99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe
Size

104KB
MD5

173984cf063081bdcf59f8b9660dd120
SHA1

e3974b2d3176704f1b49444aa008e5eb65f6e226
SHA256

99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c
SHA512

39eaa927362dc3fc925d628df0d65de444e88277f284bd772b08d0d4633e16582737a2915932c30882517712db9ad391cebe1374072cf825cf3314f1866ae8fe
SSDEEP

3072:m0fnQHJOKSRooTaugcq7Hy+YsUOU/C43kremwc/gHq/e:/xzjgcEHy5sUW43/fc/A

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe

Executes dropped EXE 38 IoCs

pid	Process
4592	Kajfig32.exe
2512	Kdhbec32.exe
4996	Kckbqpnj.exe
4444	Liekmj32.exe
2440	Lmqgnhmp.exe
2136	Lpocjdld.exe
996	Lkdggmlj.exe
2324	Lmccchkn.exe
4424	Lpappc32.exe
2260	Lgkhlnbn.exe
3692	Lnepih32.exe
3432	Lcbiao32.exe
4924	Lkiqbl32.exe
5000	Lpfijcfl.exe
1552	Lcdegnep.exe
3304	Ljnnch32.exe
3352	Laefdf32.exe
5028	Lcgblncm.exe
4916	Lknjmkdo.exe
3584	Mciobn32.exe
2328	Mgghhlhq.exe
4640	Mjhqjg32.exe
4988	Mdmegp32.exe
2132	Mglack32.exe
2992	Mnfipekh.exe
4920	Mgnnhk32.exe
3196	Nnhfee32.exe
1340	Ndbnboqb.exe
4992	Nklfoi32.exe
4412	Nqiogp32.exe
2656	Ncgkcl32.exe
4080	Nnmopdep.exe
2840	Ndghmo32.exe
4344	Ngedij32.exe
3504	Njcpee32.exe
5088	Nbkhfc32.exe
1704	Nggqoj32.exe
848	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4680	848	WerFault.exe	117

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 4592	1840	99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe	80
PID 1840 wrote to memory of 4592	1840	99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe	80
PID 1840 wrote to memory of 4592	1840	99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe	80
PID 4592 wrote to memory of 2512	4592	Kajfig32.exe	81
PID 4592 wrote to memory of 2512	4592	Kajfig32.exe	81
PID 4592 wrote to memory of 2512	4592	Kajfig32.exe	81
PID 2512 wrote to memory of 4996	2512	Kdhbec32.exe	82
PID 2512 wrote to memory of 4996	2512	Kdhbec32.exe	82
PID 2512 wrote to memory of 4996	2512	Kdhbec32.exe	82
PID 4996 wrote to memory of 4444	4996	Kckbqpnj.exe	83
PID 4996 wrote to memory of 4444	4996	Kckbqpnj.exe	83
PID 4996 wrote to memory of 4444	4996	Kckbqpnj.exe	83
PID 4444 wrote to memory of 2440	4444	Liekmj32.exe	84
PID 4444 wrote to memory of 2440	4444	Liekmj32.exe	84
PID 4444 wrote to memory of 2440	4444	Liekmj32.exe	84
PID 2440 wrote to memory of 2136	2440	Lmqgnhmp.exe	85
PID 2440 wrote to memory of 2136	2440	Lmqgnhmp.exe	85
PID 2440 wrote to memory of 2136	2440	Lmqgnhmp.exe	85
PID 2136 wrote to memory of 996	2136	Lpocjdld.exe	86
PID 2136 wrote to memory of 996	2136	Lpocjdld.exe	86
PID 2136 wrote to memory of 996	2136	Lpocjdld.exe	86
PID 996 wrote to memory of 2324	996	Lkdggmlj.exe	87
PID 996 wrote to memory of 2324	996	Lkdggmlj.exe	87
PID 996 wrote to memory of 2324	996	Lkdggmlj.exe	87
PID 2324 wrote to memory of 4424	2324	Lmccchkn.exe	88
PID 2324 wrote to memory of 4424	2324	Lmccchkn.exe	88
PID 2324 wrote to memory of 4424	2324	Lmccchkn.exe	88
PID 4424 wrote to memory of 2260	4424	Lpappc32.exe	89
PID 4424 wrote to memory of 2260	4424	Lpappc32.exe	89
PID 4424 wrote to memory of 2260	4424	Lpappc32.exe	89
PID 2260 wrote to memory of 3692	2260	Lgkhlnbn.exe	90
PID 2260 wrote to memory of 3692	2260	Lgkhlnbn.exe	90
PID 2260 wrote to memory of 3692	2260	Lgkhlnbn.exe	90
PID 3692 wrote to memory of 3432	3692	Lnepih32.exe	91
PID 3692 wrote to memory of 3432	3692	Lnepih32.exe	91
PID 3692 wrote to memory of 3432	3692	Lnepih32.exe	91
PID 3432 wrote to memory of 4924	3432	Lcbiao32.exe	92
PID 3432 wrote to memory of 4924	3432	Lcbiao32.exe	92
PID 3432 wrote to memory of 4924	3432	Lcbiao32.exe	92
PID 4924 wrote to memory of 5000	4924	Lkiqbl32.exe	93
PID 4924 wrote to memory of 5000	4924	Lkiqbl32.exe	93
PID 4924 wrote to memory of 5000	4924	Lkiqbl32.exe	93
PID 5000 wrote to memory of 1552	5000	Lpfijcfl.exe	94
PID 5000 wrote to memory of 1552	5000	Lpfijcfl.exe	94
PID 5000 wrote to memory of 1552	5000	Lpfijcfl.exe	94
PID 1552 wrote to memory of 3304	1552	Lcdegnep.exe	95
PID 1552 wrote to memory of 3304	1552	Lcdegnep.exe	95
PID 1552 wrote to memory of 3304	1552	Lcdegnep.exe	95
PID 3304 wrote to memory of 3352	3304	Ljnnch32.exe	96
PID 3304 wrote to memory of 3352	3304	Ljnnch32.exe	96
PID 3304 wrote to memory of 3352	3304	Ljnnch32.exe	96
PID 3352 wrote to memory of 5028	3352	Laefdf32.exe	97
PID 3352 wrote to memory of 5028	3352	Laefdf32.exe	97
PID 3352 wrote to memory of 5028	3352	Laefdf32.exe	97
PID 5028 wrote to memory of 4916	5028	Lcgblncm.exe	98
PID 5028 wrote to memory of 4916	5028	Lcgblncm.exe	98
PID 5028 wrote to memory of 4916	5028	Lcgblncm.exe	98
PID 4916 wrote to memory of 3584	4916	Lknjmkdo.exe	99
PID 4916 wrote to memory of 3584	4916	Lknjmkdo.exe	99
PID 4916 wrote to memory of 3584	4916	Lknjmkdo.exe	99
PID 3584 wrote to memory of 2328	3584	Mciobn32.exe	100
PID 3584 wrote to memory of 2328	3584	Mciobn32.exe	100
PID 3584 wrote to memory of 2328	3584	Mciobn32.exe	100
PID 2328 wrote to memory of 4640	2328	Mgghhlhq.exe	101

C:\Users\Admin\AppData\Local\Temp\99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\99654427177987708217f5f92f45ee34218ae99f0bd4066d168ea0ab6ddeef6c_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\Kajfig32.exe
  C:\Windows\system32\Kajfig32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\Kdhbec32.exe
    C:\Windows\system32\Kdhbec32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\Kckbqpnj.exe
      C:\Windows\system32\Kckbqpnj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 236
        40⤵
        Program crash
        
        PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 848 -ip 848
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe

Filesize
104KB

MD5
83b2cdaa0396ce97f1887fac53b93a63

SHA1
f684fc1f5ed4478012d4fc51c088f78b35d61100

SHA256
c0297c90196f7ce489802316c16fba8cec18846875f8b049a2fb9290f4b0d312

SHA512
139b4c66b67392391e651b0bd7332347d141a60a2190dc456c45f7b5c77bc53dcc9ed2a83270655054060d16a29695c407b43e5ff78f2f2b2e7c7532107bfb12

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
104KB

MD5
71a87cb6ecc61eb92ae6b7fbb5b5abcc

SHA1
cfae77ea3db05342f915a4596dee6ea86677d785

SHA256
e1046fcfb0a6b229198605e928fb14e785c96724c21931c0becd3a7c59b812a8

SHA512
01be6791b4d18c77d7385daee81f26eac5bef741d8fe98d0a962012ace6ffd02251ccb457c098b0d52d0fee111ec362b201b03544c097b036a369d37b062c04a

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
104KB

MD5
e0aae50bd6be60dfdd51fa6534b0b05b

SHA1
a4c96a672be44b286f88a50a4dcc8ef57ab3b280

SHA256
c0c72acf0f522cbeccb32e4b84893759ce3327020b809711b3701c9907864fee

SHA512
3948433dcdbce4190eb55836f2c76d47ce192d988c24cf3392f69b070210da4e69c5354497249dcad4e4afae9b06f81504833574f36b9bb0254f367e4362a724

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
104KB

MD5
94f88c4640f33e54b8931da86683df64

SHA1
6fec2f0c95ba3b89cd449305ca52a31e33483cae

SHA256
df1431909939a55cb725802f3f6113f8b044459ea20574e9c7c42d20661d38b3

SHA512
4cb8a8bbb570e087c429d11fa62ffa576a68e5d4255c7fd8c8028b08c0974e2a8ed429e5615e3eccd518562fd3d57b66210c21f76ae31bbf36f82000bc5c138f

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
104KB

MD5
c0b03974cfce17d76824a87b1fbca7d1

SHA1
12a3d0359b066214de8c4ee2d361b19ccff047db

SHA256
ebc1ac972906f69716a86bba8ee3e033344879b5994a1e9e819e50d2592b3797

SHA512
dea834d7eb5bc19e6db3a48470929bcf06235e2c697972c876d28e654f44b51f136dc0ee9e6fa83333906b850c50b3b9e3f637aacb3b1ecd90886fb473a1a3ac

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
104KB

MD5
3d1280720e9b66d291a47d853a6744a3

SHA1
feaf2f897ce11eb4d87694886f0459d6f761a200

SHA256
76c09cf8bbb58d08d246895089edf5b081eb909487051836cb2de7201125097b

SHA512
14dcb10cff04bf2bbf4e34ca452134ac309f7088aba4b2349894f2016b101abf5429bf526b0aa1b6e60f419b8a417b2b3c66a92bc3ca62740a8a38cc7fa0604c

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
104KB

MD5
d1b3cf07e8c42412fd0b0afdbccc1d59

SHA1
cc5025f1b360ea45524c761309b7274949382fb5

SHA256
80671d86acc3a773aa4020120f23c324cae0aff241663034002789081f02e5e6

SHA512
e202b452799bf2046159ce0631b31d2db0467f508b121afc059f1c86508e246808e80db6dad282b74c619af580e90d1cfbcf3015f6a7a3e220a473a5e0fd1086

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
104KB

MD5
1b0a780a6b8add07e9a11a4f02e2a46f

SHA1
2bd6b9b6d670058cfdcf6fcc02b88114e95b7d3f

SHA256
bfadc2fdcbbdc49f87c074abd4cf57cbacfcce50a98dc1cfc8674a1dfdbfbb8a

SHA512
429cf022c9434fbbde3c38442b64e490c5cf567ffee6199228f81a8a38f7c52f6a29abbae1475e34496e9a95d901faba2a67acfed67217a1f46d93d74b492a51

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
104KB

MD5
0e283f314f6d508d2e62dca32e26275b

SHA1
3b26cda10471fbfd8ade5e28c25b37b0e9f3413d

SHA256
05256d5083ababfced513020e84324f77a9f7b3df2269fb2cfd5333dfa3061d3

SHA512
4c65f4a24c5c3182a0f5eb2f3290f496f59e3f7b386e0c2affe2f43a2a549530c8cf5a18fe5e72863026a9bc88ee1be7770866f915bc078962051f7cadcfb0a5

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
104KB

MD5
925c66263c188b33fbb2deb492a16659

SHA1
f65fdb9ee618a3f4a3c7819716283961eedb1481

SHA256
1fe207169bd517712b4209f8eca7ad06ebecc6ab00495ad93f1c42060d039c43

SHA512
c0086b843f0842d4a5eacac75099d6509ffce0e1f1248fb9d80e65a1f8ffbdaf08a1a1a3da13fd5fde581dd0e93e2e35d624ae8da61ae426cbf9704aca7799db

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
104KB

MD5
ee7e5e088180cfb94c3e3b61a009ecb2

SHA1
e6a0f804dc3ec3cf19e4263db20d65f916dec76a

SHA256
9b382317c84347ce9db0575698f302e3a47f5a67b207ee8975d6889db0504010

SHA512
09a9c609113f698816c43c268f269b88fe996fa9d334584ce028c1ed407fd8d45062a3e11ced532f498b90cd39dc230cd387718a7c8f7e27bb6ef388962c4188

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
104KB

MD5
5c3ca74bc4ecbcf0c4b18154a342abfe

SHA1
651c9101985f89cb636fec78e00e453bd75c4676

SHA256
4701fed8d3ee5b6dedae93ef1b63fd9a83e59232111929ac1c86bf0b1c72d8ef

SHA512
5b429095ddfa337fcb1bdb75ff08af0d46a97ce879d44bb97e95cf473e9f910cbf17c5b58968a4fc7a2c25c7dba7f3e8df9e1c66230f4903a9c128a88cf6159b

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
104KB

MD5
622c1f8b308691d7e6d648e7af7cf21f

SHA1
173ba6e6b78f865f68bffcb800063be6d97720f5

SHA256
ec876a001a2ae569ffa6b565091d6a70952ccfa0e45c04851669e4335fb19b6d

SHA512
9c066df213ea4121d482e4a9a0c5f09d9db26d5a0c41f22bdb2557abf58420bb2c6cbbea069915910ac3127f55b52953efe75671348d4e1e98175bdee21bde9f

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
104KB

MD5
93a15e9270de0f3cc776fda307f10a39

SHA1
790f68d869c11d32754b9ae7a783c24152abf46f

SHA256
eada05591c93050ca746e97ae6f5016e53196d81bb1ad9dd603046b864848bf4

SHA512
cbc2e18122dd2d3f3422529105c2eb86506ea5bee3d37a6b143cc67b665dabaaabf8239bfb000cfc34129434243c79bf51bbaa1b5bb964c830fdce6140d54460

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
104KB

MD5
7f0c30d272d397e158407699c1c91979

SHA1
7f8f653dc95b1d2aeb38aa9ecbb9fcf7679929e8

SHA256
8fdf3a7659d0fccbdba8fe3482abfce61551345c3d294a7b0d6e717c77d5a0a7

SHA512
2e60360035e6f96e090a787495993c01c97101f6def492fda3c8a9a92655fcb677ec7018de478d3954369da56df32430a37e0718faee22686be7f4f7331f7ccf

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
104KB

MD5
fdc7d4fa9059c63d1a2faf468ce9bfe9

SHA1
3c334291890576a3560c428e5721a31c1b6df957

SHA256
7bd19f8e79977200830154ec2abcb14db59e203780e51cf58af9fd66069debbc

SHA512
e7291b07a29c794c1fa1c0c784251577974b94af029e5d0184f09f8ea0dfed06ecf21f2d43db278f7f3ae6bb58143ea1973819c776b3a192237fd5d0a5f348a5

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
104KB

MD5
036549cb2bb924b582fefdfa3d7a8ccc

SHA1
bb985fc62999dda7ed8061d793c9a17baac49fab

SHA256
9a440c8312d1c797bf1e869d4cfbbd1e4aa3ed00f699cf7b5a1c2c071de2f889

SHA512
ee0a33efe9778c903c4667c1673fc1dfda3323539f14630731de112bc6b47dfbc05c7d8d200850216b52d2c3070d05b152aeca2f8cb471872ba7e509983b6d3b

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
104KB

MD5
24ab69395264d7d7cea36e3187bd1536

SHA1
f78bff964c84e03b5cf5d6e0c6b6ad0d9c8a92a3

SHA256
b62c5e4de1b89c6325c54e0d4521860a53cdf3ea19d6bae73a83f4f07494f0b7

SHA512
acbffd379fec86e3e08498bf8f6c592e09d6adbc976d9bfaaf749aa0055bba31a3bb4baf2b5123a4be525da807d2234f352fd47441c676c16013e16fe5d41969

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
104KB

MD5
240b592da129edd5d310eae5b981f062

SHA1
35e91c5ecf920ca64e10a12ad3ce9855798b61bb

SHA256
bad53d891a3e77ac4ef192aa65f8e6f35761b41ac9c1372fbc8114f1c853072a

SHA512
f7181531a6b03dce53433cafb2b4abcd2c7fed36dea97c86c59d3f0384c0eecfa2b9d833ef92be4734177014345ecd651d97f5b72e27417b0648f57a51dbd634

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
104KB

MD5
a25265db64368a10ad85d8d01c4eceec

SHA1
5a717ce055561b997bf337b2ff184f9c6feb6791

SHA256
db1fe2472089b306b44936651fdb6d6db965a972153b4284e552606039a36601

SHA512
4a9f4918350c82916add66f41db68f3ff54d822fd5835bbb2da2d43f72e1beb2ddc20850a5dca0cc47c2df7ca0b526877956652f15759dfb28c9b733a9d76d32

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
104KB

MD5
b6a0e2495a9e92a8119d8bbbeb7293d4

SHA1
ed158351cb4a2f24caecc0916d19b6835c9742be

SHA256
baad155c98628c5afebd919deb923e1b87241d2468fdab0963d69a0022937d5c

SHA512
606a403be822633ab46f37ca27bf071e26275effd125489de509057d4456459d3963d381c0c600f5b4aa9eaa4690b9318f19825675ecb853d59cfe5fdd4c57f1

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
104KB

MD5
13c85ee7c0fb527c63e26ffa75a906c9

SHA1
16686311f4e02f35978438fcc42195620dcfd3f5

SHA256
13753b4aac6140caa8e361bd0d8526b550371b6adc231ef0f75a3a7c0c205f5b

SHA512
104d4aa77a0ad72ed0a08bed6bc9ed63bfdc503d406c4a5d5d749a2c5fc473f01ab8f8bda88df245fa66603c7ae34061f4a1f1fbbea396b2d9cd90a3221f1997

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
104KB

MD5
70331b51897a212a2bd8bae2661a9bfb

SHA1
d04abe3d5d0a2f5f8e355e70536ffdeac73d8876

SHA256
f8b667f5c13efd143fbc645d8ea718257303fb23e135605faf359e2171a96571

SHA512
660d94e85986fffb63db2ff1b47ad130bbc4078c35c9ab163b20d946f4ec52ec2f93eb4c20b9c9561abe0085fcf875f37284f87d4ba180466b792327cf5edac9

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
104KB

MD5
58cd40426fe99a49eded7184a5e535a7

SHA1
4fda5d8e52dc627e3353e3ce2302bba179fa7c25

SHA256
95e677eec111dd6024aa29cd7bccc142fbfd1c66fd61e0a08ba7b1c7a73c65e2

SHA512
e9b9f62b95af081dbda14e4747e0b283276ad26088885863d89e5a5da2431e06ab88ef82e99d8840a1481b4c2cb07e390732842613df3476729eb5b9bf16a0d5

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
104KB

MD5
f22a056ef9fcdc186e391788981d6702

SHA1
c01e538ce3f0954e3d7b717d656ee4dbacc18286

SHA256
1e6028eb1345d4f629e6df18ee88c34abdffcde16616360949a2222baec70266

SHA512
e53493149ffc5de48437e48a1a5ce9f00aea057b7204ccf9a0c01a11d05f38a8669b7f9f886d12724f700026cb519b48acce1e7848f5599a78b896989c93660b

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
104KB

MD5
db6fe62ee75a46c90af3b28270efa70a

SHA1
7b300400497e4c83742e980e222bfb369c09f3c7

SHA256
73b64b7e3b3f2c50b1b77521cefe4e01eddf3d8f14f065081d398e0f78e168b7

SHA512
051669ec8df090deadfcd9c3ee0168c8829c642d92b14eb398c26f96da85c9e42d92f15553e6c547708b31e20a6a306383353958c33366f2d3807a0470f1da5b

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
104KB

MD5
726b5e7c43ef8780bf7314438149cf1f

SHA1
101e21b5bcd0eabab3063ed6c122e4d0eed3ec54

SHA256
814d8c4ba91b705d5b4d36431dad1f5595e34591c461232e670947f74ea8eddd

SHA512
b50b30d67926892f2236970d5b18dbb70332e66f03d7aa5f51d97de9a256cdabb2c285bf49497c4aae61e21a2a7a4f2a97e0b042249d8bef4aa000a136be20f7

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
104KB

MD5
ab6b444d441261acbbeea1a233aa08bb

SHA1
e8bbe7c680c9cc3bec2733bcf4c93fe2e866f512

SHA256
b79dfc28ffa0af6aa4a13db3fbe5184eae1069e8d11b3d3e46cdbdfce8a09e9a

SHA512
62fc0827e515a5da0e04a3691d6e6ceebdf6a4260872692e01c075ed91b0c74bb48f7bcb41498f2b9db9648a65719d423a1ff42e65aaa34a696d5c8a7ada21a6

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
104KB

MD5
1d74bbc104fbd9a587046a2acb307408

SHA1
70c5048191523a0e94e4bdbfc67e111876165d4d

SHA256
52dd2c87da84808732fdcf2908145f862d41303f6dada80a3e609b6f13316609

SHA512
7b7990df702987a53cb6feb19f0f0c1e67e4d04f7690875c9cfd47e0fa24546d609bd8645d3b5e1a1ee8a464d20ddc31a6792cc62c5e320981001cb5d6cad847

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
104KB

MD5
2016895de73e6da66bf360d11ed85f07

SHA1
4546bbd42d6823c7bd03178773e85a425ab3a6d8

SHA256
37a4e9c2cdd2209504990b36cb9e5a8604a5329cb3df84d693663e51f72d0e31

SHA512
449b550b6927543650bbf3d8af6705e84e54b088c1253429861f8dc5292bbfa858e2a3104e36132ca7ce0e623edeb28d621384f8f96189bb86fc140ca0caad65

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
104KB

MD5
3a503e00d61789f5a70f617a3416e10a

SHA1
adeba2a3573956218f9d514911a4f7ccfa4881ed

SHA256
483b937dbbfa385bd00400969986224670c1319925de25ed9d985a3065811cb5

SHA512
770c4c5db66d336b363e8f9aa4d71fae8f0e88004315513d029272cef5965469385195f596220061e02c69e04f1f68c1bb9554881147a385bb9e32c9c42e56ca

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
104KB

MD5
0ddb43881e453eb4413d782a6e0c836e

SHA1
bb056af3164588f87f8ab08e03303b889c2e5da4

SHA256
37fe9eeeacf7f35b23c2786c50c3a6c83688324abdd0e468e68f19e0f4774502

SHA512
50c78e82acfb4fcdcf801c59bfdc7367af2a10a4915346cda0bc1a8de9276bd7b70ce079889cd788ebe631d4b56e8f04fa6f22866f08fd0b2a0bd0542c7a9950

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
104KB

MD5
9eeaa0b8acf5a9dbdfa4980ed5cd0504

SHA1
aecbe21f46d2fa72a40689747f7c24b898ca8806

SHA256
757adcc8e06aa50f64f31344fd8fc58ad2dbd6cb62ada600b35439c35747d8df

SHA512
f07eff3143aa6db7395885b057e8283682cd2ee65438adcdc286239e0dd53b451bcd76ab3ac3a60106f6949d188c8beb5bc6e455f021d1e9442ee5d68191049a

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
104KB

MD5
80c1aded1119f6ae2226309026b4fb08

SHA1
40008cab113de2f8515101fbd2c35d526a2eb54c

SHA256
ad5c86c8b22dc9572a76d38e5b57bac41a0ea4d3a34bc2229f0ee5709a377652

SHA512
ce9783dc73212d2aabf2a49032416b0c2cfded16d75b4f8bea5a05271b631c70b1fe36f21cf9b98771f86ee406e9f676f2eb84977f2930a014e1a5f75e75966c

Download Submit
C:\Windows\SysWOW64\Ofdhdf32.dll

Filesize
7KB

MD5
447c4bedc2a0990ab0f57666eec15493

SHA1
5956dccb6f40f0f4d1209a5d231d14d0049f90f7

SHA256
6c79c0257d2ee6dd941c6f1cd76df040dfdbcd2179004fa4df46546d2f8a8945

SHA512
397a9d35f2a774e0babd1c8e1f7d436bb8f5b9aa4d92dd2e82b8f34874df5e8567b546d4f52c401fc43d6152a563ef6569fa69eb8d7fae7dc3ab8ac32b6b859d

Download Submit
memory/848-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/848-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/996-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/996-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1340-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1340-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1840-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1840-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2512-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3352-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3352-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3432-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3432-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4080-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4080-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4412-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4412-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4444-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4444-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4592-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4592-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4640-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4640-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4924-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4924-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4992-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads