0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c

Analysis

max time kernel
149s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
Size

128KB
MD5

df651e3a2e9ed3382d1cdd09f36c67a0
SHA1

75a93eea1691389af14a9737c1563c2f2098361d
SHA256

0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c
SHA512

8aae9d6971720739f71ad7edb992248a9526b5c85118543c9e94bc9a20bbc13a2feeaf0ebf442a2c1690f9417ceaa751880f2d7543648348fb25299f395d59c7
SSDEEP

3072:705BRcuDgSdr77tRI7DZ4fWeDZ5wkpHxG:7FQcWft4CA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe

Executes dropped EXE 20 IoCs

pid	Process
940	Mpolqa32.exe
3568	Mgidml32.exe
3660	Mpaifalo.exe
4744	Mcpebmkb.exe
964	Mjjmog32.exe
212	Mpdelajl.exe
1560	Mdpalp32.exe
4204	Nkjjij32.exe
2180	Nacbfdao.exe
864	Ndbnboqb.exe
4112	Nklfoi32.exe
1544	Nafokcol.exe
2888	Nddkgonp.exe
2884	Nkncdifl.exe
2844	Nnmopdep.exe
5060	Ndghmo32.exe
3564	Nkqpjidj.exe
2720	Njcpee32.exe
3380	Ndidbn32.exe
4632	Nkcmohbg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1872	4632	WerFault.exe	99

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 940	4116	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe	80
PID 4116 wrote to memory of 940	4116	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe	80
PID 4116 wrote to memory of 940	4116	0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe	80
PID 940 wrote to memory of 3568	940	Mpolqa32.exe	81
PID 940 wrote to memory of 3568	940	Mpolqa32.exe	81
PID 940 wrote to memory of 3568	940	Mpolqa32.exe	81
PID 3568 wrote to memory of 3660	3568	Mgidml32.exe	82
PID 3568 wrote to memory of 3660	3568	Mgidml32.exe	82
PID 3568 wrote to memory of 3660	3568	Mgidml32.exe	82
PID 3660 wrote to memory of 4744	3660	Mpaifalo.exe	83
PID 3660 wrote to memory of 4744	3660	Mpaifalo.exe	83
PID 3660 wrote to memory of 4744	3660	Mpaifalo.exe	83
PID 4744 wrote to memory of 964	4744	Mcpebmkb.exe	84
PID 4744 wrote to memory of 964	4744	Mcpebmkb.exe	84
PID 4744 wrote to memory of 964	4744	Mcpebmkb.exe	84
PID 964 wrote to memory of 212	964	Mjjmog32.exe	85
PID 964 wrote to memory of 212	964	Mjjmog32.exe	85
PID 964 wrote to memory of 212	964	Mjjmog32.exe	85
PID 212 wrote to memory of 1560	212	Mpdelajl.exe	86
PID 212 wrote to memory of 1560	212	Mpdelajl.exe	86
PID 212 wrote to memory of 1560	212	Mpdelajl.exe	86
PID 1560 wrote to memory of 4204	1560	Mdpalp32.exe	87
PID 1560 wrote to memory of 4204	1560	Mdpalp32.exe	87
PID 1560 wrote to memory of 4204	1560	Mdpalp32.exe	87
PID 4204 wrote to memory of 2180	4204	Nkjjij32.exe	88
PID 4204 wrote to memory of 2180	4204	Nkjjij32.exe	88
PID 4204 wrote to memory of 2180	4204	Nkjjij32.exe	88
PID 2180 wrote to memory of 864	2180	Nacbfdao.exe	89
PID 2180 wrote to memory of 864	2180	Nacbfdao.exe	89
PID 2180 wrote to memory of 864	2180	Nacbfdao.exe	89
PID 864 wrote to memory of 4112	864	Ndbnboqb.exe	90
PID 864 wrote to memory of 4112	864	Ndbnboqb.exe	90
PID 864 wrote to memory of 4112	864	Ndbnboqb.exe	90
PID 4112 wrote to memory of 1544	4112	Nklfoi32.exe	91
PID 4112 wrote to memory of 1544	4112	Nklfoi32.exe	91
PID 4112 wrote to memory of 1544	4112	Nklfoi32.exe	91
PID 1544 wrote to memory of 2888	1544	Nafokcol.exe	92
PID 1544 wrote to memory of 2888	1544	Nafokcol.exe	92
PID 1544 wrote to memory of 2888	1544	Nafokcol.exe	92
PID 2888 wrote to memory of 2884	2888	Nddkgonp.exe	93
PID 2888 wrote to memory of 2884	2888	Nddkgonp.exe	93
PID 2888 wrote to memory of 2884	2888	Nddkgonp.exe	93
PID 2884 wrote to memory of 2844	2884	Nkncdifl.exe	94
PID 2884 wrote to memory of 2844	2884	Nkncdifl.exe	94
PID 2884 wrote to memory of 2844	2884	Nkncdifl.exe	94
PID 2844 wrote to memory of 5060	2844	Nnmopdep.exe	95
PID 2844 wrote to memory of 5060	2844	Nnmopdep.exe	95
PID 2844 wrote to memory of 5060	2844	Nnmopdep.exe	95
PID 5060 wrote to memory of 3564	5060	Ndghmo32.exe	96
PID 5060 wrote to memory of 3564	5060	Ndghmo32.exe	96
PID 5060 wrote to memory of 3564	5060	Ndghmo32.exe	96
PID 3564 wrote to memory of 2720	3564	Nkqpjidj.exe	97
PID 3564 wrote to memory of 2720	3564	Nkqpjidj.exe	97
PID 3564 wrote to memory of 2720	3564	Nkqpjidj.exe	97
PID 2720 wrote to memory of 3380	2720	Njcpee32.exe	98
PID 2720 wrote to memory of 3380	2720	Njcpee32.exe	98
PID 2720 wrote to memory of 3380	2720	Njcpee32.exe	98
PID 3380 wrote to memory of 4632	3380	Ndidbn32.exe	99
PID 3380 wrote to memory of 4632	3380	Ndidbn32.exe	99
PID 3380 wrote to memory of 4632	3380	Ndidbn32.exe	99

C:\Users\Admin\AppData\Local\Temp\0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0688932cbc34d269003d91e448a96ee9fb02df826055137eece9115b83d0192c_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\Mpolqa32.exe
  C:\Windows\system32\Mpolqa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\Mgidml32.exe
    C:\Windows\system32\Mgidml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\SysWOW64\Mpaifalo.exe
      C:\Windows\system32\Mpaifalo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        21⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 420
        22⤵
        Program crash
        
        PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4632 -ip 4632
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Geegicjl.dll

Filesize
7KB

MD5
e678101f5d2010fb2edc005a1600cdd7

SHA1
740c8b355c5705d6c49bf648ed7456aceeaa303b

SHA256
42dbcaee32913f14063031fab3f4afadd74ac279a2e7ea79a06793a16b8504a9

SHA512
c069be0ce46f20dfb2b5b512b456ca420d14055f68d01cb5edda4e362b516c3974afa39998116a14a67a19e4699703baa828c3a2d568fa2352a2337097abec3f

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
128KB

MD5
b2eb0a29151618ad7ebe097209646daa

SHA1
5275dbf432e2097c5a578d692666d2fe382039b5

SHA256
8eef63559624c416c6a647a827b529de5f13ee0ba0f0a07567d58ff95c852e44

SHA512
6cf96f97424380b5100ac9362a7623fd702029530b3a7937e4d3e13032c75c2b496d90eef7f5df0e6d8f66cb973282001cf283322d381081754156c259cba53f

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
128KB

MD5
fa226ca1eee50bb7c42f383eb0bc37fc

SHA1
d7bea8d95a6bac354b2646fc36ad47b248391389

SHA256
c2ff1fc12863468c2cfa07367e4de89d0ff6aba91430c993a469adcca3ea4115

SHA512
b65655f55bbc74ab00ad721e27359e59273b6b1591d21913414ce88d3192dec789c08a3db8cd4e8a111fd9b6284e937315d9a5f10482262472ea89f4ad264713

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
128KB

MD5
e2d9250e4adc43df599f053ec96baad3

SHA1
c02e790b40c96f0c75c8a9656b2511dc6330d37f

SHA256
954b3723e964f3aca805972473fe53f50927fecae449aad03df743ea7a507756

SHA512
2ccecc8a7b4bcf07c97adc8277e0e83d957b1571a5d020997316a3cb4fc06c40f3f11db652101c53a2c83b7a61ce6d14c1500e427c81afcb64ee8a2d0d89cba1

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
128KB

MD5
4d8669e062253881ee40e4a7639b1df1

SHA1
1c3ccb8f3c763c22583c1165c8617ed3369e1bcb

SHA256
34a65f8648b1c0d06e600021b2c6b79c4edad7895e887b0dce5de277b8859679

SHA512
1cefb902d86e897d5914c6c0e4ae2122ceaff9e0ad5eb8d00db67eb781fb42d260c15ab5c41cc6e3a4301fc11bd5b0dbc529c634c6fcd65e73a6d2e1c7f2874c

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
128KB

MD5
abe5fa1166748a4d0c347ee7b1d9ce00

SHA1
f9bf4dc1f10ca9f407a4acda367dabc0ddbe274f

SHA256
1b5b92689c398963bee3cfd4255abbf9813a9157e4678b5955e2dfb84b6256ef

SHA512
73f9999e360586fa5fc50bbb67964408fdd9f3fce197e477dc35d43d22498a2e07dfa4a1c4f3ec686b36cf5370d18adcebaab4b5fc0cd0f737e179cc439f31c6

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
128KB

MD5
42b17984e0dd149d2ab90770f57b4542

SHA1
7a1a8831cf74c2c086ff556efb640880eaf35430

SHA256
c9c6068db3a30304f260bc946218588fb9c9423e207b4e1852e8bcc226767ecc

SHA512
67bead29a909461d6d54f032a514f35e4cdc3bcdae95cc21620aee0978e2b4055bef71d053ea86b536814c37fa0dc2662eed6b246a31a542c5ee981a10c5eb76

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
128KB

MD5
927374375885189dcd3d45b11f3da182

SHA1
7500ff396c175c0b18ea77bfd6cb13b80e009d9a

SHA256
6f1f4d64db51993cd6ee6b8c4c6aa70bcf80302cce7734142bed8f5126744319

SHA512
6518427baf63d907bca121a199e564d72ec96852ca5b647ee7cff6774714d131e76a923eea5cacebe30a8c3fd4e749db1e047202982afaa8fd2dd26f107efd2f

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
128KB

MD5
a0de878c2a4aa48426fc470c1a417449

SHA1
b9956bb0744afb9971360361fdaef269521a5eff

SHA256
8f1f8655104c5bd4e392b786ecce82aaf29b91ef1c911cc891bd455ff690a181

SHA512
0489b23db50220f2acd8b5b2839ba3de3df10dfd01650bb52104cbd6e882f6deb9e807c4667bf81c75e1e4cc18578647e39b1adcd57e1f98d56129d6379b4407

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
128KB

MD5
9a3420c15f52845d73468f2543ef52b4

SHA1
0c86f202eca5ffe5cc3e24b721877b1b62dcd401

SHA256
ba00e43006d0703af787a43294c5d28a8acbd414a892e2daacb07f55b3f65d27

SHA512
c468a9e5463c8d384cc43401df3bef5f6515a7df541acd34f21f6371086a907e1186fa6ac7950539cc5ad796835b3569671718621b9b5c5f185ec2cb2d76aedb

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
128KB

MD5
da1fa17996858a2508010c20304d7263

SHA1
82d693b3af1a6849e2f2f2ca0f38f959517b9239

SHA256
9cdee5393eca346bf479751b47b7cc9ee19d4762f33cfccc7fce4eda15171ab1

SHA512
be18765e0e2d95c419a9511296a2bff955ceb96b6801735e1a3a39c8c6bb0c42a3fd3cb6ac03802f6b7f60e2457ba1cb34dcbde196a78ce6f8b0d6749ad6bf61

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
128KB

MD5
afcbc4349c987a35cbf2de3465148655

SHA1
72ea9b4202685e60a9e54e1ade1921285dfe5988

SHA256
cc8666ac8873b0ae7d0e7d9a35865f06e8dd2e51539ec874dac9eb453bba7e27

SHA512
b21e2ca5e7aad3eb4b687f4c0829de2de263f1d69118a59a151479639078f67f83278c938d3914c390366a6a2c2b9ffb5fed92505ca073c89cabbdd059e21252

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
128KB

MD5
480389d04a02d00fc5d9747be5fa985f

SHA1
a3067b5952ec6b8f059147e80145221c531f6d51

SHA256
d6b647c84bd973e2a59b1fb0d5029db5bea8bd877eb347744f485153aa9b89d5

SHA512
3f30f9d80084d414c6626c2412d084d4250febade688e6b8cca23bafbffecfc22a67e75920d6a4e763bb3d80588f413a4382fa61e4ce5c0b271c66202eb4f69d

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
128KB

MD5
89a1c6a087d861edb1d51fea4a1c9b4c

SHA1
d412f6c85e47fa8fe76cc67d4e83e0adfe17928d

SHA256
19ed9fa5ccbbe75d751dca555365f45af01cadf52f0138cace341c52baa3c0ed

SHA512
61dea43c553d518a3023ba31252fe2e9b53584cd0ffe60424a48c8d47bbc16bed60efc267a3e8f4cf7e766c7909876456ec7d8d7d1e448ef5c962d4cc751285c

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
128KB

MD5
d580d420896f7856aeda8e2e1ee5d117

SHA1
31b832819fd03515d28a98028bb61bc5d06d1e61

SHA256
50273faf38dcafee0ec7a05a1100089e93f97716b1d3cb520627a04337751bd2

SHA512
d5a8076629530f937d77c7f50276ded5ebb2e4f861c7624a6565f23eb9c914118c56bfddef3bc3c21d96357b464b43db1322fc9e0ed81533f9d3c315a079ad00

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
53287cd279eda9343f357e5c77d2a868

SHA1
a89d7031277e49795bb00e12e5fd9238d7fedc4f

SHA256
4114dcf1930a07811563894339d8a0a1a915a227df933e5e72d69dd6083c332b

SHA512
be0093f6b02703119c722eb121f1d1d36a101b785ee3d6717497c27b5c9da92c4cb0b8beecc59db0ca04af636cc4a7d7ea1869174cf163367a0e518653042616

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
128KB

MD5
747f0e42c24688371809f5c14fa163df

SHA1
2c14367ace42a80213b0a3d53b6f209415c41dfb

SHA256
ef0e81e12938986f07f46fef62a39ea6e51bad3a8e513e8ed887ac6bbfc403c1

SHA512
f65cc93003a53e8c48818f6b7f5761535c961da872ab468c4542adf9e1ebc0292a4eda11f939cb090ac1055d65c89e30769df9f4e16afc40bb175ffa55b3ddcc

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
128KB

MD5
a55fe5ab26c4b36f2d0546900a6d5dbb

SHA1
1366e72a927f037fb63b8b2c20bc3119b2715c15

SHA256
f138a9719e108552884eeaa573ec09eb948125f7099004d2d697fbdc8a5ff4eb

SHA512
e231889645c668abf5de7258d3f6d393ef0ecb3b0946f6b15102e8a4fe15be55f9c947aca46633bb15fdd172579288fe72af4a92e17ca4936a7c9286c5835d1f

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
128KB

MD5
01cbe80ed7a8a3ee989f1c508e5e7560

SHA1
cddfcc50928651dfc8457fc11367de4545ffad57

SHA256
847569094154df087b72ecf17ba88d76c4e704bb54a25eeae67e884abf89489b

SHA512
8bc06a85109ea2e72869a9bcd8b4cc69752d008d959d203efff2e4d2ac44c1d7dcf74bfb5baab7ead8cbb79fc6274d486a76d998ea30f985ef5791313c511d70

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
128KB

MD5
1c58662839185ea0dded7ed3415b9c4f

SHA1
714cabaf5983d938644109a51fdb39b63ce318b0

SHA256
92e6ec323cdcf58db1f5d7034b567c9c50b5dd59845678f12ac723ed80516e10

SHA512
586ae6eff0a585f9f56847551052cdddf6ae934fa9157469f73f2fbefb466f7a2ab0de0bee224b2a2898513db6e9daf411089187cf6f4e7357ecbc7e95bec8eb

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
128KB

MD5
6c0fca1b2318e1bcce3872b2e5d092a9

SHA1
dbbdc5551951da9407771b4087a939982f930dbd

SHA256
91878c9affc52b160e5869caaae08b34fc9fafe3bb341e82c0c81a88bcdc6e66

SHA512
7a65ba2273287bf11e5da23b9edabd032d2f97baf69cd11caa9ffc1e8ffce0222e133ada53d39aa3d4ef678d0988b77884ca44b275bd834f62455f26839712dc

Download Submit
memory/212-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/212-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/864-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/864-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2844-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2844-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4744-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4744-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads