3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
Size

319KB
MD5

3039bd6bcfc7417c1cc29065ed7ab720
SHA1

e90f183137898128d0631c3755cb9adf727c9a50
SHA256

3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405
SHA512

96977aa6643e184d8cb0307c812c750ed3dcddea855395dcccbc817b006df5717b33a49325c346816aa40ee838cf40c405933a604cd1254cce752ec172ada792
SSDEEP

6144:EykXMyMHlp4PlXj4IyqrQ///NR5fLYG3eujPQ///NR5f:ETM57YxxC/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe

Executes dropped EXE 19 IoCs

pid	Process
1628	Mpolqa32.exe
1416	Mcnhmm32.exe
348	Mcpebmkb.exe
2924	Mkgmcjld.exe
2800	Mnfipekh.exe
3816	Maaepd32.exe
2888	Ndbnboqb.exe
4484	Njogjfoj.exe
856	Ncgkcl32.exe
3056	Nkncdifl.exe
4472	Nnmopdep.exe
4724	Nqklmpdd.exe
4040	Ndghmo32.exe
4964	Ngedij32.exe
1364	Nkqpjidj.exe
3844	Njcpee32.exe
4960	Ncldnkae.exe
4832	Nggqoj32.exe
4908	Nkcmohbg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process
1260	4908	WerFault.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1628	2544	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe	82
PID 2544 wrote to memory of 1628	2544	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe	82
PID 2544 wrote to memory of 1628	2544	3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe	82
PID 1628 wrote to memory of 1416	1628	Mpolqa32.exe	83
PID 1628 wrote to memory of 1416	1628	Mpolqa32.exe	83
PID 1628 wrote to memory of 1416	1628	Mpolqa32.exe	83
PID 1416 wrote to memory of 348	1416	Mcnhmm32.exe	84
PID 1416 wrote to memory of 348	1416	Mcnhmm32.exe	84
PID 1416 wrote to memory of 348	1416	Mcnhmm32.exe	84
PID 348 wrote to memory of 2924	348	Mcpebmkb.exe	85
PID 348 wrote to memory of 2924	348	Mcpebmkb.exe	85
PID 348 wrote to memory of 2924	348	Mcpebmkb.exe	85
PID 2924 wrote to memory of 2800	2924	Mkgmcjld.exe	86
PID 2924 wrote to memory of 2800	2924	Mkgmcjld.exe	86
PID 2924 wrote to memory of 2800	2924	Mkgmcjld.exe	86
PID 2800 wrote to memory of 3816	2800	Mnfipekh.exe	87
PID 2800 wrote to memory of 3816	2800	Mnfipekh.exe	87
PID 2800 wrote to memory of 3816	2800	Mnfipekh.exe	87
PID 3816 wrote to memory of 2888	3816	Maaepd32.exe	88
PID 3816 wrote to memory of 2888	3816	Maaepd32.exe	88
PID 3816 wrote to memory of 2888	3816	Maaepd32.exe	88
PID 2888 wrote to memory of 4484	2888	Ndbnboqb.exe	89
PID 2888 wrote to memory of 4484	2888	Ndbnboqb.exe	89
PID 2888 wrote to memory of 4484	2888	Ndbnboqb.exe	89
PID 4484 wrote to memory of 856	4484	Njogjfoj.exe	90
PID 4484 wrote to memory of 856	4484	Njogjfoj.exe	90
PID 4484 wrote to memory of 856	4484	Njogjfoj.exe	90
PID 856 wrote to memory of 3056	856	Ncgkcl32.exe	91
PID 856 wrote to memory of 3056	856	Ncgkcl32.exe	91
PID 856 wrote to memory of 3056	856	Ncgkcl32.exe	91
PID 3056 wrote to memory of 4472	3056	Nkncdifl.exe	92
PID 3056 wrote to memory of 4472	3056	Nkncdifl.exe	92
PID 3056 wrote to memory of 4472	3056	Nkncdifl.exe	92
PID 4472 wrote to memory of 4724	4472	Nnmopdep.exe	93
PID 4472 wrote to memory of 4724	4472	Nnmopdep.exe	93
PID 4472 wrote to memory of 4724	4472	Nnmopdep.exe	93
PID 4724 wrote to memory of 4040	4724	Nqklmpdd.exe	94
PID 4724 wrote to memory of 4040	4724	Nqklmpdd.exe	94
PID 4724 wrote to memory of 4040	4724	Nqklmpdd.exe	94
PID 4040 wrote to memory of 4964	4040	Ndghmo32.exe	95
PID 4040 wrote to memory of 4964	4040	Ndghmo32.exe	95
PID 4040 wrote to memory of 4964	4040	Ndghmo32.exe	95
PID 4964 wrote to memory of 1364	4964	Ngedij32.exe	96
PID 4964 wrote to memory of 1364	4964	Ngedij32.exe	96
PID 4964 wrote to memory of 1364	4964	Ngedij32.exe	96
PID 1364 wrote to memory of 3844	1364	Nkqpjidj.exe	97
PID 1364 wrote to memory of 3844	1364	Nkqpjidj.exe	97
PID 1364 wrote to memory of 3844	1364	Nkqpjidj.exe	97
PID 3844 wrote to memory of 4960	3844	Njcpee32.exe	98
PID 3844 wrote to memory of 4960	3844	Njcpee32.exe	98
PID 3844 wrote to memory of 4960	3844	Njcpee32.exe	98
PID 4960 wrote to memory of 4832	4960	Ncldnkae.exe	99
PID 4960 wrote to memory of 4832	4960	Ncldnkae.exe	99
PID 4960 wrote to memory of 4832	4960	Ncldnkae.exe	99
PID 4832 wrote to memory of 4908	4832	Nggqoj32.exe	100
PID 4832 wrote to memory of 4908	4832	Nggqoj32.exe	100
PID 4832 wrote to memory of 4908	4832	Nggqoj32.exe	100

C:\Users\Admin\AppData\Local\Temp\3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3caae260e9c23f72cad9e49ef23ac2d3c3949d87a6e6467ba5ce7876b7e17405_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\Mpolqa32.exe
  C:\Windows\system32\Mpolqa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\Mcnhmm32.exe
    C:\Windows\system32\Mcnhmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\Mcpebmkb.exe
      C:\Windows\system32\Mcpebmkb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        20⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 400
        21⤵
        Program crash
        
        PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908
1⤵
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
319KB

MD5
f1c74ec0f54c49ee7dcd20e613f556b0

SHA1
e4680af3f3e4374c4cdf2335344e6e6d27ee31c1

SHA256
ba2520333d77075d37f74a667946347b670dd70e1a35a3a72960e0bf939e53c3

SHA512
f15c98ef0c97f7c272bf293f1c99361d0cddeaad9710273d0729a3f5edf764d965131ca4194a339627ef549168cd6875d1b78ce058e19a1b6b5cb722fed3facc

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
319KB

MD5
88ef3dbf42b428f1ce4aa6c1b4ed8ac2

SHA1
9d188e103d3295434a417730107ce2ffd61585db

SHA256
2af0d80e18d422ae10f6cc00f354ff3759637f126334ac9312ec4013c0fc4d66

SHA512
ffa4525de8ef8c5eeab750a56f59ae59c3c5fcf5fb9bf47c09827165604fb0e1276d2b0ddb88202ac54061da8ae3b57fb792174a9a15c490919840685764bbab

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
319KB

MD5
3627d9444bdc9ba54ff3d0a4ddf3c953

SHA1
8a8b753df88138380f9bb63ad1f2a838bf134da1

SHA256
6296b73209f9278909d6513a5e1f960b07239da660ed97b9d2408b50fd6ea3a6

SHA512
76c69e04f4741e3fb7c03824a6d2b42b2be925c1326e05cb269472e71dfffad70b32acf3833b782aaf5e24bfcc8e0fa5c012ef2d23fee375a85912d3e5c26aa2

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
319KB

MD5
76bfcf1b15c0e13879d1c371c8a8ab44

SHA1
f4470373b6617e3f41d912941f51f8b6aeb49211

SHA256
0f3defc3be3836c4903867f7b760262e39d8ec0f201109d9446ae5545f345a32

SHA512
f6925c66688284cd999a9de116f5a50ecf56292e5b8a9e0616aefdcd16e08ecb52d68fc1d93406857ee31d735fe856c499440cda4cf59b2a569a8efdda754384

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
319KB

MD5
dd5eb70e26b373d04e2de52ba7ad6084

SHA1
2fbd16d70dc722a1726427e8f5af49f494a7a3db

SHA256
ac4b6e72095d21d8ecaf5cce35da143f1140b1e69b844d24ed1ee14632b95d16

SHA512
69a6ce1c4a0c70d438030ee040e3949e7d1961047a062f73b25640b61fa3d1ca3230bd89b7acfa174cb7bdfea27f1f47956c2e577f6657c0d2064eda2b9b9e05

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
319KB

MD5
42f7e1564cda11b33431b2591c13864b

SHA1
5da73186b8bda97f5b0d6dd0b0341085c1627271

SHA256
48a2d93d1c221f0d48bee93b2efc56951476361fa9aa15b71dc57473854a3b90

SHA512
60cd968f8e189dee4b148139b32d4e0dfd1483f855dea16f53e807618212ebe53169b31365e35d3705cfae941f5912c924a3d22377a9ef7d6093d91f95b816de

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
319KB

MD5
086ae322283fc0e16664dee53d8cf0bd

SHA1
ecee44faf2377752499fbf9d2c8bc3ce6e303d85

SHA256
ae67aa9500ed480e53c664db35f8511e61744891d1fd85bc0b3353242df75ffd

SHA512
dcf00ae97db7fef271f5922c89825b70628079e329394ef74d05cfafd073458ca79f0f3b896a4117a5815d7e38463b62ef7cfbe9eaa037634995727a90d490c1

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
319KB

MD5
3cac8468980f1c9293c18a5c7ec73e65

SHA1
74f9cf40f543fc35e7c615c84f84fa3fb37dc016

SHA256
78cbf2e63183ce047be873b08dd98875051b853f90d766823e834180161ac608

SHA512
3015aa05c5a06588017d7e7196ba6c951e59097e9c142f1a27469d5efe8abdd91736c1bb59594b29f2d614ce6df5144a01e8f23ced58005ec9e799e835769abd

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
319KB

MD5
ebd432d353c76a5383b69e5f77e2c930

SHA1
6a26368df9fdbfe831f3382942a73c33033327fa

SHA256
515325808c9ec3676def91476e888891ce1e7bc9587e3b7ba481dfb6dc4f0670

SHA512
1c31fa22c6234154c25dc80ffbcf8211e528d54548684312391c3d6a14a60c248969f27224e0f874a47b92afcce2af233b54c51680d84a2314e15cf825addf11

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
319KB

MD5
e209b4cb36f990dc0ac64561202a1b47

SHA1
ac06ff1bcc758bdcf54e49f602666ad5c5c9d4b5

SHA256
595a604dc072ad48a9f902033d8a1e2b138746c7873509194c979616f7cea0b8

SHA512
59e1855f08bb6aea54f7b3b82caf2c4d630a9cc54c0b5a37e89d2d3ef631b68a7e8799e0ecfd0d65ab01d85af03e2f3441a2d27dfb9b7d2a72edc9e1c60c783b

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
319KB

MD5
495cd749332e590d2e9a8857a325d464

SHA1
de24a65ba0d3e1330a0e09a9f0b2ced6f7d3342c

SHA256
aa86c7d51a7405e736d1104eb6fb5bf1f1be5398a91c87519b90a5c5255f2ecc

SHA512
2630b04c03dc48a5fb5d81f5404bd6f3456153613d5e3bb0df6f34ddaa8f5bb4419b8ec050eaffb0678efc6d66eec454715c09d78ffb841270070146c1ce055e

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
319KB

MD5
c350745a1f4483ff3cfd8ffc1c934973

SHA1
ed931fcd75f57dae29be44da05073d67e2ce2d9f

SHA256
eb1eaacfb4324c694c3111b5142ab30cc551022c5d89c2a705b04203c1ec322d

SHA512
1cb300e310aa8dcf7415fc1804af25bcfc1e7a6c1aab2735bec0de1c682e1aa924274c2e33ccea073e385db4292149fe1d726c2f1194b3af9ca36efda40115cb

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
319KB

MD5
068f8a5e5fbeb0ae3d127ab4ac6c47e3

SHA1
cbc185948c76fbf5f10687156ae292c4bac525f3

SHA256
fe7d85dc3e7a69807900e00ebf9b3c9cd3393b28da14ca12af575f9bb05160d0

SHA512
415164965643cd1697deb235d28c0dfa610e9b7a62ba5597cd046791585668e562305f7ab2f35f8a788b7bf657eb2e43b5d99e9d8f9762cf88e2922b0e052b0d

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
319KB

MD5
ebfc5c89118067e4e149128def18d298

SHA1
9b86e1cd7818ea8e54a6c9b90e1ee227432640d9

SHA256
e11047d1a50a357210c5cf832ade500dc3acc5583f6103ded2468241a53597cd

SHA512
5cd45d06d7cc120add229d5cf625b48768b59b14620935c8e504f4175a306d60a65b44f1141928ec8fe5e0e5eef1b255932eb02e2d6041b49faf04faf4abef9a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
319KB

MD5
fb6593500ab6d5e29887c255611aab33

SHA1
c1b44bf740441e16d6a6e713059be8a17962ef51

SHA256
fc342263b9809507f4dd01a08966c74a6b8ddad7ab8a9df9176f8512254ad3f0

SHA512
25c13939e20170f13258d757f4fd971831175871fc892c02d745b0220efb9cb9cd80f4f0bd2d5767dac908225b9ee0d45bf407c281c13429b80780496014053d

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
319KB

MD5
7a34797480ed1ed438b0539ae50ecf9e

SHA1
d720bee46b502adb98946c74b93769f4bc6269d2

SHA256
84db13af798324621b3196e0441fadf35daaf5f49070b2177b6b350c8be0b0ab

SHA512
2d4cb0516c775e6eeea2b850fa4b8bc6a614a607719952f0374bf00f99679984dab8b663775c4cd6bb5c8a9f4761d948458d0d3da70c872dc12ff3117725d723

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
319KB

MD5
2209ef08d711e94520094165b6af49b1

SHA1
69a85e5c92b406812b72084ec4c8eca9f1a25258

SHA256
be6d5f200b1fee64b79157bc1e34184941c4f0965dea87f72b458f3b4165e873

SHA512
816683fd90c424040c30b24eb0668d32abad246da732dc60b1295a91b313dcaac89cb6ace406ce1aff6051a9b7fc66f11e6a405b33d451547ac514ec62f55a46

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
319KB

MD5
3f62eee7bc2a35d92e5f25871b8880e2

SHA1
424337a9df034300905461fdc318a150abcd723f

SHA256
5c2936699ce59b060a3ecd015cf2a5be4cc413df88516e1702a06b8fe9d1f86f

SHA512
a8833601b9614d27565d051cc676104c9e0c4b888c049df7cd9fd9c26b2d08116a4eda2ec314f044cd3b1a5f8dcc3f684e3315c66e26d4e9b70b19230ad005f1

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
319KB

MD5
1f717556a3b2ce4aec7cacf09d2c1812

SHA1
d59fa4bb4a52b136c644fb569296facecb9c9aec

SHA256
350996100459c9b2c58741b214282e4302d39c5b9b777f11feedadfbadbe3237

SHA512
929727d46d865413d608ff2e224a58274adaf20b8f73397feee6a85d28f7d0bfccb527458dfd7f2d6ba3198b520b07c515a059c14390cf4af3e196b36a36ee31

Download Submit
memory/348-31-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/348-186-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/856-193-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/856-77-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1364-164-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1364-149-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1416-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1416-188-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1628-190-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1628-15-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2544-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2544-6-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2544-192-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2800-45-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2800-182-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2888-178-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2888-57-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2924-184-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2924-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3056-92-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3056-173-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3816-180-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3816-49-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3844-161-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3844-150-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4040-105-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4040-167-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4472-93-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4472-171-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4484-64-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4484-176-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4724-169-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4724-104-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4832-158-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4832-152-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4908-155-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4908-153-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4960-151-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4960-160-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4964-165-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4964-148-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads