b7c63e9504696f9341246a0715d17213067cd31e346ee7a82c1414f2cdfa9bfe

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
Size

272KB
MD5

7ef6656b3c7ebdb4ad0b0b2055508500
SHA1

0cc309c4dfa3016eb6b06c0e8c0a5c0098d997d0
SHA256

b7c63e9504696f9341246a0715d17213067cd31e346ee7a82c1414f2cdfa9bfe
SHA512

0c7f529a8c6e5b98ae89496fe332b8e049f75fb152d017eb90c3da711ccc7c3b46f91e2218c09798249cefbca4dee7e96a016c881942e6a7063548f40df56e71
SSDEEP

6144:hXbevaHByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:hXbFByvNv54B9f01ZmHByvNv5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe

Executes dropped EXE 17 IoCs

pid	Process
3300	Mgghhlhq.exe
3580	Mamleegg.exe
3044	Mpolqa32.exe
4508	Maohkd32.exe
4492	Mpaifalo.exe
916	Mcpebmkb.exe
4488	Mpdelajl.exe
1880	Nkjjij32.exe
2080	Nacbfdao.exe
2348	Ngpjnkpf.exe
3840	Nnjbke32.exe
1792	Ncgkcl32.exe
4424	Nkncdifl.exe
2164	Ncihikcg.exe
3588	Njcpee32.exe
4260	Ndidbn32.exe
440	Nkcmohbg.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3704	440	WerFault.exe	100

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mamleegg.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3300	636	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe	81
PID 636 wrote to memory of 3300	636	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe	81
PID 636 wrote to memory of 3300	636	7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe	81
PID 3300 wrote to memory of 3580	3300	Mgghhlhq.exe	82
PID 3300 wrote to memory of 3580	3300	Mgghhlhq.exe	82
PID 3300 wrote to memory of 3580	3300	Mgghhlhq.exe	82
PID 3580 wrote to memory of 3044	3580	Mamleegg.exe	83
PID 3580 wrote to memory of 3044	3580	Mamleegg.exe	83
PID 3580 wrote to memory of 3044	3580	Mamleegg.exe	83
PID 3044 wrote to memory of 4508	3044	Mpolqa32.exe	84
PID 3044 wrote to memory of 4508	3044	Mpolqa32.exe	84
PID 3044 wrote to memory of 4508	3044	Mpolqa32.exe	84
PID 4508 wrote to memory of 4492	4508	Maohkd32.exe	85
PID 4508 wrote to memory of 4492	4508	Maohkd32.exe	85
PID 4508 wrote to memory of 4492	4508	Maohkd32.exe	85
PID 4492 wrote to memory of 916	4492	Mpaifalo.exe	86
PID 4492 wrote to memory of 916	4492	Mpaifalo.exe	86
PID 4492 wrote to memory of 916	4492	Mpaifalo.exe	86
PID 916 wrote to memory of 4488	916	Mcpebmkb.exe	88
PID 916 wrote to memory of 4488	916	Mcpebmkb.exe	88
PID 916 wrote to memory of 4488	916	Mcpebmkb.exe	88
PID 4488 wrote to memory of 1880	4488	Mpdelajl.exe	89
PID 4488 wrote to memory of 1880	4488	Mpdelajl.exe	89
PID 4488 wrote to memory of 1880	4488	Mpdelajl.exe	89
PID 1880 wrote to memory of 2080	1880	Nkjjij32.exe	91
PID 1880 wrote to memory of 2080	1880	Nkjjij32.exe	91
PID 1880 wrote to memory of 2080	1880	Nkjjij32.exe	91
PID 2080 wrote to memory of 2348	2080	Nacbfdao.exe	92
PID 2080 wrote to memory of 2348	2080	Nacbfdao.exe	92
PID 2080 wrote to memory of 2348	2080	Nacbfdao.exe	92
PID 2348 wrote to memory of 3840	2348	Ngpjnkpf.exe	93
PID 2348 wrote to memory of 3840	2348	Ngpjnkpf.exe	93
PID 2348 wrote to memory of 3840	2348	Ngpjnkpf.exe	93
PID 3840 wrote to memory of 1792	3840	Nnjbke32.exe	95
PID 3840 wrote to memory of 1792	3840	Nnjbke32.exe	95
PID 3840 wrote to memory of 1792	3840	Nnjbke32.exe	95
PID 1792 wrote to memory of 4424	1792	Ncgkcl32.exe	96
PID 1792 wrote to memory of 4424	1792	Ncgkcl32.exe	96
PID 1792 wrote to memory of 4424	1792	Ncgkcl32.exe	96
PID 4424 wrote to memory of 2164	4424	Nkncdifl.exe	97
PID 4424 wrote to memory of 2164	4424	Nkncdifl.exe	97
PID 4424 wrote to memory of 2164	4424	Nkncdifl.exe	97
PID 2164 wrote to memory of 3588	2164	Ncihikcg.exe	98
PID 2164 wrote to memory of 3588	2164	Ncihikcg.exe	98
PID 2164 wrote to memory of 3588	2164	Ncihikcg.exe	98
PID 3588 wrote to memory of 4260	3588	Njcpee32.exe	99
PID 3588 wrote to memory of 4260	3588	Njcpee32.exe	99
PID 3588 wrote to memory of 4260	3588	Njcpee32.exe	99
PID 4260 wrote to memory of 440	4260	Ndidbn32.exe	100
PID 4260 wrote to memory of 440	4260	Ndidbn32.exe	100
PID 4260 wrote to memory of 440	4260	Ndidbn32.exe	100

C:\Users\Admin\AppData\Local\Temp\7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7ef6656b3c7ebdb4ad0b0b2055508500_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\Mgghhlhq.exe
  C:\Windows\system32\Mgghhlhq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\Mamleegg.exe
    C:\Windows\system32\Mamleegg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\Mpolqa32.exe
      C:\Windows\system32\Mpolqa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        18⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 420
        19⤵
        Program crash
        
        PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 440 -ip 440
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fnelfilp.dll

Filesize
7KB

MD5
5bdb0c1655e3efef4a63e6a648517ef7

SHA1
0736e4636c88f08e652333b28d9d374c49b9246c

SHA256
90f97b111efcad5a445038938f987d5803e33d552e125deba5343a86b2ba2b81

SHA512
f657ee5c114ae628892ff4d07e5b1d7c3ec4ef6f9ddd46913c41cb8b72b91cea0a0d583931910f27eff744a1f3f5dd666102a32c2d04146d8c82c3e66f038d8f

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
272KB

MD5
02614c6263dea289ab8f8ecf30250745

SHA1
7df9f49b2e693e316dc38abb4aea00b8bd5fcda0

SHA256
1d26e6a5a226d68f163277c1e4f17f676c59c958aa5c01f54a04c6b1a8193c4e

SHA512
fc6c3da590595c0b0c5351018ef966e6f981a77579c6f0bc290faeecafa279cffdaa1896dbdff2b302bb33b4b3c6f1a763a13e786c6c7447be3f598fa47c091b

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
272KB

MD5
fbbd3283ac80000171ca1a58a45f1d69

SHA1
3d59ea8a9adc0e3731a44bb516cc6fb493c78ac4

SHA256
e46a868d657e4cbfa7237792632aa7e70743c41cc0b0cbd7479ca7a5fa1038c1

SHA512
242d00f95a8c28a0b29ff98c55df8d555c56efeba0ca7c1ae9458779eac8f99e8d140a4eb07a1b71a2f4c60ac50633931c1eb14c4b969985c4d98b0eb4fc0b81

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
272KB

MD5
352cfd86ba5631ebc815613a9322eafb

SHA1
87808a89905377692cc25db027a5e3112ee7a0b6

SHA256
d179e3f34b648639daa15c55d1a1e0e5186b5f7f7e84a3e5817e85095d3096fe

SHA512
e05699f3793745414f5ccc274a5715a1e791791c503373833409ea1e31929f89cde246f4588c0afba367f1d1926a9eda83c5d451d3989a8ecd5aab3d7763c89c

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
272KB

MD5
2c4e83afaf58ad01d074663525febcc6

SHA1
d32d341d58dd75a6644aaea7389fa19490d79efd

SHA256
841657295cb758ce69d50f15f445e8780fb821ed8388f398f717ff3995085f55

SHA512
1683e83b5b902ed819eb4db318138d9d4e5686dac9f47a713936924e3c1e1e83f8af68f5528d6632b452b541204a9d1df15392033580c8bd8b9c198e48516203

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
272KB

MD5
c253bf6909c630fd404f263e05eb4d52

SHA1
3d4056293f79d3d31f192c881216e01c6b0cfa54

SHA256
b6e5f670b970511db2d671939a31dbcd61b16ea88dfb609d508f9778c551d3a4

SHA512
228ef43e7cb063391f61de1eeee20424ccc0f86fb40bf90fd24994c36c34be80819900290606a8a4169ec5904846586bafb04c81281b3d2c2f0468eb5e2917c7

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
272KB

MD5
ece2b9822a303af2db7a9ebebfae454d

SHA1
caf0dd6f3b9e61a748abfc74ff0be0148c4e9267

SHA256
d555d254450c5bd4abc24e26540e56a99c3fa169a8ed7e1c0277048bff5418e7

SHA512
0da0d0c4fa9aaebd16b27e48281a3510b7b6891c12692256cda1bd6225d3974e97167222024412ef3ed6674217c1b0c2c918cb48e8b79c3b9158828ebab562ce

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
272KB

MD5
b3792b6343d09e2d6372a7dea38889fc

SHA1
43a60334a09bf8f465c71bd6a476ef38b604350f

SHA256
41c4ceb03e1f031370363911a2ffd20917f2bb48f0cab32db369c8314c093404

SHA512
e918de9241096ba53f87cd7cadbbedfc366491ca0970657523fd27ba7c05e17271b369bd4be8baa00f55a8184525ea9841870940882965395c31b19134bfaff3

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
272KB

MD5
721ebe1656cdf40876f33fffde49b1e0

SHA1
a6e0b73416eaac8dbcbe04ab397a318d1791e3c8

SHA256
74fe38e9700996cbbba12d4021625d41c0b3242f9711fddade63d61add501255

SHA512
0530d38955a5bd1ca612cb510354750f939c299e83aa3dbcbccdd9ca3fb703ac89d13e111eba883500101b8c63b6be18f741a3c7a9fe3d8e01f5500449488fc5

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
272KB

MD5
2cb1e3c4539a217c2604430b49a0fefb

SHA1
1e15afa02d681849cf31ded9e03911e2c91ce5eb

SHA256
0b584da2b69e72cdc31ece0c4c66f6c69c24618e4c4846d58ef0b38e85d2569c

SHA512
0049a0092ec500ca89fbeecfdf4877f93dae19d4b15ae0fced966606b3508694358adc63e57e133379d8623c45e6fb7679a6ed096b02d7b8fd63cdee0ec10d89

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
272KB

MD5
2628235d8cea21d95ab11b39dfafba63

SHA1
0cb9adfabfc4f9032c6627d39e6ae60a65717915

SHA256
2fa81cc546fe49c91745eb5731e89d74afd800051ae61bf4947c7cefe1aa9562

SHA512
7f51cbdf1ba36f748ca16b98a06a441cca78e1d8a35ae773975f76bbbd7976adee8ffddb26d912ccefe6870f2e5d1c0e25989a92a091c9e135f06272799e1719

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
272KB

MD5
b7378dcc68ec50ba2f0503734233bb3f

SHA1
691a8713b77499e8ff836e1c38ef7a462afe7540

SHA256
5031746f1a83b743b974a312cd76683e89840cfa57bf762119256853ab6576df

SHA512
1172f25fdbfc50d229759da3bef2fbdb0a2715c020b7b708ab2759b32002b1c16f544a9cbc76575629b2aa0ca73e2d2c103ce473c2a8dcac5d0abb19a3c0a99e

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
272KB

MD5
830e22880e6dd7e42a1277b90ba28534

SHA1
9a503ec16dbee8dc0078a64dc5494785f06534d8

SHA256
ba979a26ed8601546bcc0f7211a98bc7d08284bb0b43c51cc865ff3ccba0cd93

SHA512
37c80c278c197a5bb8c60c79357422fcfd082401e79bef308200825f3dffc134d96d768774d584345c0d2915e74a6b2c4aa057e13bfedcbf1a60002e3833d360

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
272KB

MD5
4fae874707cbe8ba2eb03986c3e5112e

SHA1
f061620f7277d42203ea6ae1e2a2acca4ae48368

SHA256
fb0ebd9a5ce08b0efe65a5bb1a37f7a6ba38326fa6ca6dcd9e46790d3cc1dadc

SHA512
a463a545d166ee8c1b8da9a763b43e76b91ccbaf67f1705b621d694cd73ec84389f9afcafa8732b66b719ba9e9733f166465751e12c9cc718a178d0b9dcd203c

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
272KB

MD5
5a0790196d73d064979a2c3bc3d2ef49

SHA1
959b54bd054ebdda66481a6e603a7ce2844cb3b8

SHA256
587bb0614059d8f2a628c049b121235e43a605fc03b01ea4704c67ca58c05036

SHA512
0f67dabda565e625af424f4cb0c0be9bc4ba944eff11d21967f89d3c1494f51159c9dfb8e0695f4dbb1305eb367dd9c69a94323cdcaf35859052fdd91c33bcad

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
272KB

MD5
98c44798d2f7dc9d0b1a51d21c7b7072

SHA1
97fe29fb0b0857611022150aced7850c4b24e037

SHA256
35c499ea3bbef3e14ae945aef98c8b820f0ba9abb9a7ce312604bb3d378dc4cb

SHA512
ae668693cff9a06ef78dd2ae42629f7ae9551703941f819aa2907d3aeccc3a26fc8b7ca92366a0c9a9089654d03f14a17deb10fce2f967da7463c416727ea7c1

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
272KB

MD5
4aec23e985b9b6cccd5aded1ee76a40e

SHA1
a3e5ea52fa0a6381079c5efc405c66751a5426c0

SHA256
81b0416de40bacdcdaad3b76ab5bb0eda504a53d2bca21386aefda2652756491

SHA512
240ed8a3223e97f55ba9a280df8041214a807b53101fef06f237d9bde3d27052068cc86b1104a5343b3f0b10be712ddbee3e55b048e8e57e2cf64532b19a058c

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
272KB

MD5
b5904e75874b50630bc88b3c21722179

SHA1
18a6d12128153a5d76131f798f8f6a6a8750d4ef

SHA256
225de62e90cda41493aa749c2824c3ead2e082d0dda65426b866988adb414ce9

SHA512
92c1fac94c0feafe20722225025ca570359e87973adf502099d2c6d789324ead27bd1aa49e2e386c47b1dac2cc08919a8cd130230d863b305b8f5fd95e5ba6fc

Download Submit
memory/440-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads