4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b

Analysis

max time kernel
140s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe
Size

385KB
MD5

0fec7607e37f0ff26cde3d4b59d7fdd0
SHA1

8275bbb979c8e64771ea32e90e61fa6aba33e26e
SHA256

4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b
SHA512

5f009f372f19881caf9ce28967b4219d206f3f7d034f507116529bea30f5d33d3a352c089b7bd75721a65caffa519f36839bd47104735444e04a1314ec61fd07
SSDEEP

12288:NjLOcmy59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SL:NjEy7oWypy7o3y7Ey7oAy7oZyUy7o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe

Executes dropped EXE 39 IoCs

pid	Process
2288	Mdfofakp.exe
624	Mkpgck32.exe
1336	Mcklgm32.exe
388	Mnapdf32.exe
3056	Mpolqa32.exe
3752	Mdkhapfj.exe
3688	Maohkd32.exe
3160	Mdmegp32.exe
4616	Mglack32.exe
3188	Mkgmcjld.exe
240	Mnfipekh.exe
4532	Mdpalp32.exe
4224	Mcbahlip.exe
2488	Mgnnhk32.exe
2096	Nkjjij32.exe
3968	Njljefql.exe
3912	Nacbfdao.exe
900	Nqfbaq32.exe
392	Ndbnboqb.exe
2264	Nceonl32.exe
4680	Ngpjnkpf.exe
1580	Njogjfoj.exe
1924	Nnjbke32.exe
4976	Nafokcol.exe
4540	Nqiogp32.exe
2592	Nddkgonp.exe
3944	Njacpf32.exe
316	Nnmopdep.exe
1508	Nbhkac32.exe
4152	Ndghmo32.exe
3256	Ngedij32.exe
1904	Nkqpjidj.exe
3952	Njcpee32.exe
4436	Nnolfdcn.exe
3296	Nbkhfc32.exe
3416	Ndidbn32.exe
1968	Ncldnkae.exe
1260	Nggqoj32.exe
3428	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe

Program crash 1 IoCs

pid	pid_target	Process
3460	3428	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 2288	4448	4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe	82
PID 4448 wrote to memory of 2288	4448	4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe	82
PID 4448 wrote to memory of 2288	4448	4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe	82
PID 2288 wrote to memory of 624	2288	Mdfofakp.exe	83
PID 2288 wrote to memory of 624	2288	Mdfofakp.exe	83
PID 2288 wrote to memory of 624	2288	Mdfofakp.exe	83
PID 624 wrote to memory of 1336	624	Mkpgck32.exe	84
PID 624 wrote to memory of 1336	624	Mkpgck32.exe	84
PID 624 wrote to memory of 1336	624	Mkpgck32.exe	84
PID 1336 wrote to memory of 388	1336	Mcklgm32.exe	85
PID 1336 wrote to memory of 388	1336	Mcklgm32.exe	85
PID 1336 wrote to memory of 388	1336	Mcklgm32.exe	85
PID 388 wrote to memory of 3056	388	Mnapdf32.exe	86
PID 388 wrote to memory of 3056	388	Mnapdf32.exe	86
PID 388 wrote to memory of 3056	388	Mnapdf32.exe	86
PID 3056 wrote to memory of 3752	3056	Mpolqa32.exe	87
PID 3056 wrote to memory of 3752	3056	Mpolqa32.exe	87
PID 3056 wrote to memory of 3752	3056	Mpolqa32.exe	87
PID 3752 wrote to memory of 3688	3752	Mdkhapfj.exe	88
PID 3752 wrote to memory of 3688	3752	Mdkhapfj.exe	88
PID 3752 wrote to memory of 3688	3752	Mdkhapfj.exe	88
PID 3688 wrote to memory of 3160	3688	Maohkd32.exe	89
PID 3688 wrote to memory of 3160	3688	Maohkd32.exe	89
PID 3688 wrote to memory of 3160	3688	Maohkd32.exe	89
PID 3160 wrote to memory of 4616	3160	Mdmegp32.exe	91
PID 3160 wrote to memory of 4616	3160	Mdmegp32.exe	91
PID 3160 wrote to memory of 4616	3160	Mdmegp32.exe	91
PID 4616 wrote to memory of 3188	4616	Mglack32.exe	92
PID 4616 wrote to memory of 3188	4616	Mglack32.exe	92
PID 4616 wrote to memory of 3188	4616	Mglack32.exe	92
PID 3188 wrote to memory of 240	3188	Mkgmcjld.exe	93
PID 3188 wrote to memory of 240	3188	Mkgmcjld.exe	93
PID 3188 wrote to memory of 240	3188	Mkgmcjld.exe	93
PID 240 wrote to memory of 4532	240	Mnfipekh.exe	94
PID 240 wrote to memory of 4532	240	Mnfipekh.exe	94
PID 240 wrote to memory of 4532	240	Mnfipekh.exe	94
PID 4532 wrote to memory of 4224	4532	Mdpalp32.exe	95
PID 4532 wrote to memory of 4224	4532	Mdpalp32.exe	95
PID 4532 wrote to memory of 4224	4532	Mdpalp32.exe	95
PID 4224 wrote to memory of 2488	4224	Mcbahlip.exe	96
PID 4224 wrote to memory of 2488	4224	Mcbahlip.exe	96
PID 4224 wrote to memory of 2488	4224	Mcbahlip.exe	96
PID 2488 wrote to memory of 2096	2488	Mgnnhk32.exe	97
PID 2488 wrote to memory of 2096	2488	Mgnnhk32.exe	97
PID 2488 wrote to memory of 2096	2488	Mgnnhk32.exe	97
PID 2096 wrote to memory of 3968	2096	Nkjjij32.exe	98
PID 2096 wrote to memory of 3968	2096	Nkjjij32.exe	98
PID 2096 wrote to memory of 3968	2096	Nkjjij32.exe	98
PID 3968 wrote to memory of 3912	3968	Njljefql.exe	99
PID 3968 wrote to memory of 3912	3968	Njljefql.exe	99
PID 3968 wrote to memory of 3912	3968	Njljefql.exe	99
PID 3912 wrote to memory of 900	3912	Nacbfdao.exe	100
PID 3912 wrote to memory of 900	3912	Nacbfdao.exe	100
PID 3912 wrote to memory of 900	3912	Nacbfdao.exe	100
PID 900 wrote to memory of 392	900	Nqfbaq32.exe	101
PID 900 wrote to memory of 392	900	Nqfbaq32.exe	101
PID 900 wrote to memory of 392	900	Nqfbaq32.exe	101
PID 392 wrote to memory of 2264	392	Ndbnboqb.exe	102
PID 392 wrote to memory of 2264	392	Ndbnboqb.exe	102
PID 392 wrote to memory of 2264	392	Ndbnboqb.exe	102
PID 2264 wrote to memory of 4680	2264	Nceonl32.exe	103
PID 2264 wrote to memory of 4680	2264	Nceonl32.exe	103
PID 2264 wrote to memory of 4680	2264	Nceonl32.exe	103
PID 4680 wrote to memory of 1580	4680	Ngpjnkpf.exe	104

C:\Users\Admin\AppData\Local\Temp\4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c891702d96f88db082e7335ec67761fdd6ccfe8ec5c07f243796dc77ec2910b_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\Mdfofakp.exe
  C:\Windows\system32\Mdfofakp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\Mkpgck32.exe
    C:\Windows\system32\Mkpgck32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SysWOW64\Mcklgm32.exe
      C:\Windows\system32\Mcklgm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        40⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 400
        41⤵
        Program crash
        
        PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3428 -ip 3428
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maohkd32.exe

Filesize
385KB

MD5
305e3520f09d0c155138bdd0bd425613

SHA1
8413640d474a054c5c248c82d561114c32fb5692

SHA256
a953696ef57640905e3583d88d435fe7ce5aa14810ca73aeb445336229f6978b

SHA512
d069574db1cd1a0aca9abc18a89df2cdbe91fab1d9f6938338541be11788f3a25c9e7935da8f266222d6006e2b3b77b6017596280e0659761ab5b6c7c4108fd5

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
385KB

MD5
4dfc60375720af15af588eaba2857026

SHA1
8b8145c69aeb79fcb04f71dd01460df556cbb0e2

SHA256
2a475ad0f607c0172692fb3f48baa7db9c1e255d4f293544b6404fa21328fea5

SHA512
c7df5a08e9cc10b4c7d40107539b1fa1d81c351e0ab7e876d7aee59281c46c416e2b81aae86d4faad231df01360f77f5ff95862625d2834e42779dc8acf24f66

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
385KB

MD5
0c3dc9489c6321b4d2d409a6daeb2395

SHA1
a1d4b02be9712bb283dd665c8c3c1ce375280ba1

SHA256
d148c32061b5bf9bad1d6993df790865d113c1dafe35d2ff7f61586c961ef0de

SHA512
21e92be8a7224b5c7a33b708b64571d3887a0ac05d979a906a6f6dd0724b19a8ef8626fb7a89349f86ad83f1916cafddb931fb5dbff19f5241597e40d4906d6c

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
385KB

MD5
418861392b6dc1a0a5dd669c92fe80da

SHA1
2b4c11c138de3a7aeb2fdfa8f47c71c815acc3f0

SHA256
f7201cc0ec40d68e5fb78522f65b739e2b18b7a87ae511fb50c81700d174abbf

SHA512
0f610867f42fc203aacfc593e343ff5dc628daaa44950bc1ddc054b7e94077d60229a273703feb3c3820ead963cc654b32a851cd44790fd7adad4c7c9579c32b

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
385KB

MD5
8ac09f69b7c6cfcf49d4a17f5cd3c06b

SHA1
53bfd9f8e977747c5a088d9e77573d50e271d5b4

SHA256
f6efe96e2d26fdca0de0dd35a562412c1e9cbb7bfd8fe3338044fc756b284262

SHA512
b81641c1185e6f92b329cd4092277738ac2f449decf39c49349ec01822315e2c78ddf9deee4a6c06d63cdcdd0fe197313f8071e43f29aefe67c7b1d7e78b1ee3

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
385KB

MD5
da624fc6def063e6252a9b50bc2ce7e3

SHA1
6b9d14e33941637d3e4c93cd77c6e4b6021ae7c3

SHA256
0312450a275f69ea8a537021415edc564dc81c8195d9cb6f8ff797600c414ade

SHA512
8892f66afef7cdf682db16634f8c9c2336e36014fc0f1c5f1cce20944fb378bf0963ab1bb7e9d60d5b4b7559e0b018b5cd17a82a0fbf149474f10705050d5938

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
385KB

MD5
d493ce1e9866a17a6ad67c96593f243e

SHA1
20f124a73af64276e84213aaafe75d107d23157d

SHA256
5d518cac80b0a6794da0ad2c301cc1fcc448beef2d50e09d2fea5b28a304d8d1

SHA512
2dea7c9dffa49a64b8a558c209eb8877a76bea2b04f3b87f8876847d17f5735ffea3f8c23b668cb805f6ac357f9259cb29fd2feb382efcd40effc2066c3fa410

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
385KB

MD5
8d41d4a4f467f38d598af137a38893b9

SHA1
a316e5c8852558b470178fcdaf4b1d2683260315

SHA256
ba14572801f7c5fc879232446c94381fd74ecdd91951329b0b0b006f5116352a

SHA512
2bbf145372c6fb16259555ad7a953ffa1d25e4c32ddc7aad49d5336877f807d12746169e2894588c3ec19eb4f13eb7e5eae1d2c7453cbabf5a0e10eefc91dcf5

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
385KB

MD5
a1e437fdc7c3d92200a9b23f2427b9e5

SHA1
968013e0daf361f0ac03662b9c5073b5987c54da

SHA256
be43150e4d98ce16e9b0c14dcb55ff1c2607a4349eb9fbd6cbe06bce82b1969d

SHA512
5ce13bca5c8dbbdf1b3f73f976d9023789f778c9cd1d7fca1384a4348030622bb1f0c17646f900cab528da3ca333d0d3794dd6b4f98d9e256939cfb1de613e09

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
385KB

MD5
3c947b407290ea3fe3b34d9a24872693

SHA1
4a09753f9ffb38ddedb9e6e5f4aae4611675c944

SHA256
9c809d9cc75ce35c77421094873c598ee9cd0ede84a63a4e6c54ebcfc18362be

SHA512
27099443c4287d6086c4b9992a54e5e332b20df2187f7f1de51f77f860ba25605171eee6950270e8f6d5da22fe1b1102d72562cd17b49e50e0ea6a2b275495ca

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
385KB

MD5
6ede0d55cea94aa9699a98c83ad5b5e5

SHA1
e7e6adbee66e31b99f485c7dad7e4fa73db6babe

SHA256
bc35cd3a05ccc3f5c11c6c537c19871ac090de3104d426291c6e27fb5b5c9c9f

SHA512
5e6ed6b265a915686035d5a7d84bb512b6d5eee1cf9d5c714c703e7f3140cf7bb4fee9895b8987582c13f2cfdeeb205ced8619ccc275abe12115b1c6a4e06460

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
385KB

MD5
f0df5a60683e2d40f1cafac67bd83994

SHA1
11b620a294d2941694e1a2fd0861b0dd0135727d

SHA256
27f84fe9a0b3461ba8aefd7a6baf66f49edcc1c4e2e47c8d3bc152fcbba20365

SHA512
e7f497b6de015560d15d7d9bc92e90101338c05bcfd3ae91d64b828df7c073fbe2b887968026f98aa9a0e1de7bdb54b69fa08eb90ce7516e58a82ae2a8a6e68c

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
385KB

MD5
a7becd99b68f8ac45b8e02f313e0505a

SHA1
94f7cff661e3a27d339b150c6c79fdfd6f5f1090

SHA256
262b46cfea30c8031f987b7593dc0055cad0f82a11216c77102efa3601d4978e

SHA512
8dc42c88e9167e094f055fd29eee7c4db91b60b7986f5facecb730e213afc50f3319802fb29fd9b887c90138e5e2d408034994365097d0dc385bd4bd54ca6087

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
385KB

MD5
4c7b635185e77d2fd7c4223fd8aa63c9

SHA1
fe4c354dda7414ba47d452f2f3ed7add73290e43

SHA256
a876bdadde9f7e697e8011d4fdfde550e0f258e1ed29bfcec59d2d593758f380

SHA512
e71f341392fc3717c25c4e94b5b68acadd73d8d9ee42027c173d1b99cbb70cceb97ee90653030c0eae159fe4039cbd35ac02b5f38694d14fe9756bee257edcf1

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
385KB

MD5
ce3f6dcc0b29eabd89718faa0b9a416a

SHA1
87af4ad982622adf9494067283a2a81df75f46ef

SHA256
5d463f9d80a64ec1013b613fc7e45de7964f5c97977bd1ce0de4677af0d4e196

SHA512
9a88d33108849c74ec5d9ddd593e754b9b92f680f682a5ce162edb97e4b15d15f4a1c55c8e9ab5ec336f005a8662f29d74d0299ebce7b1ec21b972ec5a279cb2

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
385KB

MD5
90952dcd7f1f18320a1fd80726fc1e94

SHA1
962f70ea4f154cc9e698d6b2bada65fbbb8dd967

SHA256
3dc216c6b7dbdf376bbd27ad0df7760c3792786992ed2e1f1529e2b5a8746494

SHA512
4287102071f811465c67e6b41bf312eaa19570174505c4444533a86cbc411b14bdb9d9599aab8491ddf5a20dc4d2c20a0ce36976c36f79fbf5acc1ebdd72b24f

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
385KB

MD5
1e3b4034564a69308145bfa63bc7faca

SHA1
e7aa1f741ea8ad224596b9847c77dd78c3576775

SHA256
59b6c994b0d2dc4e4aa7e655340c21021803bea57114947796aa6b4985b0b41c

SHA512
8191e8c7e5d516be543f65b288b26f44bd44f6c5c14054e9889735195dc90c70ce6c4d9349f305f763de30d0bc0e281d48b8f2353cc25c849c4a6c4a774b2767

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
385KB

MD5
18781f14d10586c080a55193f7daa84a

SHA1
2aaa072acf71d9b25c08242e7cb96c1fac777a30

SHA256
21d75cf8fa00b33dc8147f0cb32be6395c82b961cee8cf9523aaf95977844262

SHA512
f6cc531eb0d4f25f0c25977481e1d6579bc81547496d075b35dc2322b1805a7572371d701a20cae82c6d5bf3e86d33ad8cc30f7d1375712780396e266c76891c

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
385KB

MD5
e2a373adea1df04359ac6fcf428690b1

SHA1
5610deefd20baa7bf23c029c2e4e14b6853ce331

SHA256
e03ea0a2e94c9cb5d2904d47539d6d2496180ffad53d195ddeaa2634979d3293

SHA512
b71fb9cb71628b3409ec1c2a09e72e137de8716e52416d06d2df4f3fc81c98a3a6a3ed5db564cce57349f318c60e1a878632fc0d690f5cf4118ac9290f5b2f0d

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
385KB

MD5
4c92bf9ac6d5011c16558b203d16ab64

SHA1
3a7a6b59f58561e2a93f74f36064897aaca24e55

SHA256
10abf53b8070babd2ee9b4b87711b0f44610a228df22626c4a3982f07feaece4

SHA512
df5137e77ffd1f65869bdde192be7fbddd9b474d688f0d8eae2f77b343d00acf69dd33a9107f9e73e15cb17cc38b5d123814fe368e14309b833233cd080c0a6c

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
385KB

MD5
25231af1017a6d691e54f242998b35f3

SHA1
e656513f326ad7191eb1ce15428007df90a59bf1

SHA256
c97d1f6c41e1610fdb2edf5f3499bd8e45b524975b8e6c636d11906f1d8ced1d

SHA512
20c59081b598e831f367efc0d9f5486ba1bd43fc05e9784f0bf7a9e0df984055dd19b7b0d06b1726de212ee70a87c1eb31377c0f58857415c715af1dbb21e636

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
385KB

MD5
fa951d238fd718ac1943b2c0b24bc6b3

SHA1
f77762f796ef7ad71f1e5826ee3cf0965105bb90

SHA256
c27e3febbad2662b8790960095f3994f44948b9e7c3f86fe164f05160c445fbc

SHA512
19c8cb38bf6b769192cabe317a029a547787a83f3138f105b097272cc306c8c1aa72f92cc1ed73215910d1f8944435b1de94bad84d74d53dca2865485cfa0a07

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
385KB

MD5
975e59f2957ad58304f3ec0d104aca75

SHA1
7f7036ba8edd063e249a68d791925cbe828e8aa8

SHA256
8323d65bfab6ccd95f7cd186945321f8f1e779d39056f859012bcf6fd32c4e79

SHA512
2bbaa7039975f3f46426043109cbcc5b08ef7eb0a1fafa9a7d085557f592408fdeb4e2308be681c77e238c475bfb010ed7ce6784be1139defcc5c66439cc97cd

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
385KB

MD5
fa2d95e5928edd0dbcbcb86d1706ca35

SHA1
1d0450743122685af21663654e71e0a8c54b7814

SHA256
a0e27f495aa43a3ee782aabc764bfd6cef53109e2438c520fc34ba2d75c5772d

SHA512
4fbc0f8a8c10ce1440635dbe66a7c14eb0b3a7504f5ab3e2bc671a6e0768a2ecae316143d608ac39df770c5bc04c2fe7fb8533d03309929092653283febac15a

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
385KB

MD5
1f14bb776d1280c38dcf17c4e9c3b571

SHA1
bb29b6f6201057a76a7a6e40f9db5f825a69194b

SHA256
e4f4eac8e7ae36e1296c8da56752fadb2cd849b0460f735c371eeba74f1e22e0

SHA512
7a70925b9561678d4ed6fb3bb4c9f882f5b0ce7b8a71ec82e7f001ecc08d3677a3c860d248bc337cf6f780dc92dcfe400b3d59a0159f31eafd64aac46a0d6333

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
385KB

MD5
ba56146f0de114cdb0e494aaf1a64020

SHA1
12fd8d4b2882b15d5c3da49cd8a98a2e7c939716

SHA256
d4c83306956e856d0ebf1bf39996eb65b08b438a79dff1322cdf44f083b6de97

SHA512
98cf4949c6cb740b20d9ff7d5ca32cf17211ba2b9b817c54d663da3deae4756a8136f818e5c4f7341b7a033eb46f3a7060d0c0298ea86868f0d711592b113a0c

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
385KB

MD5
5bc404e9b99753e135f10c4b9d437e68

SHA1
9a2c2d2e30a2dcb60e160287f884b031d7d4b657

SHA256
e7dbfeac42ad1b03315bea001e419baf6700cc217516bda18fe78ddc91e6d78c

SHA512
b5c7d7142588fa69dd52034a428bef2a6b436be55a7e9f6935c5eb2fec6525a4902d43289c7498956efccb0e388ed2ec27120411fde9870af0b1408d6252e01e

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
385KB

MD5
4d0c1504d8787705f2d5172310f12d55

SHA1
572d50c51116a254eb7f221ebfb6c3b315cc2ebd

SHA256
b91bfb95d57b29acf86bc6183e59f280a5c2f54e7527481d2662b2577692a8b9

SHA512
f96d3489306bc00978b2f8842bda6731e2f8e8fb1e8f29e350545f7534f584f8156c1a514e3bca30967f7ec9fda5cb044ad942f75b6e7aeba5710d9ed7cee94d

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
385KB

MD5
7ce71be8e5129f7db2c9d5d976efe080

SHA1
39273908615329b57c06b33a997c138ff1e3415b

SHA256
c3c3b312c32f7e3153872d0467b80a1946afd96e854d4ea56c05d56c268419fc

SHA512
462ba08ad72817257b0b808824da92369fa796a823b421e0dbb63c7350d16311fb9929ec97d28c893c1b26975b2ca882f2e724e7f1ac323e5fcfcbc03dae9f1c

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
385KB

MD5
eed5423cdfea23b47dfe4c5db8b27295

SHA1
458be57d37a48c73b70ec351a922abddafdc258e

SHA256
bb96ca8abafd79b4b6476ffac47b1cfd44402b1b603cad91aca2f4e0c08fb5b6

SHA512
198dbc942915a2ee5bc43327e3d45b449b31942edbf5b5b5058c81e80a1e16925f04adb2be337e83a8fc448ee33ca4712d88e4555b7a51fb3af5ba603189ef41

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
385KB

MD5
20b7df35d7598e00f17e7df6cd29f14d

SHA1
4ff4e857410b47492b1e6264ea1ad24ce8bc26a1

SHA256
9caa1152dfb9b63e6dec8270019d58b120bfc010d070cfe941fbadd52a765a7d

SHA512
6f23541f2861c22d7422749bc543d39059a2c637ed04a0b0c2c574dbaa206491301ce627e3b58417d2841c1677fcf909e8f842d32442a7249e16c48b81f29f61

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
385KB

MD5
d75da4a09fa2e6effc8b1746dadcf5a2

SHA1
18b48102e91642242394cb95c8b25048c40da462

SHA256
386d82e7ccfec918429f64378a475603f7aa326d661836f6bf008c8b3cbb2dec

SHA512
fd8427508240dca9e4a27bdae99a563472f46f2e7f6fef127695b1e24e8c75a669eb9d3b4b5d5061e02c0d9020505d2b63d7d88d6a54cb68eb6b95eaa903b548

Download Submit
memory/240-352-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/240-271-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/316-288-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/316-318-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/388-366-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/388-33-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/392-279-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/392-336-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/624-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/624-370-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/900-278-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/900-338-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1260-293-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1336-368-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1336-24-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1508-316-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1508-289-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1580-330-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1580-282-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1904-296-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1904-310-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1924-328-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1924-283-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1968-300-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2096-344-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2096-275-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2264-280-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2264-334-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2288-8-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2288-372-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2488-346-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2488-274-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2592-322-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2592-286-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3056-45-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3056-364-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3160-358-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3160-69-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3188-354-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3188-85-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3256-295-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3256-312-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3296-304-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3416-302-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3428-291-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3688-57-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3688-360-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3752-362-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3752-54-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3912-277-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3912-340-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3944-287-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3944-320-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3952-308-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3952-297-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3968-276-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3968-342-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4152-314-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4152-294-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4224-273-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4224-348-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4436-306-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4436-298-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4448-374-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4448-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4448-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4532-350-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4532-272-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4540-285-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4540-324-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4616-356-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4616-84-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4680-281-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4680-332-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4976-284-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4976-326-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads