86fb6effec39fa2ce4481e6a6ef7f07a216fa784d1cd1644563812bb9a655d30

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 11:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe
Size

90KB
MD5

10555790a1fba3adc1b0a56f2861a050
SHA1

f1b1b2ff6dcb56a5839a97eb57fbe5f102c448e0
SHA256

86fb6effec39fa2ce4481e6a6ef7f07a216fa784d1cd1644563812bb9a655d30
SHA512

14c29bb850f80831ee7ac5bed0008ab93ba829d662ec1cf8dd7abeb772f3658daffb01c07fa01bda79958c57ee12a6d6ac6ea1741ce7a4c27cc8fc21590b92b9
SSDEEP

1536:MSf2tOiqicevKXkMi8H/3cFo+0KeQ5M87Guu/Ub0VkVNK:gOiJc7fcGQGuu/Ub0+NK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe

Executes dropped EXE 36 IoCs

pid	Process
3232	Lkdggmlj.exe
668	Lpappc32.exe
908	Lgkhlnbn.exe
3696	Lpcmec32.exe
4908	Lcbiao32.exe
1608	Lilanioo.exe
3560	Lpfijcfl.exe
3652	Lklnhlfb.exe
3712	Laefdf32.exe
1380	Lgbnmm32.exe
2696	Mnlfigcc.exe
2788	Mdfofakp.exe
2536	Mgekbljc.exe
1872	Mpmokb32.exe
4448	Mcklgm32.exe
4156	Mnapdf32.exe
3120	Mpolqa32.exe
3420	Mcnhmm32.exe
4400	Mjhqjg32.exe
3228	Mpaifalo.exe
4032	Mcpebmkb.exe
4352	Mkgmcjld.exe
3592	Mnfipekh.exe
2052	Mcbahlip.exe
2284	Nkjjij32.exe
4304	Nacbfdao.exe
4824	Ngpjnkpf.exe
2224	Nafokcol.exe
2856	Ngcgcjnc.exe
1004	Nnmopdep.exe
2388	Nqklmpdd.exe
2792	Ncihikcg.exe
3208	Nkqpjidj.exe
5100	Ndidbn32.exe
4868	Ncldnkae.exe
4848	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1320	4848	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 3232	2608	10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe	82
PID 2608 wrote to memory of 3232	2608	10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe	82
PID 2608 wrote to memory of 3232	2608	10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe	82
PID 3232 wrote to memory of 668	3232	Lkdggmlj.exe	83
PID 3232 wrote to memory of 668	3232	Lkdggmlj.exe	83
PID 3232 wrote to memory of 668	3232	Lkdggmlj.exe	83
PID 668 wrote to memory of 908	668	Lpappc32.exe	84
PID 668 wrote to memory of 908	668	Lpappc32.exe	84
PID 668 wrote to memory of 908	668	Lpappc32.exe	84
PID 908 wrote to memory of 3696	908	Lgkhlnbn.exe	85
PID 908 wrote to memory of 3696	908	Lgkhlnbn.exe	85
PID 908 wrote to memory of 3696	908	Lgkhlnbn.exe	85
PID 3696 wrote to memory of 4908	3696	Lpcmec32.exe	86
PID 3696 wrote to memory of 4908	3696	Lpcmec32.exe	86
PID 3696 wrote to memory of 4908	3696	Lpcmec32.exe	86
PID 4908 wrote to memory of 1608	4908	Lcbiao32.exe	87
PID 4908 wrote to memory of 1608	4908	Lcbiao32.exe	87
PID 4908 wrote to memory of 1608	4908	Lcbiao32.exe	87
PID 1608 wrote to memory of 3560	1608	Lilanioo.exe	88
PID 1608 wrote to memory of 3560	1608	Lilanioo.exe	88
PID 1608 wrote to memory of 3560	1608	Lilanioo.exe	88
PID 3560 wrote to memory of 3652	3560	Lpfijcfl.exe	90
PID 3560 wrote to memory of 3652	3560	Lpfijcfl.exe	90
PID 3560 wrote to memory of 3652	3560	Lpfijcfl.exe	90
PID 3652 wrote to memory of 3712	3652	Lklnhlfb.exe	91
PID 3652 wrote to memory of 3712	3652	Lklnhlfb.exe	91
PID 3652 wrote to memory of 3712	3652	Lklnhlfb.exe	91
PID 3712 wrote to memory of 1380	3712	Laefdf32.exe	92
PID 3712 wrote to memory of 1380	3712	Laefdf32.exe	92
PID 3712 wrote to memory of 1380	3712	Laefdf32.exe	92
PID 1380 wrote to memory of 2696	1380	Lgbnmm32.exe	93
PID 1380 wrote to memory of 2696	1380	Lgbnmm32.exe	93
PID 1380 wrote to memory of 2696	1380	Lgbnmm32.exe	93
PID 2696 wrote to memory of 2788	2696	Mnlfigcc.exe	94
PID 2696 wrote to memory of 2788	2696	Mnlfigcc.exe	94
PID 2696 wrote to memory of 2788	2696	Mnlfigcc.exe	94
PID 2788 wrote to memory of 2536	2788	Mdfofakp.exe	96
PID 2788 wrote to memory of 2536	2788	Mdfofakp.exe	96
PID 2788 wrote to memory of 2536	2788	Mdfofakp.exe	96
PID 2536 wrote to memory of 1872	2536	Mgekbljc.exe	97
PID 2536 wrote to memory of 1872	2536	Mgekbljc.exe	97
PID 2536 wrote to memory of 1872	2536	Mgekbljc.exe	97
PID 1872 wrote to memory of 4448	1872	Mpmokb32.exe	98
PID 1872 wrote to memory of 4448	1872	Mpmokb32.exe	98
PID 1872 wrote to memory of 4448	1872	Mpmokb32.exe	98
PID 4448 wrote to memory of 4156	4448	Mcklgm32.exe	99
PID 4448 wrote to memory of 4156	4448	Mcklgm32.exe	99
PID 4448 wrote to memory of 4156	4448	Mcklgm32.exe	99
PID 4156 wrote to memory of 3120	4156	Mnapdf32.exe	100
PID 4156 wrote to memory of 3120	4156	Mnapdf32.exe	100
PID 4156 wrote to memory of 3120	4156	Mnapdf32.exe	100
PID 3120 wrote to memory of 3420	3120	Mpolqa32.exe	101
PID 3120 wrote to memory of 3420	3120	Mpolqa32.exe	101
PID 3120 wrote to memory of 3420	3120	Mpolqa32.exe	101
PID 3420 wrote to memory of 4400	3420	Mcnhmm32.exe	102
PID 3420 wrote to memory of 4400	3420	Mcnhmm32.exe	102
PID 3420 wrote to memory of 4400	3420	Mcnhmm32.exe	102
PID 4400 wrote to memory of 3228	4400	Mjhqjg32.exe	104
PID 4400 wrote to memory of 3228	4400	Mjhqjg32.exe	104
PID 4400 wrote to memory of 3228	4400	Mjhqjg32.exe	104
PID 3228 wrote to memory of 4032	3228	Mpaifalo.exe	105
PID 3228 wrote to memory of 4032	3228	Mpaifalo.exe	105
PID 3228 wrote to memory of 4032	3228	Mpaifalo.exe	105
PID 4032 wrote to memory of 4352	4032	Mcpebmkb.exe	106

C:\Users\Admin\AppData\Local\Temp\10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10555790a1fba3adc1b0a56f2861a050_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\Lkdggmlj.exe
  C:\Windows\system32\Lkdggmlj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\Lpappc32.exe
    C:\Windows\system32\Lpappc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\Lgkhlnbn.exe
      C:\Windows\system32\Lgkhlnbn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        35⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 412
        39⤵
        Program crash
        
        PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4848 -ip 4848
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
90KB

MD5
e7de54c05b69643138955661f5d94c0f

SHA1
1a6a6cdd65f39feb653c9c7c5ace9e07774b8faa

SHA256
13dc6cee810f48d5bbad3d042111913ece3c34627323d04b127e7b70e5f0eb87

SHA512
d8724d7bd5907d3c27a0336dffb3159f5c3787b813c08de73cc444aa601a73b204177cb3f061b32e5ed6c7b9710ebfe3545c0995062ede5f7dfbb7e046285cdc

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
90KB

MD5
2356d624e7301f3d6c8463cf7644ba3e

SHA1
e7f40052eee015b468fcd74c70dcdc6e5128a9a8

SHA256
653879c410bd623da47664ec610b655b84824d3dc54147eb51907cab3a5b2ad0

SHA512
0ec4552ccf5dbf76ff4f87867eb2c33d1704fa992e3dab9415d2e35bb749df2a1a4626ac256fbae2a71ddba8330c5ea9eb5e059a6d52979d8df436679f761d66

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
90KB

MD5
90d334e3388c1bef295de5c1623baa77

SHA1
38c5643e1ace5b5df8d3ce3f332025c613c4c2b0

SHA256
2f55d23dc2c2fa0eef01cc0476cea967872205d5ecf2e7e0d0bf8011fac6687d

SHA512
df1dc56c4e04278ae91e2cd7e92aaf3bb867cf0e73f9046b912b74f7178f1366696a66da427eac45d1d6a0945f2e8a28877a78c37bffbe458bab7823e3cac4b6

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
90KB

MD5
30f78ea4d1f37dba50e69a494ac67013

SHA1
4e2b34ddf10aa7b90f0d959d2a360b44fd7f7fa1

SHA256
2ec730e5389c93badce843d70af4560fcece376bd54b85fed82bd535cbfc01a2

SHA512
5ba00f4b91316d58f21e60a0b3abf7d9966adda7e6ada943ebf88a55c660b65fd65dca256eb358a53b7e77154896fe288b9d146aec9de465410f0790fdcda829

Download Submit
C:\Windows\SysWOW64\Lidmdfdo.dll

Filesize
7KB

MD5
888b1179bf773d7f5c29aaf67292bfc3

SHA1
bcba9fec2e7403c63f85cde914b8a344be85a4c2

SHA256
38b59d124edb9ab40c37651664a50dc4432be5af8d90124d5f337f68dcaa1506

SHA512
123986719d0bcecc26ce191a1bbdb390ae4fe293f1ed7de9e6a2364888e7d6238abd683bf81704c6d451ee68e12c7d70d3f9058b6e2d24c05dac26b97de9c314

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
90KB

MD5
a9e89d96212628f4e7e2d7623f272d96

SHA1
866d9236c80c7c8c76912e1ac22613aa91803ccd

SHA256
365748b563007220a42037a465e750ab921f2bf6c272bfa471bcb8665d22828c

SHA512
ba6c1a8cb49765ee4c6771f73988e692765106d26616cad4934feac79c7a95f9481a5fa682563825a49e3442bb5632854051c2150ba308a60d3f30e70b9a2621

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
90KB

MD5
1f8653360e3d97f015302ef9bb5d08af

SHA1
22fd1e6d0c543fbaf3c3cfe902cd9d5fc0313205

SHA256
25959aaa36ca4b68a6322ca19b3368967b7e3c0c4154182a1d19927d78350ae3

SHA512
86a5b625a3ca23e27f2fd4181d2831e56817b0b442468ed9eabbfd1ac3ce6f94033493f4c516d147e9420bcf98c8257607faa3ae35094605ab99496b068fc293

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
90KB

MD5
149c8c2c1cb20d78af97a6118a649a84

SHA1
fca4c46c0a1241e1f39ef77452062bb7a00a8472

SHA256
be55b40b38cac5263489f9d309e39db37f894c7e5d7d481c58969792ffc8c814

SHA512
032e94d9a5b5cefba4c35fc643a1934690a08f95c66d52155e02065b6dfe6755fb904f18c15dcd7715773036435c137e62eab02c4241815cb05516833c5fc52b

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
90KB

MD5
d84480d03e183d9e44a9c1ed4aee4aa0

SHA1
b5bfe56b103f503ff1f1b0d2b1ebdb6785c5b55e

SHA256
9ae1500bd7ba0be843f646d7b4242d8b0af0f4aa31539f58712ff85e04dcf001

SHA512
a5be0f0b5c0840b9ea6e8e90e23e657f75634014cf05f6bcbb959d903f8407fb7919b513296b1bab9906c7e034f5d77e66840c16de07c961ebedd4d15ee36955

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
90KB

MD5
310c9b2b5967e9fd16dee6d2eea46f2b

SHA1
3bbf2afe3a481854258b5d40ebba10c5ee58de1f

SHA256
2cbbf93a3011f19901fda36de17b29b85e0fbef948638bdc512c6409dab87358

SHA512
3be8228f59f6cb068715f01c3958ce94e2d3ee7db8dcb3f9f3225d7a1b6e57f3b88937cfce846c01718cba6c5092c1eef02a2e5a88cf25e85c3198f6109584cc

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
90KB

MD5
01cc017e4be691a8612509fd241c9b94

SHA1
5a94e115875fd3058b2e3b3a4d67e7472d734710

SHA256
898904dac337535d648ea206762e2f60e1e97967da55bac3eebbf1f572016d24

SHA512
020e3a01c96bf8569d9d9382efe45e25f949fbe93d988a65067521f6ddab4a9bde50694f6cfd459d521f40da07903a548ef0f3adba41a479eaad69e941e30d10

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
90KB

MD5
5e3c34d8b91979b016b6348ed72f030b

SHA1
7500c80bd1e8a1af271aeaf9296bc4530fb93973

SHA256
c07cee8830d31da60d5ccf7879d806abf18f7f6b76dd7d871ada10f85c3dbd38

SHA512
b4c9269da3af984c617d001cdfdab78931bf36f99f8cd977852fb5f3828e1c700f778124206851383ff56890824546de14d6e35c47109d491a0b96037d94eabf

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
90KB

MD5
2edf5e63f84feed7fbbb5bac0d1288e9

SHA1
cb8bc8dd3450180d8e062e2e4d4138175a855509

SHA256
b41e5c8c2734accf875034c822f4c85f727e6a5708c55bcec0c61aee587d1e02

SHA512
9dfe5b0016d0b1ad72826e30779edfc0a3d584ea8febcc11083f1d1034e802a0e643ce65a92c5063c116464248db6b95d14c23101c024204befe481695da6106

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
90KB

MD5
720f71156339098d83fd6b238c846f12

SHA1
a91b97a2f81f2828eb1e11644b2298522a60e1e1

SHA256
393a28a3076ce133304b360b004c3f0410b20eabc4d0893ca2db199d39e34607

SHA512
4b4f1f84e22834be4af14d549a2332ca34ca0e9b2a7753095cb757dd20b920062b04eba837ae2dcdaf51fbee92ca53b8909372ef838d5b3ebc73012212a38880

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
90KB

MD5
ad7baa4ad75f17c9fa19ebb68de3aa6d

SHA1
fed86b1e741ef8738c58db325ead70f3198f45ca

SHA256
60621c7c5d287a31f7c2813b802c83da7655410e896eb56ad3f2400814c92678

SHA512
7fa7a9bdaf971db2365daf8879f2e86b2a75989557890d8654b5dc72c98fc204604ffd759759fdaa06414ac8221a72b13d4253fc89cd4302d02f03d74a7fa1d9

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
90KB

MD5
1c07573cf011a7c7e8c73c4f6d33cc0a

SHA1
c8c7202f76b9428f9052d80dd61df91eaaf388e6

SHA256
0b25de796c873b8cd75146f8a90e24f80704d94ee3238d864ce11a63a42f9451

SHA512
64c1b67118b7f2b05f83f3dbedddbda01599f6bc264db2e8a8e400c67449f995b39907fd654cc01b777f9b8f51c0e20d538bb153a71ddd6c09f6272530ed5261

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
90KB

MD5
99baf1c04fad838bb65f4390deacc704

SHA1
6f7a3aa62cb909d1379dcca3ade60779e8496cec

SHA256
cfa4ebbdbb614340f820c0421b3bf8d3b651d645f51eecdcbac2672f3d2e2936

SHA512
573f559244c0c501439b5e381aace0d5244827a0159c0af4a075a5448849562ebbbc4e1a70436891499fddba8fc8f4c29956f1bb8e6a44486d439f098fa32e45

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
90KB

MD5
e11b0790cd81de2121b415c5d9b10dd6

SHA1
e7acf06ca58148e342f4668e91597c9ce18e7376

SHA256
9e68e3e91a6d74c4412dbd7b3534c8e811988759b63124428329603c06dc6602

SHA512
c75665fa1899e63bd807b3df62f8a38a3d4763fc34515f56826309d77f9e771251070b6a909476baad366ea15a2c758c78e1dca447e7a75d4f988d11b9ec7508

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
90KB

MD5
0a1622658855f7e8b9aab57ad03adcae

SHA1
6713ac3962c9a7dd946c3d3d480d10128d4dd7cf

SHA256
90b06798b5e6dc7f5aeba3d5e366b3a0cf32069476d29bcd992d86b84880ae08

SHA512
09ec48288d12149cf3ddf0f57cee548dd48b3d1abb41e119e728acd1af2e4ebf1ee7e6efa20ca0ce0148934659e826635512295889c38e234654dc81820287b8

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
90KB

MD5
75d9bbfc0716408e839916086c453386

SHA1
4ce03ed230f4d8de37868a354627ef03f9ae69a6

SHA256
0ad134d824cc90ba39f0290527d7bd922a1e02e4dbc125e8d0711c90c1e90b4c

SHA512
bf7f7c88894c478a11b0a39b090ef5a22327d7c966a2bd0fc400e54fe70da4843348d2bee5ce3ceb5ce988a811a983ea182ab22d4ed80a8bcd0d0090f46a01f1

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
90KB

MD5
8c1c00031c543fade3ddb637ce373248

SHA1
b054f9952630005e57d2da9708f028eb82ee86af

SHA256
77fd64c8c61e299966bc1d178d1b91c3b0803fd3c26cb514b4bcc6ec24d30973

SHA512
f60f33355a02c16509caf1441503a1d0a80886dc007eb15cc4cd7575ecfb6c289f43fb0de5b3ed2a90eb3ec984551fb1212baf9aba75cb5e27094d89313a52e8

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
90KB

MD5
4cee5dcfc655c9cc893813b6a305afdf

SHA1
035b576bac4fc59b4df6021050e1023c6e0d7512

SHA256
3c7413a30e69327b0e99b3b2982b92980f63777d45f7f19979f37be9d3a7370d

SHA512
b31429c65ac368faaea60a123cb03f39d4ede11fd8c53731f92738ec07f58407a14faa45ee408ecd4237584e94c2d91833e4b5908258d9cef224625f88010e86

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
90KB

MD5
600e57eb6469c0f9144eb4ca400d0ae4

SHA1
8f6fad71378b66047c2cb2c7d57fa66674ab3612

SHA256
42962f9a49e52dd20aa51c6db33e2da237326fc32ed9c6cedf0291a9dfc21810

SHA512
bcc071d62bf277e0e50c946b7b56b6fed3cec56aadd73ec52d8e7ce1b84dccefa8c66cac1c1f2a5db908a740853a7b731f0d9be3a5efc58d382e15ccf8ba0a79

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
90KB

MD5
516721ef425379a6739977a18b4f0a5f

SHA1
b43ca0ab45aff57c9d4cf1bd2f3220bf8108c016

SHA256
1bcb21a8438d05af8ad4f0c89a42d42af805724ac482c1f61f25b89115366215

SHA512
c7a0d0442f239d31dc362cada5bf8d0679873d181079e5c16308911189a8ad0e1f602280030ceb44cd1564bb231140c8ac524fa6ab1772ce80a82beb20fad3cf

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
90KB

MD5
2dd4b36521b84469c056a69813c09c84

SHA1
e941b576ac16862a7fac2c6a203022b53e7cdd9b

SHA256
4a88d2dcf3e10130906304c2fad4627464bdb57541445d35ab4ab750fef3ae92

SHA512
5c809a972f887cdaa8c1596e1937dbca2faa2d350b9ce834e866b677da673f6c9bb42f03f812207ff21c502210d8737ad14617de3349c52b8f540b70e8f1017f

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
90KB

MD5
77c132aa9c338b327167c0da56053efa

SHA1
9a1997e67914a6a071724b7495913cab85404435

SHA256
5a38b03b3d57e776ed2f137ccc89988321489239ca1cc0380fa1365576c31416

SHA512
11f07985e781fa2d159b1a014042d76966d7fdb278d4c69a315df8555ccf33d081db9d04b7391884fc685b4b396badff36dbed56ee0c0bbd83e0bbc242d138f7

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
90KB

MD5
cd6d0b3dc69980e384594ef94d98d478

SHA1
ef29383badf9ea7b18fa75dfe049a4e394168219

SHA256
173f5c5d88a3397d7bab46bf24284d730e1e07166b5a11ecdefdab82aba849e1

SHA512
554d5361c51712811d4923f09dc75e070d73bd940a6a31f96de8ebe508aad64e2cd85ff879f8df3a99d4585565658b46757c2653da03da71dede6800e43d7f7b

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
90KB

MD5
25a0e1773095b99ad89917b5f813ecdb

SHA1
45623050dd400a193873c23d388d247ee3e48eb5

SHA256
345534f2943f9e7b093f076dc2eb489f7e43a31de1a4be968c74f6e915f30e59

SHA512
e1df2ea1f67feb9be7042c5715d93cd75738f5d01f5f9ce248580413302b0332e9e3d3165e051831557e4be2a4e3447723d612291f58e1b74c5a6cfa4787fb8a

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
90KB

MD5
5171f1521696435d26f01a7f9c912384

SHA1
02ace84e2ff046ecbf9b2b5e0a0f0ba22e78d025

SHA256
167a3dd2629c13d0707bbba4cd5686c7630f4444e64c7f0d04e632fdaa55584e

SHA512
ec5dabdd81e2d4a5cc07991bd5dea7255f9c1b97e175ca09d573a3d6fee84d03827b81bbe86839e2a9d66fd4f25e4bede66a836134cc592927ec0f0357528878

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
90KB

MD5
c7cc8e1afc2f3fb3a98bc768588c4385

SHA1
3a9965231229d31afbfffef852dbe30d4efd478d

SHA256
fc98d6a6083f6efc9a96e4971b843e5652b7ae801ddec326a8c53469f9f21fc6

SHA512
3ab8b7e896a07459644b29b6371d2693b6baa36f039b15eee5ffa0b5b0db8e24328381a9500b97aa2c9cb6ea27194c2f97f8f099d6fea389a03d59f3eb47420f

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
90KB

MD5
18a90297e1881114a54e0815b940b5d6

SHA1
a5812edb4924d7b02c6642c752a0c1c260bdcddf

SHA256
d8d7b609b2d9d8a50940988122a964552fa516863fdd316f8fa8877b2f2d719b

SHA512
ff00cc5b0a48cfbf817a9334828ee578a3b25b42284c09be0b7129ded877105ed245ae7542ee65920189b25a60f7b68581d7d7ea1d171e1bd065272d4d0627f0

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
90KB

MD5
d4ebb06f0beef025a8dd590e809131da

SHA1
531b6e60fc74517fa0993e4e58b3d797c6f9f01c

SHA256
a6db8a18d01328d86956236ca104ef3f015126815361b524e6f49b27b5271f3f

SHA512
f9674742cf6481e4c0bf3c369d7f331aaf95ef0338b4d266d149dec082430f8b5f3a4c40983392e593b5ccf2cc90083db9881e5512209e10c0cbf8dc1a9a57b4

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
90KB

MD5
b2e32f99567b77c37afc1bfc5f6d75b1

SHA1
90db30c482699dc57976dc5e36dbbbe771b4e60c

SHA256
025a52f6065a5bb59774194dd06b2a7c97d6844fc647bfe020355914c33e7c5b

SHA512
26b22921cb029d063555440c5aed6e5f41eb806392be4b750988c4ce3b2d92657d666cf761cf70afa0400fdad2bfb504c77f5dbf4c1508ff4fec16f90589cda2

Download Submit
memory/668-309-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/668-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/908-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/908-308-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1004-240-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1004-287-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1380-312-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1380-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1608-305-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1608-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1872-112-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1872-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2052-197-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2224-289-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2224-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2284-205-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2388-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2388-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2536-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2536-299-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-311-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2696-301-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2696-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2788-300-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2788-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2792-261-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2856-288-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2856-232-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3120-140-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3208-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3208-285-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3228-293-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3228-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3232-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3232-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3420-294-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3420-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3560-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3560-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3592-183-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3592-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3652-303-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3652-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3696-307-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3696-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3712-302-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3712-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4032-172-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4156-296-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4156-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4304-291-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4304-207-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4328-284-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4328-263-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4352-180-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4400-295-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4400-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4448-297-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4448-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4824-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4824-290-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4848-281-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4848-282-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4868-278-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4868-283-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4908-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4908-306-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5100-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads