57159b7c984b168a856e4781ef34440234ea546bcb329cbecabd8b409dc705ee

Analysis

max time kernel
137s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 02:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
Size

55KB
MD5

4ec6645122b692918d42d5d8cf1bc9e0
SHA1

c67ad7e2f9ee681fad29831b85ae8c03d88870d8
SHA256

57159b7c984b168a856e4781ef34440234ea546bcb329cbecabd8b409dc705ee
SHA512

057a3d112bd900f625d02e1a96b60ce0e698cfea30ea95131bb91c5049d9320dee1fbf358207116c37dc574826b72073200fbd3097ac72ce364907b8f3c2732c
SSDEEP

1536:dAZYnqKnpMc+z+bY9XgwDqk8b+5sqeIwrMYZ91:dAZYjlb6XJebZ91

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe

Executes dropped EXE 39 IoCs

pid	Process
2284	Lgikfn32.exe
2764	Lmccchkn.exe
720	Ldmlpbbj.exe
5012	Lkgdml32.exe
2880	Ldohebqh.exe
2968	Lkiqbl32.exe
4068	Lnhmng32.exe
2868	Ldaeka32.exe
1640	Lgpagm32.exe
5028	Laefdf32.exe
2448	Lcgblncm.exe
4980	Lknjmkdo.exe
3620	Mahbje32.exe
3240	Mgekbljc.exe
2220	Mjcgohig.exe
2368	Majopeii.exe
3412	Mcklgm32.exe
1064	Mjeddggd.exe
2576	Mpolqa32.exe
4140	Mgidml32.exe
948	Mncmjfmk.exe
4468	Mcpebmkb.exe
880	Mglack32.exe
5052	Mnfipekh.exe
752	Mdpalp32.exe
1088	Mgnnhk32.exe
4388	Nnhfee32.exe
1228	Nqfbaq32.exe
3964	Ngpjnkpf.exe
4964	Njogjfoj.exe
2712	Nqiogp32.exe
3316	Ncgkcl32.exe
3016	Nnmopdep.exe
3668	Ndghmo32.exe
2876	Ngedij32.exe
1544	Njcpee32.exe
3800	Nqmhbpba.exe
4984	Ncldnkae.exe
3952	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2688	3952	WerFault.exe	124

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2284	1568	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe	83
PID 1568 wrote to memory of 2284	1568	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe	83
PID 1568 wrote to memory of 2284	1568	4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe	83
PID 2284 wrote to memory of 2764	2284	Lgikfn32.exe	84
PID 2284 wrote to memory of 2764	2284	Lgikfn32.exe	84
PID 2284 wrote to memory of 2764	2284	Lgikfn32.exe	84
PID 2764 wrote to memory of 720	2764	Lmccchkn.exe	85
PID 2764 wrote to memory of 720	2764	Lmccchkn.exe	85
PID 2764 wrote to memory of 720	2764	Lmccchkn.exe	85
PID 720 wrote to memory of 5012	720	Ldmlpbbj.exe	86
PID 720 wrote to memory of 5012	720	Ldmlpbbj.exe	86
PID 720 wrote to memory of 5012	720	Ldmlpbbj.exe	86
PID 5012 wrote to memory of 2880	5012	Lkgdml32.exe	87
PID 5012 wrote to memory of 2880	5012	Lkgdml32.exe	87
PID 5012 wrote to memory of 2880	5012	Lkgdml32.exe	87
PID 2880 wrote to memory of 2968	2880	Ldohebqh.exe	88
PID 2880 wrote to memory of 2968	2880	Ldohebqh.exe	88
PID 2880 wrote to memory of 2968	2880	Ldohebqh.exe	88
PID 2968 wrote to memory of 4068	2968	Lkiqbl32.exe	89
PID 2968 wrote to memory of 4068	2968	Lkiqbl32.exe	89
PID 2968 wrote to memory of 4068	2968	Lkiqbl32.exe	89
PID 4068 wrote to memory of 2868	4068	Lnhmng32.exe	90
PID 4068 wrote to memory of 2868	4068	Lnhmng32.exe	90
PID 4068 wrote to memory of 2868	4068	Lnhmng32.exe	90
PID 2868 wrote to memory of 1640	2868	Ldaeka32.exe	91
PID 2868 wrote to memory of 1640	2868	Ldaeka32.exe	91
PID 2868 wrote to memory of 1640	2868	Ldaeka32.exe	91
PID 1640 wrote to memory of 5028	1640	Lgpagm32.exe	93
PID 1640 wrote to memory of 5028	1640	Lgpagm32.exe	93
PID 1640 wrote to memory of 5028	1640	Lgpagm32.exe	93
PID 5028 wrote to memory of 2448	5028	Laefdf32.exe	94
PID 5028 wrote to memory of 2448	5028	Laefdf32.exe	94
PID 5028 wrote to memory of 2448	5028	Laefdf32.exe	94
PID 2448 wrote to memory of 4980	2448	Lcgblncm.exe	95
PID 2448 wrote to memory of 4980	2448	Lcgblncm.exe	95
PID 2448 wrote to memory of 4980	2448	Lcgblncm.exe	95
PID 4980 wrote to memory of 3620	4980	Lknjmkdo.exe	96
PID 4980 wrote to memory of 3620	4980	Lknjmkdo.exe	96
PID 4980 wrote to memory of 3620	4980	Lknjmkdo.exe	96
PID 3620 wrote to memory of 3240	3620	Mahbje32.exe	97
PID 3620 wrote to memory of 3240	3620	Mahbje32.exe	97
PID 3620 wrote to memory of 3240	3620	Mahbje32.exe	97
PID 3240 wrote to memory of 2220	3240	Mgekbljc.exe	98
PID 3240 wrote to memory of 2220	3240	Mgekbljc.exe	98
PID 3240 wrote to memory of 2220	3240	Mgekbljc.exe	98
PID 2220 wrote to memory of 2368	2220	Mjcgohig.exe	99
PID 2220 wrote to memory of 2368	2220	Mjcgohig.exe	99
PID 2220 wrote to memory of 2368	2220	Mjcgohig.exe	99
PID 2368 wrote to memory of 3412	2368	Majopeii.exe	100
PID 2368 wrote to memory of 3412	2368	Majopeii.exe	100
PID 2368 wrote to memory of 3412	2368	Majopeii.exe	100
PID 3412 wrote to memory of 1064	3412	Mcklgm32.exe	101
PID 3412 wrote to memory of 1064	3412	Mcklgm32.exe	101
PID 3412 wrote to memory of 1064	3412	Mcklgm32.exe	101
PID 1064 wrote to memory of 2576	1064	Mjeddggd.exe	102
PID 1064 wrote to memory of 2576	1064	Mjeddggd.exe	102
PID 1064 wrote to memory of 2576	1064	Mjeddggd.exe	102
PID 2576 wrote to memory of 4140	2576	Mpolqa32.exe	103
PID 2576 wrote to memory of 4140	2576	Mpolqa32.exe	103
PID 2576 wrote to memory of 4140	2576	Mpolqa32.exe	103
PID 4140 wrote to memory of 948	4140	Mgidml32.exe	104
PID 4140 wrote to memory of 948	4140	Mgidml32.exe	104
PID 4140 wrote to memory of 948	4140	Mgidml32.exe	104
PID 948 wrote to memory of 4468	948	Mncmjfmk.exe	106

C:\Users\Admin\AppData\Local\Temp\4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4ec6645122b692918d42d5d8cf1bc9e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\Lgikfn32.exe
  C:\Windows\system32\Lgikfn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\Lmccchkn.exe
    C:\Windows\system32\Lmccchkn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\Ldmlpbbj.exe
      C:\Windows\system32\Ldmlpbbj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 400
        41⤵
        Program crash
        
        PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3952 -ip 3952
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
55KB

MD5
4eb5729ded3dc0c4f77fede9267398f3

SHA1
e3fbc89fa84031dd2e9f650e24f65f051d2f1c65

SHA256
15179ee397adf4817433f5d5d15581b7a9beba4c5a2c6e63546bf8d0ecd261ff

SHA512
796fce6925dc25d7273a227607d8dccfaf6fcf11cfa02bd8bbcd38891c62af03d11f6adf9111c78eb7c9c22b0df0874da7d1eebe35e72f922c4149c4df3f7840

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
55KB

MD5
50d628ef4db22f96b95d18c04e0995c7

SHA1
050b6f1dfdfe0f89742bb2eae2d9e2b4f8d62e8c

SHA256
39eebffb23dd139bcf1731619d5a91cf51de6a76738d293761da581076b9fe3c

SHA512
0f7c989b5e3820170b8748e8318bc5559b37901d53ef453ea169614749ff3269dc21803ff2660aeb0c813be2c3ed6e0fb7b1882338bb9ee431af4626293f0f45

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
55KB

MD5
b10818a1cc9b6fe9e8f38b249d0c84d5

SHA1
df2c16f879498914ba4757ea172d7d469042b0dc

SHA256
5c2abd5154a27fdd1d501edae1484d0418ac71c35d8291438e1a077177ecab28

SHA512
0ce2c02cb07476090a5c0a88be06f6a9ea222848d147d6786ee89636f41427130aa857f1a0b01a94b5f468dec119c70a0c079437d5d58779453e517d39cb3944

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
55KB

MD5
dad3512acbf98f913bf4b0d18d2bcccb

SHA1
87959f997aabcd38ad5a326417295f134419cddc

SHA256
7bd9f84f2db198ac34fdf71b1fd13d76bc357c21df9f79f63f3c35ddc02f755c

SHA512
e405f0f0bfc47dcb445e69ed153d5aa9d4822988f5ee5a74a4e952ae4c594dcd63cfd5f5364c7524d4bcf47129e95d26b859e2d709275f5f2fda3c117858d026

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
55KB

MD5
3599c9a26d6f3e9922ca163370dda230

SHA1
d4475a86f721768933830abde5b82bf3b293c218

SHA256
449b9f524402d9b1eba2c7865dcf595b739b442cf33afd2e065f7ff9bd3daeaf

SHA512
1264dc45474fbba76349cdf5a6f0954dec6703f7e3acc611afaea224f6bab509eba679dd2e90dc13dfd5914e31a5100d7eba13469c7bb22037076f3b4a691329

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
55KB

MD5
da397ef6da739745114ecffc564d78a1

SHA1
8e9b0e83a2a0892ed995764826deadb723fa6c37

SHA256
3eeda043174dd5dda6ad66c57db7182827aadd6eedb53b766a388c8bbdf99112

SHA512
f8387db25c0fb1c0acc23fb169e5dde5da86c4118ccf73978015695a0a913d9f3dd210185344f9849f55407faaa2fc4ed46720de32ceaa42c4589f6ca4ed1224

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
55KB

MD5
086585168abb8e4d50d4cecee58a4081

SHA1
42b7a36f3a75b05d92a7b3f755919b58c35e024a

SHA256
8efe86c993c142ed97f5190f186743d953a92408416e776273d74bd6d8bae869

SHA512
9dbf99418d0d538eeab8dbd0d5fa920d7b9aa7c1abb46b9508af2a17bcfca4fb70753768abe2ab2cf83b1ee536dc6f539036c234d9b94d6062a105ed1b3c55ff

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
55KB

MD5
55de5f269fcef6e03910cb58e3546e6a

SHA1
e9f953af650dd2699950fe60aa8d3d9bbd828ed4

SHA256
901c2d823f7e077091cc24d95fa242096177d632325a709d7d05dfd8fd76cc04

SHA512
5a29fe358045a93b1c04c685e2c7e3837c5a27584090545cf62e55012db17b463ca6c39581076bbcc9c9e01b8ae4bdcaf4ef3ea4833cd7d63b1795a0a7785b40

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
55KB

MD5
10b3584f3546d0fa12c7f8591b64beb4

SHA1
41a3a74fc5f633207b6525756a1334c5a1035807

SHA256
2bed5f97be6296fe55744e106d6f30e218b44b79ef96534f10bb9136bcbeae3f

SHA512
6eede251a28a42ab66c585a3a27516be56f2bdba88bab7b8a81fb05b0a72932d3aa4aeffee5f2897f0df5798531e1726145f7fd05e2edd57f44133263a84c2ee

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
55KB

MD5
9683e9a904a813a6d61f748fc343646a

SHA1
a55725cc47c9231e236c982271b20231b0936a72

SHA256
660918dabf6869be2f381908102b41027806b81e56244e33f5004ed00b83b921

SHA512
f6e5b5ae36322f3c0cee480d2d3c9d91e91e4267f8651e8edf872ba6dd362aa45009f0e718897449a0d37eb9b64c926bfc014adf58439ec1fb7e9a7a9253e527

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
55KB

MD5
7e1e55eca2dcc2c35fdda73ee2ea74bf

SHA1
c4f865fe34240f564f99229b98c472e7e92066d8

SHA256
0a42fd78f1e7880170f4531a0046938e718ceb995af4f4dd9b5ae8b8b05e7ed6

SHA512
603a6a49dd238631e6366f4e7b94eebb7d1c45ceec42edd9e201fa6dca54e2647019264898dbc782e3c4183e7da59529c7de972cb6a712f23697cc55787e38a0

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
55KB

MD5
dcdfa70e83a02ae2a76e419be33c971f

SHA1
c58894ebb38619114a38247d7bcd91066f9b5a86

SHA256
536d13a1449659d8ac4d5b45483ac523a397fa8d0418794415c810e8fa519e05

SHA512
4ffde55995260208f765a23bc6eb9e52ff44cfff0e918fd319756cf1600d5deb43854fb6de30c50ecb17417631e86dc43389d86dc952f7127bd897ca2dc6adaa

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
55KB

MD5
2d27dbc47071e02e2d322988fe196ca8

SHA1
aad98b5bf9707a010d998b3c57108846341b7ffc

SHA256
0b6f4de838a3c9f1effdf4df8d5776003034695ff2faeeb6ca8467444a9ca479

SHA512
69101350a3d8b2bbf054665689e61abc7c207f6a28568d2c406a47e5a081f40330d7922d0d03d69f8e79d50c05388874804d9363749abc15d54e81d5def99c29

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
55KB

MD5
11e286e54e710d79fc58d5e6adcd4d25

SHA1
e6efdc780f17324719cb25d7a27a14dce85e53a2

SHA256
be528be9c5e5fb9b9caf98725a0b68482cfabb5e8413c2a98ce0dc4d5446f384

SHA512
87432631ec2c4ba60e009b98f21f11d773c81b39de2c056b33d768abbb2da6c116aac2290f20d0c95e2150c172080d6d8217a6f26feee8e01774ed5fba755ddd

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
55KB

MD5
3dadb3978a8e90ea505c1a4dfdc62a28

SHA1
9b2d1cb58e3e134712cd7108a531342d1e611290

SHA256
ddf5ff32d7def150858245948f75c225cb801286eab8ac67e0ffbf16c819e636

SHA512
734489066e3dfe947ca567ac84720542b5de89d24b9b1db9eef43303fe386c370f00c0a4497bfc3fe6417e7d65534aec330e22389c0ae7e12f802be97a043be1

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
55KB

MD5
78acb529f3c32bd8a31a23a5989eae63

SHA1
2419673526a1ecebdc17835368821dce52a6ce41

SHA256
1a4c5b8529ee1bb2331057722c1a9d1969a49c9ac882442466e9f8b834bc4e8d

SHA512
46c413aa9757d7dcb817f6ab0d525fa6fc01cce5cb3cf74bc68f9a05799a0b975ce32b5e4db9989f09e0da5aa4582cb6f372842ac7275273c0da5df0803c2315

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
55KB

MD5
bf660b3aed1e8052a27c954384f26f3e

SHA1
4fc333cd0b72001a137126e955392a3848a9d67b

SHA256
f7deac1bc1bd2342f421dc5dbae6148e9c7020feba853ebb898e0314d4e06754

SHA512
83f13ee0dc1ffceee5619689e44608674bc012a0c67c2e909cece7a20c34b65ad7a920c52868e1612dc4a4764d31ba118842d31a1189748a3fb42dfa8d4f45f2

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
55KB

MD5
d068e25aba803a8b8989af43c6a56893

SHA1
4b140ff40e6fddda53d4a925ae57b7dbccc8a98d

SHA256
dda41608ecdcc8011729529b485d98ef589f18479cb2549284e42d67a1980160

SHA512
2df0d138b8b30b7a5356d6c5714b369b8259e3c17fdf13e092b7a3d51cf554c24d9006db55be61dcd6be2f70c1d28aefaaec084012948ed1bd702d867d8cd528

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
55KB

MD5
e181a547ba38e03d236ebfbfd3ee5490

SHA1
bbf92380b7d462759583dc12d3f347b359999bd4

SHA256
a07113257c3c4079162f11414d63f58b8dfa4355893f7ed8b5e76ea236138e55

SHA512
3cb70c2e14579c6e08bdfd082edd63175caa1f9cc773b63b43f3dd623a63f2d93027bc6d67653581b75c2ff1205d6d22eab36df33214b8d29c92684935944032

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
55KB

MD5
7b0c1f7db00e137ab3f83bc69f7aa041

SHA1
29b4cf35039bf616e8e57a8fe6d08b019d690188

SHA256
00410c21722e29ec605eb04d457c9cf11bacb35a02bfbc434dbf71d841e168ac

SHA512
7685ec665fec1e8c16bb41e024945ce377fbd866027617ab9f58049257c349cd511243335f356d982091b38bd74a345dc3a6625f147fca39fa49f0337fc88867

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
55KB

MD5
e65f4e78121fc3bbb78a4e6db65c562d

SHA1
4932e8a52520be04e1723ea218cd234eb08f9139

SHA256
816844787f53ace1dcebe861fbe01df500e0b64b5381fa6af62c93a3820c9e5f

SHA512
3212f21482e23e41598b94078a6eb578ff3bc3dd7d83d2f732be1e5914cd30b2fae268bda1b8b494e1677ef6e251a5bf75542492d761f373dd340eab7342667a

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
55KB

MD5
09e6a8da2849ed036f62cb8c2fd06b33

SHA1
7a09f505c106016134a52f48e0b37561a7a3a321

SHA256
90f2aca49a46f0d8ddb51bebe3e2357fd5eb455ed35ef9ccbad76e91a35b2ee7

SHA512
433c8651cf2848296a55abcd5f6af3df792ef49fe88bd2ef0400632705d97e8d8572ad26d6af55eef77e626cc7fc9ebb4ad57037b64e6fab69e948ce8eacca05

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
55KB

MD5
de9d4c360e860a68169e1cf9d14c6bab

SHA1
c37d06dd7e36bd7732eaa019214f3ca7e08a92c7

SHA256
4985e9e5607584973b964db258fa600b104f84e8978d3e7851ddd0e94bd5d063

SHA512
41e41b4b204a68f56ef78997bd39594a8d78116624cb68e9b47e65ef4d819206abb51acd7a8438c4b44794453bd071a705ec53d084ea32b28684f69c4908338a

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
55KB

MD5
091d671d75eff36842203e239f89de08

SHA1
5e6397b9e0ec82184ed107412252a72a6c61bee0

SHA256
7df592e2e338901f27a6912a58121e96e9175921254589e8446a493b5a5c1721

SHA512
a87cd8b024bb82e2434cb404c3e78ae424bb054bd707b711975c6e19dad4126696e4db9fc545d52e3ed60e55cb56b9c6f6b6d932c24d021d9c80d59498be32df

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
55KB

MD5
0287d16257175f09c85f8a1c54b768df

SHA1
a0fb7a1adf950adec7813b2a015a013ee7d93717

SHA256
f5808b6f5d0eacb7b8552a89b3e841aaf8f9eaf43b44e9c1c141b40c5be08cb8

SHA512
a2cfed61ae64920dc2fdae7c4af89fd24b662437e241b977010f54c39932099f26f808bbc11ad0ca176c5cfcc069d03f7275f831f2b3189ad34295594ca7d4bc

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
55KB

MD5
13c9472c9fc55dd2a3fdf16ad98ec4cc

SHA1
8aaba1909832fc21b7300e959349a5b46f435f80

SHA256
ad16c536e285fe2d2755c2434b78725290584a5986d5a6b6edc97f34415fce62

SHA512
6367a21a7ebbf993c67fd09ca434f65f2e0b4a9877ac5ed05cdfadf88ad89408dbc75b39b295d369b820637d7238c4eb5cfea596394720abfefae96b2ecf0f2f

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
55KB

MD5
de20b841c3db24bbb0b37deb57f0adfd

SHA1
65e2135cf479e1e3121cff20f78b2a7572693abc

SHA256
61bb60fd80b1718ab5373ac8d86a3b876626e3f07ca03d173fb773ed54abcf89

SHA512
23e480215316dcd7de8221c2dcbf32cd39468bffc1e5d9eb952c9ed2fb827baeed17448b9ef7d80737f4ab20b583ea15d24648f425ac3cd6afe478add52cb81b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
55KB

MD5
862e57562810b368061d5e9714ed2aad

SHA1
4bca26de85e5217dda38091141cfafb56cfb82e9

SHA256
06c45db6e9ae6bd4159906f1799e7d98e4ff30e1ccda6de6c9791a7f0bbb799e

SHA512
8fd611608cad04b4eaa1c5ff8bb47d892d6d1e706c3c54319943e6e6a6812235ce68388a5274bb3e9ea37dba13b2c3fbe3e48574d7cc1a6c5a54a77663e9ef2f

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
55KB

MD5
3d313bf06fb9dc20bbc3e73aa3c79d6d

SHA1
f64448dfa08cae994eb45cf1f0196f3a5dda826d

SHA256
118d0e77fa14dee24a17af35a47aa3427c726b252ca31f7a3f3851035edb53bf

SHA512
4d9159e38b1c4f45c4bdaa29b833b6fc3141adcbc4dcd32240e9cb0c7ebe2490a8063ed7d60065d0dedd72cba08a9c936e6143f963227603322a2b1c1c8a5025

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
55KB

MD5
779e4354be9f0b0ebdc361e0aaa6e3c8

SHA1
1500bbfbf3d40f1b592ed050356b795d9eb7d836

SHA256
316f3adc2f4c3ee3224124b61f1c511e634c80a7a38d93ff48843827b9787ff7

SHA512
86a96e97c7fd80ae4298da8e41b673961446e158971658df496ae786d04873a9c6e203242bbde29af515bd6e35f3dc262bec2ae2523ab29b93e51b9be2ec167f

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
55KB

MD5
4f40ded941261f637d9e8a3e6c92bf39

SHA1
e88e3010b0a8d74474f39b0c848d4d69b1ea2045

SHA256
ade8f59883031d5fa4d8ca015d9e0e773e5f38b6f9a807a0df10a691eec0b020

SHA512
2058c7b6dbe6e72514733871cfad03a5acda12b5cfa446ee2e1b1d089dbdc711101d15e79af10cf1e1ae9936794a774b2a9b0de511d24e36b7fdadbfd79aa670

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
55KB

MD5
180a49940fa0846abe839c40ce340f3f

SHA1
f69ef1f59fcf406914ad0ce36f9a6838bf96701d

SHA256
cc3e8992ef04527ab0790ad19f9584a077c08627a09d1fb1ec84153f0cd5dfd7

SHA512
db1ce7fba03777dde92e24b350c4c9e796a5f4a7f48398706f33dc0bb3a1db5dd9ee992b3fe1929c8a71ef5dc8fd596525ab37ae86ac26257c336bf54005ce6f

Download Submit
memory/720-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1568-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads