f9b1401504ad4ad03638674eba71f8a1ff969ba8fbea6eda845c943c5102baf8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Size

199KB
MD5

414d4cf562af0c9eaca881230ccdb370
SHA1

4ce444f4a2adcbddd5d866091875bca5804c164b
SHA256

f9b1401504ad4ad03638674eba71f8a1ff969ba8fbea6eda845c943c5102baf8
SHA512

7c81be802e59b36fefe51558b25c6d9a2538c8b98aaa140991acc36e4df57bf495bfa487364f4d20850dec9f58bd3497794fb6daa4ebdf1cfb9ee597bee8b590
SSDEEP

6144:3jXH4JJc9AySZSCZj81+jq4peBK034YOmFz1h:37im9IZSCG1+jheBbOmFxh

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe

Malware Dropper & Backdoor - Berbew 18 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0008000000022f51-7.dat	family_berbew
behavioral2/files/0x00070000000233fb-15.dat	family_berbew
behavioral2/files/0x00070000000233fd-23.dat	family_berbew
behavioral2/files/0x00070000000233ff-31.dat	family_berbew
behavioral2/files/0x0007000000023401-39.dat	family_berbew
behavioral2/files/0x0007000000023403-48.dat	family_berbew
behavioral2/files/0x0007000000023405-55.dat	family_berbew
behavioral2/files/0x0007000000023407-58.dat	family_berbew
behavioral2/files/0x0007000000023409-71.dat	family_berbew
behavioral2/files/0x000700000002340b-79.dat	family_berbew
behavioral2/files/0x000700000002340d-88.dat	family_berbew
behavioral2/files/0x000700000002340f-95.dat	family_berbew
behavioral2/files/0x0007000000023411-103.dat	family_berbew
behavioral2/files/0x0007000000023413-111.dat	family_berbew
behavioral2/files/0x0007000000023415-114.dat	family_berbew
behavioral2/files/0x0007000000023417-127.dat	family_berbew
behavioral2/files/0x0007000000023419-136.dat	family_berbew
behavioral2/files/0x000700000002341b-143.dat	family_berbew

Executes dropped EXE 18 IoCs

pid	Process
1816	Mdkhapfj.exe
952	Mgidml32.exe
2340	Mjhqjg32.exe
5108	Mncmjfmk.exe
1224	Mcpebmkb.exe
4752	Mjjmog32.exe
5112	Maaepd32.exe
1012	Mcbahlip.exe
4360	Nnhfee32.exe
4504	Ndbnboqb.exe
2344	Ngpjnkpf.exe
4960	Nqiogp32.exe
4312	Ngcgcjnc.exe
3832	Nbhkac32.exe
1260	Ncihikcg.exe
1480	Nbkhfc32.exe
4648	Ncldnkae.exe
3852	Nkcmohbg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4872	3852	WerFault.exe	102

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1816	2908	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe	83
PID 2908 wrote to memory of 1816	2908	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe	83
PID 2908 wrote to memory of 1816	2908	414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe	83
PID 1816 wrote to memory of 952	1816	Mdkhapfj.exe	84
PID 1816 wrote to memory of 952	1816	Mdkhapfj.exe	84
PID 1816 wrote to memory of 952	1816	Mdkhapfj.exe	84
PID 952 wrote to memory of 2340	952	Mgidml32.exe	85
PID 952 wrote to memory of 2340	952	Mgidml32.exe	85
PID 952 wrote to memory of 2340	952	Mgidml32.exe	85
PID 2340 wrote to memory of 5108	2340	Mjhqjg32.exe	86
PID 2340 wrote to memory of 5108	2340	Mjhqjg32.exe	86
PID 2340 wrote to memory of 5108	2340	Mjhqjg32.exe	86
PID 5108 wrote to memory of 1224	5108	Mncmjfmk.exe	87
PID 5108 wrote to memory of 1224	5108	Mncmjfmk.exe	87
PID 5108 wrote to memory of 1224	5108	Mncmjfmk.exe	87
PID 1224 wrote to memory of 4752	1224	Mcpebmkb.exe	88
PID 1224 wrote to memory of 4752	1224	Mcpebmkb.exe	88
PID 1224 wrote to memory of 4752	1224	Mcpebmkb.exe	88
PID 4752 wrote to memory of 5112	4752	Mjjmog32.exe	89
PID 4752 wrote to memory of 5112	4752	Mjjmog32.exe	89
PID 4752 wrote to memory of 5112	4752	Mjjmog32.exe	89
PID 5112 wrote to memory of 1012	5112	Maaepd32.exe	91
PID 5112 wrote to memory of 1012	5112	Maaepd32.exe	91
PID 5112 wrote to memory of 1012	5112	Maaepd32.exe	91
PID 1012 wrote to memory of 4360	1012	Mcbahlip.exe	92
PID 1012 wrote to memory of 4360	1012	Mcbahlip.exe	92
PID 1012 wrote to memory of 4360	1012	Mcbahlip.exe	92
PID 4360 wrote to memory of 4504	4360	Nnhfee32.exe	93
PID 4360 wrote to memory of 4504	4360	Nnhfee32.exe	93
PID 4360 wrote to memory of 4504	4360	Nnhfee32.exe	93
PID 4504 wrote to memory of 2344	4504	Ndbnboqb.exe	94
PID 4504 wrote to memory of 2344	4504	Ndbnboqb.exe	94
PID 4504 wrote to memory of 2344	4504	Ndbnboqb.exe	94
PID 2344 wrote to memory of 4960	2344	Ngpjnkpf.exe	96
PID 2344 wrote to memory of 4960	2344	Ngpjnkpf.exe	96
PID 2344 wrote to memory of 4960	2344	Ngpjnkpf.exe	96
PID 4960 wrote to memory of 4312	4960	Nqiogp32.exe	97
PID 4960 wrote to memory of 4312	4960	Nqiogp32.exe	97
PID 4960 wrote to memory of 4312	4960	Nqiogp32.exe	97
PID 4312 wrote to memory of 3832	4312	Ngcgcjnc.exe	98
PID 4312 wrote to memory of 3832	4312	Ngcgcjnc.exe	98
PID 4312 wrote to memory of 3832	4312	Ngcgcjnc.exe	98
PID 3832 wrote to memory of 1260	3832	Nbhkac32.exe	99
PID 3832 wrote to memory of 1260	3832	Nbhkac32.exe	99
PID 3832 wrote to memory of 1260	3832	Nbhkac32.exe	99
PID 1260 wrote to memory of 1480	1260	Ncihikcg.exe	100
PID 1260 wrote to memory of 1480	1260	Ncihikcg.exe	100
PID 1260 wrote to memory of 1480	1260	Ncihikcg.exe	100
PID 1480 wrote to memory of 4648	1480	Nbkhfc32.exe	101
PID 1480 wrote to memory of 4648	1480	Nbkhfc32.exe	101
PID 1480 wrote to memory of 4648	1480	Nbkhfc32.exe	101
PID 4648 wrote to memory of 3852	4648	Ncldnkae.exe	102
PID 4648 wrote to memory of 3852	4648	Ncldnkae.exe	102
PID 4648 wrote to memory of 3852	4648	Ncldnkae.exe	102

C:\Users\Admin\AppData\Local\Temp\414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\414d4cf562af0c9eaca881230ccdb370_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\Mdkhapfj.exe
  C:\Windows\system32\Mdkhapfj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\Mgidml32.exe
    C:\Windows\system32\Mgidml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\Mjhqjg32.exe
      C:\Windows\system32\Mjhqjg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        19⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 400
        20⤵
        Program crash
        
        PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3852 -ip 3852
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
199KB

MD5
4e481cd97a6c2acdacd47db403675c63

SHA1
d8564b3364dd139ca206176654a77a4d5e4e7c68

SHA256
c0aa436c412dba71968f9fd625cbe746d200c0ef436df65f42f43e5380794570

SHA512
2ed8161c80b5c02064a1a52bd899fadc97999eeff5b2df36c7f9b8e8aa5906910ef0640beb2ccb3f7a863d0f2839f6eab2616f1b306f92e8fa195c924cc60efd

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
199KB

MD5
fea3d8fd28ed4bc9ee76285627ace8ec

SHA1
869c2cf235f5ee255ddacf20dbb9e866fddde859

SHA256
2dac6cbbf3a4f9a7574f724f4a9c3f05c3c1608f75cfc8129853fa33f6637258

SHA512
3cb2ade5dbeffd1392afd64aaadfb20a2a6b1a6aafb0e31f2e3321ae55d663c88f61e93c1070ba1c3a424f910d53b642acca8010fa06a8be3e8cf01a0b60d7eb

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
199KB

MD5
84af633505c962a043430446f73c8332

SHA1
bc87b1862cd667ecb76159c08b8bfe9dd0751ab9

SHA256
f5aa669c602daca08f177348bc771755ce52ee20bc1199fc231e974c32521bbd

SHA512
1d1190ae6fddf239aefdabae266ad1c761b3c6784434a35bc59173a781e7ad78bc01a029391cd44df76d63b09194dd3028269175ca227b3b4523afef472194b3

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
199KB

MD5
a70f05cf8699854881707e55f44170ed

SHA1
e2d9a182dd7b3ffca8f5676db6574ef0aa2b0bc5

SHA256
09e7d2e6203b8ca70bc58fa4fbfe891cb712d2ec9587a20af3196178f0c7bc76

SHA512
8fcffedb362303f205ca7ac6c0f180964f2e57e04ae2d929aa5c0e62ff7cb8241f319d742534017d4a9a0b9386a4a968d2da818036deb7d1a371bc57732a0f1f

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
199KB

MD5
6d1be1cb09345cbabf50b8977ed03896

SHA1
122352377f90f46260caded66d814e4c5cb7eba2

SHA256
2db2e149e737cc1c65e0625f7373aa9301f39467692b58ab400c0a5426171d5b

SHA512
23b769fb8ec268ae6e1c010b73e1b4b91ca1c5fd141eab1328489cc010e96fcf286792542f72c20514f024183b895514c8a090743b26f4315881ccd9a16fd628

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
199KB

MD5
ca82f0eb6c8b25674c54b2e4271d2dc7

SHA1
a8cc33470e68b03c1450a027713f96c0648929d7

SHA256
b7cc54141478c6037fe5a28eb6a4274899a7dc545cd2d351f1a68e94a65a02f7

SHA512
0650a84e24dbf1522c02bee43437ee7b7d8ca039e969089fcfc298a5f3f644bc5f3f8c3696e40fee28be910f2c8cb75147450fa33bcf13f8a22035b82c3e2efd

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
199KB

MD5
5b0fcbf943c881360abca40ab7121e0f

SHA1
63de96077a730cf675c983471d4a5dee2b539e36

SHA256
c9a1b73d1dee042813ea85f5a57376b969fba2c8b1f29de50d7847e96536ec63

SHA512
0f61c934e4a5e28277be173dc0a7b1458a0fdd7acf1f254ca87ea113a1c073e8aa3bdefbc522b66419df89dc1389f0ecb9cf96f974c694ce0abba38f7a7eb3e4

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
199KB

MD5
56b1fefa0e339f1129e7bf5123ff2454

SHA1
7ea436b577796c4d5a2fac369aa7c55528728923

SHA256
9e8183abb574016323689ab87fdfb45128ea994cf12441f55e75a756d5f558e0

SHA512
2befa6c787ede704fcd42ecbd61d1aa4d232e0db9ab09fea1d2e544d796ed3416eca2633ea7363e49b88520f6de98e57d868e93d946bab1a2b4b6c1106f7781a

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
199KB

MD5
4dbef3d4ba12fae23759d1670e640474

SHA1
ac91b6454bbb8016c8375961f543a8b6e6edcc2e

SHA256
29830d4869c9c2af72d76f42eb88bb5dc2f3c7446934196ae372104b4d64e69a

SHA512
8fc6453b131f80ce442eabe9cec45bbf6f6360b209af7c2a4adde3073a6e27d9cc1bdf8272dbabe1a85b3737c075dbdfa5262a23074e70f5642e1efdd39cea25

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
199KB

MD5
91ffc5b21c833afdfc28e0f0d69ee571

SHA1
e47a2e6364bc4d47a0f61c2fa581dd11d80eace3

SHA256
1f7cad6d9ec6e4099ceef385928a863a1db3b237da43bb82eeeaafc824cbd0d3

SHA512
129ffab6185a6121b7321b6b6410b511b40a23630f5a35d07be8c2f8dbf9aef205df67fa51b56f83501d35142d8f82b17ba9561bebf1115bb388a9d35b2b196d

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
199KB

MD5
4cf1a1f6fcdce7e0c2b2039bdf628604

SHA1
d25ee151bad019afe10a2dea86aa28b8e1326436

SHA256
e507377f550a9474bb4e94b7f4518b26b13f49756c91988dbbb39d07ba778162

SHA512
8414ee6f3196352f0a621f9059830d4051fc588dce1be0dd42fa728a04ba86ae6b07d277102a19b779e75ae4a21243ef2f83eb56387353ac78adff052375b9e4

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
199KB

MD5
0a252208aa1f2a5316712a579543e1e4

SHA1
32052fee7d1ebbe82e64e84d9264d41a6f1d55cb

SHA256
8cbdb99e325ddbbc734f2ec006f54b0e1856f2b6e759630e22398a6fc4526fb0

SHA512
431d2c2df565e10d47ca9e8e890df61002a6f15a1c096ceb9a9ff3faf8f8b38372915d52be7b178fa3efb62d9211046c1ba32e688ebaf5cbcccdf3fd232c4071

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
199KB

MD5
b716081c6e1209bc05c3df0ba8404753

SHA1
1abc3bc68cf346af19704ed106d9a25d44952486

SHA256
7d55f58ea66ed7372499bdb803c6ac6930fff6b322544c0c40111595ec36c1e0

SHA512
7b19f97bfb8539b9308ed2925ae58bda590a11b68d58172069e2096dbc6f3752f0de5ad1fa702c528075293c6a4b732d7bb105a961fe50988d26afed29f31d2c

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
199KB

MD5
e19d110b686362f33871fa3b78acf8e8

SHA1
f36cadf448ef37893b27eeb3468efcc33b863125

SHA256
609ee73fdc07ed8e0b4babedea30d2881b7490f0d181bc8fcb8bc8a2199fb827

SHA512
398fa72fcf7a2ece8fe6abcdcda623cc1f4377c5462e8425d965486fba3b6183cfa71e36243aca63fe786214627d8cc6776e90d40176848809b3f59a76332845

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
199KB

MD5
25e66fff93c65d1afb9d0a14b555d70f

SHA1
f589b4195a9020193f53e2890ec71a061ea61909

SHA256
ef6f61cd78353c671f6bb62b0f8e6da874840fd09ed3aa150081aec5a6a23a90

SHA512
25144edda2707d2fe71344edef7302a21cf25c91c49b900d83fe2affa36cb8936ca40a6c8deb796496304564f2070c47f5bc5ccee5023ecbfda10bc95e522dd2

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
199KB

MD5
d5d624bec873b386e638e0721e5a8b1c

SHA1
422f9de5ffdb312dbeef283feb7fc9a0b0255e91

SHA256
5691c530f46d07a32ab97ca6e6a2500142061b1b966db41179f25a9502199332

SHA512
a504677e26b03997711d77982f0fb5e5984ce122206ec6364b9250fc07e4d590f4a24c736ef2fe0afd70fac4dfd066825b63da2c5bf751aef156ba1d686ee779

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
199KB

MD5
7ec399aabf539a064fb0125afe986b01

SHA1
f5d42fe861c15f39a01f04f8d5e74a357ef7d297

SHA256
a21ca7cc06f55e8535a2e251e1a36a198a63f1ce5c18eee5b7851d17930c8ed6

SHA512
13bdea78e639f3afa4ac6602a55bb479dd3162d4785a685ab2573f361bda33116b1adbab1e9299bd236cd0d8ccb0a6f478efafd3853a2e4e55f0cd0843fe3e6a

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
199KB

MD5
d6a0f4ade58c111f58f1228edfc5b75a

SHA1
6079843a0c6635f3965ab8be2e38c33b2b978cef

SHA256
5a3bf6153168ccde3dd17cc5396a0f02faa49dc8a2ec6dceebedaeb1e35a4fbb

SHA512
971039c2903333425238cfa781ac54092cb44d75b431ab122fa747f5acb0244cfa91b75ef11a3c9956b53093b57f44297551c3bb6d0474e9b79a1b18f7a2c69e

Download Submit
memory/952-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/952-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1012-156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1012-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1224-158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1224-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2908-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3832-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3832-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3852-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3852-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads