2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 01:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe
Size

75KB
MD5

580986b8e7c17e682ccf21671cf34ff0
SHA1

a4eac5bda7b01b4bd8452d82fbbc678a613fbd82
SHA256

2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32
SHA512

a705d68a6e41d8b7de7d7790af592e46bf80182e9c8abdec04c10531ea921af98beb2e46ca0152e63035ed32508090736fc6d119bcc45d9a287d5495229e3998
SSDEEP

1536:ns4rhBYqAXmM/8lEiVBTTTTUJv+yrv31cgCe8uvQGYQzlV:zgtXmTEiEAa/ugCe8uvQa

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe

Executes dropped EXE 43 IoCs

pid	Process
884	Mnocof32.exe
3192	Majopeii.exe
752	Mdiklqhm.exe
436	Mgghhlhq.exe
2432	Mkbchk32.exe
4440	Mnapdf32.exe
4980	Mamleegg.exe
2848	Mdkhapfj.exe
4936	Mcnhmm32.exe
2280	Mkepnjng.exe
2240	Mjhqjg32.exe
5000	Maohkd32.exe
876	Mpaifalo.exe
1808	Mdmegp32.exe
1532	Mglack32.exe
4152	Mkgmcjld.exe
4532	Mnfipekh.exe
3852	Maaepd32.exe
1156	Mpdelajl.exe
4860	Mcbahlip.exe
4512	Nkjjij32.exe
216	Njljefql.exe
1864	Nacbfdao.exe
2876	Ndbnboqb.exe
2524	Nceonl32.exe
1588	Nklfoi32.exe
4100	Njogjfoj.exe
4840	Nafokcol.exe
5104	Nqiogp32.exe
2696	Ncgkcl32.exe
3992	Nkncdifl.exe
4128	Njacpf32.exe
3320	Nbhkac32.exe
1860	Nqklmpdd.exe
2312	Ncihikcg.exe
1576	Ngedij32.exe
1528	Njcpee32.exe
1776	Nnolfdcn.exe
4964	Nqmhbpba.exe
4820	Ndidbn32.exe
1820	Ncldnkae.exe
2660	Nggqoj32.exe
2368	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4496	2368	WerFault.exe	122

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 884	4688	2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe	80
PID 4688 wrote to memory of 884	4688	2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe	80
PID 4688 wrote to memory of 884	4688	2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe	80
PID 884 wrote to memory of 3192	884	Mnocof32.exe	81
PID 884 wrote to memory of 3192	884	Mnocof32.exe	81
PID 884 wrote to memory of 3192	884	Mnocof32.exe	81
PID 3192 wrote to memory of 752	3192	Majopeii.exe	82
PID 3192 wrote to memory of 752	3192	Majopeii.exe	82
PID 3192 wrote to memory of 752	3192	Majopeii.exe	82
PID 752 wrote to memory of 436	752	Mdiklqhm.exe	83
PID 752 wrote to memory of 436	752	Mdiklqhm.exe	83
PID 752 wrote to memory of 436	752	Mdiklqhm.exe	83
PID 436 wrote to memory of 2432	436	Mgghhlhq.exe	84
PID 436 wrote to memory of 2432	436	Mgghhlhq.exe	84
PID 436 wrote to memory of 2432	436	Mgghhlhq.exe	84
PID 2432 wrote to memory of 4440	2432	Mkbchk32.exe	85
PID 2432 wrote to memory of 4440	2432	Mkbchk32.exe	85
PID 2432 wrote to memory of 4440	2432	Mkbchk32.exe	85
PID 4440 wrote to memory of 4980	4440	Mnapdf32.exe	86
PID 4440 wrote to memory of 4980	4440	Mnapdf32.exe	86
PID 4440 wrote to memory of 4980	4440	Mnapdf32.exe	86
PID 4980 wrote to memory of 2848	4980	Mamleegg.exe	87
PID 4980 wrote to memory of 2848	4980	Mamleegg.exe	87
PID 4980 wrote to memory of 2848	4980	Mamleegg.exe	87
PID 2848 wrote to memory of 4936	2848	Mdkhapfj.exe	88
PID 2848 wrote to memory of 4936	2848	Mdkhapfj.exe	88
PID 2848 wrote to memory of 4936	2848	Mdkhapfj.exe	88
PID 4936 wrote to memory of 2280	4936	Mcnhmm32.exe	89
PID 4936 wrote to memory of 2280	4936	Mcnhmm32.exe	89
PID 4936 wrote to memory of 2280	4936	Mcnhmm32.exe	89
PID 2280 wrote to memory of 2240	2280	Mkepnjng.exe	90
PID 2280 wrote to memory of 2240	2280	Mkepnjng.exe	90
PID 2280 wrote to memory of 2240	2280	Mkepnjng.exe	90
PID 2240 wrote to memory of 5000	2240	Mjhqjg32.exe	91
PID 2240 wrote to memory of 5000	2240	Mjhqjg32.exe	91
PID 2240 wrote to memory of 5000	2240	Mjhqjg32.exe	91
PID 5000 wrote to memory of 876	5000	Maohkd32.exe	92
PID 5000 wrote to memory of 876	5000	Maohkd32.exe	92
PID 5000 wrote to memory of 876	5000	Maohkd32.exe	92
PID 876 wrote to memory of 1808	876	Mpaifalo.exe	93
PID 876 wrote to memory of 1808	876	Mpaifalo.exe	93
PID 876 wrote to memory of 1808	876	Mpaifalo.exe	93
PID 1808 wrote to memory of 1532	1808	Mdmegp32.exe	94
PID 1808 wrote to memory of 1532	1808	Mdmegp32.exe	94
PID 1808 wrote to memory of 1532	1808	Mdmegp32.exe	94
PID 1532 wrote to memory of 4152	1532	Mglack32.exe	95
PID 1532 wrote to memory of 4152	1532	Mglack32.exe	95
PID 1532 wrote to memory of 4152	1532	Mglack32.exe	95
PID 4152 wrote to memory of 4532	4152	Mkgmcjld.exe	96
PID 4152 wrote to memory of 4532	4152	Mkgmcjld.exe	96
PID 4152 wrote to memory of 4532	4152	Mkgmcjld.exe	96
PID 4532 wrote to memory of 3852	4532	Mnfipekh.exe	97
PID 4532 wrote to memory of 3852	4532	Mnfipekh.exe	97
PID 4532 wrote to memory of 3852	4532	Mnfipekh.exe	97
PID 3852 wrote to memory of 1156	3852	Maaepd32.exe	98
PID 3852 wrote to memory of 1156	3852	Maaepd32.exe	98
PID 3852 wrote to memory of 1156	3852	Maaepd32.exe	98
PID 1156 wrote to memory of 4860	1156	Mpdelajl.exe	99
PID 1156 wrote to memory of 4860	1156	Mpdelajl.exe	99
PID 1156 wrote to memory of 4860	1156	Mpdelajl.exe	99
PID 4860 wrote to memory of 4512	4860	Mcbahlip.exe	100
PID 4860 wrote to memory of 4512	4860	Mcbahlip.exe	100
PID 4860 wrote to memory of 4512	4860	Mcbahlip.exe	100
PID 4512 wrote to memory of 216	4512	Nkjjij32.exe	101

C:\Users\Admin\AppData\Local\Temp\2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a7ecd5c136bc1811cb7c0d78723cae749e9fdd1f0a491a1dda071d4da77bb32_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\Mnocof32.exe
  C:\Windows\system32\Mnocof32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\Majopeii.exe
    C:\Windows\system32\Majopeii.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\SysWOW64\Mdiklqhm.exe
      C:\Windows\system32\Mdiklqhm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        44⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 400
        45⤵
        Program crash
        
        PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2368 -ip 2368
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
75KB

MD5
78aff52f149daff228c2ce4063bb6e0b

SHA1
5c3da8670e27f8d5540ceaddf49652979977ff63

SHA256
2c6f44a3b4b3f281ab597c9e3a78f5e0d0fc6970d6cc1e1650be64b6f0cb4815

SHA512
42bbdeb42dbd84660643b56706be24546a082ed65428789e1722fbe910d10c9c4d2b39b788857cda3d6b220775a95d6422e38ab1c9a4c20bc99d4a6dbacd4e20

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
75KB

MD5
b020416e555ec42222c4828bcd1fc513

SHA1
c9fd7f3916680a98f0ffa874d0830292a1ebb59b

SHA256
ad843ff375cbb55e697340d90b4479db8a6ab7941d182aeac875867f4a9291a8

SHA512
ecd3611b81b162c99664114773e2f0db8535f34f81ac05f98109811d6a9a03660675ace8d26b32ede0bd00aa8b7f26543a1fc2d52f403a89f88c0dcd85ec0054

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
75KB

MD5
27894233ad9c2c3bfda653e5ac6f3b1c

SHA1
8b803b0531babbfe23ac46091de8460bebe3578e

SHA256
8b59f6113ae41983f1a2a45612df84932c89180b3d2751cfd354ccd6cd7e283c

SHA512
c6d7bc456a1c17ea61bc810163d33b8916b083b9354d914eb85e58cb3622d6ac9a51582125bc262f6dac196f14864eca7bac1681fd554cb6a376618eeeb07706

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
75KB

MD5
8b86266e70212e2271daefba56cab4b3

SHA1
859e123047cb3f1b20c5e579fc23273f979bb301

SHA256
a0ee69ec3f9e81f57dd4112b51a85ec53d304aee61e18118dbbdccff0ad99bd4

SHA512
42853c23ba9e68ae1ebe231977052695ecb1863324fad16631cd8b22cd7519b3b976460dd9e48c8de7f44bbc8b49d77f798f9ca54f36246bbea889e75089a8ed

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
75KB

MD5
790ae79f1f769be9b328b8d6b673accc

SHA1
2fa027463d227d4bf61feb2fcf830b04f5ab1568

SHA256
b7aae1b966089ec52b4b5a15f128e3d42218341617d54bdf56170bbc7846766a

SHA512
5bed82e0375c1a969732bacd060588976f9d61d0c639bc6f2ba65831ab3d309936ab2e709c9c3bc1785214f2e1cf62d1e7f450a716de24feff4405b9b12edb58

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
75KB

MD5
8e642061abbe98a7f03672edb62a9162

SHA1
eb2caf3493bf937d2b6f867a1af0fc1f02ea2daf

SHA256
92110b894d9020814d0a67a8fc9149fc27a5ded3696d5be350f7613161bad922

SHA512
092372e3d75cc158124ab70f9696f8070d631262c4e3842a7e2c53924c468b0ff8d3695365980aff775ad218dcba373b45930feba25dd0cbc8048f664a70796d

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
75KB

MD5
062257e43b957b34a0759dc6e118dc3b

SHA1
a9d72b15e468af91f793bb4bbdf4f2845fc93d54

SHA256
4b407b54384b1d119963971571e9cfe5c765c0939ac23c7eaaf96138185abbee

SHA512
12c9d802c6342edbd461b07214d64fed0a64fee984d9b4e5e23f9543c50833832e3abc29619cd384d7f7c9019f49dfd3e5983a2e93c42fb2333b32d9b02c79a7

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
75KB

MD5
190d627181f1dcdcc46b1034cd85c4ef

SHA1
831ec5dc7c9db54f953c334e618ea246e8f1e98f

SHA256
38a1f38c3ff8a7c4a2310a6d266d99bde6cd0811f8f7c0831aba2ff22af8d9f2

SHA512
09f7db95deb3b2205baadc6b8acdb8e1c7d51d934ed1ccd451ce3d472f075679fa029f9bb23ac2f0062894c072b7b18c9fdc9bacce645d1c401f0eec0f22bf9f

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
75KB

MD5
af4c0ee12434ebc7dc1445237c6c82d7

SHA1
487840c98798f34aa77a2705706b6805a45b4e9f

SHA256
ba6e7347f238e0745d860aeab53fdf7269f426a977857aa7916f971eff9ea4e9

SHA512
3e5f7c31efe4a43347bea89c1e2222e16c1d6c774be839f1d991140ad691f067f314cbd2d0a517d012438b56e4fff16286c70a37f4d6af8f8b067f1db95f6afa

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
75KB

MD5
b3689aa7986d5842212562149badc0d7

SHA1
c968bbb53898b68b25ca9c0cd1e7a8fc18b8007b

SHA256
db604f0e9dddccc12f6770f65f54d91b8bd15d92b37bd7492f1ac1e80fdd7066

SHA512
4902c91598ecd0bd0dc7aa42a38d1f0ea14dc003dba27763538dfd36be0c711693e15f0addebcda01ab54ad917d6b3d6bc4597a559a017ae5fc8d5786e42f0e5

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
75KB

MD5
53d0de30e382891f2ef23dd363d38438

SHA1
f404cf6501466d19b24c06590b1f6d2916ff468e

SHA256
b636ee6070667e9b37222887e5d29e5f28957b179287fefbb53e62e5d5a56fb7

SHA512
5deb3d4c698e41a5a9df9e4e0394574b7608a7b8cdedec600ca277e2dd6c2d10e0afb9e3de11fbca05c17baf6d861944f4520dd41e4f1387977e2c5a15fb3c46

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
75KB

MD5
846740d25785963c67852b3441183b6d

SHA1
139cf968c1c74d359bb002bfe91a3f4d0a56b79e

SHA256
2b8059cb55f86dc0028cf58b789cff47280fd6d79e0855aecc79227009a8f200

SHA512
abd6072879f41cdc209d021a1fb22895f60c990e20788e6dc4f89cdce1964b217027c0b99ea9919f991bf995971607f7a568b6f43c687625078528e170481ccd

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
75KB

MD5
dd941f583b808b5b11c0df0c60c0fc57

SHA1
3d5c1453e037ae25173302593a9e6166ca3d010e

SHA256
176b2521fa35156a72d5c9b72cfc7412ad26a5a6395050733027761bddc207f4

SHA512
6eb4c02f0d52507485a38ff37b3b47e8617ec5c9b988d9a77bd42be55e5a4880d0ab113b7edef4e3972134f394a3f211a37b450193a48774ea9f1b8d88e96154

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
75KB

MD5
d4f8bf751486d205bc26d721fbc26b10

SHA1
87aa0ecab5d5485754d926ff5969196432b9469f

SHA256
85a36828d21e522533c2ed3e59f39b807231f9a16550e6647c6afef7410f919f

SHA512
aa130c37886094a7698f90bcee51c727f643f79eb984f66923757b2b93f11fec60d47a1c2450b0cbbfbffcd354804935c3aeabf51f4a06c9a495b9716336d701

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
75KB

MD5
00c86886befb1e6c4ce0cfcda96afaf0

SHA1
655d548270a6a3abd69d86558324220a1edad64c

SHA256
bf505840177324cc17ac854344f655617100c05a1d658450a3fa827dcce4fea7

SHA512
f692d03cdd503640f5ff1402016b21fa8733649be597f208fc8114ac2b5af74d2b9ee78694df0d9997b72747337a916641f81057ccbcc392e2653f6a86af88bf

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
75KB

MD5
6f3d4382ae25c703b742dc78e214b373

SHA1
e6efa4594a894d8306ba4a39003fe2e86c79ede3

SHA256
15f874efcb0d65a8bd3aeea6cc7c5b23fe1422ffb5aefe8c1388a4b6eadd2416

SHA512
e06b09dc89e354a8b6b2f00a337f61bf880b19aa4f50dd4664f1009466013a72a28aa084062722a434a895d390346d9068b7d8330acf496efedaaf6e8b53042e

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
75KB

MD5
f39c02624d8eeb5626f9bb51de450a58

SHA1
f9cf59cdbeb4a3b347605d16ad22e54db0e64e62

SHA256
f09e61262df8a6a0fd9a852a25ad2e547d9aaef183dd2e2c9d4157c9776f506c

SHA512
a016d395c39f7b769cfdab5018369190c177582896d18ead78e933f327557ee5c81bc191203b062a54c3d1aeeb165e62b72dd795e93c2ec3002e9e05c68a51fa

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
75KB

MD5
a05083388e8a2d4fbe4b3a097773d6f7

SHA1
c1216b322d95e1425005636bbd1316d693c28779

SHA256
dbaad657dfa75caf1264f138d92c76afa2c4911e96c812be2be64d8e6e555fcb

SHA512
61aeee63fd678d8fac27de7e6f39e7592b9aec798b47a3ff89102e1e60a560fcd060180a1e8d7d272f7e9ad88ba4994f73320e2d685bd2059aed937a705b52c7

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
75KB

MD5
6d7a06f543bd9fbd86833d20ac3dd0c8

SHA1
fbd645d32662bf42071ababb0e22e2fcd7ddc4c1

SHA256
aced89ce933fd5376e88bee9dead58872ee8e56b5f2adf3112bec38248a61849

SHA512
bd08ab927da619cb66cba4a456525bc6701da0d269fb626adcbef71503ec54ebb468acbb7e6e7b9e790e2a68ea6932b1670ad1b7c384ca9d10830e502e5726ef

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
75KB

MD5
5ed2141993651723facf4801d64454f5

SHA1
6506c35931db96f368a9428d4c28dc7063673adc

SHA256
4373e80417f3b03cf259ee06a911c47d1b5b91b5e0af3106f9cf7a740bc51f96

SHA512
4b437f0168963552d07d585135e2c27e73408a9ac32f1dd7aac8463ea36e5dd1894ee602f9214eb93811488dbf692c40c5c85dee424e12c117e8c5ec061c64fe

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
75KB

MD5
aa8578ca2157e71e4feda51fd13ff02c

SHA1
65847fa649204d5144940f6c9521c2089e42d31a

SHA256
b5fcafaa1852ec9aee10e0ba8b8b7b29c3613dba92b01f529e69590b69f38791

SHA512
b79e8428bf983e1528a44259f2098afcf38ca4e2c3daef089d2735f100d11f4d7b841e2b0137bc8ca7579af832dc73d8b61e9b4b1a1a6edecb8e9a7841476816

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
75KB

MD5
15add65742b8c3c968612a8147fa3e9b

SHA1
7b909671486e848db383af13d3edd847f1366455

SHA256
7015a34f5df44c70e30d9f795fd1089e3859438648face480d9e45098eed904b

SHA512
feb65b544f97e31ba263c3d9cb34726beec519599f93675f89de73391ed5353c98f7b9197bd11d14dd6bc4e5fc3abe8f44257b68d31ca547c382e36994eeadb7

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
75KB

MD5
1b9759b82ff8bf6fcaed45be2bd07332

SHA1
97239097c9ab817497fdaf2b16875e67e12af171

SHA256
1f1a3aa7b01e401112c17e4705d0c93bccef4272612f2b7de271b55da7e92870

SHA512
954956031044353fde293a6a627c142b045aa2db1550e8fefb92fac9ebc53d43b534162ea0e8ba816153966702b499c00b61cdb6b5e726a9bb8cc062189a0872

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
75KB

MD5
8a76ebd2a2b781f4d831e8275591496a

SHA1
55c3f2fff34cbeea7159b316f08632d37a061dcb

SHA256
a9e50b69c2c91432f2a419ecb991eefa7b49d308ea8e7d0a7aef1c782cde3c53

SHA512
6cc554adab00c1ae88e49652f229ddb5d5983d534a7c4130d35dea14ad232f6371f9d8ccee85bc0bfa1ce7931b857789fb8f2a3720d5ad600a7152591e523394

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
75KB

MD5
f3505ed9bc48129f613d5077ff416eaa

SHA1
9472cdd90eae8d49c3ac50a277bc969c3b514bf5

SHA256
1eff4aa4fa120a860684f41bc70e2240fb5dcd441c46b9859905c056fadfef0c

SHA512
192936cf5f764d0c414120d907a347cf93fecfaf473b2671c9109a27a4aa4e6e8415c4bd43df4031fe1adfb4331470896d584b78a327f19ec81c8904752d7cb9

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
75KB

MD5
e01007dcfdd9a7f2ffba5fddeb453bfd

SHA1
4034f6535ac0c375bb807e6d71338c343e16cfea

SHA256
c9ff6cbb42f54bf96d716764db374a6af215021c89b4cfd4d1cccac008788ce1

SHA512
9afa94d4c09bf32042cf40e301b9245fdca9b28e827b52bb69bb3cad6190f2f9fdd9828bcff8cb4aeb82dcbdffd04d3f5d92c6ee3c828bec5ffd150a1cce3ee7

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
75KB

MD5
a17e21ed76e301f1acb5186d885e92e1

SHA1
ffe8ef1f24ec186a836761ef42581b1f99bcae41

SHA256
630f743313bd235e914a062b97bbaad9c38d4ced95a2c1fb2dc647b6458be385

SHA512
2a51a913fa2f82c6ff8db5700a4033d8a5e746d4010af0b497acaeec7f2aee05db38787f85f5bab3f3448d3687e602b21611d4123be447e925dc6cf38c86c069

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
75KB

MD5
84318b41fef7a996759218c2a4dcaaa1

SHA1
e6f98d94dc904f5b7a69c907aae5075979432321

SHA256
6155a379ecc7ca22b4e813cdad38f5b3b42895b7cd308c188705165ea6cb684f

SHA512
f927ca122dd1f7bc5247f0bb69d7fb8fc902e051a3609463fc81e94db2fe301bc662123f3baaabef99b79c2a23bc0b2df2f0fa6f9430d9d3c7ba2b9f790b3d95

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
75KB

MD5
3ef915dc6d0952ffa5d6a564f902e19a

SHA1
312f7e3d77c339c596e1bb6fa47e0ce3a9344555

SHA256
5e70026b1cd531c9b4c40fb3e36dec8eccc3f09892691a0ccff13fb8f4f3e9b6

SHA512
18294f4f15bd0ffdf562a540a3ee8389baf6116d7fb49f198e707213c2a5cd5ed64a39457b37b22ef2a733bfaf91487182241864370771e8dab3e62bfd8b34d5

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
75KB

MD5
ef30564565de523dd10a8c6797df32ac

SHA1
a0b96feedf63f634d8149f41f30850445adca5aa

SHA256
06cbc237fa029db6ae0a5d80f063e3a21a453baab9c8523531f2bb02b734f6c4

SHA512
cc8db6da431da2c66d8432b4c2b9ef21a6742ba42b5b206068f2697bf330e31ec83eb0f2da1a726e68e96ed7ff003c1554f3b86873cea3d9a0100da230b406ba

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
75KB

MD5
d1da091a018d9b2356abafe0865473c9

SHA1
56f21f7123e50b820e8318f5cb81adcaaa505408

SHA256
53ed5e9ff92ebcd88c2f2a65af41931164927e0bf0fb7f22a7ac64cc6d17416d

SHA512
a7f9a93e9dd4adce739ea522b6c820ada701b65b7454d664f49707cb787a431fa97b08e2e63df743db5ae523d21ebc6ef54a1bf52534098ee0de81477bb4ed49

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
75KB

MD5
7f4430e436a1b73327402e2a5d51af42

SHA1
e4caa3df1aa32565e4d742bf3a56fe95b23c77e0

SHA256
759606ab57039e8d930467288ca795fc6cadae2cafe4d16d40e72b3c43a79c8c

SHA512
03edebbc75176a45f1dd47baf4c89ff3f9394ef8c30c22a0d6f2f8bbda7e2fd921f620dbc2b37d5141c960a64552d40d5088d9efcd45225c9db9b051d5a195c8

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
75KB

MD5
396ecadbbcb2e250853856ee65dd4a22

SHA1
836df21b244cb1efaae9ea23dad3f2eeeab74568

SHA256
945dc3454af89b9b5fe5d13a53c241fe88846a2d3f652b9e096bf99172189851

SHA512
ec11e26b93339152160b6de0112f9d95ef1b3a72e3c7c64dca839f9f6eae2b9d860b5b1eb03888f3810d42d111450889992381365761958e7214e8961b2eaa40

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
75KB

MD5
3443529269b89df03269e8dbff5feccf

SHA1
f8bfc6f9c35dce931f7bdcf453be7807349dd53d

SHA256
9d8228657e6779d8e085120fd869c63dc26ae18c18ab5445727df9aa4935bfa4

SHA512
ce1a7d3076ecbb6119a2a097fcbb0836d6229224c7df955feaeba8af0c3e32803cb5d3e22c17111a47872c576fd74cdf9a3a660528cdf04164846c8fc58b455e

Download Submit
memory/216-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/216-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/436-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/436-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/752-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/752-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/884-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1576-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1576-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1588-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1588-209-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1864-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1864-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2240-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2280-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2368-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2368-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2524-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2524-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2660-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2876-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2876-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3320-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3852-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3852-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3992-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3992-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4100-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4100-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4440-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4440-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-137-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4688-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4688-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4688-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4860-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4860-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4964-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4964-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5000-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5000-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads