676203564bf69daadd4f9e7fbc43c6140df1d9e3ab53ea5d7d01dea595078abc

Analysis

max time kernel
137s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe
Size

512KB
MD5

ac8dc6fed5ede103a3e5813049518010
SHA1

7e5f458859740d34f091d438cc027cda2b8307ab
SHA256

676203564bf69daadd4f9e7fbc43c6140df1d9e3ab53ea5d7d01dea595078abc
SHA512

7a94e11179c1612a3800f97ea1538ac198aa43d391bf2a9a3055493fd004418bf4028c47013f12c3a74965a575f645ea1bcda0d17c8878e3d0a463fac8d54a63
SSDEEP

6144:WjWCOD1kZ853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:WjCQQBpnchWcZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe

Executes dropped EXE 33 IoCs

pid	Process
3512	Mjhqjg32.exe
3044	Maohkd32.exe
4932	Mdmegp32.exe
556	Mglack32.exe
3852	Mjjmog32.exe
2252	Maaepd32.exe
2476	Mpdelajl.exe
3240	Mdpalp32.exe
2224	Mgnnhk32.exe
1184	Nkjjij32.exe
1008	Nnhfee32.exe
836	Nacbfdao.exe
3840	Nqfbaq32.exe
1484	Nceonl32.exe
1888	Ngpjnkpf.exe
4760	Nklfoi32.exe
1876	Njogjfoj.exe
4472	Nafokcol.exe
1052	Nqiogp32.exe
4716	Nddkgonp.exe
1288	Ngcgcjnc.exe
4456	Nkncdifl.exe
2804	Nnmopdep.exe
4916	Nbhkac32.exe
3088	Nqklmpdd.exe
2268	Ndghmo32.exe
4448	Ngedij32.exe
1492	Nkqpjidj.exe
5000	Njcpee32.exe
4056	Nbkhfc32.exe
2012	Ndidbn32.exe
60	Ncldnkae.exe
2356	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe

Program crash 1 IoCs

pid	pid_target	Process
1944	2356	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 3512	3640	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe	82
PID 3640 wrote to memory of 3512	3640	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe	82
PID 3640 wrote to memory of 3512	3640	ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe	82
PID 3512 wrote to memory of 3044	3512	Mjhqjg32.exe	83
PID 3512 wrote to memory of 3044	3512	Mjhqjg32.exe	83
PID 3512 wrote to memory of 3044	3512	Mjhqjg32.exe	83
PID 3044 wrote to memory of 4932	3044	Maohkd32.exe	84
PID 3044 wrote to memory of 4932	3044	Maohkd32.exe	84
PID 3044 wrote to memory of 4932	3044	Maohkd32.exe	84
PID 4932 wrote to memory of 556	4932	Mdmegp32.exe	85
PID 4932 wrote to memory of 556	4932	Mdmegp32.exe	85
PID 4932 wrote to memory of 556	4932	Mdmegp32.exe	85
PID 556 wrote to memory of 3852	556	Mglack32.exe	86
PID 556 wrote to memory of 3852	556	Mglack32.exe	86
PID 556 wrote to memory of 3852	556	Mglack32.exe	86
PID 3852 wrote to memory of 2252	3852	Mjjmog32.exe	87
PID 3852 wrote to memory of 2252	3852	Mjjmog32.exe	87
PID 3852 wrote to memory of 2252	3852	Mjjmog32.exe	87
PID 2252 wrote to memory of 2476	2252	Maaepd32.exe	88
PID 2252 wrote to memory of 2476	2252	Maaepd32.exe	88
PID 2252 wrote to memory of 2476	2252	Maaepd32.exe	88
PID 2476 wrote to memory of 3240	2476	Mpdelajl.exe	89
PID 2476 wrote to memory of 3240	2476	Mpdelajl.exe	89
PID 2476 wrote to memory of 3240	2476	Mpdelajl.exe	89
PID 3240 wrote to memory of 2224	3240	Mdpalp32.exe	90
PID 3240 wrote to memory of 2224	3240	Mdpalp32.exe	90
PID 3240 wrote to memory of 2224	3240	Mdpalp32.exe	90
PID 2224 wrote to memory of 1184	2224	Mgnnhk32.exe	91
PID 2224 wrote to memory of 1184	2224	Mgnnhk32.exe	91
PID 2224 wrote to memory of 1184	2224	Mgnnhk32.exe	91
PID 1184 wrote to memory of 1008	1184	Nkjjij32.exe	92
PID 1184 wrote to memory of 1008	1184	Nkjjij32.exe	92
PID 1184 wrote to memory of 1008	1184	Nkjjij32.exe	92
PID 1008 wrote to memory of 836	1008	Nnhfee32.exe	93
PID 1008 wrote to memory of 836	1008	Nnhfee32.exe	93
PID 1008 wrote to memory of 836	1008	Nnhfee32.exe	93
PID 836 wrote to memory of 3840	836	Nacbfdao.exe	94
PID 836 wrote to memory of 3840	836	Nacbfdao.exe	94
PID 836 wrote to memory of 3840	836	Nacbfdao.exe	94
PID 3840 wrote to memory of 1484	3840	Nqfbaq32.exe	95
PID 3840 wrote to memory of 1484	3840	Nqfbaq32.exe	95
PID 3840 wrote to memory of 1484	3840	Nqfbaq32.exe	95
PID 1484 wrote to memory of 1888	1484	Nceonl32.exe	96
PID 1484 wrote to memory of 1888	1484	Nceonl32.exe	96
PID 1484 wrote to memory of 1888	1484	Nceonl32.exe	96
PID 1888 wrote to memory of 4760	1888	Ngpjnkpf.exe	97
PID 1888 wrote to memory of 4760	1888	Ngpjnkpf.exe	97
PID 1888 wrote to memory of 4760	1888	Ngpjnkpf.exe	97
PID 4760 wrote to memory of 1876	4760	Nklfoi32.exe	98
PID 4760 wrote to memory of 1876	4760	Nklfoi32.exe	98
PID 4760 wrote to memory of 1876	4760	Nklfoi32.exe	98
PID 1876 wrote to memory of 4472	1876	Njogjfoj.exe	99
PID 1876 wrote to memory of 4472	1876	Njogjfoj.exe	99
PID 1876 wrote to memory of 4472	1876	Njogjfoj.exe	99
PID 4472 wrote to memory of 1052	4472	Nafokcol.exe	100
PID 4472 wrote to memory of 1052	4472	Nafokcol.exe	100
PID 4472 wrote to memory of 1052	4472	Nafokcol.exe	100
PID 1052 wrote to memory of 4716	1052	Nqiogp32.exe	101
PID 1052 wrote to memory of 4716	1052	Nqiogp32.exe	101
PID 1052 wrote to memory of 4716	1052	Nqiogp32.exe	101
PID 4716 wrote to memory of 1288	4716	Nddkgonp.exe	102
PID 4716 wrote to memory of 1288	4716	Nddkgonp.exe	102
PID 4716 wrote to memory of 1288	4716	Nddkgonp.exe	102
PID 1288 wrote to memory of 4456	1288	Ngcgcjnc.exe	103

C:\Users\Admin\AppData\Local\Temp\ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ac8dc6fed5ede103a3e5813049518010_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\SysWOW64\Mjhqjg32.exe
  C:\Windows\system32\Mjhqjg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\Maohkd32.exe
    C:\Windows\system32\Maohkd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\Mdmegp32.exe
      C:\Windows\system32\Mdmegp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        34⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 400
        35⤵
        Program crash
        
        PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2356 -ip 2356
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
512KB

MD5
542a75598d401b87c43c43c3835616b7

SHA1
cbd5f4377bd54d1a6704056a6fce0467d49078dc

SHA256
12c1e01e2034b9e8e92f2735b5ea2c9a684be908f009be843b2cc977fafa76cd

SHA512
158a1c616e765c5e68d249d99520efdab0230e58ed51dc3e1fd51101856b1169cddbaf3d8073a17b9585b01e5df41127870b0ae79a1d7784cc25f5d65d5959f9

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
512KB

MD5
2487dd917d953747d900fe02985dc731

SHA1
4df2b5c3baf0bcb5abfd86102175f0ad6ae7b151

SHA256
154fea8ac04ff4f625b138cc48f6132f1405c3264eedfb7d541b705d901a24e6

SHA512
28adfb1f6bc2bacd09e5ee146777822921c28e81f52cc096dd46813fb0360e35e6db83ecf7dcd6323d944fbf905c93cfec9e3ec85c838f83d86a5dfa8b320e3d

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
512KB

MD5
d24ce943e8d7a0309de719cb7ca4d181

SHA1
ee8a157e3ab99e6889f9a69dcb1cac9c82df5eda

SHA256
a51e6c4e12854e287355917a5ca32c82c204bfe68fc56d9df7d3550c79ee03b1

SHA512
0dc284542f37d7b5f49c25de88b9c19d0aaa23bed6f9dabb98835986bfcb49dffce9ff6ab143e9b2c23015e758266e624f5f0e6316463a792ad1d4bf0135a156

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
512KB

MD5
31e3f72a00028c1f46dd90a5bd41cf9f

SHA1
231555674ea2c99dc2199c38431cd25f3269943c

SHA256
614d46ba57a9ae4a57b33a941f5f6167351a354c38b1c12d7a159157f14fda41

SHA512
136b9968b3a1b64c36a2630bacf79113e5553c8c166f7df01898e0b0d22a2ca0f7398c62fad9ccf7040d21074a27965161e731d0a0dec84e957fc1130a688e52

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
512KB

MD5
796a57f656045757cdcd31fdde8930e2

SHA1
c4cc25504029c8dfe5660e4122f9080d35969528

SHA256
097225159ec9c3334319ff81ae0d9cf1a24444bd0a381f9b96d805c1476f4b9a

SHA512
f51b13769ef5b500deae2e078e27572c5fdb0061c7a259d0f9abfdd9187ae86192fed135cdbf3ef4fef8a6892bae0627cc2598a072a3d46b37e42c2637a0b86e

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
512KB

MD5
f9e8a5c66f0378319b203654e75f4513

SHA1
0c104096dae0480c643ef5079a26260bc6713d8b

SHA256
62420ecae5fb6b6d02f82ab091601e9d0a944aadba92650ca47d209092d8a0c2

SHA512
626c59b482ca12c953d2d98b3982679bae860d5675ffecbe1bc9f16d0ff9c61866fff9f29911ac21b2b5ac9fb4a65710b787a48057ca5793b1867f6ae6c57d32

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
512KB

MD5
2e7e7ea08b6d3561789e765d82c0f79d

SHA1
a64ae8a9fc6ff33d4690a9ade60cb71611d32137

SHA256
0af4c8f5b4f12993b3b9bf3fedee1f8658106ea8b56962e7816710bd955f3fb5

SHA512
114fce61c162ece4d9698e0ad8c620504a974a0ae13ade5f59b52f5516959f07bb5ac07f8bba5ce2ac23790242efb4514fedc35866a2c7dc93c9057171843f3b

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
512KB

MD5
bb3153e0cdbfb2060b535a0981f412a1

SHA1
82759a55150c2d00472b62b823250f566dfcca20

SHA256
03414816169ffa392356a3bc52b984a252f35043c40d2b1cfa39309dff1f5e05

SHA512
ed8e014c5dc972d7eba0247cd526d184183076bff0e765db5090489ce449f3b8d1c362e566da49555f12cf294f26895a3e8fc892026f83616d1296e4443ce700

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
512KB

MD5
8845537389df7b533e4208e2eaa5d347

SHA1
8d081b952c504e44a8e84ca1543cc228e98bcf01

SHA256
e9c08c49f0a8ced1a5593fe2ea42cadd01f01c7fd71683667ff7a17b52156d56

SHA512
c131b2563cc4cabffbaab5cc7966bd1c8dfcfbcfbecb88d26029bef556b8457133280c736368889edc84b2fcf5ce01cbd0289b1b1718f0d493860475d25335ec

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
512KB

MD5
1bcd34bfd8440a447ee60a392074d828

SHA1
58b416bec571be5b82c64b0a464c820174639027

SHA256
969b8c1e9e8760e1aac2597398281c5d4ca2f3fa25b21a30a3bd485a3810675c

SHA512
33d086b90cf768514da76416077c401b398893519cb40afb40dd13515066f21f4e9d9604638c358edf1e9114e49edc978cd980061b5c1187a6e22d8124da7dba

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
512KB

MD5
5c9b79e4c6b7c6f7a1e20e6ec241d7c1

SHA1
61204e44da9c897cbdd90ab62fefe6633da8b1dd

SHA256
95c6304546f4dd76fa9d52155d76e907e8ee7880cb31523fa1f8cf38226950b0

SHA512
6d6dbeb588441f3f74c1b6ad0b6431ac3b993a15fe2b9ed0ddc1ea43f6c47cbba9b052b41ded8fc622be0ff19ce03cd10ad7bf5a7a5a77aa167bce9df5273a3a

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
512KB

MD5
b9440edf4cea2631518d45bcba64c615

SHA1
47ab6446bd23a1683e2916134a7a40a7e9ce546e

SHA256
6b8bacbaa3f5c0616a245086a05c2f7ed76f5a2bd0d0ddb5a0326fb8adbbf47b

SHA512
f6522d5419211b3f2835407603ba509c9ae8a4f5b3797183313c4b47e89d9e61167cd9e53656b05830f6427bf8600ad9cc1c6061a266e4e90fb871ba62e73306

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
512KB

MD5
4baae82170405e8f8af0c67dd04ad14f

SHA1
2c242403fd990c04fbf8590598eda9afcd8fceda

SHA256
ff67bace5e1c29904b722d778f4ab50519d1cc2d78755a24b4aa8fbdff65369f

SHA512
0c24eefe5534ded231c1cb647a1661323b6a9476848471323101465b99289ca1815a48862d86d62d76c77f2fa4a803441af590bc17e99bb3f48939fcc5ce3922

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
512KB

MD5
971b3ba0231c35c008f6cb570fb59c7b

SHA1
4ae8f587b8ab5906ac2e57ff8544a388ac835853

SHA256
4908a40a68591ca54b3feb8554539c8e8d2ba86964b740b23585172eeec4bb4e

SHA512
543ea0b4fb2a383d8f1feeab75e50d8a9fc56d529f8a4ed02c212a810933692021aa8c5cfd730882bbbb6be4d8d77674b0c069b4c3f14deceec0b1df2083ea1f

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
512KB

MD5
a3e9175163f902988b56ac12cecb4ad5

SHA1
2b91eb5e04209261528164ec848f46df84e101fd

SHA256
9059bb0855a105e29aff0298fbcb5093953e4b1ef8d6b7c5239ce3f46c551ea2

SHA512
d0d23b0ef288b4d990b543c30974fc4dac7a4cb914ced842eaf80c897da7a95457a7d0f4ae9c745e99c7741be93b4126e6e9924db4f7f84cbcbe0b975cbe155c

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
512KB

MD5
17e6d3126887ffb2dabaf021c1625b17

SHA1
82d8b50b1e882d1f3b443b2c18b0b2538fe51a37

SHA256
2cd7ac5ee74a789a22513294a11194aeaf1c8716645e13714619c0539a260abe

SHA512
9e8fa1cbf126afbdd232b16512233bce4a0aae5a176bb096141761e9e5a103d1eb5120b475279592ec04d02698e6e359724fef00149dc8a096b23d10b913fef3

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
512KB

MD5
40aff447553427857bc5cf64d876af91

SHA1
d15d0f39b4aa57c7d56cc2ba6f244e71b6d886b2

SHA256
1aa3871bbb80ded7b5798fa3bf9fdcf8a581bbc7d1017594cbf4577b6fdb60e0

SHA512
a6d47f956816d43ee7e99976003546f9f83203d5d6f7f1cb464512bec8dc17bc513c8fb72da480de30aa4033a742cf7bcf0bfe6a70a6603d405c6b4fe118c519

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
512KB

MD5
27ca067892d1f33f8831e34e55d4b0bc

SHA1
cfd6d1578738eb5ab069b1719357862cb0d99c4d

SHA256
d1db3f3821696ad32d3702ccd1fe716e3aad0ead8ead53212c619a76c784e6d2

SHA512
f85a1350f4805ca4ba3c7d5ef88a458a424669a0fe938ee27bec41bf9a40650e0c160a593e89cd3dd717baf777a0fd82472889f159f9f5536b6fa23c7ffd17ee

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
512KB

MD5
880651b628ebaffef1e53a46ba69177b

SHA1
5d92fa8ce6ff9b5a0c9dd89bf712d56e5bdc1172

SHA256
720dc480bf14e9a9583b0cf1754582f25bf508bb6526a77a816ea82d0a6ea7cd

SHA512
ab8419bfbf4c3b0ee291f3786c09530f67e9db3fd0faf5abed7d5d9cbcabf6031557113d21e9c95c1d9fe0dd69d1835a6490ff999e73eb53c42bf3a142635a5b

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
512KB

MD5
ba9a7041f24a98c2a8aef6c81e669bbb

SHA1
5c3741faa6357f18bfb6bf8253629ac31b8453df

SHA256
695b4e1cdd0e66b73920b5adb11d880446c6ba48e4006be07b3e515818e648e4

SHA512
d137327dbf71c772e731731d6001fcf6053478e61edaa187890d4f3bfff1b9c3204d05c825619aa08d98bf2a8b64e944eb1cf553a8e7c6cdb948a68dd3a493f6

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
512KB

MD5
15329878c90f4a0bbd95616df6aa4b72

SHA1
e088580a3ec254ef81a1a3df5d12eebbb5890e33

SHA256
30bf3ccaca5a2b252a03d86b1abc083fe2376ad71678c34ad9067e9d40abd589

SHA512
8bf573903fb467b37d362ef27cd18ebd565c608bf9c97cc9df922a7a2e57d99b216923e6d4ccee2baaf97f6734d763e603313fd8e1d9c044c07169b2aac7ad71

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
512KB

MD5
e11febdb78d76816965e3e4c0cf97b4c

SHA1
8492cfb97c2717523cc061744aa5dcc0c49f6e26

SHA256
5b1a44c92ae2c781a4064308d93f30a5e1f6d9837b2996af82508805598f90f1

SHA512
ce274e5c57b18af2a24c4d28b6f9cfda28a28752503ca619d5e9c2fcf6155ee257e5e87f6f86b5ec38da6da719d98b2f499c9a5d56b6a4f174b33f157bf56264

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
512KB

MD5
f35a7d278a39578e3672e3b38862d278

SHA1
886ce907a113ff6e1b4deed8a117e39f34a514d9

SHA256
293606cc2dcb01c79f6d9be515e2658cb37b3eed9128fd33ea68f413f3b98101

SHA512
011f425aa3a18de0559e4ba8d449cdaa9e27e5f02d80fec984e728e8cf6d3adf7082e9b7614bbe0b15ca001971439eb30192832825b5e9fa0a337b2510936cb5

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
512KB

MD5
5fbf686870b3e085c494ee91f96aa107

SHA1
1004cf73a54cb296ad785c1d1d43fbe863d527b4

SHA256
4f97ce27d754d4337a29cba80ea06bb0f16220721480ee575e79f7b8a0479c24

SHA512
98fc7b78efdda246327569149f33c7cf5118a3bde4d0b23028f68335f59c5687bf01e0ceb12b28c6eba9dec54c991df260e5c994c6925d5369d952d0482a19fd

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
512KB

MD5
b6a229f2ed25d456013aa5c3ed64f135

SHA1
fc38d8b83c754111a37ade68c0ed75ed878e523d

SHA256
873c4cebf85ae63dc20854aa1d485855dfb9fbacd3d3644ff1bdb2d4111ac26f

SHA512
6c81b9d2a232563d78fc9baa756fec619db1de26e90f16b972cba2a07ca7a4b605e91c52d2d29121cb7cc59238a1f88c860d246bb43baaa1516729e7d3cc24e6

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
512KB

MD5
e520cb43f8d3581341a75172dc9ee7c7

SHA1
338eb32142efc327ba43c4388eeba6a693b790ec

SHA256
20c5c84c316fbb53f2ad377017a4b15aa77f09a35d52b82c66b2750214f64d0a

SHA512
12deb94fc0faf68ae525e11e1803257adaf973fab249168828a6ae5cbec2509265b166561b201dfefc814592c852a6e14f8154fdbe584f5fde7ea0d7cf2d3f50

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
512KB

MD5
eac0bc4ddbe6e288c9d9a39a5d051a02

SHA1
9ef1bba97b8a9d705d85c7670a9c0c872fe33f60

SHA256
fcd71cfea07ca2485e242e9e7025a0eb53d497a31dd358162f185caf0b6e1402

SHA512
d2bdc4a5ad327e5e4972b4f43268a52f6b96c9e7bf2334247dc41015f77c2fbe732a19a4bc013fccea47f8d28ebc790cb6a2cb960aef1b128b991f044af98387

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
512KB

MD5
d5bc59e8fdbc85486ceea4306ff0b929

SHA1
0d97dacc8234a0b1ec98030cb7e2997bf48a8214

SHA256
43a5710ff081dc637a033be089e74a160874b71dfb0d4f36b119fbe5d8a18f00

SHA512
7ac6fa2fc1c371e538114f507b92df278b5562b749548080754d3562b9b89eaed3b5a80b734843edd61a9bda2b590cd4c5b8f8b7b31435cdb379db713cebf1b9

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
512KB

MD5
a9946c7285cb29011945a58f987361cd

SHA1
ca70b8898833894952e481e056cd00727a3fb022

SHA256
270469a94a8f254cbdf1c222ca382ca6f7f22fe7faa68a7d73c1ec340b801572

SHA512
ba7fef441bf95852c9930caa4549ecb92e908873710ef2c49a1fe7b68629ce00482a3412fa4a2c1cb5e6ac393ce584b042ef8943d5f2c20754a73e878e2089a5

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
512KB

MD5
fac63d740caee22c37f9f4b4bfe5358a

SHA1
0ce512e194fef1c5a15ce4399bafa8a2439f0299

SHA256
ca35c1d30b4c48ee2217c60bf22c96cb4ac4d30f9a15c036671615d8946bd290

SHA512
9fe539ec705a322260d7ad1c2b9aeb2cc124f678b180c1549d31ae471cd204a034726e196340cb0d4bb862423564729acb973d5b1ef33bf5caf6fca2350323c3

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
512KB

MD5
0263bb77e8db20dc86027a608aa22251

SHA1
816c0b74b29b63c28700da6a7e335a36b4cad9f2

SHA256
f5afd9f9a17ac877a576f50c10d1fd4333ad112ed8a93faf4e79409f8719b02a

SHA512
c206b7c0d8bc17b855d6e414cdddfc075b0c2bc6e9f34d853f792c0c182f889d25cfcb5f2335a425070a1f9b87c2824a3dfa92209dc98f4d3359826e1fa6e84e

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
512KB

MD5
10a2338c67af6bcea8288ea45f09be27

SHA1
b036989ef5eda796c89f5d3586f0928cd8de482c

SHA256
52c17a75608d4034d7a4d727885b6f417415bcffdc8539e2613fbb8999120f11

SHA512
cf12d728acbfae7227c51d595904a85749a4ff5fa881e33a3611846d1386df1481e27b5478913a180b56dd0ced6e41459a26d7dadb118b88c059c16c5a515d2b

Download Submit
memory/60-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1288-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3240-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3512-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3512-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3840-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3852-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4472-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads