2121a242251014710bb7c9fcb1d321e3c222f5ef8ee8740f46b6ee4b11fef323

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
Size

352KB
MD5

707e7b62979d4310a5eab3bd3f0d0250
SHA1

d6c4a4362f241e242e156d39286d4f1e681908a5
SHA256

2121a242251014710bb7c9fcb1d321e3c222f5ef8ee8740f46b6ee4b11fef323
SHA512

2d3b2caa367b09b16d465c88510cbdc61e7be49e773c24c563d6e0838ee5e89bf09ae3cea67e7feadceb6c6a1f33112724d3997cac80d21b4905d0a8bcd724b3
SSDEEP

6144:2tkGXz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:2tWsUasUqsU6sp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe

Executes dropped EXE 33 IoCs

pid	Process
3856	Lcpllo32.exe
3456	Lpcmec32.exe
4240	Lpfijcfl.exe
640	Ljnnch32.exe
1740	Laefdf32.exe
2736	Lphfpbdi.exe
3532	Mgekbljc.exe
2316	Mgghhlhq.exe
4924	Mpolqa32.exe
4912	Mcnhmm32.exe
3312	Mjhqjg32.exe
4676	Mjjmog32.exe
4552	Maaepd32.exe
2100	Mcbahlip.exe
4132	Njljefql.exe
4252	Nacbfdao.exe
4892	Ndbnboqb.exe
1836	Nklfoi32.exe
4932	Nnjbke32.exe
2064	Nafokcol.exe
3184	Nddkgonp.exe
4780	Ncgkcl32.exe
2876	Ngcgcjnc.exe
3088	Njacpf32.exe
4848	Nbhkac32.exe
4016	Nqklmpdd.exe
3388	Ndghmo32.exe
4048	Ngedij32.exe
376	Nkqpjidj.exe
8	Nnolfdcn.exe
3104	Nqmhbpba.exe
4944	Ndidbn32.exe
1736	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Lphfpbdi.exe

Program crash 1 IoCs

pid	pid_target	Process
4452	1736	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 3856	460	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe	81
PID 460 wrote to memory of 3856	460	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe	81
PID 460 wrote to memory of 3856	460	707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe	81
PID 3856 wrote to memory of 3456	3856	Lcpllo32.exe	82
PID 3856 wrote to memory of 3456	3856	Lcpllo32.exe	82
PID 3856 wrote to memory of 3456	3856	Lcpllo32.exe	82
PID 3456 wrote to memory of 4240	3456	Lpcmec32.exe	83
PID 3456 wrote to memory of 4240	3456	Lpcmec32.exe	83
PID 3456 wrote to memory of 4240	3456	Lpcmec32.exe	83
PID 4240 wrote to memory of 640	4240	Lpfijcfl.exe	84
PID 4240 wrote to memory of 640	4240	Lpfijcfl.exe	84
PID 4240 wrote to memory of 640	4240	Lpfijcfl.exe	84
PID 640 wrote to memory of 1740	640	Ljnnch32.exe	86
PID 640 wrote to memory of 1740	640	Ljnnch32.exe	86
PID 640 wrote to memory of 1740	640	Ljnnch32.exe	86
PID 1740 wrote to memory of 2736	1740	Laefdf32.exe	89
PID 1740 wrote to memory of 2736	1740	Laefdf32.exe	89
PID 1740 wrote to memory of 2736	1740	Laefdf32.exe	89
PID 2736 wrote to memory of 3532	2736	Lphfpbdi.exe	90
PID 2736 wrote to memory of 3532	2736	Lphfpbdi.exe	90
PID 2736 wrote to memory of 3532	2736	Lphfpbdi.exe	90
PID 3532 wrote to memory of 2316	3532	Mgekbljc.exe	91
PID 3532 wrote to memory of 2316	3532	Mgekbljc.exe	91
PID 3532 wrote to memory of 2316	3532	Mgekbljc.exe	91
PID 2316 wrote to memory of 4924	2316	Mgghhlhq.exe	92
PID 2316 wrote to memory of 4924	2316	Mgghhlhq.exe	92
PID 2316 wrote to memory of 4924	2316	Mgghhlhq.exe	92
PID 4924 wrote to memory of 4912	4924	Mpolqa32.exe	93
PID 4924 wrote to memory of 4912	4924	Mpolqa32.exe	93
PID 4924 wrote to memory of 4912	4924	Mpolqa32.exe	93
PID 4912 wrote to memory of 3312	4912	Mcnhmm32.exe	94
PID 4912 wrote to memory of 3312	4912	Mcnhmm32.exe	94
PID 4912 wrote to memory of 3312	4912	Mcnhmm32.exe	94
PID 3312 wrote to memory of 4676	3312	Mjhqjg32.exe	95
PID 3312 wrote to memory of 4676	3312	Mjhqjg32.exe	95
PID 3312 wrote to memory of 4676	3312	Mjhqjg32.exe	95
PID 4676 wrote to memory of 4552	4676	Mjjmog32.exe	96
PID 4676 wrote to memory of 4552	4676	Mjjmog32.exe	96
PID 4676 wrote to memory of 4552	4676	Mjjmog32.exe	96
PID 4552 wrote to memory of 2100	4552	Maaepd32.exe	97
PID 4552 wrote to memory of 2100	4552	Maaepd32.exe	97
PID 4552 wrote to memory of 2100	4552	Maaepd32.exe	97
PID 2100 wrote to memory of 4132	2100	Mcbahlip.exe	98
PID 2100 wrote to memory of 4132	2100	Mcbahlip.exe	98
PID 2100 wrote to memory of 4132	2100	Mcbahlip.exe	98
PID 4132 wrote to memory of 4252	4132	Njljefql.exe	99
PID 4132 wrote to memory of 4252	4132	Njljefql.exe	99
PID 4132 wrote to memory of 4252	4132	Njljefql.exe	99
PID 4252 wrote to memory of 4892	4252	Nacbfdao.exe	100
PID 4252 wrote to memory of 4892	4252	Nacbfdao.exe	100
PID 4252 wrote to memory of 4892	4252	Nacbfdao.exe	100
PID 4892 wrote to memory of 1836	4892	Ndbnboqb.exe	101
PID 4892 wrote to memory of 1836	4892	Ndbnboqb.exe	101
PID 4892 wrote to memory of 1836	4892	Ndbnboqb.exe	101
PID 1836 wrote to memory of 4932	1836	Nklfoi32.exe	102
PID 1836 wrote to memory of 4932	1836	Nklfoi32.exe	102
PID 1836 wrote to memory of 4932	1836	Nklfoi32.exe	102
PID 4932 wrote to memory of 2064	4932	Nnjbke32.exe	103
PID 4932 wrote to memory of 2064	4932	Nnjbke32.exe	103
PID 4932 wrote to memory of 2064	4932	Nnjbke32.exe	103
PID 2064 wrote to memory of 3184	2064	Nafokcol.exe	104
PID 2064 wrote to memory of 3184	2064	Nafokcol.exe	104
PID 2064 wrote to memory of 3184	2064	Nafokcol.exe	104
PID 3184 wrote to memory of 4780	3184	Nddkgonp.exe	105

C:\Users\Admin\AppData\Local\Temp\707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\707e7b62979d4310a5eab3bd3f0d0250_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:460
- C:\Windows\SysWOW64\Lcpllo32.exe
  C:\Windows\system32\Lcpllo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\Lpcmec32.exe
    C:\Windows\system32\Lpcmec32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\SysWOW64\Lpfijcfl.exe
      C:\Windows\system32\Lpfijcfl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        34⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 400
        35⤵
        Program crash
        
        PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1736 -ip 1736
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
352KB

MD5
1932c0fdca5f156476ca95d57e621162

SHA1
e9bbfab286b6b97e6a9ca362a31fa7d2573a973c

SHA256
3a87b0dfab108ebad95c18e94f22aef402b40b4c5c4455855a1179a8c099e900

SHA512
ab0b83d404a45911faecfb88b4a36abc826f7dcc7b7cc57b8220fd07c4ecd9e67991315907c7b5ec4f438be0c35c238818f1055e5a2899471432de3401aaaca5

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
352KB

MD5
a48d7f2fc9ee05ba55fb073c15940e71

SHA1
41e032b556e33ef362e0e1f9b42c7082f4c331a9

SHA256
183e073d221a3ffa19904d60c4756bf8e0a81368610f71888cce9692a350fae4

SHA512
6ed3ed6a76b655cf56aa72b571690bb8c013ff2fff990426fccbd48125938070b704c31c9eafd2f004aca16f67d57bc5278986cdb7dbf5ddfd7a97e916514d2e

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
352KB

MD5
7030a41cd84fcbd7fe03e6abd6ab2b70

SHA1
85db89c6d6792357e7dfdd34050c3298f5c36876

SHA256
4159c7886801d9cce1cf7c335e5190caf10e82f7891b412640f79d1b96030809

SHA512
d9cc695a987262715dc06b7e479bf5763754640963d5ea948969102390d21b7f42ae9b5c366d24a350c0ef1342440d88847d522f8780d45651664ef1b6eeb9d0

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
352KB

MD5
01e2756e03b1f7d7049b72ac8f44bb64

SHA1
277d5ebdb6099560347295cb59b3f6325db5484f

SHA256
e1b1d1614b35596da03a43d5724336537b7f61cff7564e8bbf3cd09922942f9f

SHA512
cd335194ce50bd76e5ac939f4300b620b27b06fb7f99db71c1327cc08e9bc7c364147d6f46dca29316e08f131d423979274cd020edf4ff9a94dd5e4106b55bc2

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
352KB

MD5
3d0d0ed5024255d638e360b3d81a6044

SHA1
c8d9dc23008a666b004a22e0f6673ccc13c23cbd

SHA256
dc2b4a429e7e108a0b33ff4648a1a4eb01d39c87ced8090bf3d5f8ce0888c210

SHA512
1d9948bc1643364b27f2b18301df6ed4e00fde5199fc3853b5d44aec23c99535ab00529f948547a6b7d83164ccccbcf1bdc9467c934fd87d2c595a0238b4d7e5

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
352KB

MD5
1490a6616846f62e732d9a7661e9b3de

SHA1
d400b00015ea0a6bb9311944ccc76be04cb757b1

SHA256
1cbb53661cc315ae5e9cb6ae3c5273d252069a4d289e692057a20ebaf8189024

SHA512
4f48d422f59b692f84be677e6a1faa061d4daafbeb407eee74b63b57c338df266a0e3c46c4002cb17f68d017911afcf345c57ee7c72de7584013f50d2bfa12be

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
352KB

MD5
00071b9b527cdc3d40c4e7dc68d5f41f

SHA1
226301003f7169ad59886ecfaa8e4c978e00ff5a

SHA256
6d02708f5e3c6548e0b58e33e8b016bfed12350a72198764f3c70cb58f467a6f

SHA512
a6460c06d56d8f1f72ef2156cef22322b4fe73a7125d23506a727b3d3899dc41a9c0bca44fa97e525e759046686d048be43fa21a6ebfce1ea58b4a54ead69641

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
352KB

MD5
b22825f70a532ef79325d85f8db523b2

SHA1
b8ee004e95ddca7558aec4522e9ffe0520ab059f

SHA256
c69227d198a52c03d869c0dadaf022850f59b2958c5821512d38cfcb4592b084

SHA512
cceee33c4b6c220124a1246f85644127e26997850f85bc7606e7512f5a0553e0df42844b7b2a16b6cfa36abe5180ef50cee9a234a58e0f7d1b9061ec74180947

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
352KB

MD5
42679afb25c24d706e2d011b83fdc259

SHA1
800163e42c11d1f071ce4afd43c8c7d83695d475

SHA256
58565ac07a911dd147bd21feb86c08a712799d2609dc3cfe690f14aa818a4051

SHA512
61a809dc751980e50c2f6847ee3b44925738eff8189ae87f99fec0007dc165bb92e373c8dbdd6c70b86c2ab06e91d8c79ada1c088b8af655343f6ec9779ed7e7

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
352KB

MD5
1febc03d1fa0633dfd9d1444ae7c4ddd

SHA1
5592952e22955b5122b0a6b11055163257319803

SHA256
95f08ebcc7413b22fb13441c479ecdb07531305525d8049a91656d8ab598400b

SHA512
80a0f66e1e4549ae6eae44cb5bd574824307c194ef0b2437e4a230843405fe1b668b8dac8d8e717ec6b8815a3aec51fc6968491bb7f57a7f4d49e0acf57a6e9b

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
352KB

MD5
137d4f06bc8b3e535d4a84c7d2012b38

SHA1
af56b6cbf757416def9ccfd7cd155867822c7fbd

SHA256
752bf442f6b27fa1668d43d82ff1152d9b131391ec7eef8431b9592826d51aee

SHA512
c52007b5d7cc59d66e9f90b6ef2cadade9a15a7dca18d9e4653c1b8c2d7adf09ed8d89a3d938709ad99560e70d72d37d726685e9a487e463217e5871f6538c4b

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
352KB

MD5
15c469ffc36059668a4c9dad1a3218f3

SHA1
9c10bbd2e4a7e892dcc2e1e62fb246e30c5c8908

SHA256
1c55e5e401b3491fb63c28cf088c038f5943239c83521d316a0c14bdd220095e

SHA512
34ebe4cdf2f23a82ea9f076c29c50170d39b62289e12fd81efe071f2778a29a5b02af110ec22bb0a67fec9d268657dd3eecaa6080afbe3a14fb76929eea8f0f0

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
352KB

MD5
532992c42c1cffe4bd8a3cc96ec6b850

SHA1
fefb3b7b26468d1999740bbe4c879a2758c548df

SHA256
f15bb15c09164cb35d58ed95db7a3114d447c31e0bbafbe2926c8f1c0d87bd27

SHA512
59dc3e82efa237933c52d106f02b24dbb9cdab4a78ae5d1edd73d230b1d74c942c2a51a7c6bbe98d088498f157eaa0ac216b79d49aa425352afd4eabdec94478

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
352KB

MD5
bcf71c79ea77a62ae1795231d3ebc23f

SHA1
37e14ec8e8c7655ed1e9260ae3eafc17eff4cc6c

SHA256
faa058af28c8e9854f88da234df35d030397117e22ce5827ae9924934877f49d

SHA512
5535ea0d917b90b27b3ecf5ec2d3a848b13a84bc0de750389b0c10239e9fafcdb00b77c1b750f637682358aaf8d827f19760f12522379cf0ca57140c19983e62

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
352KB

MD5
265d41506865fa6fd5b197adab3e01fe

SHA1
06987265810ef72566a06732819e271dc9fff933

SHA256
a8bb2dee77f6ec19b55887cab9c0591a199597e74fcce224924f1055b50caed6

SHA512
ac9bd747127d1977df247f8e4d1e09e7241c609787c835a5b9355bd457b598ad7b25ea8cb690ea0ece5a94bc56bbd946a49f161da5fe53cf8cffa8728e818aee

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
352KB

MD5
1e6c5eaa05f79b8da91e9dcb12555ddd

SHA1
ff20612edf051ef2de0f331ec59a186dd265241d

SHA256
cdc856914621014ba1220df7fbe5fe203666a71a9f82e23868b522b39eb9b8fa

SHA512
ca40bde704f5399e2b68e9bb474d9be611503e231058e86979392c5fe733da64a811180c98eda5c59aa74b5cd2ec3c0076b57996f41c7127d953706af96b1f1d

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
352KB

MD5
d7295fa02f75aac39fefe693eb07250d

SHA1
8dcb56a7805b255b835d5a646886eaa24510a4c0

SHA256
c17c9e6304581bac2fe20de5b1180cbb101bf22bf1a0b786cbd579715ddfe69d

SHA512
57e82e76431a770e31e4867bf15d6348c44b468b624e72d87644f5a32a2e238263efde0c051026c4c040425f9531bc96c7bf20acb9ca737122586faa774c8559

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
352KB

MD5
e7031ba8094d1bb85eb8c917627dc727

SHA1
8a2b4672ee31ac094631acdc348eef08c7fddbc1

SHA256
8793c3c7e5cd863d956b497141b1c1da915ccbdae672b5d2ac4f4b4d48003305

SHA512
df518f0818ac8c0129aed52ba5976094bcdf4552f6e788389a516a0471275dbb7e55381d3e6a999a1835d86052f0df7c2a2adeb3ef3687f2443d405dba7830f2

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
352KB

MD5
6c6829f2e1ef51d6e38a3d49df02833e

SHA1
88c4be6aced932b90a74c48ac00819695b1673ee

SHA256
123b5c43ece840bbd21f8ad5bcfce4cc62db1a2492808485731e18c8417f6fca

SHA512
6bbcdf2f6c1b5ead4d5b59278cc5665a0977df473ed2c170be535a98853de746541d89d12ca97d64551fd0514dfebbbf6876b335313d867575c1b1409e90a3f7

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
352KB

MD5
72d3ddfd03487ba602dd27000c563768

SHA1
668dfbd3f7f6f014c4873395c901840240dbf7a2

SHA256
faaa2729a87e7011498a0cc73438e0febf4b134cd477cdf1a3fb978c4ccf12aa

SHA512
16eb7dde1813cf0cfbd13d10dea27358b44928b54a6034b7d1f27ece1f88d047381270877373304d1d9d0a9bfd163c20fb0870ffe30ab8cc0d05d99095826024

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
352KB

MD5
dfa4592696f5ed4d9830d75b50d1474d

SHA1
e41774167d7d01357ce74637a26fd89aff818fbb

SHA256
8106c65a9cdb9b990259b17bd4a3bf2e45f564fa572a8017fb0da2efca71d0d3

SHA512
9316a4091129357c241387606b7fd88e565a426376b6dd48282fb8f92b45f0291aff4aa9452cda2af040f6f5848e7ff7b90bcc3befe80a094db0077824e46eb8

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
352KB

MD5
90a4d93fe25d34a5d7d2c278052fa1ed

SHA1
5ff1bfbca58862e071c3c76b2745b681cda77c5c

SHA256
bf7ccb43abd6579305f3af00070f2523ef7e40976e6c4e52e1fc06a01ad280f6

SHA512
3b9f79d5c4fec2b1247937b23f695638dfdb4ebe86ec9df04f2405799c7d998c1d5840acb085c93014660f25c29eb23f0d88b84d2d46aa3c883b302b43249ac6

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
352KB

MD5
007671d77d7a38b7546f308bed57d585

SHA1
2fcce57562f0fe812cf27bf14a78f28ec67de333

SHA256
b5b8041a091b19faed9386639acd947c1da444bb9aa1244e1fb37d775d328db2

SHA512
9bd184de9a0548d8ac43c99e52a4171effde4edfa4d1235a10200a54b97dda07b66f6013717c719b07806591c4fee7a8a6eb66d36e22e7ce822866d317f7e9a8

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
352KB

MD5
6a3829e21254f56280d2f4ff7ab6ea9e

SHA1
faca975e4fa16467fa7fa299cb75491a820be4fb

SHA256
b7575f4e5b0a25eee20e7da4b4d88ffcee666cf698e3d611417ac462f7fc387a

SHA512
334da660ceb7897c1ecdc17c7cd073d6afbea7bc6e15f2e20ee348fbb42f13c53968f916f6af59566491d337cf2d83db8c4cd68560b4f4c98ecfa84352312971

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
352KB

MD5
74df31248b4d6a8542dab41082741bff

SHA1
ea2520beae78753eb2fae2573b61fd3b6418c4f0

SHA256
502f2b7fc8a8256b3cebb2f577edf2a962617013b499849f8699518615cd47ae

SHA512
1bb15f139f1bbf88ef66324f7676288d9d6a0a2831dcb850dfc530bcdb91e2ac905a248405d491c7004e2f922a32b6e4d76941eb5894ff407aad26776e4d7569

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
352KB

MD5
e4a6ffcbb19e8b509d66b6f66f505833

SHA1
9c69cfafec88f63379ea4fd5cacd679b5b4971d2

SHA256
904697a13e0179865850c82333a6cc677b74c40e2619f1f279b839103e91a67c

SHA512
09d6746111cc842cf0d97e9f9c9ee1555eeafac98faf14c2635aa05c7f27546d9d3f237fc2698978875d45fadee1a21b42460b60162487c81b68e0e7385b0be8

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
352KB

MD5
ccdac218cc0d0d365b90b633f6d04905

SHA1
9f046cc7d3a9ec6c7cd0be91c96dc060ad1e0840

SHA256
ae88e293a775f32c5fe826635295dd7534db11ff14b439025f2fd756debed269

SHA512
4dd3d204349e84cbaabd11faf22de52070700a145eedf6fa2e23a38d7c598ee8721e07703b14c5ca0670e81c3bb38c1a984820f032e269ced023ac31d39570a8

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
352KB

MD5
bf2683bdc8dbd2be9d5859dae5233982

SHA1
022e90263227fe3fc3c1d29891f691a9db513da3

SHA256
3abf960f588f6f613e7d15fd71ee20d24f1990f04f66dd3f78ee0c30c679a9ad

SHA512
2eca6491b309dab56392b3a85a68c19350a30b9c34b21712b21ac03d398c4c279122d9f72a6f12ff9efcf6f271081a9952b99df0e70367b5796cce656580c2f4

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
352KB

MD5
c0fdf09a154f7b4ef6f5242cc02dafa9

SHA1
b810574d88255d277243a4e2b9603e7d790356ad

SHA256
c5da385c6941f02421db2d65a10346c46e0f5a91e58f7b47e66bdedfb4d91ca2

SHA512
2fe96bf8d93fd4aefb371be0e497d42b028c08d675b7f19d1880a39fe2b26de4a39ead2e215ac7da821e9dc4ac2fc5698edc7e5d162a7bd07849b539a2c5c1b9

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
352KB

MD5
ab58d54a50f35899b388cdeb83d5d4fa

SHA1
18bb7fcc137f054e1aa85c1d3d0abce144d9e3bb

SHA256
f2ec698932991dfdc033110a8a528a16a4bd0176927843e8fd0f2a8fb6c51b82

SHA512
a234e81acbafeacf4f490bd6ef9d6a300a1c719d6fb779f8faaaf3b89359db436a9ee94bc28917ebc7947ebfd383d4ff20f8a4692f4f39538137e6b0999e5107

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
352KB

MD5
d48cef3015ba110021ee735ccc46ef2f

SHA1
e12eea7e77acc073cd600230d708da33f9318f4d

SHA256
c22d1d8037802e3a9b69537266e5e7d8ad8b43730afa45c8873b82c7f83ac304

SHA512
aa92523b9f0d0c7acd17e6fb02b662ad9ed5f470c14607ee1cd591da9ccbe422dbae30f7001aae4f884c949cc80363af4f5a50debccc15ac6e485ef3b1bc25a4

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
352KB

MD5
d9c66554f7225cf5342c907f3d50843d

SHA1
993b3b8bff8567e2337c0a992c25e535808f0cdb

SHA256
c28fc85e0bc574ef72b8ffacd9ad57d56616b323c0e0a14670c33cb38bdd5502

SHA512
4992468c434c21c8405709765b4cae7ec10c569a898f98f0bfd95f19d0d71dd8aec0498ca3c27fe14f9ae5aafbb9f7e8dd4052b7b65276052b47366727372d1c

Download Submit
memory/8-263-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/376-265-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/460-322-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/460-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/460-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/640-314-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/640-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1736-257-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1740-312-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1740-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1836-247-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1836-286-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2064-282-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2064-249-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2100-294-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2316-306-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2736-310-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-276-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2876-252-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3088-253-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3088-274-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3104-261-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-280-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-250-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3312-300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3388-269-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3456-318-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3456-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3532-308-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3532-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3856-320-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3856-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4016-255-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4048-267-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4132-125-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4132-292-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4240-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4240-316-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4252-290-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4252-128-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4552-296-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4552-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4676-298-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4676-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-278-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-251-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4848-272-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4848-254-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4892-246-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4892-288-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4912-302-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4912-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4924-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4924-304-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4932-248-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4932-284-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4944-259-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads