8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe
Size

264KB
MD5

33faa842af70670c16ed476319c02020
SHA1

8f01da6e875249a94df775f8c99e663c099a28ba
SHA256

8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274
SHA512

49186a31bec4d46be0e41ff3506750cdfbbfcc6b2668b06ef70a132849360c3b2dccaa292377d6c2b7b0fbbafa68ab0fccb48cc9282fbe88209f287101bf986e
SSDEEP

6144:YfrmUxnpui6yYPaIGckZay1aEI9Kq5pui6yYPaIGckv:Yfrm8pV6yYPOn17IpV6yYPo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe

Executes dropped EXE 45 IoCs

pid	Process
4620	Mkbchk32.exe
3948	Mdkhapfj.exe
3668	Mgidml32.exe
3812	Mkepnjng.exe
1144	Mncmjfmk.exe
384	Maohkd32.exe
2460	Mdmegp32.exe
2728	Mcpebmkb.exe
4416	Mglack32.exe
2268	Mkgmcjld.exe
3624	Mnfipekh.exe
2912	Maaepd32.exe
4740	Mpdelajl.exe
3116	Mdpalp32.exe
1948	Mcbahlip.exe
1864	Nkjjij32.exe
1152	Njljefql.exe
4912	Nnhfee32.exe
5068	Nacbfdao.exe
4016	Nqfbaq32.exe
2464	Ndbnboqb.exe
3960	Ngpjnkpf.exe
3272	Nklfoi32.exe
3976	Njogjfoj.exe
3892	Nnjbke32.exe
2968	Nafokcol.exe
1736	Nqiogp32.exe
2952	Ncgkcl32.exe
400	Ngcgcjnc.exe
3276	Nkncdifl.exe
1224	Njacpf32.exe
3404	Nnmopdep.exe
3936	Nbhkac32.exe
3124	Nqklmpdd.exe
4476	Ndghmo32.exe
3660	Ncihikcg.exe
1584	Nkqpjidj.exe
5080	Njcpee32.exe
2480	Nnolfdcn.exe
2320	Nbkhfc32.exe
1148	Nqmhbpba.exe
1236	Ndidbn32.exe
4308	Nggqoj32.exe
2948	Nggqoj32.exe
4392	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe

Program crash 1 IoCs

pid	pid_target	Process
3848	4392	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 4620	2880	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe	82
PID 2880 wrote to memory of 4620	2880	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe	82
PID 2880 wrote to memory of 4620	2880	8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe	82
PID 4620 wrote to memory of 3948	4620	Mkbchk32.exe	83
PID 4620 wrote to memory of 3948	4620	Mkbchk32.exe	83
PID 4620 wrote to memory of 3948	4620	Mkbchk32.exe	83
PID 3948 wrote to memory of 3668	3948	Mdkhapfj.exe	84
PID 3948 wrote to memory of 3668	3948	Mdkhapfj.exe	84
PID 3948 wrote to memory of 3668	3948	Mdkhapfj.exe	84
PID 3668 wrote to memory of 3812	3668	Mgidml32.exe	85
PID 3668 wrote to memory of 3812	3668	Mgidml32.exe	85
PID 3668 wrote to memory of 3812	3668	Mgidml32.exe	85
PID 3812 wrote to memory of 1144	3812	Mkepnjng.exe	86
PID 3812 wrote to memory of 1144	3812	Mkepnjng.exe	86
PID 3812 wrote to memory of 1144	3812	Mkepnjng.exe	86
PID 1144 wrote to memory of 384	1144	Mncmjfmk.exe	87
PID 1144 wrote to memory of 384	1144	Mncmjfmk.exe	87
PID 1144 wrote to memory of 384	1144	Mncmjfmk.exe	87
PID 384 wrote to memory of 2460	384	Maohkd32.exe	88
PID 384 wrote to memory of 2460	384	Maohkd32.exe	88
PID 384 wrote to memory of 2460	384	Maohkd32.exe	88
PID 2460 wrote to memory of 2728	2460	Mdmegp32.exe	89
PID 2460 wrote to memory of 2728	2460	Mdmegp32.exe	89
PID 2460 wrote to memory of 2728	2460	Mdmegp32.exe	89
PID 2728 wrote to memory of 4416	2728	Mcpebmkb.exe	90
PID 2728 wrote to memory of 4416	2728	Mcpebmkb.exe	90
PID 2728 wrote to memory of 4416	2728	Mcpebmkb.exe	90
PID 4416 wrote to memory of 2268	4416	Mglack32.exe	91
PID 4416 wrote to memory of 2268	4416	Mglack32.exe	91
PID 4416 wrote to memory of 2268	4416	Mglack32.exe	91
PID 2268 wrote to memory of 3624	2268	Mkgmcjld.exe	92
PID 2268 wrote to memory of 3624	2268	Mkgmcjld.exe	92
PID 2268 wrote to memory of 3624	2268	Mkgmcjld.exe	92
PID 3624 wrote to memory of 2912	3624	Mnfipekh.exe	93
PID 3624 wrote to memory of 2912	3624	Mnfipekh.exe	93
PID 3624 wrote to memory of 2912	3624	Mnfipekh.exe	93
PID 2912 wrote to memory of 4740	2912	Maaepd32.exe	94
PID 2912 wrote to memory of 4740	2912	Maaepd32.exe	94
PID 2912 wrote to memory of 4740	2912	Maaepd32.exe	94
PID 4740 wrote to memory of 3116	4740	Mpdelajl.exe	95
PID 4740 wrote to memory of 3116	4740	Mpdelajl.exe	95
PID 4740 wrote to memory of 3116	4740	Mpdelajl.exe	95
PID 3116 wrote to memory of 1948	3116	Mdpalp32.exe	96
PID 3116 wrote to memory of 1948	3116	Mdpalp32.exe	96
PID 3116 wrote to memory of 1948	3116	Mdpalp32.exe	96
PID 1948 wrote to memory of 1864	1948	Mcbahlip.exe	97
PID 1948 wrote to memory of 1864	1948	Mcbahlip.exe	97
PID 1948 wrote to memory of 1864	1948	Mcbahlip.exe	97
PID 1864 wrote to memory of 1152	1864	Nkjjij32.exe	98
PID 1864 wrote to memory of 1152	1864	Nkjjij32.exe	98
PID 1864 wrote to memory of 1152	1864	Nkjjij32.exe	98
PID 1152 wrote to memory of 4912	1152	Njljefql.exe	99
PID 1152 wrote to memory of 4912	1152	Njljefql.exe	99
PID 1152 wrote to memory of 4912	1152	Njljefql.exe	99
PID 4912 wrote to memory of 5068	4912	Nnhfee32.exe	100
PID 4912 wrote to memory of 5068	4912	Nnhfee32.exe	100
PID 4912 wrote to memory of 5068	4912	Nnhfee32.exe	100
PID 5068 wrote to memory of 4016	5068	Nacbfdao.exe	101
PID 5068 wrote to memory of 4016	5068	Nacbfdao.exe	101
PID 5068 wrote to memory of 4016	5068	Nacbfdao.exe	101
PID 4016 wrote to memory of 2464	4016	Nqfbaq32.exe	102
PID 4016 wrote to memory of 2464	4016	Nqfbaq32.exe	102
PID 4016 wrote to memory of 2464	4016	Nqfbaq32.exe	102
PID 2464 wrote to memory of 3960	2464	Ndbnboqb.exe	103

C:\Users\Admin\AppData\Local\Temp\8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e93a55abef63d4e99c9322c8dfc4698f2aef5389cdace9c15bc2d537fd20274_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\Mkbchk32.exe
  C:\Windows\system32\Mkbchk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\Mdkhapfj.exe
    C:\Windows\system32\Mdkhapfj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\Mgidml32.exe
      C:\Windows\system32\Mgidml32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        46⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 412
        47⤵
        Program crash
        
        PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4392 -ip 4392
1⤵
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ciiqgjgg.dll

Filesize
7KB

MD5
cc9810a0f6e353ddce418830d2b3f122

SHA1
9d9b863bc9b5f9c5335b7be4aae197ab07c3e2c6

SHA256
82a4ef90948bf3d9b520d635cdc80ddb35b0dd73b68fec1c93368e0f2aa6d8f5

SHA512
70d107124b49862a284fce03b868dde4e4da7e2b460bb5189810c2a6d6bab142fd6d35e689f5f86c95e902b5d1cf4a7a32bdc285bcefb5894a332772c4d5b718

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
264KB

MD5
c4577c45cff1111cfb44ecd9036d041a

SHA1
95f077fc5374bfc91ccb958c3add601e34050f79

SHA256
8e79c8a651e02e09bc273d6718d25a3946da23e2a61a678757bf7c6b20b551f6

SHA512
f43eb10cd2547b00f84dd4cf4dab841472e773d6d7bb068a80bf7295d3c8c2b712ab845efdbb9113e4e9cbf752aeca51f71139d3a3393cb4a6bcd3afe71ad43f

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
264KB

MD5
d052ff2a201a6ee791e712006611a826

SHA1
58a213ad623952239be5b6c6353c149525771447

SHA256
f850293f76898ad70f91c930385bcc4693e7b63ed4ad054f6d5f4cf2c496c205

SHA512
ba5ff0724a11466db3f3bb213e6d5ac482e4e09dbbb5a174e470fdfe9fc9fb02cdd267b2ecb5a82af54accf7b854b1ea5d6b0223294ded1c9d7533d34cc0f9dd

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
264KB

MD5
20ae838dbd2b1551de8104c47fea5db2

SHA1
f5066ba8cf7c897fd7bdbc35548b68c474fd9d88

SHA256
5888c669bff845452313eeadb63c7ae00b39f8841062253af0c26532f4792bb5

SHA512
018d74441273eb1b5e39313d8208d6e4c2413ed06ae62aa5ff0734e1eee139c668ffa78b253211ea3476be58063d6f5f3c2002baee61e89035581a9c4a4c5d66

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
264KB

MD5
07f8b22b982b38fc60c61d8be11c6970

SHA1
cea0b02dcc4b2ad5c9f457fc4e8832ca68c8e9ee

SHA256
f81e51ce7b130303c3a818943c253cb9ab6b0bb056c00e22a21f47c1b90484b3

SHA512
b86141873b837bd23f2211079e74bf51f81cdb45a6774b1fd9a6a480a921f1ce04c840f299b5c295a370d8dcef10b3dc19b16a0f443a68341d8af4a59cff92e2

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
264KB

MD5
0819fdde6964f3a166e1605ad1697101

SHA1
90472086a207842dbbb5dd240171d27c422eba8a

SHA256
fcb61ef4ce0511945aa7b014aac21cc8069842eae7eb774814073be8c461610e

SHA512
a9ea0fc1a15791495881f8eb93845eb58d5e74aa4dadad5cbeba7301c915b6a8558bc238b9866e6d2a3b903f02e111135ae79beb5485db68e261568d7e9e6622

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
264KB

MD5
7b7acecb27cb47b82366b711e7053009

SHA1
a0546dc5d0d6cb1f6a6989b6895ed1e0bc1d6694

SHA256
1ef909d651db6942ade05d9e0e71669954c6b54bb0f8a018dcb7c7ffd96fcf23

SHA512
90f1c09d84e5a46d56d026c32397307bd4357f439698724be084ba8046ea1d1a277904069898078378018bc998a34dc13874178aee7e116fd91e23d4356606dd

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
264KB

MD5
0e5bea2f9d01ed2e9c7e6de0a86acbe7

SHA1
673836c5e599a67cec1186d26a8f707f3cb1ca6e

SHA256
fa885f55e0199e679af114ae789c6fa58f1386351d71f6802cabccd5fb63863a

SHA512
390d763d095e84358bb292fc0a7dea05b1fc06db7bda7e8e17482fc6bf8465403b0b645c3c9d9e662a3d54d88ba0590281479e9d478baef1a6878fe6b3b2c9b0

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
264KB

MD5
82b83940390e4ad6ad1c382a77bd9307

SHA1
911f462bdd458ec0566a8ce6fbc13b9cddd275c8

SHA256
939cd4cacf1166432cf4a1bfd50305e77e68a92b103aab1dbc2fc247d9a9042b

SHA512
0c1de39577afd1413dbfb974272320007f9e2e6d5a6d553480c22d3b507734e3f714eca77e73488658a4e3e9f2f6e9e84a716e0ec153b687a8b7fb4719f67126

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
264KB

MD5
add6166fa3eef66dd10371518c213bc6

SHA1
d5a8e6b961a40bf4e225e0caa7f6f3c3b26200d4

SHA256
f9e34e87de44eba90ae3cc57e2e55bdff10bf6332e8c674e1969b51dce5e9780

SHA512
4b6e37c316d132fe296edeb94fc0277c16d7aeee4c33dc0a6bd92590e3a7b6bdd898fe8c69cfda995d2ee1b280c8670b65ed5810f54c9826e52666c06016239e

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
264KB

MD5
4da19097aa7e9d1dd23699ba34d0ab6d

SHA1
6902009bc0434f5f7d833a840dff53260a2b049b

SHA256
338b923c53b0f0d3fc7e86c747bfefac4265ee8e3eb71c79dda6aee435e1c6ef

SHA512
99765d55b34b36bfc7b730a98d7765a68f2489818a27cd2f6d6bcfc17f57559764f1c5382cfe7330a12aed92ffb006eed02827ede26c25263671ccda3353d6b7

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
264KB

MD5
273ee4e67976b53bc9ba35e07e6dac39

SHA1
1390851fe00ee3384489b52f149b43b827d029f3

SHA256
aa45b80b3ae771e93a23f850d2a545f8fc8ef0c649f41b1cc0d25d1840bac049

SHA512
335b5759f93558ae112420c015263a5c66b0bd13c1d3f7ec1517aa1ef193e914fdd40a74b72a865101f04663ada06e2ba52c03da6446b2216915bcb137b00958

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
264KB

MD5
919f80298d14252754909bb1c8d0b56e

SHA1
5a1cf06633fa4d220ab11659820decd12ea3f105

SHA256
fb3fcc7fae78cd5f75b41d3094aeddda5d3ce4ac06352ec8f4ccf0563ebd54ec

SHA512
22b9a6c8332f12e311e57f3d6f9fdd66f3ce1784d9a8d58c2623bd316cadf0429cf6b51e11f00871c288998db23849cca63afe96c48c63d42942c508e5bfbd69

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
264KB

MD5
bf86b27f04ccda926cf8da7c2f83c191

SHA1
209eb92b8a6a0de4d4022ed13d1a80af862301d8

SHA256
d3aabac539656c8264bea41bd9a292a669985e00e8b01e5840578f0abaf5801b

SHA512
f1870ffa49fbfadc30086b13e2ba6d9fc1d90756433351178269d820601ac7ec9b4ab4b6043c39e544f8e2e578e750332b155dda7889a05f00072dce231dc231

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
264KB

MD5
296c3db2f76b736a8215ddf3fb83261f

SHA1
75cff15c7dc52ef518210757599f60e1364dfdac

SHA256
bc4b34b6990fbb8124e9ea61c1f5e5aaf137120727c31b7eb1f9b2213292584d

SHA512
365e0635ccacd73eb7ff665b33f51f06090eba43731d9633c39144559b610e706a2c0f22a1446b54759cc60c8425fbb10fb65a5bf6cb417b00bab5e6541fdfe6

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
264KB

MD5
cc27cf4cb97f7667234da8d0b6de43c2

SHA1
090fed0721319cea8730c37d6ae0dc35d924fc97

SHA256
874d68fc321e0fef330d3cd2bfd470f38488bf39d302603f1589fe8d1b066e79

SHA512
24886bf8a8c26768189d076d2dbd5e79ef01ab9d3ba37e9e48b4b4e792df9e1a53d47c6e80c94d4c458c5c8a6631318280f03849b99e3d2cf2e911fbb910b899

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
264KB

MD5
89559d32284f273dda333993e3c53fd8

SHA1
49ec538aeb52d59a02e9e4a702eb5a46437ebf2f

SHA256
dfc6079dd0249141847a9f89e5a9618209afc462cf8722c6ef957e0fffd8c92a

SHA512
fce0a833bcad3b53fc3d6f8a953be5e56d58045c54e8ab6fa6adaa4f998580d38913e1973d9b3e8409b6e48dcdfada68dec9f971936ee41607ff746b4b454897

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
264KB

MD5
b3ddd00003bb54856134ae1a8136aa63

SHA1
8937dcb9620b0e17b5ecf4f179bc534eeab6cf41

SHA256
d1c0b8b299d6e1b7558cd69baa7be953cc6fd11d1e95163fcb0559a23fdd68b1

SHA512
fc67215d26c6b0b1b93b1c8b5fae77675ff62e5b248996fe91b5bb2cb6b2df39bfc31363e036c4d8dee8c77310a8793bf84626f96337cf253b067bf9e7484e29

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
264KB

MD5
1659330027ee5fe5306008fc3be43577

SHA1
b18b1741357aea7f1d277d53741d21571c287f67

SHA256
1c4f708e88636da74f455dfc11c6b8ef51a3f27b6be18ac93435a22bed3b3b79

SHA512
2ff2aca7152143b823317ed421474f18ed9545ddc25f7284c2e29bf154d4d0665eb860275438e9f53db42f030861a21a8d87b74feca86befb86e663ccd4407a9

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
264KB

MD5
7bcc061fa3178062d642babb17837343

SHA1
3a524d9dd1a572230a18c60a9f447a659479f9c7

SHA256
38a8c5565213019f5ace6ab4fcfcc460849c133b230de94408a542635de65a1a

SHA512
a8b12c3cc7fcb4b81447b7b67a6526bb9ea4d99704e2382ef67076f656c04954944ab89a036bd9b3ea688623f3cbf159ec8f2e71929ffba6786a096c1f6d5e7b

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
264KB

MD5
b46cd329193f0796c13e811505f510e8

SHA1
154072ee09e545a3d1d5675f6c1c0491276b2386

SHA256
a58a2a1f9b680f45deadabc5ad2edc2df00ec55713bdddd9205c31638fa9b5cf

SHA512
092dfe851d8b32ed143e41af071c62c169e02e4cde4d935d0ac19dd24a49a4c6c5373b4e0936dec6c425748c83160f776a27d060f68b5372b1242995da7ebeca

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
264KB

MD5
f249c884e75f6e0072c915ce94a82be7

SHA1
6661333e3cb84875dfa3a7f5996754fb02a2df26

SHA256
753b5a0e26dcc640f5b965971a3590ad165277560678a269e3b82a30fccd2822

SHA512
3e5f07d1af47e2d57419387f6fbb696797b91a3dbf7c8e2d2bf893c564537f516b0093073d48bbf5cd88ac719300d1c11208e2de917bd499727b041bd67de5e5

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
264KB

MD5
88411722e02e73a4d3416e0bf09454b0

SHA1
ca5531855e98f1d23072bf9f2130ae2dd9669c57

SHA256
863ac0eb872b33ba542a55fdb35ebabf48d3d36f24e73045b1a1b5bcab0812e7

SHA512
b655298975e3ed36f4d8d57498b504f802a6b4f9a064d120240133247f8204993a2554a9bba423026124bbb89c61fa952dc30c618357e3dde8a944ff0da537bc

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
264KB

MD5
586ace39cec3c0cf714fd47b3d5b809f

SHA1
3be1f7df5159e9e26f0af04e95ff80e27e381cb1

SHA256
bff475ed54e723b13cc8878203292e50a74322835343449124dd792544b95d2b

SHA512
6397f3c46f7a9379b72e37523972d95a426888d32ba49f3f53a3a021d22ee66820596c13da1120942afc76e3b08a303d203aadb0892b766d048e73cabe9ac88b

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
264KB

MD5
7954a05fb34012fe0127c2fce7edb411

SHA1
4306aa8abece7b5adc82b4ee06310c362e7c1aa5

SHA256
235a7afc6ab2db49ee3566235bedde4c43c275df401c3180faf2cce22e06773d

SHA512
4acc9338cb39bd4e275be5b760bc39335fccac929efe66b85125c27c902a89bb7313c30ff9f2fb0d14264eaff012b0e1d4675f1fa9a60aee87524e7d4ad0bbcc

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
264KB

MD5
9d70ae4846c21c2f08b55ec82978b48e

SHA1
040a33f363a7b327656a244409290e5db0612821

SHA256
ae429db30d342fe3233f5f0844f3dbe9ae7e721e34ea75e1eff0bfce63c89265

SHA512
da3eedfe2e5f97cc20d0845ebc4049a0668417450466cdbdbb90563a2a1fa3d74c3b99b8555f40eea51b52debae0b40f665a1bb834bc5f2f4ec36c61a5c64978

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
264KB

MD5
676474cef4dc91d917d4ddb439c947ee

SHA1
3642249ef1449765ad7c09a3d7e37ff41c5d772f

SHA256
2f671ef72c8d5d961a4fa18b73789d38ebe874d5eb8ad559c0e42299a75f4acc

SHA512
664ef2c47f1eef4ffb93c010591c1415bd4e0f592ec0c54346b21fe43b22f0f38e446f32bc735e94f0484916ef4e52cd4c38fa3691b3b0c415be6c95eb042247

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
264KB

MD5
b8bc15779a711317fa3cf7b945f0a768

SHA1
215e590b0dac1f112cdc3b5a9a85b12f88001bee

SHA256
2643ee20eae6fedabb53fcbb1d234420a37061285ec46054806c0e7333c06d84

SHA512
a2601424fd640e3bc6dedfc780d6831d7b51027c855456864ed2847ab6472229d9db4f3801e5c780fbf8303900486b9b4194bcfff080ea5c3f27d20ef1dc414b

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
264KB

MD5
f6a1da5652dc4b8f3918081dbe90176f

SHA1
13ee5257a971f400ea0598ccb68369e798015984

SHA256
6e4f53992a41b7ecfc22d366f3cf01f70d27d84a7ddd1e4e27fc2168d75b2e83

SHA512
f7525d63d59d0eb72d9cefa2b074798900dc0e17aa9609ab3d0cb79b1b3d5e588b449c010f6befafe07f902245db8a7e2f2ee779dfb6cb115e0ca68a851b895a

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
264KB

MD5
173285cf2e2f452c6e39344e2c5f7dc6

SHA1
a7914f05d0769f79a4b30e48b283a96e68602912

SHA256
a6c58cf068c09fb51233acaffc357b38cf2774419cbce53969142969d1d627f5

SHA512
2c643bf5e7c8a10fc7f81e3cbb5b0200c4b3e94ed6878972b4b73f178b4612cda9f469c6ebe2f28316121529d2baeb087321eaaf67d1a3510c1570d47dcad43e

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
264KB

MD5
67ffffca1e6bb4dfb409a572d442931a

SHA1
9bca52d7b1bd394da805bf57406f154e6be76203

SHA256
b4adabd875317eb09774dfe5bd32f87c4f6da58afc8c48637f77d9d75579029f

SHA512
b4b1e70c5bd82c841c32f28fef0f6429a4832d2618186a9ebbec86c2e371ce73db81a4e1a967a0db22385f1399b2042bb3fea294e23c32a5d993020f47261a23

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
264KB

MD5
0279437f63ab11adb149e889f7d8d22c

SHA1
6f57e3ffd9b342032f95b461eedfeb1b44d43465

SHA256
ba7e93d347fbadbbf8926bc1aad7bd8b7e811538d421a41c7551f2626e46d34b

SHA512
b8531777c4cec2b46a5def9a474d902fe56ab26a50995c8af4cbb77f0386bcfd60be79e806d1f572469f9213d590821da2afda105aafa1d16c38691ee6b06c2a

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
264KB

MD5
9da4865fd5e1c25ecfddaf76f8e1c821

SHA1
8c93d4afe1b33ee8d90b8459ad231e5650e4361f

SHA256
6e3dd009b6bf829c7e5eb18472a5e8959ee207fe32707ba0f7f237acda1f34a6

SHA512
042ebfc009be458ce704e0ecb0260c984f7ea0bb3db97cf568e08318e29ab7d89c3f560300b3242ccba5ea6baa48fc5caca7c471bf3ad948bed67f206e4da4cf

Download Submit
memory/384-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads