efe56ae987957ae229685134d7a8bbff3fe1b68a0cd7a07765316f6c73663a68

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe
Size

415KB
MD5

7e4cdd968eee703c4a014be10611c0b0
SHA1

3d936dabdd47b95cca5877d974b4737c8aa2b823
SHA256

efe56ae987957ae229685134d7a8bbff3fe1b68a0cd7a07765316f6c73663a68
SHA512

acfdbefbea63b380dbaf48cc43bda0a5329ce6fb005f3248fe682c23142ed1f846be01efad8b5713d3bec683f36258df52b8586d764091f4d28839dd441088d4
SSDEEP

12288:hOwoWj7NtInBBBBBBBBBBBBBBBBBBBBBBBBB0kfBBBBBBBBBBBBBBBBBBBBBBBBL:Awklp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe

Executes dropped EXE 37 IoCs

pid	Process
4428	Liggbi32.exe
3124	Lcpllo32.exe
3684	Lnepih32.exe
2828	Lpcmec32.exe
3620	Lgneampk.exe
4588	Laciofpa.exe
1984	Lpfijcfl.exe
3112	Lcdegnep.exe
2040	Lklnhlfb.exe
2372	Lphfpbdi.exe
3636	Lddbqa32.exe
3004	Lgbnmm32.exe
1588	Mjqjih32.exe
3892	Mnlfigcc.exe
4604	Mgekbljc.exe
864	Mcklgm32.exe
1944	Mkbchk32.exe
2204	Mpolqa32.exe
440	Mgidml32.exe
1964	Mjhqjg32.exe
1028	Maohkd32.exe
3220	Mglack32.exe
3264	Mkgmcjld.exe
3320	Maaepd32.exe
1936	Mdpalp32.exe
4944	Nkjjij32.exe
700	Nnhfee32.exe
3144	Nafokcol.exe
1032	Ngcgcjnc.exe
3524	Nkncdifl.exe
908	Nnmopdep.exe
3056	Ndghmo32.exe
3876	Nkqpjidj.exe
3272	Nnolfdcn.exe
4520	Nqmhbpba.exe
2360	Ncldnkae.exe
736	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4876	736	WerFault.exe	123

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 4428	1724	7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe	83
PID 1724 wrote to memory of 4428	1724	7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe	83
PID 1724 wrote to memory of 4428	1724	7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe	83
PID 4428 wrote to memory of 3124	4428	Liggbi32.exe	84
PID 4428 wrote to memory of 3124	4428	Liggbi32.exe	84
PID 4428 wrote to memory of 3124	4428	Liggbi32.exe	84
PID 3124 wrote to memory of 3684	3124	Lcpllo32.exe	86
PID 3124 wrote to memory of 3684	3124	Lcpllo32.exe	86
PID 3124 wrote to memory of 3684	3124	Lcpllo32.exe	86
PID 3684 wrote to memory of 2828	3684	Lnepih32.exe	87
PID 3684 wrote to memory of 2828	3684	Lnepih32.exe	87
PID 3684 wrote to memory of 2828	3684	Lnepih32.exe	87
PID 2828 wrote to memory of 3620	2828	Lpcmec32.exe	88
PID 2828 wrote to memory of 3620	2828	Lpcmec32.exe	88
PID 2828 wrote to memory of 3620	2828	Lpcmec32.exe	88
PID 3620 wrote to memory of 4588	3620	Lgneampk.exe	89
PID 3620 wrote to memory of 4588	3620	Lgneampk.exe	89
PID 3620 wrote to memory of 4588	3620	Lgneampk.exe	89
PID 4588 wrote to memory of 1984	4588	Laciofpa.exe	91
PID 4588 wrote to memory of 1984	4588	Laciofpa.exe	91
PID 4588 wrote to memory of 1984	4588	Laciofpa.exe	91
PID 1984 wrote to memory of 3112	1984	Lpfijcfl.exe	92
PID 1984 wrote to memory of 3112	1984	Lpfijcfl.exe	92
PID 1984 wrote to memory of 3112	1984	Lpfijcfl.exe	92
PID 3112 wrote to memory of 2040	3112	Lcdegnep.exe	93
PID 3112 wrote to memory of 2040	3112	Lcdegnep.exe	93
PID 3112 wrote to memory of 2040	3112	Lcdegnep.exe	93
PID 2040 wrote to memory of 2372	2040	Lklnhlfb.exe	94
PID 2040 wrote to memory of 2372	2040	Lklnhlfb.exe	94
PID 2040 wrote to memory of 2372	2040	Lklnhlfb.exe	94
PID 2372 wrote to memory of 3636	2372	Lphfpbdi.exe	96
PID 2372 wrote to memory of 3636	2372	Lphfpbdi.exe	96
PID 2372 wrote to memory of 3636	2372	Lphfpbdi.exe	96
PID 3636 wrote to memory of 3004	3636	Lddbqa32.exe	97
PID 3636 wrote to memory of 3004	3636	Lddbqa32.exe	97
PID 3636 wrote to memory of 3004	3636	Lddbqa32.exe	97
PID 3004 wrote to memory of 1588	3004	Lgbnmm32.exe	98
PID 3004 wrote to memory of 1588	3004	Lgbnmm32.exe	98
PID 3004 wrote to memory of 1588	3004	Lgbnmm32.exe	98
PID 1588 wrote to memory of 3892	1588	Mjqjih32.exe	99
PID 1588 wrote to memory of 3892	1588	Mjqjih32.exe	99
PID 1588 wrote to memory of 3892	1588	Mjqjih32.exe	99
PID 3892 wrote to memory of 4604	3892	Mnlfigcc.exe	100
PID 3892 wrote to memory of 4604	3892	Mnlfigcc.exe	100
PID 3892 wrote to memory of 4604	3892	Mnlfigcc.exe	100
PID 4604 wrote to memory of 864	4604	Mgekbljc.exe	101
PID 4604 wrote to memory of 864	4604	Mgekbljc.exe	101
PID 4604 wrote to memory of 864	4604	Mgekbljc.exe	101
PID 864 wrote to memory of 1944	864	Mcklgm32.exe	102
PID 864 wrote to memory of 1944	864	Mcklgm32.exe	102
PID 864 wrote to memory of 1944	864	Mcklgm32.exe	102
PID 1944 wrote to memory of 2204	1944	Mkbchk32.exe	103
PID 1944 wrote to memory of 2204	1944	Mkbchk32.exe	103
PID 1944 wrote to memory of 2204	1944	Mkbchk32.exe	103
PID 2204 wrote to memory of 440	2204	Mpolqa32.exe	104
PID 2204 wrote to memory of 440	2204	Mpolqa32.exe	104
PID 2204 wrote to memory of 440	2204	Mpolqa32.exe	104
PID 440 wrote to memory of 1964	440	Mgidml32.exe	105
PID 440 wrote to memory of 1964	440	Mgidml32.exe	105
PID 440 wrote to memory of 1964	440	Mgidml32.exe	105
PID 1964 wrote to memory of 1028	1964	Mjhqjg32.exe	106
PID 1964 wrote to memory of 1028	1964	Mjhqjg32.exe	106
PID 1964 wrote to memory of 1028	1964	Mjhqjg32.exe	106
PID 1028 wrote to memory of 3220	1028	Maohkd32.exe	107

C:\Users\Admin\AppData\Local\Temp\7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7e4cdd968eee703c4a014be10611c0b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\Liggbi32.exe
  C:\Windows\system32\Liggbi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\Lcpllo32.exe
    C:\Windows\system32\Lcpllo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\Lnepih32.exe
      C:\Windows\system32\Lnepih32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 400
        39⤵
        Program crash
        
        PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 736 -ip 736
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
415KB

MD5
3517da0c8081fef6e7d1b7cdc7702951

SHA1
37dc5cf837dcb8bd51a0b08d2339ba56dfd472e1

SHA256
830f3b7e88ebdd1952c867dfcc22b6559e2459c7b20a0ab0cc4a14a940566bca

SHA512
9ef9b13fbcf17721bd76e220743fe7e9f7cf749a19ae672849d220973a0a6a39bc31c7195c53bf5e2de278a9b84eb86af902c0d52fd52860e911fa445106cde8

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
415KB

MD5
e3b3d9e49e25943acc8f0e39ba9b66af

SHA1
c1bcc5a772944bbb70b874c7a1bbd2a35ef04320

SHA256
cdfde726fe3dd08c04e675bcbe436676101019cc57306bbbb8046abe086d6540

SHA512
c7cdc3f2e760469c2948ec8c71be8ab3cfd6da6ecb73953f4468d39dac1d564be20de0ce3a97200cf7d6948ac94d04306cbd1374dda2c538dc0b7c0e4ab0f502

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
415KB

MD5
f79083f0fa5e5325fa9d109bad79bcc2

SHA1
fa172912cb46699f624a9e8a9c0b693f52af1af1

SHA256
3ffb7e252a4ec6d08d78ed5ec9eac15059f5c18ffdb5d7d4857282a727251649

SHA512
01474f17f7e9d15ee00e645f3d895a73534b98f69fc5ebe80494fa5cd5465382f50e9c8a7b999154f68f4195893b776c25c9419444573f6e3887ec7f23b44a94

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
415KB

MD5
ad599c43296c07fc91f9eca5a66dc5f8

SHA1
8e0554f5b4195b3ceacdc15de434e9a9cae2689f

SHA256
0b779c694d47bfe0fcec78532772f41ecec3fa65d99951635bcfdaa2f53de583

SHA512
8fd171033358871f8b30e38124e038b84bab05797076e2256b407ca4d3d4ed4e93b0b151b5db9a437d4f7c0dc5497727541224f13f25b905d94b47bc86f3515a

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
415KB

MD5
0417609879064d937b323094674bf63b

SHA1
6eb187fbd7aed5fc49cf853cda38d29511f17766

SHA256
085ca2426e04f851f324e763d881f308f63587c99ad36cfb50ec4764d1f813f1

SHA512
928f1a94a6ae6fb83bcb9d9d14c282b940bf78f9acc84bcb5e60787d2990308b3e0dafb75b76e3061b28eebd787438257a6c3647a04c9b9725a9cfeddce4cb45

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
415KB

MD5
096c86ab61e5866d282593d9a9fa8f4a

SHA1
81bc9975d950c45bc7d8591b19cd3eeadbde42d1

SHA256
b9b39fcdc5a06985d0fa73523a622745918bd1d5eacdd40398002c4d07b15ebd

SHA512
2a95856423ac0842bc964d647002a800b4978c49ee883baa6e63980c9d9499a6a08bd78ad1625ccda748f21a59c7f07d2218ed9b08f3553f9110017f9b313c51

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
415KB

MD5
902eb00545012a32d2a203cdb3ade906

SHA1
a5bebb4a6e4b995f1f874b908b9ccef6e6ab741c

SHA256
ced5c5b60a1912d980bb4d9a0ad3ee52ff401577a4218e3444b5588e7672ee8d

SHA512
582652d0a666bbc9150c46f65ff67d06da5cef868f55bed6d49536d95cadf7c570c532d4f6ea5c753e51bd43117f8c41193cd500405d4517721573db1dc0bc1d

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
415KB

MD5
159faa2ae5e5208d1573cc4771672212

SHA1
6f4b04ba394b3ba4b111b626f779ff9bfa8474f1

SHA256
b4d93985fa840dd5ef81040af266282aead469a7fdd78dfb8ab9c4c1c8765f03

SHA512
db582b7516c0c22672638499d10bfc5e399a1a3a6dcd39e90cfb571eae64db0e7bf48157c3a26bfc295728cfd545a9e486d258539781c9b50f7409a16f3f1faa

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
415KB

MD5
3dfcf64cf3fbb170520c5701efcd962d

SHA1
92a99d378d42c8366126ac075043ec2d199af2e0

SHA256
19befbe248d7a90e22e838403e46b2c3b3dac6b82c454ae8b472f5032642775f

SHA512
4f45789ff15005bb728b4890da61740c93e230b9ee16b364105938fee2e84ecf0f09cdd07fd3bcc9dbcd38a83a79f7809610889cad5920fac7ae998d43411891

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
415KB

MD5
4c562be660e6158ab8a5a7c77b17e338

SHA1
fb48c787283491066bbd298737b253c87dd434c9

SHA256
126990d9e67a18bfeb695c36b367edf139d6bfab064c10a808a69e08c97dbfd7

SHA512
c397396e99d566b9d9b79441a7e8acaaf8944d9ecca5a5b9d659a5a5793681c3bece8c329bc861cdca5edd2023149679337d23f7e3f8e2abddf5c118909df444

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
415KB

MD5
aeb10837f1275e920667413468a6716b

SHA1
3249656f2027adb899375650a48ac76be9fb6fc2

SHA256
0cb6a4eece646e60a129966d3c5eb28173f5c1d2122f459061adf2ce3773453e

SHA512
a3832151ce3765fa83102064817865e95e7c64b443c0903216758c075e3c640f8902fa2c142bd968dd3efe14ee4ca6b74161d76c61c73e4c3694faf56aafddf8

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
415KB

MD5
c938ca14dc66d8c4cc19db02e18b9281

SHA1
a3ea3c8edccbdc4128c791ff7ae19c512b8c89dd

SHA256
9fbfa89bd07aec59489e296198bfbe3db1ebd925fe961fe7205a8b54942f9a47

SHA512
fa5ecda6dea64032b34f89043b1b0e7f6cc05021959708f76ec10121211364cb93ce3c718b28572da7c975522b6b7a02aaffebaf3ac01a11f796712d64e3b8d5

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
415KB

MD5
318cee65d14058d4422e1c0853059a5d

SHA1
a50998c87f02fbc7c86e1470ad1834a67f3589b0

SHA256
8ff33568cfe4f3109ec19bdff5238000101778f0e5403f2eb9ffb2bc5e457dc3

SHA512
98f8727ead24049506c373d3fd84ff1e789ae9b8013cf5d4ac140e1b800276e33f73274239a0d8bb5988bf37ab6a3ed734096a9480f29212edf7bd956b2dacab

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
415KB

MD5
ab62f17a1d649f7655bc2141d0c28c5d

SHA1
3ed614668a7474d0751abb3ac61edb3c0a0b909a

SHA256
6326634bf212003d04ed71c3827c0d213785a064607a614c73914f78e01f78d4

SHA512
aaf3f7f4c79912d703cbd33b4709e34fdb0031734473093a56140f0fb0c44007068541d44bd59066380ac9835593fd244cad085a7bda4cb679ebc971638ae1a4

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
415KB

MD5
a18b42fc74e8b45c0d707cfa129584fe

SHA1
af6c8044a89cb8cf5f5d443ce50909380b555ab1

SHA256
8d2fc5f7e64dbf5645b01afc3b41a40c39f58c6c2005a27ea55223b8eed8a29f

SHA512
9a0a078a3054a71e92b8f23c346a9e5b5d0950adbffcf909d33e38372d22acbec062b12ffbd72162a81e08f4fd3222e2354e0031f1f01e50a7128bcb99f39329

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
415KB

MD5
44928cac20a47ffcb3f84baad9f2491c

SHA1
5bd46eb154cd97ef016c202318d4fd7cd5697837

SHA256
1a4e197d272099aca6703b1623c1c4a194f4cbc8ae6ee15e2a5b01c05058f124

SHA512
51e085aa848ea95725f107bf2d7ad1ba311fa9ed3e106e190779dc5fdc5630e242b8b88b9d61dd8fc79c18ac24b5af2b951c65d8948e702b1d8e9046aef64ed9

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
415KB

MD5
6c24c7191a55765731ff1c89f598cabc

SHA1
6930d8c82d19a2d870ac52ff26bf01b77048df00

SHA256
282f37bc3a6c1ab872f26709c3643ccd0ccdd863a9b9d0dab13225d49e635e14

SHA512
f3ca0ac058ef22f6e7ba682c8e26d451099ca667d80d6c1d9528dce377803bf06bfa3815e444f2b77376da34b38e76de9e0d8f7dbd47530e005db056c24524b0

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
415KB

MD5
cc6eacc40068f2c7bfa5e19120addb43

SHA1
07bb39ffd8cea016b5a5d9389ae5c13efab03e0e

SHA256
338188dffaab40674292f25c12c976dea441c864fe7693c788bc8cda277b28df

SHA512
2567b4a0147bbe737eafa95371f84df9c8ae02270d3b7a2ebb0c915dac0163b7621d8d24fccbb781fb5527c70c2647ae25c7e5efe0e4117b8851db9f8a41c588

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
415KB

MD5
8cd619f5b3a2fc0dd8e5c52d8c48996d

SHA1
dde6611a7d4d86d8f40a7748fa8cbb8ba5eba4be

SHA256
0e076c9415afd5cbf2020f4dce9df8500645a4e737909c24ad3ac11e42231527

SHA512
863daa8cbce675e3c9e0b3a42a9f3dbca4a441b449523f09dd3ab39d9624451d329dd759de226749ec654fcc0e0d50cfbf30bd8fb993fcba3d5407bd83d8b7f6

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
415KB

MD5
20c4833a52a14c61a858d285ae2af03b

SHA1
fec57ae740b7e2572c433e1fb8089d029d0b7ae7

SHA256
32015f446e7a38833c6e53ac8249dd083a6eacdd659ee4338d7950e75c1c1e2d

SHA512
c5bdbe3fb68ebc3976b7662df1a84f6bb29a9bbf9184b4237b888e6e089ac244d21b6e4f1364d50df595a44e80abe09116a41701d8d7fd416ced5a793e96a2c7

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
415KB

MD5
3c5f2d5da9b19b53162638ffc96f452e

SHA1
9e7ca7c6906684021922bdeabd4ab624d84edd88

SHA256
7c890d7fe1d13a62748c05093713dce25ba026123632b77b502b2d0178b42ae6

SHA512
fbebc43464aa9d9aabfee0cec41306f59d7094d4f2b155691b57be64fa28fcfbd9f18877dd9fa68783a7c60315d420001d1f0fa61a8be882f3df74fadd681178

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
415KB

MD5
e38ecfc53e3084a0d29e37ad11ddb690

SHA1
61b49bdb95226b010b3f08fa0a8919d9c2b8ec0f

SHA256
db018f5f53fd4aba8c62c101e5010d73fea968441d1aac9068a242b3b055fdf6

SHA512
b2667dfec703688da06f8fda8b25ff94df44bcbc06d35a07c4ec7bad22f397a65d7976d0157018d3e0b6dfa991f6f088396681b2d24fadafd22767c40c2cc71a

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
415KB

MD5
126b96487c6c47828e3978f8995f2785

SHA1
7ab0e0975ed4d1f02638401c40ecb1f9c672ac74

SHA256
b211cc3f7348aa8c6d9836724a478c6725004ca1a4c44eea3ee285f511087377

SHA512
216bc59224b0249d833223dbfca3da33dabca27d50c563c6ade5d8301314651eda3746c39f03fd4447aacef41079d6597b7a2acde2441668ad30e74ba2b8e0bf

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
415KB

MD5
5d37337c437a1ba2c404115377167e1f

SHA1
a6fb193ca3c9ece4397336f16804fe6f836cf766

SHA256
70c03121ccff7414ff878b6002186197ac7f33820b8f44609aed02b17155ae53

SHA512
f70e1e89879ace7dc5c1accf08a1707e292f880c9b6adb3604711a8d684e91eb40eb8f2deb4e5a35ba07808bd72d661fed196b512ce4003768311344a961ce99

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
415KB

MD5
f5410167e198da5c61b747e9925d5179

SHA1
07b4dac775e0f8234751d92835185b72e68a288d

SHA256
13c350449dee3f7b9d838ed08a1ce936444f652bbec683973f4b8170ce705d0d

SHA512
45815563166832441514002b7e738bf8e6df5b13fb160c46f46aa776ac96ad63fbfd8d39fc373ddd975c7e65a7d8b9d8de1cad15cd40aa996f94ea658eb189bd

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
415KB

MD5
9e04e38b19e56640e429835cc7b5f666

SHA1
14c757809d7c4fa746c7c0082f91cd466d4aaed4

SHA256
e297210b1927af528c546ded560dbdf825016c2ff77b7438b41c37af0fc38fa4

SHA512
5d80957d9b8b2d168bbee880ff129d38fb32633e8062864d890e88b82061be15eb7172506d2446b6f30cd90e54e7b5ab5e0a4e6c5a3c367275340adce9b157e5

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
415KB

MD5
886083ff6c1db62cee6d82be76d1d4c6

SHA1
56b8a0a588a31c1eb879a8bb88ef3716a8588ecb

SHA256
a80865f3784f295f013c8efeb632ee4d3c35d1670c4fb28d5eb4816274e7dc32

SHA512
8c687624f7869e97478932d6404c33d07ed1a741bd1cec9ae45311bf93d5012b51fc626164fd7efc08bb7bf22171fa9315988a8a5779cb0f453e13bba1e5a376

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
415KB

MD5
8a89aed9f2d24beb381b9d039422995d

SHA1
97f9fb34d45583c0c584e9f822ec554e4cbf807d

SHA256
d0e5b99be7df9383ce8a441c8fdb31c04a26c310557395da2507067d13799652

SHA512
5f7b8579763c920fb3c38603b42928704ad396590df2ff21993871f9da3ffa8487a406d711ef163414e0b0224c136c65d315d1a530b8e6fac6954f18c6999023

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
415KB

MD5
0353cdaac5f0bb74411784fe0f81b991

SHA1
98f64214759e8a352686090c168ead9d16a5c1d2

SHA256
d8b1b5cf10229fe508573e1095cbe0b345ab63c912545111819bb34b15bbd4b2

SHA512
83fdf4bcfe1d493092a33677cf6ad776c5639db608e223f370f53e608e59e91a82d8c970231b08debca8d008eef2572b3899e02b04468d0d3dba73177fd8f3a0

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
415KB

MD5
8b7da89790890cf6ba33afee5d68c72d

SHA1
7fb8a623b53146723c68009d7880d0554dd78e04

SHA256
c9b93b8309cf612cc36ce859810f81572a1875d49edada9f38accaa2d5eb724e

SHA512
c6cba8151d0f8bd8a07e48f9407c2ecbb18631da6bf0fd59db61358dd225374b0b5b03a61cfff9a9d7ca78e5d4ad6e7d70e4d7013f22abee7672e14f9128798a

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
415KB

MD5
4593efea82df6cac6c049bcd48441811

SHA1
067a8a02d4d21f7fcb76a2ad77a5eb273f4540d5

SHA256
ce8782723871cf59b383f732fae0414b2b391df2ab479baa287ee538b8baeb7c

SHA512
1007dee4c7582aebe3ff9d4a5a280f04776061b34fa580110f0e98bc31c97002ec4bafa8a79d47b51efdcd719e88b01527ac21de8d71e5a4f1fcc3e1179559a0

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
415KB

MD5
c90e350a75fabcff60f8db33a278e816

SHA1
b5271d6d472a6060ad36c56d16abf905ff5a7df3

SHA256
85566d23971580ade30e63dbccf7b76e01e92942a15b954ac5d2b08531f9fd6f

SHA512
ef47352cc7c3b96b675b15b096d2bb3687e50a8d6595f4d254af6363e8f316b0a560b6409df328979efd1611ef59ef58e1e091059770c19612c5dbe33790f1df

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
415KB

MD5
e9ddd04a388875c309ab29e6244399fe

SHA1
4fb6038a4c396a2384f3e706d87d9389cb839656

SHA256
3dd7836e7e7592a7d089f696a26abfb8496d9d5a359304ad0ca6a476d7154b4c

SHA512
7dd26222da0deaf68316e60a89017ed6d73bb0e6ced7af5db6ad6cad3e608f044f876c2046ede04d32321c13a1a1c977242088bb876ab60ac28e48e889fa6ec5

Download Submit
memory/440-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/908-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/908-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3264-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3272-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3272-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads