88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
Size

608KB
MD5

5686dd2de1d39d88bd92f67d27e9b570
SHA1

ebdd4347dca401bd894db9ebde1236faa39488c6
SHA256

88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944
SHA512

b3a1d1beaab1a9423116b763156e07e0179b13308c0198c68a9c92f8f5b7152b4633332dc6808b8b9c89d5abe6e65edc72d99d2294cf66c354ea972814d5189f
SSDEEP

12288:uNwD2AkY660fIaDZkY660f8jTK/XhdAwlt01t:u5AgsaDZgQjGkwlg

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe

Executes dropped EXE 38 IoCs

pid	Process
3452	Mdfofakp.exe
3404	Mdiklqhm.exe
1868	Mgghhlhq.exe
4448	Mcnhmm32.exe
1376	Mjhqjg32.exe
4400	Maohkd32.exe
804	Mpaifalo.exe
1208	Mcpebmkb.exe
1296	Mglack32.exe
864	Mkgmcjld.exe
5024	Mjjmog32.exe
4316	Mnfipekh.exe
2784	Mpdelajl.exe
2420	Mdpalp32.exe
1108	Mcbahlip.exe
3436	Mgnnhk32.exe
2060	Nkjjij32.exe
3564	Nnhfee32.exe
3420	Nacbfdao.exe
1984	Nqfbaq32.exe
4360	Ngpjnkpf.exe
3500	Nklfoi32.exe
1576	Nnjbke32.exe
1784	Nafokcol.exe
2040	Nqiogp32.exe
696	Ncgkcl32.exe
1612	Ngcgcjnc.exe
528	Nkncdifl.exe
5064	Njacpf32.exe
5008	Nbhkac32.exe
4364	Nqklmpdd.exe
3288	Ndghmo32.exe
2568	Ngedij32.exe
2092	Njcpee32.exe
4532	Nnolfdcn.exe
3992	Nqmhbpba.exe
4404	Ncldnkae.exe
4064	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe

Program crash 1 IoCs

pid	pid_target	Process
3856	4064	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 3452	3580	88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe	80
PID 3580 wrote to memory of 3452	3580	88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe	80
PID 3580 wrote to memory of 3452	3580	88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe	80
PID 3452 wrote to memory of 3404	3452	Mdfofakp.exe	81
PID 3452 wrote to memory of 3404	3452	Mdfofakp.exe	81
PID 3452 wrote to memory of 3404	3452	Mdfofakp.exe	81
PID 3404 wrote to memory of 1868	3404	Mdiklqhm.exe	82
PID 3404 wrote to memory of 1868	3404	Mdiklqhm.exe	82
PID 3404 wrote to memory of 1868	3404	Mdiklqhm.exe	82
PID 1868 wrote to memory of 4448	1868	Mgghhlhq.exe	83
PID 1868 wrote to memory of 4448	1868	Mgghhlhq.exe	83
PID 1868 wrote to memory of 4448	1868	Mgghhlhq.exe	83
PID 4448 wrote to memory of 1376	4448	Mcnhmm32.exe	84
PID 4448 wrote to memory of 1376	4448	Mcnhmm32.exe	84
PID 4448 wrote to memory of 1376	4448	Mcnhmm32.exe	84
PID 1376 wrote to memory of 4400	1376	Mjhqjg32.exe	85
PID 1376 wrote to memory of 4400	1376	Mjhqjg32.exe	85
PID 1376 wrote to memory of 4400	1376	Mjhqjg32.exe	85
PID 4400 wrote to memory of 804	4400	Maohkd32.exe	86
PID 4400 wrote to memory of 804	4400	Maohkd32.exe	86
PID 4400 wrote to memory of 804	4400	Maohkd32.exe	86
PID 804 wrote to memory of 1208	804	Mpaifalo.exe	87
PID 804 wrote to memory of 1208	804	Mpaifalo.exe	87
PID 804 wrote to memory of 1208	804	Mpaifalo.exe	87
PID 1208 wrote to memory of 1296	1208	Mcpebmkb.exe	88
PID 1208 wrote to memory of 1296	1208	Mcpebmkb.exe	88
PID 1208 wrote to memory of 1296	1208	Mcpebmkb.exe	88
PID 1296 wrote to memory of 864	1296	Mglack32.exe	89
PID 1296 wrote to memory of 864	1296	Mglack32.exe	89
PID 1296 wrote to memory of 864	1296	Mglack32.exe	89
PID 864 wrote to memory of 5024	864	Mkgmcjld.exe	90
PID 864 wrote to memory of 5024	864	Mkgmcjld.exe	90
PID 864 wrote to memory of 5024	864	Mkgmcjld.exe	90
PID 5024 wrote to memory of 4316	5024	Mjjmog32.exe	91
PID 5024 wrote to memory of 4316	5024	Mjjmog32.exe	91
PID 5024 wrote to memory of 4316	5024	Mjjmog32.exe	91
PID 4316 wrote to memory of 2784	4316	Mnfipekh.exe	92
PID 4316 wrote to memory of 2784	4316	Mnfipekh.exe	92
PID 4316 wrote to memory of 2784	4316	Mnfipekh.exe	92
PID 2784 wrote to memory of 2420	2784	Mpdelajl.exe	93
PID 2784 wrote to memory of 2420	2784	Mpdelajl.exe	93
PID 2784 wrote to memory of 2420	2784	Mpdelajl.exe	93
PID 2420 wrote to memory of 1108	2420	Mdpalp32.exe	94
PID 2420 wrote to memory of 1108	2420	Mdpalp32.exe	94
PID 2420 wrote to memory of 1108	2420	Mdpalp32.exe	94
PID 1108 wrote to memory of 3436	1108	Mcbahlip.exe	95
PID 1108 wrote to memory of 3436	1108	Mcbahlip.exe	95
PID 1108 wrote to memory of 3436	1108	Mcbahlip.exe	95
PID 3436 wrote to memory of 2060	3436	Mgnnhk32.exe	96
PID 3436 wrote to memory of 2060	3436	Mgnnhk32.exe	96
PID 3436 wrote to memory of 2060	3436	Mgnnhk32.exe	96
PID 2060 wrote to memory of 3564	2060	Nkjjij32.exe	97
PID 2060 wrote to memory of 3564	2060	Nkjjij32.exe	97
PID 2060 wrote to memory of 3564	2060	Nkjjij32.exe	97
PID 3564 wrote to memory of 3420	3564	Nnhfee32.exe	98
PID 3564 wrote to memory of 3420	3564	Nnhfee32.exe	98
PID 3564 wrote to memory of 3420	3564	Nnhfee32.exe	98
PID 3420 wrote to memory of 1984	3420	Nacbfdao.exe	99
PID 3420 wrote to memory of 1984	3420	Nacbfdao.exe	99
PID 3420 wrote to memory of 1984	3420	Nacbfdao.exe	99
PID 1984 wrote to memory of 4360	1984	Nqfbaq32.exe	100
PID 1984 wrote to memory of 4360	1984	Nqfbaq32.exe	100
PID 1984 wrote to memory of 4360	1984	Nqfbaq32.exe	100
PID 4360 wrote to memory of 3500	4360	Ngpjnkpf.exe	101

C:\Users\Admin\AppData\Local\Temp\88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\SysWOW64\Mdfofakp.exe
  C:\Windows\system32\Mdfofakp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\Mdiklqhm.exe
    C:\Windows\system32\Mdiklqhm.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\SysWOW64\Mgghhlhq.exe
      C:\Windows\system32\Mgghhlhq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 412
        40⤵
        Program crash
        
        PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4064 -ip 4064
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gpnkgo32.dll

Filesize
7KB

MD5
d5644b5f5753e38cd64ece7af6544376

SHA1
dcad58cb446d18c0d6e427ded6acbb0555ca99d8

SHA256
2593aa56852c900a72724100c9b5581e2995026968251b3426402310a5070985

SHA512
5ccd82b91370de0405d772654091ea5f0464915c8f2b37ec4cf61f8fe68cdf34a74f4c1b310d50835749d9ccbd6be37635bf9d9de3f69c7a3e08c20c6f78297b

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
608KB

MD5
7d9b33db3ae84e9db9f5181b21ac1cd9

SHA1
8cc90c8ad13a2ecb465a1f087d0efb86a9b44028

SHA256
d12571854a556b3a2316b3a6470f8425681339543f73ec1acc31d34ff3cf5cff

SHA512
f0c8aaa37554dcf8f5aa2286c7059dd85ab5c9d49a7dbda3c9f8962f869cc3da14c850dccb14fb78568082dd4f796b570a94076af35ec6ce9eca57c03b25ee5b

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
608KB

MD5
0032902a8a179379025fa8d132cc344d

SHA1
737016c8c10589733d8abe2a17eadaf71c893588

SHA256
ad9828e48920014196c1d0b115875d5720b373f5550718c7dda3a47d894d9d07

SHA512
4913ffa85c93f3575635561e8146044ec9eaa5f844eb6e2fe2d8c59e349f6f5c9db5cbb7abb63fbebef8392b5775dea55ba539dc3b8ef7533cdf47e38fb58037

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
608KB

MD5
9d650fcb2dc0a1a1fa1d4f0df9ba97a1

SHA1
d2b86eaea51cb84fec8848304b57b4323c76e4f9

SHA256
f23a3bfed1440870e204296e24dbabd63d63f8607b27456530cfbbe1a72c460c

SHA512
a7aac79138d92eb7c55359e231556837ae89d20eb73ac812a9d09f54bac42c20c89a28f1df61401d5a85a37952f6b5f7f4103c8039c1a66ce92e7dcb234a20df

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
608KB

MD5
8cb305e3b4a377efe9375b5faad14b8a

SHA1
3ecae2c228035b1d5026b1d87bb3d96f16503081

SHA256
07b82e502306c0139be6ea72f5c1f11d35b3fbd63b2eae0af8fe10b68d78b879

SHA512
02aa2c594db9393b8a0a93478378cf0dc6237464e3e747fd47c665b40abaf80b740bea1973356d6a73b02cdb7e3d6f8a306a785d867e92c7d3e4b5ec83ede647

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
608KB

MD5
b77a10d6bdb7e4e786d5be002126f5ec

SHA1
8f76127869d5c300cdd5586104c1cdbca9f1ef60

SHA256
d2d1031c877d2f27f05c19d29f8e21b48503c4e8fbbc19ee7946b2ed1d25a3e4

SHA512
242bdcc0a240e90311f8f85b0aef7bd9cd8b2276414c521864fc2d0e798fae4376c881659b971c210c4891ede3eb64b636d5f2c176d164f8350b303a89290934

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
608KB

MD5
f20014c5d790d6b9334a7530360287d1

SHA1
893a1e8a1e0a7d4b5415e9c1a0c154423122a114

SHA256
34ea2b307836ad6b5108deb5cb6e7cce89850d00549ef67bcac96447279e360c

SHA512
3c63ef1bfad2dbf194ab1ad52166d26e2c76c1405af90789ad1c7d2effef024ef54d047a1e21864802c3060dbc0dd33dcdd7c49a9577d2e65cc1635dc1d94a8e

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
608KB

MD5
2fb0391dac42449695059d7e4c0333c6

SHA1
ce70c740ef967c11cdc39d3ce9d558920ad0c880

SHA256
681f6ef577b13d608b25ed3b591fc60a0202490b3337ca44071b3cd904b4f7f8

SHA512
e354a9fa4b9c5c01174732db8299141096a3e4edbce4bca7614362e810bc4bc0d381aab8774a6719828a2587ae5e8b5d34e761af5da48029e1573831fa9d1236

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
608KB

MD5
8b4824af533271de0646fd0468a4dc1c

SHA1
cdc3a2be84393781a441bf0aca56ab5b96cf711c

SHA256
bd46d9ad6928f6997041c9ed238a942aecf9a743cc0b35d5201a1446952fa320

SHA512
b8733e2fb391c56ba858c23c1311f1092a3f01a21227567a758c88661880d1e8609bc632a53d2ec3fcaceacc54a8ea1b3142fd8299f173553b9af9664cf6685b

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
608KB

MD5
e36b3491225da568be98fc29017ecfc0

SHA1
a2fa1a03eed8706827d5cdf2300885f5558fbc27

SHA256
6ea6dab8aa11b67f0fc93b900f8972f9a111670e4fbda1603e31ad16b4b31f24

SHA512
17a12f0bb6d40fe6e22f043899406f71e699ba3c7ed9052ba0c78b4d8b4d817bf51994a8a61ea580dd2ff073d6502c9c9c1ba7a837854a0f6b54197ce5ce4787

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
608KB

MD5
8f7b54d3cc179d85637e594f36e06cdd

SHA1
6e839f3d90bc4f54f899050903689adab79d9245

SHA256
ced319c087a15a1728de3235d41ec5ec647adb31b68ed6a5fb2d47223c96cdc0

SHA512
4a08c1d271be614131f49e795a3c296631c260cf7f31825e1ca9b71c724c7cf71d2dce73951dc4fcdd702037e77e9b0b43962f230df53780e486c390bbb4c200

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
608KB

MD5
8afac0a12aa9099de12004e481979d24

SHA1
a65f2697677044e9d5b7ea53bbfe79cafc62308e

SHA256
e922abd73ef88b1fa78ea7e56f6a5b16dc3fd379095407b71e1dc2685ef981af

SHA512
a5204238ebfddc3629542881a3a6a21ffd636a95b32ae459b5ba98b0dafaf95860a143dc8e02701bfb227d87ab00378abf13da6bd967ad1b3c9860ae4ffd2d0e

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
608KB

MD5
83eba0fdb3d5f3344fcfc1ac74756a86

SHA1
1aa25171c25dab8d6e5eae813493ad6216d648cd

SHA256
bd224b9fee38d7f064003af1b5ac72f3f8d89194f34e24e0c4711cf7360e2c03

SHA512
77915cbca00c09f49903979b6819e43bfd8a523b690948425f51fb636e6806818ff7f7487c4c42526acea5100919c00d4200f87dd630787bf8746433e59fba7e

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
608KB

MD5
174a41087dfcedd8d8c894a75c42d00c

SHA1
4687477d1debf3a1c23d5c5a494d6729a44528ef

SHA256
f0e2b774c8e4f1596cb398f7801a0e178a3c23562b7b1214f99dc74ca7ff2be6

SHA512
90975542988a3c5d9c13f42574ffa80bcf29bdbd69fefc53dcfa419e2e44d2f5b53fa2c708dba86dba7e0dd3454105931307b593cf85c0f7c547e6d24f8688f3

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
608KB

MD5
f7552b5d92e84eb974eb3cd6ca431e11

SHA1
e04d9825ac3799136612d28483c03d522360566b

SHA256
cb86b9e1869c39b109f724c6512470de1af37232846c53ba69b9a6cda8582943

SHA512
2302073678c57b54e14b7d83941e509c33e801634d7aede4de60f3d21cbef1075d9aa2ee0e6a8909d559db5f4447f6a6afdfc95959e896fa11fbdde1f1e0ead2

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
608KB

MD5
afdf5de750f9893ec5046bd1941a5157

SHA1
7f9586316f0d6e32bae31bd5d3d0c28ae73c9218

SHA256
eca3be20bbd641d6486ab6b222097284715a0eb24aaca0599b73f1c93fedab0e

SHA512
3134a9c0785cb435a51f11a30417913aaebada1f8c5d7d217f8e7cdc3895ae7003f1bf0f97f0bf976ee2b9ca18101d1e2f1fc636f9cabf1f6fb228101c689ba2

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
608KB

MD5
f972d2442ebbb58bb5eeab7fc7b37313

SHA1
b46251e3452a05d1eef31893300ab6b5cf286811

SHA256
116225f15d16d7e458c6ef633414bd31f62285b23ed3b22276595b3e3b8207db

SHA512
2fb79faef242694301b643d382cc17274e1cb5b4e4decc202cd24a9380da339d70fbde38a794d85353e401366419092aecdd21198515275936bb739c4511ecc1

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
608KB

MD5
51fcacf03c3b1719c4a748febd518972

SHA1
222ce3195529eb0f312d1670ef01f39976174471

SHA256
36ba2d82697b247c467ed372ed67704d56dbda9f8118d40791fcb76b32a75832

SHA512
1f4479667593d8859317b4706a6aab757767a1d8d7f007a94e5438e1b3a6ccb54fe526d37b12775009f073cefb0e49cc9ee70b3c7b062da9c3d5533cee20df2c

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
608KB

MD5
3307042c4698d2c7de51c4c7b6b923ac

SHA1
32d463225c2d2285ba3620fd8fc3a4d9eff2ad86

SHA256
6f08c08a0d47e4164524da665792ba1d632205bd41572ee3e7bac5cb67fe3567

SHA512
0d71cb8decc06e6c9098cc17e2133b1add5362f622786a7bf3a2d4633373277f707441073650d775eed011bd264d1849c06c387f1fe1fd91a88b684998cc5e39

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
608KB

MD5
8613486ba680a70961824596c8fe9933

SHA1
5b6511ed8da1b989fe24f8c992284f0d67011eca

SHA256
fa4d6fd0fc8b9ce2f0a0952fac0f67d78a5381df814c8b8f23ec256b4ab56f4c

SHA512
2de509007906e773d3bb52066d9c33912fcb6d730d655f83c09062018eabab20f36f9d15401f6cb21709dd472d1e191b4bfb10b14d8786b4e163a4ffd39b63b6

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
608KB

MD5
d398f6d659cdab32178e1322fd344ee6

SHA1
3a122896662b24151ca55bd25e6158ae40f82be9

SHA256
ae537b5d98c02e476e544a17f25fe5240dbbfacad84b69180dc9c44858e3136a

SHA512
b31856fd54df631da1be5c5d8d1674d203f2dd9c47fa0e4b6313ec05c9a609a4be16bc6d404fe15e6c82e538f05c1c2c552fe3132f8066c2c44db243d4195f46

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
608KB

MD5
51f209d13610e30cf0907652f4d5a9ea

SHA1
5dec74b470cdf7c91da5c0156b69c2be29387789

SHA256
eddab6d016224b2bf8e61f8e35d3ff821b12e2f02cc69d6d71c212d77e0f7309

SHA512
f207a9dc307c4c8f5ef29df616bfc71f0bdd5388a7189c433522b5b62de1d031d0ea3a1d9a0f96fd5a8cdaa63c9dd3d4f58a64761580cf20cc8dc25829733caa

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
608KB

MD5
9c3cc6d84bbb5e99a8fbdae9c9162ff1

SHA1
f738334deb02ec6663ee988862c8e2a9cffa85ae

SHA256
945799e68c40c332c8c8aef86e5922099c2dfa89bb5bf0f2f3879b1dc31f394c

SHA512
b676c94e7bb9424b1897dc72db7233a152d872dbd79bd2f736a010ecc9cdd9fcc741e00d85fd881aad2ad8ecf30d13a9a362c95af68916ff39bfe62df91daafa

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
608KB

MD5
fa07f730af7093539b0eeecd46835641

SHA1
fd437c47c7d69e6353d752b07d343da709d1ae19

SHA256
fed9fe1a59102123b9d5a7f77d3367f37302857ea85c9c55db634650af867edf

SHA512
5db2d17785bdd3b8b2205eafe1e5bacb20878e3e3bf70714ad06f2f912d12af63f42c2cecb2e946df65766742d35b92affb9369fcbb2e57bd985a4eb33d2e96d

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
608KB

MD5
75d4ba48eef45c41d5c24d23a25a9106

SHA1
2c961ba92ff7af95801a2fc52c40d53a4287b8e7

SHA256
8f50c01241f4d7a295174c30995e326c3761d3e248851cf151217b4ab6d48764

SHA512
0c266faf0b530a57fc57d6bc3844e851127961702ec66dd7acf48df1405e32053815b7b0446bc6bdd7f7594a8bee95516791996d594b1cf73a460cd77fb5ed57

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
608KB

MD5
b00cca305c85d2109b585e327aee7091

SHA1
f423917f34a9619fa79073f856d49479ece38208

SHA256
771b2389ea25933d5d2dfe5db658dcef2475454c47baf96d202ba0cc61ddb323

SHA512
bf968245403b5d4eeb72a45cd172b760cead01f4c2ab232b79bbb143bc5ad40bcb86f303fc081a7abf3708d693deebb3bd7d2ce7fa59d0ac3082803465449d87

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
608KB

MD5
74d20abac95a772f9ff1cbb6935c536f

SHA1
154a0e39c896d31a70919c07e4780bfe588d4370

SHA256
c52e90c0e0fdaf0f80b6a1dd7a0c155d5441703fbc256d95730081e70468d5d5

SHA512
8eceb3c715b4ec21afcf63e414a3f0a9eff931ca2d01592be4f5177d9480e01d4dc2b274e1f392a19ca4f846e895f3234e18400f9f5e9db314f7a133f09686ae

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
608KB

MD5
36d5de71a85bbff6a3a31c3750639270

SHA1
1783e9575eaaea48ff570096c72320ff412c9179

SHA256
4e0ff22a1ad6d6b9e498ee20a294a0255166caecd53554237512b72958a65269

SHA512
d658c98c81839541d07efb09e043921aa2eaf4c00a9a0b9d9c05ed09c11ff35aab7b74bc6332870f2bc1a50ed3a5c53a45d8f59fa297fcd2cc22f5084a73ae75

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
608KB

MD5
5f4484b8241e3caa5479d85ba7d2d6a6

SHA1
41a1129327e6d612e22548a073e0a4ff23dc22db

SHA256
0ce80395a1bf0510a46f15926cd3aa06db6d0f3208755d7e9905e7f0908c7fec

SHA512
b7881945bbcbb595146606cac83297eac56f1bd2baaed4f13f33cf2903142eb27c6164d364682f56363f328492d852cef49f65a7ad3dc9365d440474d96731f0

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
608KB

MD5
ab772711ab920900a293ddc165e2797f

SHA1
6969e64ae5690b5543680017382c3f86a7dfab1a

SHA256
2f2c5713ece1e4c86dd7d4a95cba0b5dc9746043611e4253ddfad96708164726

SHA512
fec15da3f7e99b3bfbddb1d02339dce408158468b6cbb6b3d01f138fbf5830cb41eb1a2fe7c71f4529878c2441d52ca8c91867d954f6c66600f70689da62db59

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
608KB

MD5
499a356699c2049dc7902e93719a9cd9

SHA1
4beb43d363618533ffc56342c02b46b01088ad70

SHA256
5d1ca116c2233ad05efe45b3a30a70b9928c593d8c061edb808b7b3804f999ed

SHA512
d7bb98208a714da5fdb5d10f0b264a9bf0e241097daba992572dbd6864d7894dca5e1743dc45765fe77791412b924d59c08586205c3c17f6d5c25ab43aa61d3e

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
608KB

MD5
8bc31e85a0eadcec99ec34f9b146c1b0

SHA1
fca097dfe435b8fa3ebe4dfb1a898983d6231f0a

SHA256
b3da4032bc516c4b3d7e135f1b5c48e344aba13936d23d5357f7d8c7c2571f83

SHA512
96d0c34f21b93a2ab7f5aa6d16d5399e223a5dcc134439dbe6c53e75839ccfc585f685999067df6586945fa1725b5c7498d4f9a4979431a3cc4156cd693ae6e9

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
608KB

MD5
c15e2db3814f3145df019d6cac821ae6

SHA1
cdf58ff600791898f2b13da737b09e357facd0a8

SHA256
7239cf107f8c98c1194abba0ffe842625196020b655c37ff5789cc8b5da5d5eb

SHA512
2037e57f8a2dc2c72a73b0a7105c5b4acd51c4a76d06a8e01345589863330f7be35467ce8758ab1990bb962862edb23994a8d90587164a29c6f1be68ea5a903b

Download Submit
memory/528-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads