23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe
Size

456KB
MD5

e1977e5473f1995a31604a3e83ea90f0
SHA1

5c0326d15cd1d88e7af7807b713b1740d00ccadd
SHA256

23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0
SHA512

7591933b1694ca5ab5cef4a7767adb6ce3d854b0ff4720ca65b1eea943ca7295e867f386d366084b32fd462bc3c8bf824f856cf758848d00543bcf5b46cbb5e7
SSDEEP

12288:YKJwIKfDy/phgeczlqczZd7LFB3oFHoGnFjVZnykJGvpHGdm:YKJwFfDy/phgeczlqczZd7LFB3oFHoG+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe

Executes dropped EXE 46 IoCs

pid	Process
4884	Laopdgcg.exe
1420	Lcpllo32.exe
1560	Lkgdml32.exe
920	Ldohebqh.exe
4456	Lilanioo.exe
1080	Ldaeka32.exe
4888	Ljnnch32.exe
1084	Lcgblncm.exe
3672	Mahbje32.exe
3972	Mgekbljc.exe
4424	Mjcgohig.exe
4932	Mcklgm32.exe
1260	Mamleegg.exe
2328	Mkepnjng.exe
2736	Mncmjfmk.exe
412	Mdmegp32.exe
728	Mglack32.exe
3092	Mnfipekh.exe
3524	Mpdelajl.exe
3064	Mdpalp32.exe
1860	Mgnnhk32.exe
2556	Nnhfee32.exe
1160	Nacbfdao.exe
2940	Nqfbaq32.exe
2808	Ngpjnkpf.exe
3044	Nklfoi32.exe
2788	Njogjfoj.exe
5116	Nnjbke32.exe
4492	Nafokcol.exe
4488	Nqiogp32.exe
4116	Ncgkcl32.exe
828	Ngcgcjnc.exe
3968	Nkncdifl.exe
940	Njacpf32.exe
1432	Nnmopdep.exe
4028	Nqklmpdd.exe
372	Ndghmo32.exe
3900	Ncihikcg.exe
536	Ngedij32.exe
1008	Nkqpjidj.exe
3340	Nnolfdcn.exe
1304	Nbkhfc32.exe
4612	Ndidbn32.exe
4652	Ncldnkae.exe
4520	Nggqoj32.exe
3820	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3588	3820	WerFault.exe	131

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lilanioo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 4884	860	23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe	83
PID 860 wrote to memory of 4884	860	23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe	83
PID 860 wrote to memory of 4884	860	23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe	83
PID 4884 wrote to memory of 1420	4884	Laopdgcg.exe	84
PID 4884 wrote to memory of 1420	4884	Laopdgcg.exe	84
PID 4884 wrote to memory of 1420	4884	Laopdgcg.exe	84
PID 1420 wrote to memory of 1560	1420	Lcpllo32.exe	85
PID 1420 wrote to memory of 1560	1420	Lcpllo32.exe	85
PID 1420 wrote to memory of 1560	1420	Lcpllo32.exe	85
PID 1560 wrote to memory of 920	1560	Lkgdml32.exe	86
PID 1560 wrote to memory of 920	1560	Lkgdml32.exe	86
PID 1560 wrote to memory of 920	1560	Lkgdml32.exe	86
PID 920 wrote to memory of 4456	920	Ldohebqh.exe	87
PID 920 wrote to memory of 4456	920	Ldohebqh.exe	87
PID 920 wrote to memory of 4456	920	Ldohebqh.exe	87
PID 4456 wrote to memory of 1080	4456	Lilanioo.exe	88
PID 4456 wrote to memory of 1080	4456	Lilanioo.exe	88
PID 4456 wrote to memory of 1080	4456	Lilanioo.exe	88
PID 1080 wrote to memory of 4888	1080	Ldaeka32.exe	89
PID 1080 wrote to memory of 4888	1080	Ldaeka32.exe	89
PID 1080 wrote to memory of 4888	1080	Ldaeka32.exe	89
PID 4888 wrote to memory of 1084	4888	Ljnnch32.exe	90
PID 4888 wrote to memory of 1084	4888	Ljnnch32.exe	90
PID 4888 wrote to memory of 1084	4888	Ljnnch32.exe	90
PID 1084 wrote to memory of 3672	1084	Lcgblncm.exe	91
PID 1084 wrote to memory of 3672	1084	Lcgblncm.exe	91
PID 1084 wrote to memory of 3672	1084	Lcgblncm.exe	91
PID 3672 wrote to memory of 3972	3672	Mahbje32.exe	93
PID 3672 wrote to memory of 3972	3672	Mahbje32.exe	93
PID 3672 wrote to memory of 3972	3672	Mahbje32.exe	93
PID 3972 wrote to memory of 4424	3972	Mgekbljc.exe	94
PID 3972 wrote to memory of 4424	3972	Mgekbljc.exe	94
PID 3972 wrote to memory of 4424	3972	Mgekbljc.exe	94
PID 4424 wrote to memory of 4932	4424	Mjcgohig.exe	96
PID 4424 wrote to memory of 4932	4424	Mjcgohig.exe	96
PID 4424 wrote to memory of 4932	4424	Mjcgohig.exe	96
PID 4932 wrote to memory of 1260	4932	Mcklgm32.exe	98
PID 4932 wrote to memory of 1260	4932	Mcklgm32.exe	98
PID 4932 wrote to memory of 1260	4932	Mcklgm32.exe	98
PID 1260 wrote to memory of 2328	1260	Mamleegg.exe	99
PID 1260 wrote to memory of 2328	1260	Mamleegg.exe	99
PID 1260 wrote to memory of 2328	1260	Mamleegg.exe	99
PID 2328 wrote to memory of 2736	2328	Mkepnjng.exe	100
PID 2328 wrote to memory of 2736	2328	Mkepnjng.exe	100
PID 2328 wrote to memory of 2736	2328	Mkepnjng.exe	100
PID 2736 wrote to memory of 412	2736	Mncmjfmk.exe	101
PID 2736 wrote to memory of 412	2736	Mncmjfmk.exe	101
PID 2736 wrote to memory of 412	2736	Mncmjfmk.exe	101
PID 412 wrote to memory of 728	412	Mdmegp32.exe	102
PID 412 wrote to memory of 728	412	Mdmegp32.exe	102
PID 412 wrote to memory of 728	412	Mdmegp32.exe	102
PID 728 wrote to memory of 3092	728	Mglack32.exe	103
PID 728 wrote to memory of 3092	728	Mglack32.exe	103
PID 728 wrote to memory of 3092	728	Mglack32.exe	103
PID 3092 wrote to memory of 3524	3092	Mnfipekh.exe	104
PID 3092 wrote to memory of 3524	3092	Mnfipekh.exe	104
PID 3092 wrote to memory of 3524	3092	Mnfipekh.exe	104
PID 3524 wrote to memory of 3064	3524	Mpdelajl.exe	105
PID 3524 wrote to memory of 3064	3524	Mpdelajl.exe	105
PID 3524 wrote to memory of 3064	3524	Mpdelajl.exe	105
PID 3064 wrote to memory of 1860	3064	Mdpalp32.exe	106
PID 3064 wrote to memory of 1860	3064	Mdpalp32.exe	106
PID 3064 wrote to memory of 1860	3064	Mdpalp32.exe	106
PID 1860 wrote to memory of 2556	1860	Mgnnhk32.exe	107

C:\Users\Admin\AppData\Local\Temp\23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23fd71618801cfca2416c007cb0d6c656318b2b885fa0fc79bf38c5b2ea48dd0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\Laopdgcg.exe
  C:\Windows\system32\Laopdgcg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\Lcpllo32.exe
    C:\Windows\system32\Lcpllo32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\Lkgdml32.exe
      C:\Windows\system32\Lkgdml32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:920
      - C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        47⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 400
        48⤵
        Program crash
        
        PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3820 -ip 3820
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
456KB

MD5
894fb65ff5ad453a15986664fce172a9

SHA1
c13100bda3ee9dc38a25d7ba4ca754bd28e0bd60

SHA256
cb951b273e118476ea76006df2c77711e78a139591dd23c1def1b9bcff188c98

SHA512
18a9fd53f32f2745975bb04d7f5785784cc358535e839ea1e9a61ac8908a6b83e8a3e6166e4fa59a6a520deb3c199c64b82b643a97b28574e7b30367f4e28fcf

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
456KB

MD5
354404d43fe05d487b5c05d3f8732edc

SHA1
30e8ee8521880f6584d77e06aa7c2f65c1391a84

SHA256
d337e265b2facbf9091119e3452915a26cc7cf4042cd0154a835ae4813771f11

SHA512
fe24f3813fb7ee1daaa3693c1f671f5e467cbbfb1fb4e9357ae9f558aab81ec31158fa0f00be1f661510a5841509a6f4aa00e60da8774f690fb83c0629e95606

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
456KB

MD5
c0f8bb3f90f0bd26f4bf8fdf450f0d55

SHA1
1446dec40e4f6fa121049d6bbfc13bcd9854a409

SHA256
4f203cbc6c8cedddd4fd17ab0f47fefee455f6a1563b762045e16ace3fb2f849

SHA512
55a3d181e79873ef9b7e6a690f977e5409cd280d69490d1a598e51a0058cf2f382be9f6cfb41b8b87efb148142dae0e021e6c9218c82beb72de615d22fe88a2c

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
456KB

MD5
bc01029fcccdde194ad494b320cd7f2a

SHA1
bf1cec2238a36954ab488f2eea34f91a00424cc5

SHA256
bdb22d8947481385e89d1d25341bd45526c052d45835b425478afa6868ac1a5c

SHA512
6114651b7d5a90443fdf7cd55571323c5cb488e7309f3bc388bbd8894f99ff46955648d31642cd95c26b83960205f2b33ce6393689bc698cf9df3d974a200a43

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
456KB

MD5
759824d81e86950c672376ec18d1cf36

SHA1
cf05eabe47a27bd939661c8d4c5dd753d7cd55b8

SHA256
27aaf9fc608fb637f5985fc3483b3006cdb8aed227fe3c1b01fb111534c54fbc

SHA512
7b0d3ff4c442ad08d04645319d4aa2be3b24124eda94d46e20e54df45ce15839675d571eafa5c56046fe403690bce840f2c08e087070849406bb8b5f5cf3d5c9

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
456KB

MD5
bb444ed3b8daa5e92352c42dbf4302b2

SHA1
84a9878e24110c4a1bc2915a9bdf3a7b72fce458

SHA256
1a25f8a573f9589f8e53eda55fab2bfda15dcace62933c93f8293697c015b47c

SHA512
6174911bb96d19b4234a05dbb3b2ee979fdc3d566b01f75f75bcfe40866a8465155330bccc00254482931f46a4c4ea341e07d0db570a5d7c299d142cdb63a8df

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
456KB

MD5
2fef8c89c83e4fabceca1a0056b0c5bc

SHA1
7d9032dbe96b543670e376d2d20039325c2f2be9

SHA256
03720e1ae24b623ad479a85f55cc46df7e4676af9ff137096f01ad15be9723cf

SHA512
4d38122aa751aba6db12ba0dd12e07a01f77b2c2ba417c8b32be5b5a34c4d233a6a38ac2609e5032996832d6520ba218a9088a9ba4be816505869a3bbb82ec1e

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
456KB

MD5
6d22880cf3b04fea5e1afe3863b29fa6

SHA1
ceb516a796b857ef5c5228a5e6aaaf13fa67a4c8

SHA256
2de5e313848ccb8d12f09202a9c996e19bbb5815e61dcdd868b79fa95352532b

SHA512
2de5417b63b6fb4a826975e1ad7e15434edaa77499d99e47d380a6d0209f9bc37020f5d5cbc6a3d3943e5bcae0121054d7086ba82bba701052b6404a3a2b264b

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
456KB

MD5
2af956e248ea15a78dfdd333ae2c0a1e

SHA1
af046e0082b1fe8512b8ae8e6f5c84f725a67fc9

SHA256
9af1e0fd6bf2f43a998c856b59d120439d57f609d7c5380146090e5d4e6ce65d

SHA512
f80aa8144419d4a40ac467e084e342fcf51670222da6bd2e1c20b43e7ee000cafd440891da4e1be8f56c5f3a0c5c3e43691fd523ee3f5a1cb510842663e73204

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
456KB

MD5
1f0b0eda52bbd103d44bba8df2a0c7d8

SHA1
79b736e8696b828cab55c496eb27bfe82f49d0ec

SHA256
47b8cf7a1f0953fbe681104722017a802d0462048c6e4baa193400dbf0d5f73a

SHA512
793ccab3920622252d6c188417d4cf71985ac37688c311852f056be2756769b7cf0332f771208c2ee941acfea54843ff0f60368ca66cb128a0772c3d38ee2085

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
456KB

MD5
4de65b1b0f307a1ecfd1c02cafecc2a9

SHA1
2cc9f9a460c074793c8c7d8fd3294c02f32baf21

SHA256
098988dfde6ce13b5b7dd2268f3219d9e7d475802bbb61f1c0ab145ca3fd4f00

SHA512
909077069478cd729367e40349fd6e6cd9a97103707745277e5fe5a8043095e0cd01e53032803152f17f72b39ecf124678a1114194439dc78108e2777504ac4f

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
456KB

MD5
4cf7632dfb07f46b669594761f3d8a89

SHA1
52e2e7ffb2707d21abe344e8dc1a87e3b14cc436

SHA256
5a40066f5a48cb7041a91964551d7f70adc9bc098414bea8729b009a77d6d6dd

SHA512
f674a11d7ca4449cd3777c052fdbd785d5463fe5953773293a2ec970cfae003e19843403e9e3fc0818ac491e48f27e5c68504c54d406c0597e6d4fc2575aeac5

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
456KB

MD5
856781986166278024e8c8aa27561d13

SHA1
8a1225f371d8bea3268365b8615381cc81a57321

SHA256
7779eec509e4893e550bf967ef0689e19095362fec0abf5277e249246857da88

SHA512
07a7e015f337b9544e2bee76c3fe1f78732abf6c86bd6a70a44befeec1400740c7ef97cc373bf16d7795c264d4aec43f1585ce16bd4b803037c092a5d10b4e7d

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
456KB

MD5
4748c0211a250552ee90e88fe13308c2

SHA1
a4d4aed35c2a416c4a3c8de8ce7b7b299e16b564

SHA256
7bbd4c88bddbe7f1c68c6ba03bc035bb493c33ce63c117e233c296ad037fb6f3

SHA512
c11b1399f8c64d73f8b8d5ffb41e68055d17bfbf177d0f3ffc7d0ea91e76d6bf92ac5f0c542d212f31c42442ca4f05242812efb5a63fd7235034d936a68e6e1b

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
456KB

MD5
4cb0199f1c00e6369796f28051699802

SHA1
f1d88a708d26795126f979878d20499ca93da11a

SHA256
c6bd7665bda7ab2cd12ab713a9de29462897f99db66385e7b91d770e96b94342

SHA512
5e5236287ace8831147eb07e7608980cb22021bf9dbe99c6b99935495eff8828b84cffe106429f6072f5436d8c4c90e6ea121fdd22aea0f154732a2785575299

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
456KB

MD5
825ce831cf75655dfb5d962a1acccc0c

SHA1
4755a3f8e0a53e662a07d434fe53b31dd5beb671

SHA256
c2959f81fe96c0b6c3e68b3b9ce491e2f77ce93899fd4e425560fd8a5cf568e8

SHA512
4237b25a4dc2939e5f4d78083186f161c80b99333cd66d6dcfccfcac01b8fe5697d9c25a3ceef96f20838492e0b84a39f9161b8fe5d04117e92f5fe0e572d584

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
456KB

MD5
51531867e044d2dc43b0f0979bb292e9

SHA1
4537f5026667341ab03296f1f421fc7717652291

SHA256
935e032c872dbd00d6016e4569a77a02078727bdc463f12d96e251e60778684d

SHA512
58ea1e3a898a2bd2676d18428715acc41dc38efcf10e6006559d57cd4a838619969957d13bc8d76b75ef3496b4aec6299a9827761ee9d7303b08d0d0a5a36238

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
456KB

MD5
d2685da5ae2f3c505cfb14c792e1e14f

SHA1
b475d34d685723b938607c419005d595cb2c7da7

SHA256
e4ab6a87ad263039fb5040b44984defb1955184e2685629b0943593c9101caa9

SHA512
ccc923184316d54d99c323f464cbb74eeb7e8c9237d437f1b56f2453945a82a3f4cfbae9451f115911c988eaf6c8385b0075bbaa4a32854ed9c9333eb0ba10bd

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
456KB

MD5
6217e63e6e10d71b393723a98e337e79

SHA1
4277a188c1468706165fdb7abfb5c805e67628b6

SHA256
d99aa6ae518e92400114568ce4848e9981c43131995fdd79b3c9c99e7a151fe3

SHA512
cb7d168f9619302767f95094693bf2a73de6564a88c2ffeb5004476f4332329c0e3bd2cc212a1921b5aa8a8e1ab34492f94a1c679c7b8181db23f297adcfb9cf

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
456KB

MD5
30ace0d5e2b5d70b1958899d91f99147

SHA1
6b8980b9aa9abcab9f9f0b439fcdc0f4ccdcdf81

SHA256
cc8e1bd6ba64a03acef7ca461f357dff220d6031e296e44702ac9fe845960af1

SHA512
64813689eab89b693e5daf179c615828274e0cee684518a8a818d967b5376a83639cbc7be3e6e4272159d96bb3f9fdf2b02db93fc6b265f3aa2f0ab2dbb336c1

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
456KB

MD5
5d82ef517bf535be587506fb0cc9da4e

SHA1
bb2b3417e9809ce4ef3c35df87927534c6838c32

SHA256
8edf8ded6ab109f72d6e58b4e020cdb3c384fe6f2ff85dfaa0a987fdd93f6aa1

SHA512
80ceea7675894fca9322f1f894f524e7d0d62d091c030a2380bbd99735e706b60804c1af3c13aed73385fcdc59a26fca83baef49c281af059dfb71c6067b867b

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
456KB

MD5
672ca9a433baf5deb23372040bceb1a5

SHA1
49d1f54535e933789f0d89d69c199bc01e41acbe

SHA256
3098bae2547d61283f6798bb5a2ade264ce4733389073cb9fe8c3490a5290cf0

SHA512
fd366a6518aea8d781bb42d8013faf57ecc2fc8b3ec6f32b2358d85b06234f718203365a0cd683e34fc17cf31858f95408a75d1918dd608ce6cb953220cd7aea

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
456KB

MD5
6de9f2efa832dd8ff4e61c860612c245

SHA1
d7f3606c1a8387ab7f37fb169fbfdcdbf20d2745

SHA256
8ba442aa6b16a94a0c30ea9e3fad671e4a732eefdb7a0dee0675865ae850c19a

SHA512
3c3c9d994b02a971c71ec2d25e7a062515b17d7714268d190b0d4921f66eab493b38df79a88e85d44d232c05ac2bb2ea4888b94b3c927b273cf7196a23fd00aa

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
456KB

MD5
acaeacb223a558bc340ea4aa8d9c582b

SHA1
0dfed0fe69307d73561a5d1acee1ed4785e92c7c

SHA256
cb10e34b872dad0f06a3ffed92ba502b2382768abdee9934e080eb49b6017feb

SHA512
da9ef5590432ef3f76c4cbdcd5b3e41638afba149797e0ca3367842666a290b163f6219ba8bcbe624e5ed97fdbee44e5a050d6c687527df730984fbdc4b580ca

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
456KB

MD5
767d971bd91d2649e67b0bf37468b4a8

SHA1
025774a68b27568933a64207fedca3bc6e9a747a

SHA256
8ad405d7247e9c4c1ef42fee74c5c34c4d3cde221aea7a73c9abb1094d7715b1

SHA512
dfa3648f2395973488c7fc7b8c67e69163a78e8e86ba15fc4db334d347559e7841aa9abbc3d4ce7e2c8110a1ebc13a17ba9c5b1cb487f777f92f1af90f6bff19

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
456KB

MD5
7b23bc1e4bb47cb645a2ab761d988fe0

SHA1
8c89f3308c0cdedd5ec47c4b43d41d41efee6e72

SHA256
c93a84f4685fc90df9387e7b9a46eea10e9716fa88d585975deadae2b307ce90

SHA512
842d57157d023658d1ec2d3e62fd6f2e1bdae6b2af2655f7d33f89d6f7307f50f23d3ab0a420042785fe5504772ee1411d0ef2c2789634f1a4d047a3de164bf4

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
456KB

MD5
47d160a38ff86a27118536749d925d42

SHA1
5289d3290ccf380505dd822ff183df4428ef49ef

SHA256
52ce6458d37dda4ac45803123648dd1bf058a8c92f62908ad7e61cd204dfad3e

SHA512
e53661f6bab7e310594ae780606364761a0f60bb2569707b35ab8db9f6de4f3ef5dc4212a2863593fb7b96a945a4bf56cbd53f1252d90aef98a1aaa0e2ee9776

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
456KB

MD5
2aa12b8d8a48932a80141ce52ef8e6ca

SHA1
e4e42ff23d85aff2d3d8f8e95b4766b16f624ca5

SHA256
d3c3f1ad857fece1e46f19a90c66f8e31fa4da1b40330eb1fda2840c50fdbdbd

SHA512
701a70663d4fbed432cda82f68cc05ff2a98a03dfd8abcb13adbbd3801cc610578be0a33dc0accb029be9294e85638213e29beb5170056b3e67316fe7d41a718

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
456KB

MD5
dd5be56b35b2a136806fb57131427dc7

SHA1
e632a19ef02d7d6ad0897fb0b577d08252db811c

SHA256
8f38ddf0c2a9b61f28a081866c3bf7edbd32e8dd44db8456cd1fedffa77abaa6

SHA512
7b94e59072c24acb7171803a5a5009f3994df5cec477c5a663eaa547001a4c5a715a6cdb875126250afe1ed19945e719915bb0ab8d6a42a072e03687e320c6fe

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
456KB

MD5
0d2539a4de7803c82628d21b0118e703

SHA1
203d51fc74f0bfc2a3f5f6c608838079e51b8ca2

SHA256
b42adc3ecc3069bc22ad9589c5696653f7c63b69700e06e7eb8950125fe83f9b

SHA512
067b94707e12aa1b0f053f95853c0b07583e75f5cc85ba8a63ad4156011caae6ec31cb0e6c23fc90257f79528b334c8d1999a3fc911637d26efecf22157ac714

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
456KB

MD5
029f40b35837b67a868057cd662450f1

SHA1
0d8c581f6ba2d1223f19695f4d564f3db377155a

SHA256
b96d12fb490b9299a0d045d4420893cfb585f718982e3a4b79584d36e79df148

SHA512
2a5ed74e6a0a1b62defecd932dd3dd71c537592d243e8a4723762f3dddbbe3bb27a6d7bef18762936d5c5056e4e84ee358deb76c55154896a2cc32053f08149c

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
456KB

MD5
749cda86cf3c14f103b34c9daf6a0f66

SHA1
d5f159e6682b3ba4cf07170d264288cd205f26a7

SHA256
05797bbd367e7313aa19922e25416d6de27d64e3b8d1cb17b18ba437d1be0059

SHA512
8120ded5c6bf955e0d29357701856b6b9c556bb3118c1137c63f7128ec04b0a16bac2fc258c6eef3c6a85a064a39425f1e69b4d822b8d58f6457a94960b326fe

Download Submit
memory/372-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/860-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads