09f36627de26c92141bbc63c0f415c7fbb6883181d9eba8f1f1befd204afbf3e

General

Target

10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
Size

80KB
MD5

10528aaea8ce6b1e3c8d4c88e147adb0
SHA1

376c37002b48cacdfcb31552c2821b258a6af756
SHA256

09f36627de26c92141bbc63c0f415c7fbb6883181d9eba8f1f1befd204afbf3e
SHA512

8311961d015c9dac505c868ea1ff315946565cfd085c739bf7ae780bb82e6850b75bed226d3e9e25bd39c4671080011df95f5a0a9e2fa06f2d09925abca94f1a
SSDEEP

1536:UZZf9R1kSilHocNUA8nUHqkH7gPnUKPruy2LwaIZTJ+7LhkiB0:C9zIocGlnP47+U5/waMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe

Executes dropped EXE 8 IoCs

pid	Process
2444	Ncgkcl32.exe
4508	Njacpf32.exe
1144	Nbhkac32.exe
688	Ndghmo32.exe
3992	Ngedij32.exe
3748	Nbkhfc32.exe
2860	Ndidbn32.exe
2812	Nkcmohbg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1904	2812	WerFault.exe	89

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 2444	3924	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe	82
PID 3924 wrote to memory of 2444	3924	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe	82
PID 3924 wrote to memory of 2444	3924	10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe	82
PID 2444 wrote to memory of 4508	2444	Ncgkcl32.exe	83
PID 2444 wrote to memory of 4508	2444	Ncgkcl32.exe	83
PID 2444 wrote to memory of 4508	2444	Ncgkcl32.exe	83
PID 4508 wrote to memory of 1144	4508	Njacpf32.exe	84
PID 4508 wrote to memory of 1144	4508	Njacpf32.exe	84
PID 4508 wrote to memory of 1144	4508	Njacpf32.exe	84
PID 1144 wrote to memory of 688	1144	Nbhkac32.exe	85
PID 1144 wrote to memory of 688	1144	Nbhkac32.exe	85
PID 1144 wrote to memory of 688	1144	Nbhkac32.exe	85
PID 688 wrote to memory of 3992	688	Ndghmo32.exe	86
PID 688 wrote to memory of 3992	688	Ndghmo32.exe	86
PID 688 wrote to memory of 3992	688	Ndghmo32.exe	86
PID 3992 wrote to memory of 3748	3992	Ngedij32.exe	87
PID 3992 wrote to memory of 3748	3992	Ngedij32.exe	87
PID 3992 wrote to memory of 3748	3992	Ngedij32.exe	87
PID 3748 wrote to memory of 2860	3748	Nbkhfc32.exe	88
PID 3748 wrote to memory of 2860	3748	Nbkhfc32.exe	88
PID 3748 wrote to memory of 2860	3748	Nbkhfc32.exe	88
PID 2860 wrote to memory of 2812	2860	Ndidbn32.exe	89
PID 2860 wrote to memory of 2812	2860	Ndidbn32.exe	89
PID 2860 wrote to memory of 2812	2860	Ndidbn32.exe	89

C:\Users\Admin\AppData\Local\Temp\10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10528aaea8ce6b1e3c8d4c88e147adb0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\Ncgkcl32.exe
  C:\Windows\system32\Ncgkcl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\Njacpf32.exe
    C:\Windows\system32\Njacpf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SysWOW64\Nbhkac32.exe
      C:\Windows\system32\Nbhkac32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        9⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 400
        10⤵
        Program crash
        
        PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2812 -ip 2812
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
80KB

MD5
5f8a2c5c65ca40a485fb11da50ec8004

SHA1
ab1d13bcc1639ee83242e9cb8f5cf9ee5d6f2cb2

SHA256
699402c3fc23cdea782c02f04017bdb4f5b4316ea230555379c7b7af006d2e6e

SHA512
cb01eabeb86b9a2083d77e41b52706586c1d87533564dab280e83fda2dbd787b1fbf0998b8c0becee1546c159a00904e9baeea6794ac0b95cba058957abdb985

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
80KB

MD5
b24d598bef3d3954b3f1073633b0a5ac

SHA1
dc722abbf5aca154070b1182bb6f3f4520046708

SHA256
c4d86e56ded08644bf3781c62a2e677ceec2aa40fa012339ec942af85c0068c8

SHA512
11382f3778467aa27366660fd0173799f895078294da0479aa2c0758a8dfd45fef8a0ca116a68eb74f3180b9a9a5133e8b6158595e878e833c57c911078e6a5f

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
80KB

MD5
d9363b831af624021040d9b90a22ede8

SHA1
0a8906b368854ab4f53c38e299d7bea02b537d01

SHA256
3c42a8520e9598147be0e98192839919f701de5a5a7dbdbad08727a9293db232

SHA512
c23653a6a543b75ed19119bcbf6d3923c542125078b6adbaf86529e89f3d659a38fd0f07db13e9c029c73438fa9c6b4d3da6bbfe43b424db9feba512408acf93

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
80KB

MD5
b289c1bebf968ec0b3163daae121da2c

SHA1
152eac624fde4778139b05d90991776b25e50bc4

SHA256
f9dd6e746fdb5e3548f50c4f9be3da1128106f2fea528ac7f43ec87828fa486a

SHA512
0419629c4433e108b8f13ca00c3d31aaee123ba0779a8de9ca8e9b4349ddab723afc7098f8428eccb159f1bb99875931c96af872a18547cdc2e81289849d1534

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
80KB

MD5
2a93dde24d7b591f552ca5ae99ddb0ba

SHA1
6a4f0eb215678ad5e0559ddb19abc237985b8b2d

SHA256
a8a51c3ebf4badb61dd9f97650deccc28b93ea39753428610339fa8e62f8d501

SHA512
c738c71c784daf807d9e758810281ff68183e629cb5322b5f3ebc4ab27921d1ced8a89bfed82e0498a6263220b25d0a61a26f8e3b68a14a173788f988b3bdce0

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
80KB

MD5
924c1864fe28ec6533e6e4fc14034610

SHA1
6104ee26a604b90396bcf2683007033c6695a14b

SHA256
81ab26c9f631ac30ad62b5c9960b072e95b81c2d4a47b3d54729b2eb3cbc7b4f

SHA512
7b1959f8f57ea91bbea3f57bfc336761228588206e1d7a5803ef5bb5768a48fd12f4d79e81b6e44cd5575cf8fb04ea5e0b4548eaccfebed3cf0fdcdd4c5f3b09

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
80KB

MD5
8ff019d290078d29909873618e400f34

SHA1
939d6799ecfefe0b1b520242077b805effee0ccc

SHA256
00286ed357805e82eb4ef2fba1c1db5c5f468b086ded249f22a8d27d35bfdc75

SHA512
a0147e4a87743b9a720cb467cfd222a9c0d3dd2fd37440e76c09ef69c23aafac0564b1d3f9d0bc8f1a076d8d366705573ddfde97ff5d90de367c5a1904618140

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
8ce5e642a76d4d216b7bccb86c0e7044

SHA1
0e8201a97b93c26bbc2f53ab507d3f71979504a9

SHA256
70c2b130f4bd4bf47a2ca0f5c93bdc29a83ebf340f25b2a4f5d5c96ca8a4c8fe

SHA512
9a66c18cb55355d8b5e598185031ead1aab087bff1c595c40e82a3d6ac5561062bc50838c1f8781b588907cce12856b2164893e9917a71c92061ea3e1077a9d8

Download Submit
memory/688-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/688-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2812-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2812-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3748-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3748-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3924-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3992-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3992-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4508-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads