e4646f96f8a5cb631a084c87ea7157549b07c17b0b6b6718fdd47052859c7cf7

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe
Size

111KB
MD5

0b80aed1cc7dbb7f70dcbb1d721d5cb0
SHA1

c3b458d1eec0975a35512bfceb418669661f067c
SHA256

e4646f96f8a5cb631a084c87ea7157549b07c17b0b6b6718fdd47052859c7cf7
SHA512

b3d510c84eb957af00afcc9390466aa8e9a39f056ad257d64c515637de03f3a04495c92e25b6a381ee7bfe3834622da0826e8afe767b09fb592628252db8637b
SSDEEP

3072:eTUGFO5rFqpwG/o21LmeGE9pui6yYPaI7Dehib:eTtErMwGwk9Lpui6yYPaIGcb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe

Executes dropped EXE 35 IoCs

pid	Process
388	Lpcmec32.exe
5040	Lgneampk.exe
1304	Lkiqbl32.exe
3712	Lnhmng32.exe
4932	Laciofpa.exe
3612	Lklnhlfb.exe
2904	Laefdf32.exe
4892	Lcgblncm.exe
4692	Lknjmkdo.exe
2980	Mahbje32.exe
4904	Mciobn32.exe
3268	Mkpgck32.exe
1804	Mpmokb32.exe
4592	Mgghhlhq.exe
4496	Mjeddggd.exe
3832	Mdkhapfj.exe
3228	Mkepnjng.exe
1844	Maohkd32.exe
4332	Mdmegp32.exe
4248	Mglack32.exe
3560	Maaepd32.exe
4132	Mcbahlip.exe
4952	Njljefql.exe
2336	Nqfbaq32.exe
3440	Ngpjnkpf.exe
4120	Nnjbke32.exe
3564	Nddkgonp.exe
3248	Ngcgcjnc.exe
2296	Njacpf32.exe
1140	Nqklmpdd.exe
3188	Ngedij32.exe
780	Njcpee32.exe
4656	Nbkhfc32.exe
3480	Ndidbn32.exe
4204	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
396	4204	WerFault.exe	119

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 388	740	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe	82
PID 740 wrote to memory of 388	740	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe	82
PID 740 wrote to memory of 388	740	0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe	82
PID 388 wrote to memory of 5040	388	Lpcmec32.exe	83
PID 388 wrote to memory of 5040	388	Lpcmec32.exe	83
PID 388 wrote to memory of 5040	388	Lpcmec32.exe	83
PID 5040 wrote to memory of 1304	5040	Lgneampk.exe	84
PID 5040 wrote to memory of 1304	5040	Lgneampk.exe	84
PID 5040 wrote to memory of 1304	5040	Lgneampk.exe	84
PID 1304 wrote to memory of 3712	1304	Lkiqbl32.exe	85
PID 1304 wrote to memory of 3712	1304	Lkiqbl32.exe	85
PID 1304 wrote to memory of 3712	1304	Lkiqbl32.exe	85
PID 3712 wrote to memory of 4932	3712	Lnhmng32.exe	86
PID 3712 wrote to memory of 4932	3712	Lnhmng32.exe	86
PID 3712 wrote to memory of 4932	3712	Lnhmng32.exe	86
PID 4932 wrote to memory of 3612	4932	Laciofpa.exe	87
PID 4932 wrote to memory of 3612	4932	Laciofpa.exe	87
PID 4932 wrote to memory of 3612	4932	Laciofpa.exe	87
PID 3612 wrote to memory of 2904	3612	Lklnhlfb.exe	88
PID 3612 wrote to memory of 2904	3612	Lklnhlfb.exe	88
PID 3612 wrote to memory of 2904	3612	Lklnhlfb.exe	88
PID 2904 wrote to memory of 4892	2904	Laefdf32.exe	89
PID 2904 wrote to memory of 4892	2904	Laefdf32.exe	89
PID 2904 wrote to memory of 4892	2904	Laefdf32.exe	89
PID 4892 wrote to memory of 4692	4892	Lcgblncm.exe	90
PID 4892 wrote to memory of 4692	4892	Lcgblncm.exe	90
PID 4892 wrote to memory of 4692	4892	Lcgblncm.exe	90
PID 4692 wrote to memory of 2980	4692	Lknjmkdo.exe	91
PID 4692 wrote to memory of 2980	4692	Lknjmkdo.exe	91
PID 4692 wrote to memory of 2980	4692	Lknjmkdo.exe	91
PID 2980 wrote to memory of 4904	2980	Mahbje32.exe	93
PID 2980 wrote to memory of 4904	2980	Mahbje32.exe	93
PID 2980 wrote to memory of 4904	2980	Mahbje32.exe	93
PID 4904 wrote to memory of 3268	4904	Mciobn32.exe	94
PID 4904 wrote to memory of 3268	4904	Mciobn32.exe	94
PID 4904 wrote to memory of 3268	4904	Mciobn32.exe	94
PID 3268 wrote to memory of 1804	3268	Mkpgck32.exe	95
PID 3268 wrote to memory of 1804	3268	Mkpgck32.exe	95
PID 3268 wrote to memory of 1804	3268	Mkpgck32.exe	95
PID 1804 wrote to memory of 4592	1804	Mpmokb32.exe	97
PID 1804 wrote to memory of 4592	1804	Mpmokb32.exe	97
PID 1804 wrote to memory of 4592	1804	Mpmokb32.exe	97
PID 4592 wrote to memory of 4496	4592	Mgghhlhq.exe	98
PID 4592 wrote to memory of 4496	4592	Mgghhlhq.exe	98
PID 4592 wrote to memory of 4496	4592	Mgghhlhq.exe	98
PID 4496 wrote to memory of 3832	4496	Mjeddggd.exe	99
PID 4496 wrote to memory of 3832	4496	Mjeddggd.exe	99
PID 4496 wrote to memory of 3832	4496	Mjeddggd.exe	99
PID 3832 wrote to memory of 3228	3832	Mdkhapfj.exe	100
PID 3832 wrote to memory of 3228	3832	Mdkhapfj.exe	100
PID 3832 wrote to memory of 3228	3832	Mdkhapfj.exe	100
PID 3228 wrote to memory of 1844	3228	Mkepnjng.exe	101
PID 3228 wrote to memory of 1844	3228	Mkepnjng.exe	101
PID 3228 wrote to memory of 1844	3228	Mkepnjng.exe	101
PID 1844 wrote to memory of 4332	1844	Maohkd32.exe	103
PID 1844 wrote to memory of 4332	1844	Maohkd32.exe	103
PID 1844 wrote to memory of 4332	1844	Maohkd32.exe	103
PID 4332 wrote to memory of 4248	4332	Mdmegp32.exe	104
PID 4332 wrote to memory of 4248	4332	Mdmegp32.exe	104
PID 4332 wrote to memory of 4248	4332	Mdmegp32.exe	104
PID 4248 wrote to memory of 3560	4248	Mglack32.exe	105
PID 4248 wrote to memory of 3560	4248	Mglack32.exe	105
PID 4248 wrote to memory of 3560	4248	Mglack32.exe	105
PID 3560 wrote to memory of 4132	3560	Maaepd32.exe	106

C:\Users\Admin\AppData\Local\Temp\0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b80aed1cc7dbb7f70dcbb1d721d5cb0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\Lpcmec32.exe
  C:\Windows\system32\Lpcmec32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\Lgneampk.exe
    C:\Windows\system32\Lgneampk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\SysWOW64\Lkiqbl32.exe
      C:\Windows\system32\Lkiqbl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
      - C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        36⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 412
        37⤵
        Program crash
        
        PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Khehmdgi.dll

Filesize
7KB

MD5
0811fbd18328a6fbccfa409b7558b2c5

SHA1
54db532545574c2d2bf190345d86fde1f7d51954

SHA256
aa974e4ac2aa59f0133ec0ec04d337e8b8f93654d0b1ae76b4672044d09cfd3f

SHA512
2cf1640ba2b499b9e5ccc2e73edaf09bd1be0b0e770bc542feadd8c01fa1ad22e0db57059448f315e56744bccca0627f0f782322716ae0c78d71e01b887b23d8

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
111KB

MD5
ed8045011b236e35875f7cd941c0e6b4

SHA1
ffc837b5d6236c1a61490ed0feda1d25405130d5

SHA256
2daf66892548713886f52ef9bac895971c142b4518a58defdfd82d931f1bfc5c

SHA512
d6f852811732cede0a0760f9fa46a8a7b3631a20316292ea6acf34e2da5aa0193b05b132260d7a11b08036240503a98c1d78967925d369df5792da9022e6b2b5

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
111KB

MD5
26f05922ae16aabcfd8074b6328902ad

SHA1
acf808f5148cdfa51b13d02e925f3b2a12993d8e

SHA256
ef355ab7af6f450761a23fbc8b56c5b01333a1de2621813c67ae929b40d386ea

SHA512
dd6eedbd599756c50f1b5de88fb9de44e395b195cf58f168ae40602e3ff4b90301257d9a190da45dfd437e781f5a880694ea415cd6fb7c93a7f41c54a93ed99a

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
111KB

MD5
2aefe4e410ca1bf0f0213f5e2ea33196

SHA1
68bf3a7b4e4d25a01b67c2a7b66d3ea3a30610cc

SHA256
972888680aa7b8c516096b616b531cac7479a5cda899f84945c5086336edc60e

SHA512
0c46fcc51dba1c333383989905fdfb430dbb46783d08286c7cb782bd163d3bea084c87befbcb8503108d3adf5f7b291617ae00cf03805a23ba642759b1fba5ab

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
111KB

MD5
3ee7d91cc84e7457cd1e7998db1819ce

SHA1
eb475b7c3ce8c02fd919076b7efcd1eedcd9eccb

SHA256
481f6ccec740f26ace24726606f969e3fe4fcfd5f0fd96d514d910710b6f8b6d

SHA512
7e9510eba0ffc7ee9f805b40f8a33889b2098281a5e534543436804cb8fd25d5aa8bf938cfbd0e6e2836e3a3c07f7445bf459045aede982c387fca4b2ffa689a

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
111KB

MD5
66b85ee0d7cce5510cb8f33e5da52759

SHA1
700798183b3a042519e2d1c04f420c6a1fb29a71

SHA256
2650ca1c1fcf10fceebc7bce277be94d3d65fbe132e5a82d5119334152a69dab

SHA512
ab7ef3232cb6871e4af87030c89d27d6b2b23aab6138abe87025a21ffb08e111a783356fefd2ae28247b4f5f2199400afbeed0839733b021cd95dd275ede3c91

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
111KB

MD5
872fababe472c6164435f143a3eaa0bc

SHA1
b16bd6849b64b6614e169c6af366e5a735479b0b

SHA256
37ecf230b90c5913e07f756c4a80055711509780314b272f76e7222011dba489

SHA512
c52a520e6751bcb225a5bbaa03aa0ab96db0c93615551e8bb9bfde0580486080a98c8ceb91f778129eb3e817c1cb38cb393746df975f308cec505ef0148d6aab

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
111KB

MD5
ccbc6be866e49bb0e6efd66b2a5c19f3

SHA1
059e9fe9fd944bd1a36dc82f8e3b980bdb4e91b7

SHA256
fa698d2196e512758f4cfaf956fec908d7fb607805aed8076777389dd8d032ae

SHA512
a80bfd29f2713f0c0b79c62b711333f0b329a6a30631b5657f0181f7577f163065eee12ee83d650602ddf8791f518878a2418810d83181f0c2fac215ffcb868f

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
111KB

MD5
1650653dc88950e9e005f97cc2d0e602

SHA1
51fa2c71b13019053846b24479f0344f81415dcb

SHA256
70062c3db5b9bfb0a536c58eb9df3b91e3aa43993663ddee2fac2f85e8a0dc8c

SHA512
8e8b86c2625b7c1080c44cd8af83ea1df4b002ce62de4c734ce49ed31d998c89c37d48cd429f19f06360425bef8caccf5b3f8b5d81646cdfcd6484ec3c06cbb4

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
111KB

MD5
c57c333e918ab8e0dd9348c7cb045d87

SHA1
5f9df57b63078759a6e2811f22775cfeeed0d8ce

SHA256
dca16a010f19ebe7d2ab84b27be61819924deb7a4b20bb6e69883062af48aff1

SHA512
e35462c2d5c6ec64e7130e2223f0aa5aa434eb3ea39e74b7982c17cdfc128136378e62792335e191c4d84ccce9b0b9f253a55409e234943c61e401c89d7eb8a7

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
111KB

MD5
11a1c660ad79e415c9d3730a8acccbbe

SHA1
7bae435df02acdc97372e74fa0a1b39deabfd6a5

SHA256
29bc608f50ff3139c83a19daf1c923fbe46f2b98a084dc28e515f64e2aad4ef0

SHA512
020c766acd3ade371d7fd9b4309a4e1b47e8ff3b10cc98c73f88ffb341ad0cf5934c4a45ef8153f2244e424f2fe6e31a70d3c82b42ab09b9a247b7da9e94c96b

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
111KB

MD5
a873060a741a3b6a97bce326c72cbd49

SHA1
7a95c82db47867485f27747e49603c611bcb8643

SHA256
74be651cad9326574a6efb404eb3996ad684d97b2d096dab02b4eac2cdc1c6a9

SHA512
555d2982c04717b604bdbe8422ee3b35374998f8cd8310edac8061669e67d5d8fc07898becf721dedecbf1cbab51140d7689801f589acdc7be24bfb6c6c06a90

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
111KB

MD5
e1e092888a86097765a4a9d3bee832eb

SHA1
0379fbc135e8e2cb340190f752253776e06dc3eb

SHA256
80f2c812213b1b8e027ec6f3cf6b908f2b5d7ba7ca32c816058aa2f3154263ce

SHA512
dd2c54719e6e50bb8bd691f76af8ccb990d28b22d6c13d454c88a508f8c139ad71a113689ca49857c23662764c10805cdf4373baa95c9d04837ab54173497096

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
111KB

MD5
cda6663b67134474c5bb54e1b93ef734

SHA1
17c5c29b737a037c3c68d567314d8faec53fe182

SHA256
12c15019f0047e64d29eff5d7039d808fdfc8929ea90b27a1abfdf5cf2cedca6

SHA512
5eed14388c732d7d55502d16f61556e1e76c48ca32c5f52947a87078acebe3d395d06c528dfcdbcfbf8d013c86f202fa7ed885702a18ce08dfb05b42bb88c62c

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
111KB

MD5
b7d0284b6347e85dcaef1300e075abf1

SHA1
8e707b67f2526806dc85ff6d42d5b5855b6c52de

SHA256
417915bb5f49c5dd361fb6a2ed48f5424c9ffd478543fa7a27b6c891e0f560af

SHA512
22d1e05734cdf1738b10a4b672b9e069c458636e8a9fb5e925042dbf12cd66936f347a7854b00766199453e822d49aabb72a6b073b9851b39e8c515e6097bc94

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
111KB

MD5
a49a1984c7492fd08348ddfdfb126829

SHA1
f47f2856f2f22f38332d83eb6ccc11bebcf88746

SHA256
7ad173d3d119addfc29eec18b359019d0cff8bd5ec6123bfbe370b658009ccbf

SHA512
94e0c27ad24e1f0d5b9f71600fd6be9f0ae373e21558a18fc535ec0be32d59fb4152e91cba7045f883a35c9db897e71e8a690d57abc96ec470c1ba6747b610ee

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
111KB

MD5
ad3b4c38b8d0db4052c067fc4518aac3

SHA1
5f97e7993533be5eac3652fbde37ea8238a234df

SHA256
320ff4fd7813af896c60512d9bd20fb2c0c2bc34e4d6023221536f5043400742

SHA512
6f2ca1a7a4d23b419f76e1a26481387e7386b48c637b3f590eedaa58a93561d495d82fef4515e5bd8e221767b6cda78654cc720fbed46f0889f741ae96af16f0

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
111KB

MD5
931e02a45d02587f03b1e2f1b2cb1688

SHA1
fb4b1c702480074705469bce26babd1b9a71dd80

SHA256
96708b9242fed05c42d861e421637850db389c292be5637019392d6aa794cd7f

SHA512
47f2920d1efaf2ea01cf09885483c6d9e2160e6fd5b53ecec63fbc8282ad3f3afbbf0cd2f6c98209e6a2dc730f7da1d6ad83f1689166803d16ea17c838f68ef4

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
111KB

MD5
7bb2711a8fa8f0e67ab91d02de04d6f1

SHA1
53bf02abc9739cd358e9ebad55fd7363e5867aa1

SHA256
5377aae14e29f73a9e81b98e247e0f58dec8c0500c571cf91f134886cdf7b85b

SHA512
6c1987e2aac96910b76550fd974030d260ef4d180dc01053e32a3a23363c10199209537ae485ec5e73b8928b8d61a5f824a82dd7ce7a300353359e03db74ece9

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
111KB

MD5
17d0d9de86631381bc9490f7f74e7e5f

SHA1
c1221e927eacbe871677a7339612637448c7f24d

SHA256
2ef72e451f625154b3f4675401f347f5d8ed523e5c15fcb02f17fcc5278c194b

SHA512
042900589d98cd23ce5a8b62e927fac3e379851a9265d40c9835f9e0f80a00b9f8fbcdc2bedd691f35fbcc6e44747672e02abcd4978126951c9d2545209fd921

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
111KB

MD5
2b938fe641e8df125bbd691c7e960821

SHA1
216d7a47856d1eb47a0447c8f55f0f30e8df0885

SHA256
52a92ed5d815c7920f2289d43fb95ee5885cf288d01e0df83984849ee44b5b7e

SHA512
fa7ac75fe9d8282a4283004b96961671b4329ddedb438c3d57a95211bb35c1680ad70ac25487126bfe3d4d700a9828324866f6630ca517aa6691c14a07f3308c

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
111KB

MD5
736d6d1219c686b0405cab7892a6b5e7

SHA1
27175152fc5b7f3476505fbe2cddf0da53685d2f

SHA256
4bc9ffffd015b20718f7cb9bd2a24b1492fc3fd8400e91f17d7c10abf9b6881b

SHA512
c9c9633f3ebc77c510bce7dcb13405503813e9f3ccf868ece6079c7ec56cdfc639612d1410746d30443f5143198669fd9178af62cda4f3b0e406579941b0a669

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
111KB

MD5
125ba86d31b47d2d924185e20e572ebf

SHA1
510ed88ed08bbf90fc29b864b933792a7cdfbaae

SHA256
3d945ae08edcb28cae4880a83290af4952633ee6f5b270cdb90e808e210001ba

SHA512
7092dc08945235f1364876fa330bea5ad587cc61c1eb6cbcc3f94e18bec6271e30dcce03a04e8dcc2bea71b18f6c8697bc3363ac309fac79dde780597a519ef5

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
111KB

MD5
43d96b1099405aacc33f8d6eff60e415

SHA1
711305faa31be4a31dcb2c63def219f5b89f13c4

SHA256
a6a974d4d2383a04696e43fc8f07a0a6f6906bd85a7244b1c3ab9faffc822da7

SHA512
da96a858f585ba071af88caea51215c8aa7fec6cd71529313ff19d974afe95f49b389baea86991cc3f3792ee641a3c8eb359d0ba75a1330d7289dbc93f8d9ebe

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
111KB

MD5
44a643e4c075b9497517a6e42eeb5cef

SHA1
bb34b0386bbcae7b39f863f722c9d120e1dc1c7f

SHA256
851e9694b786c51db9aed44b1522a3749fb5a6454183c56623aefdacfbbf75cf

SHA512
d87725824eafb805ea0308af28055e58b94e075692e370bc164d4406c0cd87c1dfdd82f3731d302acd8c8cc06ab519e6188bb9f8056ba3171a56504d84a63bdb

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
111KB

MD5
3429ce0b8f4c0aaa280a027771eb4fc6

SHA1
4632f934341437b4adf5af07c4f66e5a0a770377

SHA256
7a08c866d6a371b914e2399492f084a3724c6dc822da666d8ebb235731a3e3f5

SHA512
14a1738c19c3f0cbf7390accca11b36e82cd5403fca3d1fc051c02a0f612ad5d43f0ed70c878aacf91afc5bd9771395e629836e538eac7d8ef128fc010599210

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
111KB

MD5
ef92931c21d6dba863247e72296db77b

SHA1
375bc4e1107b4bea4f2b588f6dd872e96cf912d4

SHA256
5340b71c59ee8534573365fff4227a5bff946f6306bfb10753c567a278ee85f2

SHA512
44e5f0f60d43b7dcf64a2e546af0eb958a35777ae15e7bffb844e741bdb432ad5ac4c2930d4405d40af406a33a12c68e373c3b66d2aba8edbbdd3b3deeb18eb4

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
111KB

MD5
7f79e538e45ada143138d4320da4f9f2

SHA1
0364e0997d7c7dadc16cb521aba3d48eb699977e

SHA256
9332ae0b9bdb04764e918ff6bacdc235f1ce64b06869fbfa3d57eceec69df84b

SHA512
18c0ef4f54067cb93db2230aa86a38bf2a42cc8f73878680d5acaec92ab4de142b858ee2995dc769bdf65075df384fe0347a6d194d7b1b3607de803a82131396

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
111KB

MD5
2e9a74db753a164a9a0bd6f030169750

SHA1
17dcd7aabbc0950010152dd9ea4469e69cbb5826

SHA256
bdaf0f897eedce8aed4f6fe5d4356f1969c7cabb6895589df8a8b48a6c33799c

SHA512
89a91f8759e297e47c31505c354008eae03a6b01e743f6531d64c9c78aaba7e2a2dc9e8087e1acea269a3feeeae025cbc621e610c0920cbaba640175208a9b95

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
111KB

MD5
a09fca8b04002249843aba7d1002c4b6

SHA1
78d462aac13b970b3ae799c83c16e492bda62fa6

SHA256
c91ba28716a30b561a5ce96f3335ac1cf9d0d11f35314d0d4d879d3191216f4a

SHA512
88d5f47204191741624b4ef9677a419f9eb0dd6c21be830ded119a2079b3c71abbfb3211026743cbe27a29dda8202ce116f8c6d3305656721ab59d0d56bb7266

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
111KB

MD5
892ebec6834f9da150577da9ed563c41

SHA1
3d42e199199bec6fdb99c85c36cf3c42ca738618

SHA256
f9c9464db6078f40df8d48d9af29dcba18783fd04f6a055dd01314fe0c92cc7f

SHA512
3fab9987f06ddcbe09d30b2b83b97e12ca36d837622d02b340dc493473617c258ad7e2686838fa769f13ae4b32a69a5821f39b5e4a7c9002e9e62bd2ae04ca79

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
111KB

MD5
467aa469d6d73e8dc7249842c2beecfa

SHA1
d2ddf0a9678cda0972e13f5745d7a9a3d70377b1

SHA256
54e8304aed82f62ac0f531e78f542b13fed09d7655c41535d51a6f220c32a914

SHA512
90275cacec3fdd6de7861fef98d91dd44fd7ce46721d85a833981c59b0af20007b6b8cbdb61442e2183a013431eca4c71d971f4dc5eeb226b367467b125c33c0

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
111KB

MD5
cb42603d57afc6731f9090d5e16d0cfc

SHA1
8244d47efba2791c2ec45ec3a72eb76d4b36dd58

SHA256
8db8576669bdac9b3f57fb440d432e52d5adb25a5f1cecd1ffff691055e1f06a

SHA512
05e794549eb996e847bfe145d30c89de235098ec8ba819c5a9ae6fec37c0c22c59c5315718168ac25af2730a2053646a1473458d1ed2ebbdac11d4af21bea083

Download Submit
memory/388-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads