38aeb164bd6eb8618ddc96ccb9c6baa071c79a19afd68a735045d92474336956

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
Size

194KB
MD5

db5901cbcb6f599f43e7ad7856fd6130
SHA1

076b573f5b867b6d320c0c99b638630443782270
SHA256

38aeb164bd6eb8618ddc96ccb9c6baa071c79a19afd68a735045d92474336956
SHA512

70fd37dd343eea0454c44fcf2316d7ca263a0df255702372327436649c4744960d2cb26eb852804b40f39558dc88f1f6db2d536dabc51cb49c326e980c680ff0
SSDEEP

3072:uJeebpcNcuQhtmMIM/kEmMIGumMIc/1GV:uJkCt5/pbuh/UV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe

Executes dropped EXE 19 IoCs

pid	Process
2320	Mjcgohig.exe
3452	Mpmokb32.exe
2212	Mkbchk32.exe
1236	Mcnhmm32.exe
60	Mncmjfmk.exe
932	Mpaifalo.exe
1648	Mcpebmkb.exe
3624	Mjjmog32.exe
4580	Mdpalp32.exe
876	Njljefql.exe
3880	Nnhfee32.exe
1532	Nqfbaq32.exe
5044	Nceonl32.exe
5016	Nddkgonp.exe
4032	Nnmopdep.exe
2184	Nqklmpdd.exe
3152	Njcpee32.exe
116	Nqmhbpba.exe
3760	Nkcmohbg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2992	3760	WerFault.exe	100

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 2320	900	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe	79
PID 900 wrote to memory of 2320	900	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe	79
PID 900 wrote to memory of 2320	900	db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe	79
PID 2320 wrote to memory of 3452	2320	Mjcgohig.exe	80
PID 2320 wrote to memory of 3452	2320	Mjcgohig.exe	80
PID 2320 wrote to memory of 3452	2320	Mjcgohig.exe	80
PID 3452 wrote to memory of 2212	3452	Mpmokb32.exe	81
PID 3452 wrote to memory of 2212	3452	Mpmokb32.exe	81
PID 3452 wrote to memory of 2212	3452	Mpmokb32.exe	81
PID 2212 wrote to memory of 1236	2212	Mkbchk32.exe	83
PID 2212 wrote to memory of 1236	2212	Mkbchk32.exe	83
PID 2212 wrote to memory of 1236	2212	Mkbchk32.exe	83
PID 1236 wrote to memory of 60	1236	Mcnhmm32.exe	85
PID 1236 wrote to memory of 60	1236	Mcnhmm32.exe	85
PID 1236 wrote to memory of 60	1236	Mcnhmm32.exe	85
PID 60 wrote to memory of 932	60	Mncmjfmk.exe	86
PID 60 wrote to memory of 932	60	Mncmjfmk.exe	86
PID 60 wrote to memory of 932	60	Mncmjfmk.exe	86
PID 932 wrote to memory of 1648	932	Mpaifalo.exe	87
PID 932 wrote to memory of 1648	932	Mpaifalo.exe	87
PID 932 wrote to memory of 1648	932	Mpaifalo.exe	87
PID 1648 wrote to memory of 3624	1648	Mcpebmkb.exe	88
PID 1648 wrote to memory of 3624	1648	Mcpebmkb.exe	88
PID 1648 wrote to memory of 3624	1648	Mcpebmkb.exe	88
PID 3624 wrote to memory of 4580	3624	Mjjmog32.exe	89
PID 3624 wrote to memory of 4580	3624	Mjjmog32.exe	89
PID 3624 wrote to memory of 4580	3624	Mjjmog32.exe	89
PID 4580 wrote to memory of 876	4580	Mdpalp32.exe	91
PID 4580 wrote to memory of 876	4580	Mdpalp32.exe	91
PID 4580 wrote to memory of 876	4580	Mdpalp32.exe	91
PID 876 wrote to memory of 3880	876	Njljefql.exe	92
PID 876 wrote to memory of 3880	876	Njljefql.exe	92
PID 876 wrote to memory of 3880	876	Njljefql.exe	92
PID 3880 wrote to memory of 1532	3880	Nnhfee32.exe	93
PID 3880 wrote to memory of 1532	3880	Nnhfee32.exe	93
PID 3880 wrote to memory of 1532	3880	Nnhfee32.exe	93
PID 1532 wrote to memory of 5044	1532	Nqfbaq32.exe	94
PID 1532 wrote to memory of 5044	1532	Nqfbaq32.exe	94
PID 1532 wrote to memory of 5044	1532	Nqfbaq32.exe	94
PID 5044 wrote to memory of 5016	5044	Nceonl32.exe	95
PID 5044 wrote to memory of 5016	5044	Nceonl32.exe	95
PID 5044 wrote to memory of 5016	5044	Nceonl32.exe	95
PID 5016 wrote to memory of 4032	5016	Nddkgonp.exe	96
PID 5016 wrote to memory of 4032	5016	Nddkgonp.exe	96
PID 5016 wrote to memory of 4032	5016	Nddkgonp.exe	96
PID 4032 wrote to memory of 2184	4032	Nnmopdep.exe	97
PID 4032 wrote to memory of 2184	4032	Nnmopdep.exe	97
PID 4032 wrote to memory of 2184	4032	Nnmopdep.exe	97
PID 2184 wrote to memory of 3152	2184	Nqklmpdd.exe	98
PID 2184 wrote to memory of 3152	2184	Nqklmpdd.exe	98
PID 2184 wrote to memory of 3152	2184	Nqklmpdd.exe	98
PID 3152 wrote to memory of 116	3152	Njcpee32.exe	99
PID 3152 wrote to memory of 116	3152	Njcpee32.exe	99
PID 3152 wrote to memory of 116	3152	Njcpee32.exe	99
PID 116 wrote to memory of 3760	116	Nqmhbpba.exe	100
PID 116 wrote to memory of 3760	116	Nqmhbpba.exe	100
PID 116 wrote to memory of 3760	116	Nqmhbpba.exe	100

C:\Users\Admin\AppData\Local\Temp\db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\db5901cbcb6f599f43e7ad7856fd6130_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\Mjcgohig.exe
  C:\Windows\system32\Mjcgohig.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\Mpmokb32.exe
    C:\Windows\system32\Mpmokb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\SysWOW64\Mkbchk32.exe
      C:\Windows\system32\Mkbchk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        20⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 400
        21⤵
        Program crash
        
        PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3760 -ip 3760
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
194KB

MD5
2fd7768816edc8059fea1390c7aa9c45

SHA1
d71589b839e1f0fc1ca303d5afeffeffd4ee9eb4

SHA256
5fcc301e08f9ed2b1787bb12df2059a07ff21065518828e8336092c1716bd999

SHA512
0137ad7efcb124f721d3ae8a22cad09f3ea86ea76daf30d08df6161e03c6c1396572716b219dbb20e217b12d5d4602aeb4cd935b1c482863f7534dd979edb1ea

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
194KB

MD5
fe093f85556e807ca62aa343c70b5922

SHA1
047d7f11bb3e465960948ac9e370f361b395bb98

SHA256
08aa82ec0ca6fd92745d206393c1bfca0038ca759c4fcbaaa460e4940d3b6d99

SHA512
ff77c77ca131c4feae987be8dafd4211da9404d6e6e77c33b52c7bc0d7eabd309cd756e8edf2d00b4dbadb4cc5012b382dd89aeb475c0a1ce0e691ba21073ccf

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
194KB

MD5
6338ba72e6f76bcef112d081b47a338a

SHA1
2f388deed9cbdcb93818130ef19c52b517d584d0

SHA256
5facf2ce8c4cf617b1df0f751aa6b2c3baca9868df7090021516bffa4fbb0d31

SHA512
2e706bb383c6969d7eb5d2280a5cddf8ab7b456a27fc8528f770102adb453a4c6f82210b08952aff68ed20a266172f000305a141bf76d2fcb9daa26504960dc5

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
194KB

MD5
84d45e8d8a7293d5daeb95d0b4a0380a

SHA1
59d967d4b4d57f760e31187d8509aa16f1962fb6

SHA256
3957858b5e8c024ce3ec9454a9c62fc404fb917de29ea25184030385c4e1139f

SHA512
8e09262d7229abb182c5a36d8c2c6e1c900284cbc1a0a64fe1e7391061c0836609663955b5e5e2f46503471a9670f73da6f91b7765cb4f0e114f6e0373f56230

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
194KB

MD5
c3e30b2db572b067ecf03ad9a6cdd261

SHA1
67be18a321701cbfeb431dc9dcb9c7729109e80e

SHA256
9a42cbb6c1f676a77da4e36ec7f7f24435b6c0e988000656b82f544bfd6bb086

SHA512
3647990e5eb5ed2f95be4b0ff678d93bbf0a1e479ba1a377ce51defc337b13bb1f476eaa40c7b74494c6a4de2f90f0fd306bb7c36935a1f4209956bbadb6a7cd

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
194KB

MD5
4283199f138686f5789d2402eb2bbf61

SHA1
08569372d075b9c01103f1b5cc0da9e0613312d2

SHA256
327f2f65871affe9a9e1e86e5373bfb1c4d2ba80c505c18a691c5cf42a33f3cf

SHA512
0207c612e288c511ef1e202d6d2e2321fade8f95e0a9a0f5d614b34a2c888e15ed46f16a3166fd8737695e629cef7ea74e51c6947f5b887dc18e0044551e9625

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
194KB

MD5
eedf42ebea40c0d56bc1df792e3e6e0a

SHA1
12bda599836d834410c3dc71c1514f5ec10c9299

SHA256
b1322b5ab2a58d962fd8e51c90ac4b2e57e69ce32be45810f12c50c9125def64

SHA512
1e3e9dc3a64d448d42801cce344e41f21b59d8c90c3090890f788b1291e396117934107a54d45e9a68f642b75b86bf673c36358080ed8bdd4994e7f3e73563da

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
194KB

MD5
f7c0d868d3ed863c9fbbf9675e837ab5

SHA1
26833b4508a6b1a41f327c1d1452c3abc65e82d3

SHA256
4a68c4e9f97b8983c91289278a49655b949be6c772d25ee93799f0b098b50a2d

SHA512
7d85231da8bbc685d7135f2b28c60cd3bfbde6cdbe3359db90d7e50c4ced6b7ae76928f3974411d029a6acc7a8d6d16c94181119f747f33232c366aa9ef57516

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
194KB

MD5
149cecf2ec3ca6f7d2b763ac31dc771a

SHA1
621eb4ad66a2b316cb664e409c53af5b40e450f6

SHA256
055ec12c9f166363f71ce8224f9184857af3d41eba4fa00e41e771f6af984f73

SHA512
8c6c66d97f78041b4523c5361a999900194a88ff588561330e7b99f3de1d7499be2f2a8a2c285b00bbbc2c03011bdd89f959e1ff492cb9444e7f0ba9eca612dc

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
194KB

MD5
0b9b347d12a0fcf2d938fdcfccc10d04

SHA1
373bcb2cb5081d09ed9e74bb1476445bac18847f

SHA256
900c212f844ed6ae69744a61a0fbf24d65ce3fc35847010df93856b2b329978a

SHA512
68fbd8e0d3010efc8646be5ee09e7ef53cf06b4d9dfcfa17c63189bcad31427c6a7711c9521c9a3d8621a14a303902df1cda95983ad3a4b668b429822e297c81

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
194KB

MD5
23ad70af1c4b9618983b6173f92ec813

SHA1
23dbcf424138a5d3797b80d6a597ab9796cbc28d

SHA256
ceda4940de06ad56c392e28a8f15d878716fd0ac8f84471b029f6a5ee5134eca

SHA512
a63fd35a6c6008e9be29852df24647d2659736af1720b8d6de4597494927a5197c1e9b2336e59922e251699e90ebeddd0769be26641f6809cfe37da07dad4dcb

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
194KB

MD5
e3786df865fdf9126361da2521b72945

SHA1
090f676ad5c24f9c2999df060f71a170a85eb4fb

SHA256
a9a47fac69c578a6e3aee0850dabc77ce012a0c77b54f308f139ae2104374d8d

SHA512
11b4d1537fab0c649a211f416602b8801af942e74396dbb370067bd8f9cfdaf2c01eb78e7e9ebdd5bef6b475085f42f522bfa053b0f5afdae043814e62f481cc

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
194KB

MD5
4edfff79d5ac73a4600d3c6915e01a33

SHA1
31a0ac740d4ab02eb72ad9d8bb2f78ee977b7fb1

SHA256
8c682b1adc2777d727e1bad3423c1f1f6e235f80b23a7549c118f636bb0c48bc

SHA512
0ecce2a2a257d2b7d1590310b94850d3a58e34f172115dbaf886ff4fc3c84af4631184d6ce9da0870982e58a43bbaa9b5084549457c51c67581432f1ed1b2a04

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
194KB

MD5
87cb64bbf58ba470e34fa02fb498b6e8

SHA1
252d8cc42435aa184bcaacf173cd72e39ae2d7a2

SHA256
db313b0653741388ce5abc076fad4218b44b8489768868fb7dd2bb0dbeaa8fdc

SHA512
c53a8fa241b4c0301f8949bdccb6146672f57a521b8c7ccd64a1bc736f19e9a2865b3c89c78c7bd80d238e0018964aaa43f6cafc1d9efe07851e814221a55c8c

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
194KB

MD5
4411b7e4e9707f3acebdc37abfe18fcd

SHA1
a866d01ed422a0b4d189a69228566641e6ebbe21

SHA256
20cc52e7ef46b474829143687c75aebe84b66b2edf23b068a836cda50d0a8fd3

SHA512
d6f605b983cbf8270c46b7c2173824e200c16ce8e53b7914b4e64b3fad875a2e7e42887a5421ac7b96c1a0a90dd768db633c5c791ee8279f5b2665e02912d876

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
194KB

MD5
9f0b65d5b5cf50f9c4ca441fe7a1233b

SHA1
f65e46608a41a0ea49c92f308ba71841205109c7

SHA256
c3d893b6cb33b9be586b5bf2819e0e811658e9f487167640c6f56a2e62a117b3

SHA512
394452ddaee9719cb57a3c48ebff1a698ba9801d5c6c8a6046175641a3aa7d6b16f35e451a4aa43fd31663502fbf425003641c55d53e7f549cd4d7d0887b1f23

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
194KB

MD5
cd3dc1426d69d34998b0f233782517ed

SHA1
1fdf69b96e9e9967bdd57ad76dfc42a6a522038f

SHA256
095782bfdb86597b276d64ea3a748053527ebf7086ba4643b344a6d6c43657cf

SHA512
18668089c022385e2181751040d0c7493b05576a862b2de0b05758a5b400718b313085a3b082ff74a4e77e45a1f8c6d1279e552d9e68265d567120fda6b37847

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
194KB

MD5
536822a2f499e4912c73811b33f0ed8d

SHA1
0a1a2d436526a809dcf13b9f071d9ecf1f0025b4

SHA256
c3fb4e37fdb90734ac47ef9aabc21f721d05750968523141abdef4c45da1f054

SHA512
b3d63087c08ab9881c7e5a874a287fe269090671dc1440b5947ada255955dda0346706f778aa9817b06069140cb44937b826500fa59a46bd7f4972380bc20d8f

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
194KB

MD5
53efb0bfc2b54a2c2f36777e6c5baaa4

SHA1
b2326331e13ea68933bf40d1e0681834a79affa6

SHA256
80317b9f0ce22074c4106ad4b4412dfa163e94f37966baf74d8e40a812c5c14b

SHA512
16868df89f3690e7fcb3caa69927e4fcd19e76898856f3bd1fb5604fcca0ab0fa18956e6e21a3f780fccb99fc8a419f9ef1b08121d44995eb48249917786bd01

Download Submit
memory/60-180-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/60-44-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/116-154-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/116-141-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/876-84-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/876-170-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/900-190-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/900-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/932-178-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1236-182-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1236-31-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1532-95-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1532-168-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1648-59-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1648-176-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2184-125-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2184-158-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2212-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2212-184-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2320-188-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2320-8-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3152-156-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3152-138-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3452-186-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3452-16-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3624-62-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3624-174-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3760-150-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3760-152-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3880-91-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3880-167-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4032-160-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4580-172-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4580-70-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5016-162-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5016-111-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5044-164-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5044-102-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads