
39a6681da2353e3d886bec7e4bebb4181deb60edfcee96f7c78ed7e4eb5b6c4f

SHA512
32bb1b6c0ad75cc15a43da69b056137b62456ee162004a659d29af885dd96a325768065fd4ba62f71a0197d9f19257ba5307c62466c390284ce76c3e7f4f4556

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
324KB

MD5
ad0f444dbbdb8729193a0e8e25f67422

SHA1
3a75016cddd167b740cafba1641a5dc4b38fe363

SHA256
a48486f8744e588596f00ab9396ccc8d602f34597c0684521adcb01144516b35

SHA512
c088dc42dae4a7d7bc9bb1537aef52d2b7e782f11e19eaeafee60e8506f9a8f4ea5cd808f929608699ad94ff75d477a704a0cfdeb2dc8ed5a167c907429396fc

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
324KB

MD5
d636eef634c263da23e67a3fc71c3cb3

SHA1
112ba1ab5de8a24fa7e62c13fcb8764ab5e34b7c

SHA256
1a8ea72ad5bd8e08fa1a4af8c4cc6e24ae6662cbf77e7c3ff96e058e255c31ab

SHA512
e2a5b7840321ee312b63d2adcf4cc09a01d40c3dbd18e52582d8d8c15a65265a714fa9076ae716c2ab176adc75baeba1ee33137d07231c5e847eee42cb82e3c5

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
324KB

MD5
b15b6864745cdf78a30b6782e9b8c17b

SHA1
909a936a90bc0cfc7159223a9481631575312326

SHA256
3d85a7fec9a3016a5e3452bba981951dd0dc65ec6aa45acdf68b73422e0d4981

SHA512
9856232662d0e51f1cb70e1e4fa66426e7d111ac4d13e930dc1a1353acfe8899493076894673c4f8feaa30349993bceb330d61afe6c22d09d4422e1bf495be6d

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
324KB

MD5
225aeb19a810c7eb380f3a8f5670ff0e

SHA1
2d96373a0b7be24518b86877727bd6fdd8a110f2

SHA256
5da3a94f6c22b421270873a02d1d81eaabf3ddc7f75c7773576f6a4a1bbeeb53

SHA512
99ee8973b2f9026a210e20794435a0b1fa81787d6faacb0459cdc5ffad3aeadc5593822860304b65883ac14f371e8dbcd8f945f6f22f94d25a2d308ed256975a

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
324KB

MD5
82e4c96b2295c5b8de406b88bd5d5d90

SHA1
8f156382ca674e542b14515c6fb12dc041ea55b5

SHA256
47fc587833a1a87156eccf92a73f75331d8a7d29e087aec3e0fd7667bf234882

SHA512
d88a54473bb65f408140f98a930e275c29162af0ba3a7a41a42770ca0d51ed0666ac5a7b5b71c334bc9f4b48e6fae50c7cea413be47f4f46702373681522358c

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
324KB

MD5
c415494fb09ef4061a8cee6a67ca096a

SHA1
1bba3faef88d5943ea4f1bf8dce530f5a62e64ef

SHA256
8f6948cc494da7bc0f4a01595cf0c32f24940c6c896bde2b1c5bf269fcc7136c

SHA512
9681baba421b124bec6a6aad6f5c2d8b3dd9ab78517952674fe549a037f3246c6aeb113319f86dec8bd453506f596c78a1aa43ed378c3aadf4b60296fb6f4a03

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
324KB

MD5
49283c9c1ebbae2f613c5bedb018fdce

SHA1
7d0712e40d48f397ac752d9fd205ab026765fcd3

SHA256
2912216cd031a14a6fc47c306a2aa6d7c37a3ac4c0ec9fb6f68f2b5dbbe701bd

SHA512
fc25a5a7962a05724a7de334d3c84f5931ea93ca5e9e6842380f7e7e261f88d93c4c0d9b3ec14dedcb2b538f79698a3c23890f7a1c4139038f2c9d1e96a009cb

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
324KB

MD5
d46c402358453ff3df4bf235400ac5d7

SHA1
940139dd7dc70a1c10b983556f7c4cb2e6f0caf3

SHA256
dcbef804b6c7dbe5478f14553f79522d9708418a3f85264cc39a9eab53d07cc6

SHA512
f8953fe7fd034390febfd931efa64eba5bc36c7d80ce622a4ab224f2e69988093aaf35756e3cf49e5588edd45a004f825e5d2a12c6dfe0df09aba0685bc575de

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
324KB

MD5
978394464a381a6a0413214f231651d1

SHA1
aa23836fafae586d9d8a26fd104ecda5022433d4

SHA256
43ca835ce896f278fd3536d9d849e720c3a45533944c61d602af4ad821d55c74

SHA512
af146a8d04dc1235e111f67e7350fcc2d4cc2fb031ae5dc4b2761472b6b55da0d14bca82c97f81d4d34868c9401bcfdba7470f6f24ed1450000941a79f2f4d37

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
324KB

MD5
52b46c6d816b3dcbecd22631f52f3e7f

SHA1
862bb73634fc1f3332350f48debcd172e923fc2a

SHA256
369c59e84b39eb622c342972f8b4bd9b4672e053429a883b47c06e6a4b3b2aa4

SHA512
528598e004320d8bc2287875b3ff0011919a4d41e12a26efbd544ee5415ee2f7d53019994faf6d993fc53d0e1aae13f341c666fce7d1d1076b8ce0d6dddb1755

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
324KB

MD5
e5533ad5f342ff453f53d4243b122ecd

SHA1
a91532a33e5aaa07e816cbd6209a0846dc8cb509

SHA256
6d950a02f38bac5813db32dcd22fcd07cab06074e5800c997cd3c45dff2d9e03

SHA512
aeffc7dfa801932388046440b0f761a9f9deac33a10c2f8dd5a10d0a13418c6e9534d64f5e5fe1acab6f024dbc6ecc745ee5b8109924987f8aff3c9fc24d070b

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
324KB

MD5
478cdd8be994961106152a086fde69c6

SHA1
e0ffda4d82ca1f0e154c4e761ea51d677f7e26a0

SHA256
e9769173fb8bd470033a8f2d54669303f3b3a750a0e6a64d147c7ca3084a5736

SHA512
f1fd93677823ef8f4e646c160ec31d10d5ed381e66c1603d0831246f0a51188ec8b5ada706bba2c46bea01bb4684b809e39cb5e7bbb15737e758a4d11eb8899c

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
324KB

MD5
64faa696bc54048e156ec562a4e4b30b

SHA1
639a27467328ee0ba897e914d71f0c419e33424f

SHA256
84a969d4e8aab5e34d21feefddc38ac8b14120087137d49fbdb99ac6940f1804

SHA512
789210d6788e4b29eb3dcf4d35f3da39f28a9fb8625c3eaebbb035b48b2f74ff2966700b4b029cb3bca37bd8e9cb33aec67cd77e789d39fd0a409b0c0c43a407

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
324KB

MD5
bb27771adf0c4a21f25d2ebc07d5b05a

SHA1
b2688c703a37c832c2c6b65f5146e5b6da5350eb

SHA256
913a078861bf248bdb6ab36999587abaa0aff4ee965d9e84505155275dda4252

SHA512
17bf79c918518e1c5d140378d26fc934fb6ad0834ff1bb228e2012f31eed2857583a88983ae4916eed4616da76835f1fe69e649f38fcc2de9f94ec05639cc6a0

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
324KB

MD5
504cbb632e410dd6b0437edcc94b3229

SHA1
f148c66feedefa79402126eba7dd7f2183dbb12f

SHA256
0e423e95905a13a099c594a8e435c989d4d31f46851a39b72c27cb2392f31577

SHA512
53123742d1a1910d736f920290d1d2f552c0338936e0e0ec778e3102c3524aa6ca610f9d1d404bb16448ba842c9b664422edbdb4a6b10aa70fde9ab5c6f1c351

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
324KB

MD5
34bdfb35f472f32eee46dc3698f57d23

SHA1
fa07e01f59372e4daf42aab9b94ab40d33c05421

SHA256
e1ebc8fe5de8a5948fd9e549cb17acff762e4c3ade34b5a169637f2739d8493f

SHA512
1527cfc98309c6c4f4f0f682ef436aed248c3bf312f520fe6d7c552b6f9f47b9b5efd4013dec0d426730c6c98657bc526f9a44c8bc59a4606cf60df7e0880571

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
324KB

MD5
e8ea3a8a953a5c9ef7dc17fdb8dbd4c4

SHA1
5fc8ceb5893cf11e7af5c4a404b3e980cd1bfc8e

SHA256
b4188a8f39a43f932f131ddca8cee66a8714c5bfe8964e6b7bac4ff524b52075

SHA512
dc53fa8e95bf501e5a42ee0ca6dbbcbb28eea8c81082b869d3335dc70982a3c2fbf886628ee74e4c234eaf52a41c477d96f9229319baf2c8c8cf869668c4ad4e

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
324KB

MD5
d92b43c16a0ca1e1f7845c3761f47a7a

SHA1
82b63c451aae5a02c0f47d1991c84340e0c27302

SHA256
2862d76f7949041bc7b2605b8988d2bfc1c5056455ae9780475fbdb1a0c8ed06

SHA512
96ff3fc098066ebc15aecadb1c16ba15d324158740285ff070ad92c018b219881c96b2057f7cee82b56a5b85a6949f23e31ebe55a9a14ae28dfbd9047f73e9f7

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
324KB

MD5
2416c79182e665eca729343e4d1442ee

SHA1
0281feb190dbdde9eb4576fc50b722d8a3b2c5cb

SHA256
a2ce66578d08d3b649bafc08a2067b32a35a4035ad42437a03240a362219eb3b

SHA512
97f4cfe4b94436ff43e457f6e8ee32ee4a087c906f1a6bf28d6c7c62e624295150d65afec7ed9a426973878f8f85f2dea6b1232153e80d58074e1ad17161bff5

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
324KB

MD5
64a928d64a0c6c7b102ec33d75416fca

SHA1
f8b73a9f81056b3cd7fc8ffae6625b25fe92de35

SHA256
dbf2c468c5b767cf7a8b9ab623e2e725b8782930ab124246c82cf92da77af1d6

SHA512
02eebfa49e6fe3e67a7391b2038db353f78b99eea252cf4e91f7315505c70357557bccbce0333a527dcddeebedec2e2a2c3a30fb6bb8c639cc065d5f0bffb8e6

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
324KB

MD5
ac200078a7fac21c8735553b09425777

SHA1
b662a0591ad8a04c9572d4e40448140a518fe706

SHA256
cdf00bdba7d1a3601f04be0f31cada73b40cac1e7d3ca7d146a9b6fb4042bb33

SHA512
a915c96423150ae49b386d6c1937be354ffe94cd24210e5d7a62fa90922cf2b1d050d03a3eae8011deebf3f5cf426f24c156ff3ab60da237bb79429cf0a222c5

Download Submit
memory/416-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads