eb230ef0844f3d199d2d8df1c2455d9676dd9438e758c8a34f9221d676d1b54a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
Size

96KB
MD5

16b41ab7006fc41eafbd7e8e0ee91270
SHA1

d60cb6e92d6ed916a9c888e8f76ce73cf2640927
SHA256

eb230ef0844f3d199d2d8df1c2455d9676dd9438e758c8a34f9221d676d1b54a
SHA512

791b9f09ad546253edb940ae190e82e3c44ac5de5f2c650c1b180bada798080f1e207b40c4963808476fcd3d31bab5690947977f0b7758739e2b99c70f23e43c
SSDEEP

1536:keXrBSKLNybnLiSitzu/nMQ1WJinH4ARQ+jTR5R45WtqV9R2R462izMg3R7ih9:ksuCtzuoJCje+3HrtG9MW3+3l29

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe

Executes dropped EXE 37 IoCs

pid	Process
4788	Kcifkp32.exe
752	Kibnhjgj.exe
1188	Kpmfddnf.exe
4024	Kdhbec32.exe
1140	Ldkojb32.exe
2516	Lgikfn32.exe
2956	Laopdgcg.exe
4236	Lkgdml32.exe
2524	Lpcmec32.exe
2240	Lcbiao32.exe
1492	Lilanioo.exe
1596	Laciofpa.exe
3036	Lklnhlfb.exe
1752	Lphfpbdi.exe
5084	Lknjmkdo.exe
3188	Mpkbebbf.exe
1724	Mgekbljc.exe
3364	Mpmokb32.exe
3340	Mkbchk32.exe
1832	Mamleegg.exe
1580	Mcnhmm32.exe
3556	Mncmjfmk.exe
3356	Mdmegp32.exe
1540	Mkgmcjld.exe
4080	Mpdelajl.exe
4828	Mcbahlip.exe
4068	Nkjjij32.exe
3600	Njljefql.exe
4640	Ngpjnkpf.exe
1556	Nafokcol.exe
2908	Ncgkcl32.exe
380	Nnmopdep.exe
1544	Ndghmo32.exe
4928	Nkqpjidj.exe
1732	Nbkhfc32.exe
3152	Ncldnkae.exe
1348	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lklnhlfb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	1348	WerFault.exe	120

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 4788	1588	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe	82
PID 1588 wrote to memory of 4788	1588	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe	82
PID 1588 wrote to memory of 4788	1588	16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe	82
PID 4788 wrote to memory of 752	4788	Kcifkp32.exe	83
PID 4788 wrote to memory of 752	4788	Kcifkp32.exe	83
PID 4788 wrote to memory of 752	4788	Kcifkp32.exe	83
PID 752 wrote to memory of 1188	752	Kibnhjgj.exe	84
PID 752 wrote to memory of 1188	752	Kibnhjgj.exe	84
PID 752 wrote to memory of 1188	752	Kibnhjgj.exe	84
PID 1188 wrote to memory of 4024	1188	Kpmfddnf.exe	85
PID 1188 wrote to memory of 4024	1188	Kpmfddnf.exe	85
PID 1188 wrote to memory of 4024	1188	Kpmfddnf.exe	85
PID 4024 wrote to memory of 1140	4024	Kdhbec32.exe	86
PID 4024 wrote to memory of 1140	4024	Kdhbec32.exe	86
PID 4024 wrote to memory of 1140	4024	Kdhbec32.exe	86
PID 1140 wrote to memory of 2516	1140	Ldkojb32.exe	87
PID 1140 wrote to memory of 2516	1140	Ldkojb32.exe	87
PID 1140 wrote to memory of 2516	1140	Ldkojb32.exe	87
PID 2516 wrote to memory of 2956	2516	Lgikfn32.exe	88
PID 2516 wrote to memory of 2956	2516	Lgikfn32.exe	88
PID 2516 wrote to memory of 2956	2516	Lgikfn32.exe	88
PID 2956 wrote to memory of 4236	2956	Laopdgcg.exe	89
PID 2956 wrote to memory of 4236	2956	Laopdgcg.exe	89
PID 2956 wrote to memory of 4236	2956	Laopdgcg.exe	89
PID 4236 wrote to memory of 2524	4236	Lkgdml32.exe	90
PID 4236 wrote to memory of 2524	4236	Lkgdml32.exe	90
PID 4236 wrote to memory of 2524	4236	Lkgdml32.exe	90
PID 2524 wrote to memory of 2240	2524	Lpcmec32.exe	91
PID 2524 wrote to memory of 2240	2524	Lpcmec32.exe	91
PID 2524 wrote to memory of 2240	2524	Lpcmec32.exe	91
PID 2240 wrote to memory of 1492	2240	Lcbiao32.exe	92
PID 2240 wrote to memory of 1492	2240	Lcbiao32.exe	92
PID 2240 wrote to memory of 1492	2240	Lcbiao32.exe	92
PID 1492 wrote to memory of 1596	1492	Lilanioo.exe	93
PID 1492 wrote to memory of 1596	1492	Lilanioo.exe	93
PID 1492 wrote to memory of 1596	1492	Lilanioo.exe	93
PID 1596 wrote to memory of 3036	1596	Laciofpa.exe	94
PID 1596 wrote to memory of 3036	1596	Laciofpa.exe	94
PID 1596 wrote to memory of 3036	1596	Laciofpa.exe	94
PID 3036 wrote to memory of 1752	3036	Lklnhlfb.exe	95
PID 3036 wrote to memory of 1752	3036	Lklnhlfb.exe	95
PID 3036 wrote to memory of 1752	3036	Lklnhlfb.exe	95
PID 1752 wrote to memory of 5084	1752	Lphfpbdi.exe	96
PID 1752 wrote to memory of 5084	1752	Lphfpbdi.exe	96
PID 1752 wrote to memory of 5084	1752	Lphfpbdi.exe	96
PID 5084 wrote to memory of 3188	5084	Lknjmkdo.exe	98
PID 5084 wrote to memory of 3188	5084	Lknjmkdo.exe	98
PID 5084 wrote to memory of 3188	5084	Lknjmkdo.exe	98
PID 3188 wrote to memory of 1724	3188	Mpkbebbf.exe	99
PID 3188 wrote to memory of 1724	3188	Mpkbebbf.exe	99
PID 3188 wrote to memory of 1724	3188	Mpkbebbf.exe	99
PID 1724 wrote to memory of 3364	1724	Mgekbljc.exe	100
PID 1724 wrote to memory of 3364	1724	Mgekbljc.exe	100
PID 1724 wrote to memory of 3364	1724	Mgekbljc.exe	100
PID 3364 wrote to memory of 3340	3364	Mpmokb32.exe	101
PID 3364 wrote to memory of 3340	3364	Mpmokb32.exe	101
PID 3364 wrote to memory of 3340	3364	Mpmokb32.exe	101
PID 3340 wrote to memory of 1832	3340	Mkbchk32.exe	102
PID 3340 wrote to memory of 1832	3340	Mkbchk32.exe	102
PID 3340 wrote to memory of 1832	3340	Mkbchk32.exe	102
PID 1832 wrote to memory of 1580	1832	Mamleegg.exe	103
PID 1832 wrote to memory of 1580	1832	Mamleegg.exe	103
PID 1832 wrote to memory of 1580	1832	Mamleegg.exe	103
PID 1580 wrote to memory of 3556	1580	Mcnhmm32.exe	104

C:\Users\Admin\AppData\Local\Temp\16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\16b41ab7006fc41eafbd7e8e0ee91270_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\Kcifkp32.exe
  C:\Windows\system32\Kcifkp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\Kibnhjgj.exe
    C:\Windows\system32\Kibnhjgj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\Kpmfddnf.exe
      C:\Windows\system32\Kpmfddnf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 412
        39⤵
        Program crash
        
        PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jifkeoll.dll

Filesize
7KB

MD5
ba896bca52441e999b6ed83b69e84651

SHA1
a2024693a64f8a05839348d1eff3908fdddae9bc

SHA256
2e8ec81ed5f0ed86f78a85b4d47b64d7eb50111cddfbee7af29621d0e0d106d3

SHA512
bcddb4ac4c5b11f8f0721eb19d5f643a2d73b5634da94322c800f85c2efbfb5c6e2f229de4c7a4aac7e7c5b514ec7d60f6c136959dc9776626e7f812da59cb25

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
96KB

MD5
4621bbc76581d5b8d86649f24b7fdd89

SHA1
42c33b3aa0489b53513dd0097f135508944fdda8

SHA256
8c03bab0a31cae1f3041afa49eb5a487da6f832e939b5cf198a8edf8f9ac8dd7

SHA512
bb825ad37ab5dd3da36c4a138e61cf202fd70188bf4c10996d1fd74632147c093391d2a116ae779c241236ae295350730de432882f33df0b792d0fc1c0053b9b

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
96KB

MD5
65a73486f589a08a87005d4805a8eea9

SHA1
0d7e1eef0e9fd237137e6c697f908e5c07de452e

SHA256
0c44974edf276942448546f6c511ad0029233cc6880dcbd2d264b241b645403a

SHA512
dd36ba80ae1f396cb632bb7fae28ce46bf646283dfe37a707b8d8f04917adaca288d47ac6d2896bca0caeb9e22197ebb437e0bc2727cb198074b42d7de67686c

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
96KB

MD5
d01506303a6578a318dcd41871c0f56d

SHA1
28067178efd9b420332bf45ec9a9ebf362967994

SHA256
c60df698ab1ee1fa9454995b5c64c7c2833a5a39eb76f2ad4a841284b7c506dd

SHA512
15e52ec2a857b1d55c2a8d12ead69c59d9b239cae2e2585a1c7b55d32837593ee1f2fd5a9a1e002b36f39d8e31aa2c347e8a6f2bed41baa4bcf9f22884176f58

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
96KB

MD5
b723b5873fcaecb64f65c95416d3a12c

SHA1
cf6c82ebe8fbd70941dbfcdde5adcd338ef8514e

SHA256
df8f0e681618c1dc6849a874781a0c4096fb0178965f66f420ff120a9bb4cb0e

SHA512
bad4ce52023847cd7377e76f1b2eb4d3d97961636de4b09ca89cbb966eb8cf96ca2e15cc947ab15aab26afb811e4f6fc3e121cac8188af77e6e0f79cbb280d2b

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
96KB

MD5
bc4304a6ef0a6bc49834e1c94c0e56a6

SHA1
74015ab14bd99c179be89c1dd9031917888a103b

SHA256
5f2cac55bf2f6bf1b38fff55f9ccd9f908ab1576d0ded22802701ba125d408d4

SHA512
884bb1c6da131acc791d0924b42a1162b3db5041210c8b442d62d8ac8335124f01a759664ca674d6ad3916c44df6fdc710395112dd9923cfb700b14a787fbc62

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
96KB

MD5
1c7885b4f615d4a06ec37333e48d0556

SHA1
ea384978bbf65776275915bed7440ec6781a4761

SHA256
51acad997935df978507492712b08847f28d2dd04081cbf0ac1bcdec730ec6df

SHA512
50f13ca827f69ed8a58de85c475c5aa60fc370d0db14080b553c5f6c57515f50105f8c5ca11f34f04e0614ef528d5f5ab65a67c4d013be055ec33e9c0441c618

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
96KB

MD5
16e53fc46140095b317b2ce3b2789486

SHA1
16e691488048d56982bdd4aa7149f0564cab14af

SHA256
5043ac35aa01d6289e0fe0d0f58a1919ccdcbd0ec15243e1f6ca935f9df4ad9f

SHA512
0fcb93dc0cdd169076cc226e3e950d0bc88a7e6a0270c8dcfa59d9566e7efc9a3f330cb32c5a55e8ed13afe3238003d32a25b941e68dbac2909ecc9a7db52cd5

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
96KB

MD5
6fdd5219a41ffd9e1e96e3d14aae7625

SHA1
0137ae3fe968fbec9a52b85c2e9134ae38cd7341

SHA256
accafda74a07294419dbc62edcda5364150ea002cb17ff99f0864c952cf0a034

SHA512
e81067f7528374582bf75bce7f07447e6ac78882f8adcb532ab849fac6901dfedf021166cfdf542269750d37b07da02d0d305558faa47ea7e82207f453f7694a

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
96KB

MD5
5799a0aeff4f16f426346eb5fce51947

SHA1
f3bb1e78a119761201bc2cc57a73d76a4f675eb8

SHA256
29d2a8b594e3531c8193bbffe602914a68ed143c4384aec4d52bf4eda4d0df46

SHA512
59dbaff7eef35bedfb6b028f500e38cf989b8afb25d3dbb88b5974bef6371ea158e958f8a3c394c66fdedbceb6fc31a2d68804ba4ee1502f114878ca1a492fd5

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
96KB

MD5
2e2c73d5913c10a1b8bcd1d16030fcd9

SHA1
7064fc68bae6960da98bf1e861688f677585fdab

SHA256
3145c281a0f6592df69ab99d21ab8d20e58aa75004d5360034ae72f5d406aaaa

SHA512
b053a0b8daf0f1d267f923762f88a2ebf921248e4307ecb51680b920b52a5848be00043a3561b444847039f9e6fefc7e963ea59a42dabbf26d741a5455169c83

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
96KB

MD5
fea3b53cf272e5b984e7175d39a8e3ca

SHA1
27c27e6728faf6a86e8e5c9a9743fdbed9a66006

SHA256
8c880cca12782271c128324d32120c098a7ffcdcf62adad905969ac9ec383637

SHA512
bb6f3996aa139cc02d42069af2f94bec5406d35af22a84d77eab07d157fb714332474f11e9deba344a07762ce36f30eabf5b6b54d55c54728e519ba4166e0bd6

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
96KB

MD5
718af1571a6e10e16c0bdf3d1356c0b5

SHA1
0f78468faab4c871f07eb579a1411867e029ada9

SHA256
952dacfed347655cc426e59260cf3a51cee9067c4ef961033c4aa08de4a3353d

SHA512
eff2a9dd9fa42d39d6dfec4e10559d6bf9ebe20b9e912c089e2873dd9376398935f04e5ccc194fe443601f085f7841cf025b651b8933c630b2efb3b2e9bf9253

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
96KB

MD5
a82acb7643eea8dab2973007bbb4a238

SHA1
697982824373ca125f39ebea13f38dfe53f7d114

SHA256
08ae6a1bcc2d8f2867936259dbef863b5073655b121b0b476295656d60ef749b

SHA512
68c4e0362f2ecb17a733bb2e6747dcdddc76c10f314131a1ee81c0a0a0fb7871bda1f48c2165f9b95dff4ed391c87dfe10e5341c463352045b94886c7ba991d0

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
96KB

MD5
1b785d31026629d9743569e01adf51c1

SHA1
9b95fe1045983718da4bcba777ab30ec0085ca71

SHA256
d1c3a64207a63af99a7815883a13dc033dd99af5de83483ed8faaa7664d8612a

SHA512
2a419dcb3127f11fc71c8dc0c2046e7540200afc10ead02353061d83e7b18f1b6d528858a30a1f06f09a0d6cc3c68c8d1772cf87e6591140e7de895d82568e00

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
96KB

MD5
8c460de237e5558964b5bd0df935368c

SHA1
b2cf3f9d58cbd97be9a8ccf0d51e9b9a68aaac5e

SHA256
986d965238eb74fd92aac855a8898ef14a1064dddafa8bd78be593908ca0b5c8

SHA512
37ac4c89ee852d1fc9019d116fe17e988d487050ff0b503c21a3defd3092b3f06d2b0b28018e36d52ade77d2e5a8b7d692911783e4142597aff3e5ab1ded582e

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
96KB

MD5
0d3c886aed710e0cecb6317f714f55d3

SHA1
625180dcb3708d86f2fb2af5fda54ebe3f84d393

SHA256
8b356628c3475e037eeab753106fdbfe43cc00b11be8b76e12bc13ee8694ae2f

SHA512
16208a7a31c061525df51af49f0b6460f133314ecde0a852276e5f91946194065e210bd20b777c8d8eb918e16aa2ff396da4c8148cf2218ddf51e7412e11915e

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
96KB

MD5
e17b71c20ca9cced6b4d77ad81e58b4a

SHA1
e5768c05d7e96fbcc82aaedd87fca4ed342b0bf6

SHA256
de4d0d1a7adf3c146b57a255f9e0c706e24ce8510b665cfbe8bf7ad18607744f

SHA512
02ae3711f91dcb777405a215aedd336d43eb9efbdb7c9a18c5c3ccce9629530a5cf3d9891262a28e6eaecc0a9d41b4f77f1b2ef0cf149830ed0df488288a96b4

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
96KB

MD5
82e9465e4ea969a0523e22a1f3b05041

SHA1
a6acc2e2ea4a674e8bcb74f1912fcfe705c52955

SHA256
fdc3f6176fb7c12746d9863a033a8f0676573a59a501b121f60a039bd2c0fa6f

SHA512
82d434eec45cc5619b9a1cda071b92e57ce0be7858f2eb45956689bc862a2dce10300c2b94ef81c44cf94f5cd44cdbd5aed740d1fc7657ef5bfaa7b74b5dfdf3

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
96KB

MD5
476fa7fae79de4edeec08ad84c5ffd64

SHA1
009867ec7f7f3976049a4b8e2983b5cb292434b9

SHA256
34a99661f53f4058a30783273726de100dc6d8aac38b25b0923a60849d300c4f

SHA512
80ad003d6a2eab2fecebf971bebee6b31efcdb91c717d6a555b206478fb8aeba1a416152c2ff58b8e255d8a9af1daaec2fa0ecb6e15420a848108515dfc2ad21

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
96KB

MD5
3941deaf372d2c272e249bd941aef1a5

SHA1
8df6f46bfebf0d8419b2d9924dd801036791c3ad

SHA256
343fe02b44724dd3b3df39a251490679b5147874c8ddebf887f32f70b3681384

SHA512
8170558ccc7fcbbf15e5040ec7bebd0d442034e67660bfdd45af092afa35a6fc5e4e0d4681565b711a030a7caf4133da9c6e093760dc5502b9450fe3282c098d

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
96KB

MD5
beabd8c70dcc8e6303fde48815676fbe

SHA1
2d35b616153339a17d0e731fdfec435b73988b68

SHA256
819fc4b812ab6845638f249d3fa5f194c3a566dae352e20c8a6cadd7ce8ba691

SHA512
eb22fdf64a7db969df0732c481293a247a97842bc068a35c3e56b4f71f99993ef00e42593c7e6c6c7fbeb866dea4f4aef4b537605f7f2d42670ee14c42cf8597

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
96KB

MD5
4dd087303327c3c1b2266e0f6721b396

SHA1
cfb07b43b185ba06145e536ef37d3b6ab17a4257

SHA256
9f57df400689f551feda994c9393d257891f1767aefe3996bf622b73b3afb681

SHA512
4577b5ef949082a239c391c17ddbec4b882afe4800d990f5a5eecebc76194869d39c4cbe96579c31beda5e05f9997282ac9ba3f73757dd31d0c9a0f02ee3ad02

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
96KB

MD5
c4e128b25a091c77a3d25f79e71a0a10

SHA1
5c71ec51aa6f66729a9d8fcb728f2391b995c444

SHA256
1d53e38f8da987983254174c0f4511de623c21decbc2e96a762cc524aa44470f

SHA512
5c6590f07972508270fd81125c56fb9775980125c40cd8d2bcd7455408dab9faefc2563ed001eacefc29ab5bf53e864a44898749807493608c6d059401ce1a63

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
96KB

MD5
5387ff68333f048a8cd140831e42ef56

SHA1
52a5940d1608292719e052e1e0e270b8a750d451

SHA256
c4d75cbfac128dc3be981856e82ef6538e3297d55f9f05f22c5e4defe56528a0

SHA512
9bba9c0628b269e95ef6b243f103bf078656a16ef259c7991fd58de56549e8f7ec5569a298c45f5c70d7fb5fd2d96675bac768230e581b97bd5b1b154afbed14

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
96KB

MD5
9146d8a2299877e5e18bdd3d852568f4

SHA1
aa82a26d758d964dee22c4bf2bbd7713e826d7f1

SHA256
0cacd4a6bbd59e75f7064e09dd76c5f085318f925b214bb3f362e6d2b1d1c828

SHA512
bbf7c7c7343c40fa9e8352ed4dc27144a0535de1c8c541a3c08eb297d1c41b3318410e0adb59a770a2e867e23ca26cc37ca9ffa049f3a14d6348698d52783d5b

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
96KB

MD5
d7a6cd2c292aa389d3d163105b62904a

SHA1
e89efc6b339430ff0fb65a765e3a1ace3c0cb6e1

SHA256
b0b767e62c53fafccaaa72b9be02727ef2ec581d8bb69881b5ef461873ed301b

SHA512
83c44d845a7a230a3ffaeb8c29c1876c8ca227e932b14f0706059ca2394b7c50b3513ad634d65f4a1a8123eaaa334f556a078f7cda6797bbccf0d664b05a05b9

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
96KB

MD5
f249da6b487fc3b56cd343a1e8ed181c

SHA1
005de587045e01a73189713fe443b34d743fdd8e

SHA256
9c2690d5f4aebccdca0d6e9d65d472aa5ab56852b0ff3c4aa8853fbf41302047

SHA512
18a97345af29e74f102e161e04675e9f3203314185a7e0690d5487f5502cca8912bcf6685328cf85dac658e465dbb2a7efb1072522b311257c9787bd3b89f63a

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
96KB

MD5
73d849a5f66bd5bf480584339e51341a

SHA1
cebe074573b6f31195090cc91faf7bca4b9b8eef

SHA256
f16068506b74850c61590403707f8f5f02e58d941a57fc2d8b59131ffca04968

SHA512
1dd680d4a9e48162b5604622881b6a390f16c1917e1d24f1fe7aae073a6079a4353a1b35cbba457ee7479af3467042424f2cdbd6f652e1ee9f33a89e1e7218b3

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
96KB

MD5
44c88978b5d0c138460891e733391d08

SHA1
65914699de7a722c5b3e1dbe96c838249849b893

SHA256
73bb4dd5c02e8cc0a62ec5d445aef5f77d3b366cc7f973580b60b82d2eab8053

SHA512
b4e2df8920892736663a96b09be152ba036ee8bcb6a52919610a167f6874f406d8385dd9aa267b1126c4c2eefc51f01ebedc0ced1081bd93a4479ce17151f64e

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
96KB

MD5
294aa435b39bdfadb5bf927208f90937

SHA1
ba1f7e1232c85446d37d2966e315bd4d0227a54c

SHA256
5a7fdb9edc36ebbd5c7c31d06dabcc0841f75d2f051e7eb827fbc833b776e5a4

SHA512
559018bc53d44f168d2b2e788402ff3fc0c2b96fb4451ce1228a7a08037b7516d4493a020ad67a54220f4c5eadfea6951fa1de79a4507bed5859b2106b8d73eb

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
96KB

MD5
e95864a2aaea999cd4f138f2e4fbdb57

SHA1
882a928a5e36bb34456f8fb6cef7cb34eb916fca

SHA256
e7bb3f7b4adcee2cee6609381ae5ffd3133d46c2ebcb11efc0af387b3c8921e3

SHA512
6a31c89b11a765a00cb35db5cd98fa3e6911295f4f0d08848f036860551607486b13dad13cdf4b802f0d9c67e43fee71d4600d9806617a67023e6cb6c89f613e

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
96KB

MD5
172a87f5c5d6d83087e4b1228663a3f5

SHA1
fd86bbcc3eb3e10c4924626610d8c85fbf3f581b

SHA256
e7cfeac82f75d3bfa682fe648910adceb3a722a2f3bb8097a37c82ca3a038ffb

SHA512
1df44de6c26a884edfcd19d01db04d7b215a9407579ef0317b0975da27a5e84e9992829c05b2c0946f134eee984085d18f3268c0c5b92642eca0c6564168faf6

Download Submit
memory/380-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1188-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1492-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1492-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1540-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1540-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1752-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1752-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3152-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3152-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3340-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3340-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3364-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3364-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4080-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4080-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4236-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4236-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4928-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4928-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads