69710ac5af8fa408aaa3bc2acfef1dc9d0e0df352c1a4721383d322fd6897e54

Analysis

max time kernel
129s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
Size

128KB
MD5

57edb733be6323b45f7d3d66ec7756f0
SHA1

4b267777a193612d2890e676ce701c48f41000ac
SHA256

69710ac5af8fa408aaa3bc2acfef1dc9d0e0df352c1a4721383d322fd6897e54
SHA512

71a3f373eea25b805d94d7ea44699927fe22b7315988c2842de46d72ac3fd1791a1b0d5f4a7bbf559b357510063558f8fa864e41e2d9bd429c25b1502c00ff7a
SSDEEP

3072:4yA0FBESSu3a7Js0S5SDrLXfzoeqarm9mTKpAImA:tA0FBeu3SsDMXfxqySSKpRmA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkojooih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oacige32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnpcpjfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndgoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfkcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nndlkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqlbgfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Niegnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noalpmli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oacige32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkojooih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngfkcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmfkkhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcnnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmfkkhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niegnc32.exe

Executes dropped EXE 19 IoCs

pid	Process
1688	Ngcnnq32.exe
708	Nkojooih.exe
1016	Nnmfkkhl.exe
2232	Nqlbgfhp.exe
452	Ndgoge32.exe
4280	Nicjhchb.exe
3796	Ngfkcp32.exe
4316	Nomcen32.exe
4692	Nnpcpjfi.exe
2880	Nqnomfem.exe
4872	Niegnc32.exe
2924	Nghgipmj.exe
4368	Noopjmnl.exe
2136	Nbnlfimp.exe
4164	Nelhbdlc.exe
4272	Noalpmli.exe
4500	Nndlkj32.exe
5060	Oacige32.exe
3660	Ogmado32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Haaapbja.dll	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ndgoge32.exe	Nqlbgfhp.exe
File created	C:\Windows\SysWOW64\Ngfkcp32.exe	Nicjhchb.exe
File created	C:\Windows\SysWOW64\Lcmbkd32.dll	Niegnc32.exe
File created	C:\Windows\SysWOW64\Ogmado32.exe	Oacige32.exe
File opened for modification	C:\Windows\SysWOW64\Ogmado32.exe	Oacige32.exe
File created	C:\Windows\SysWOW64\Cknhgocb.dll	Ngcnnq32.exe
File created	C:\Windows\SysWOW64\Nnpcpjfi.exe	Nomcen32.exe
File created	C:\Windows\SysWOW64\Gopebnpd.dll	Nnpcpjfi.exe
File created	C:\Windows\SysWOW64\Daifcmfa.dll	Oacige32.exe
File created	C:\Windows\SysWOW64\Noalpmli.exe	Nelhbdlc.exe
File opened for modification	C:\Windows\SysWOW64\Ndgoge32.exe	Nqlbgfhp.exe
File opened for modification	C:\Windows\SysWOW64\Noalpmli.exe	Nelhbdlc.exe
File created	C:\Windows\SysWOW64\Qgmjfbdj.dll	Nndlkj32.exe
File created	C:\Windows\SysWOW64\Nnmfkkhl.exe	Nkojooih.exe
File created	C:\Windows\SysWOW64\Lbjljm32.dll	Nnmfkkhl.exe
File created	C:\Windows\SysWOW64\Oacige32.exe	Nndlkj32.exe
File created	C:\Windows\SysWOW64\Cmhdhd32.dll	Ndgoge32.exe
File opened for modification	C:\Windows\SysWOW64\Nomcen32.exe	Ngfkcp32.exe
File created	C:\Windows\SysWOW64\Lbcojfeb.dll	Ngfkcp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqlbgfhp.exe	Nnmfkkhl.exe
File created	C:\Windows\SysWOW64\Iijjgi32.dll	Nicjhchb.exe
File opened for modification	C:\Windows\SysWOW64\Niegnc32.exe	Nqnomfem.exe
File created	C:\Windows\SysWOW64\Nghgipmj.exe	Niegnc32.exe
File created	C:\Windows\SysWOW64\Khbmbp32.dll	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Holjqf32.dll	Nkojooih.exe
File created	C:\Windows\SysWOW64\Gfmifaji.dll	Nqnomfem.exe
File created	C:\Windows\SysWOW64\Fdnnhief.dll	Nqlbgfhp.exe
File opened for modification	C:\Windows\SysWOW64\Nnpcpjfi.exe	Nomcen32.exe
File created	C:\Windows\SysWOW64\Kpiecl32.dll	Nghgipmj.exe
File opened for modification	C:\Windows\SysWOW64\Nbnlfimp.exe	Noopjmnl.exe
File created	C:\Windows\SysWOW64\Nelhbdlc.exe	Nbnlfimp.exe
File opened for modification	C:\Windows\SysWOW64\Nkojooih.exe	Ngcnnq32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmfkkhl.exe	Nkojooih.exe
File created	C:\Windows\SysWOW64\Nqlbgfhp.exe	Nnmfkkhl.exe
File opened for modification	C:\Windows\SysWOW64\Ngfkcp32.exe	Nicjhchb.exe
File created	C:\Windows\SysWOW64\Noopjmnl.exe	Nghgipmj.exe
File opened for modification	C:\Windows\SysWOW64\Noopjmnl.exe	Nghgipmj.exe
File created	C:\Windows\SysWOW64\Jmfijb32.dll	Nelhbdlc.exe
File created	C:\Windows\SysWOW64\Nndlkj32.exe	Noalpmli.exe
File opened for modification	C:\Windows\SysWOW64\Oacige32.exe	Nndlkj32.exe
File created	C:\Windows\SysWOW64\Ngcnnq32.exe	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nomcen32.exe	Ngfkcp32.exe
File created	C:\Windows\SysWOW64\Niegnc32.exe	Nqnomfem.exe
File opened for modification	C:\Windows\SysWOW64\Nghgipmj.exe	Niegnc32.exe
File opened for modification	C:\Windows\SysWOW64\Nelhbdlc.exe	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Lfbpem32.dll	Noalpmli.exe
File created	C:\Windows\SysWOW64\Nqnomfem.exe	Nnpcpjfi.exe
File created	C:\Windows\SysWOW64\Nkojooih.exe	Ngcnnq32.exe
File opened for modification	C:\Windows\SysWOW64\Nicjhchb.exe	Ndgoge32.exe
File created	C:\Windows\SysWOW64\Nlofepqg.dll	Nomcen32.exe
File opened for modification	C:\Windows\SysWOW64\Nqnomfem.exe	Nnpcpjfi.exe
File opened for modification	C:\Windows\SysWOW64\Nndlkj32.exe	Noalpmli.exe
File opened for modification	C:\Windows\SysWOW64\Ngcnnq32.exe	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nicjhchb.exe	Ndgoge32.exe
File created	C:\Windows\SysWOW64\Nbnlfimp.exe	Noopjmnl.exe
File created	C:\Windows\SysWOW64\Hbfqcq32.dll	Noopjmnl.exe

Program crash 1 IoCs

pid	pid_target	Process
4668	3660	WerFault.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijjgi32.dll"	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nomcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niegnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkojooih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfijb32.dll"	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oacige32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noopjmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmfkkhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gopebnpd.dll"	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noopjmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khbmbp32.dll"	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmjfbdj.dll"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holjqf32.dll"	Nkojooih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqlbgfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngfkcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifcmfa.dll"	Oacige32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjljm32.dll"	Nnmfkkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmfkkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhdhd32.dll"	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpiecl32.dll"	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaapbja.dll"	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkojooih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfqcq32.dll"	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndgoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niegnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nghgipmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnhief.dll"	Nqlbgfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlofepqg.dll"	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnpcpjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknhgocb.dll"	Ngcnnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngfkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmifaji.dll"	Nqnomfem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oacige32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcojfeb.dll"	Ngfkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmbkd32.dll"	Niegnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqlbgfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfbpem32.dll"	Noalpmli.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 1688	4840	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe	82
PID 4840 wrote to memory of 1688	4840	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe	82
PID 4840 wrote to memory of 1688	4840	57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe	82
PID 1688 wrote to memory of 708	1688	Ngcnnq32.exe	83
PID 1688 wrote to memory of 708	1688	Ngcnnq32.exe	83
PID 1688 wrote to memory of 708	1688	Ngcnnq32.exe	83
PID 708 wrote to memory of 1016	708	Nkojooih.exe	84
PID 708 wrote to memory of 1016	708	Nkojooih.exe	84
PID 708 wrote to memory of 1016	708	Nkojooih.exe	84
PID 1016 wrote to memory of 2232	1016	Nnmfkkhl.exe	85
PID 1016 wrote to memory of 2232	1016	Nnmfkkhl.exe	85
PID 1016 wrote to memory of 2232	1016	Nnmfkkhl.exe	85
PID 2232 wrote to memory of 452	2232	Nqlbgfhp.exe	86
PID 2232 wrote to memory of 452	2232	Nqlbgfhp.exe	86
PID 2232 wrote to memory of 452	2232	Nqlbgfhp.exe	86
PID 452 wrote to memory of 4280	452	Ndgoge32.exe	87
PID 452 wrote to memory of 4280	452	Ndgoge32.exe	87
PID 452 wrote to memory of 4280	452	Ndgoge32.exe	87
PID 4280 wrote to memory of 3796	4280	Nicjhchb.exe	88
PID 4280 wrote to memory of 3796	4280	Nicjhchb.exe	88
PID 4280 wrote to memory of 3796	4280	Nicjhchb.exe	88
PID 3796 wrote to memory of 4316	3796	Ngfkcp32.exe	89
PID 3796 wrote to memory of 4316	3796	Ngfkcp32.exe	89
PID 3796 wrote to memory of 4316	3796	Ngfkcp32.exe	89
PID 4316 wrote to memory of 4692	4316	Nomcen32.exe	90
PID 4316 wrote to memory of 4692	4316	Nomcen32.exe	90
PID 4316 wrote to memory of 4692	4316	Nomcen32.exe	90
PID 4692 wrote to memory of 2880	4692	Nnpcpjfi.exe	91
PID 4692 wrote to memory of 2880	4692	Nnpcpjfi.exe	91
PID 4692 wrote to memory of 2880	4692	Nnpcpjfi.exe	91
PID 2880 wrote to memory of 4872	2880	Nqnomfem.exe	92
PID 2880 wrote to memory of 4872	2880	Nqnomfem.exe	92
PID 2880 wrote to memory of 4872	2880	Nqnomfem.exe	92
PID 4872 wrote to memory of 2924	4872	Niegnc32.exe	93
PID 4872 wrote to memory of 2924	4872	Niegnc32.exe	93
PID 4872 wrote to memory of 2924	4872	Niegnc32.exe	93
PID 2924 wrote to memory of 4368	2924	Nghgipmj.exe	94
PID 2924 wrote to memory of 4368	2924	Nghgipmj.exe	94
PID 2924 wrote to memory of 4368	2924	Nghgipmj.exe	94
PID 4368 wrote to memory of 2136	4368	Noopjmnl.exe	95
PID 4368 wrote to memory of 2136	4368	Noopjmnl.exe	95
PID 4368 wrote to memory of 2136	4368	Noopjmnl.exe	95
PID 2136 wrote to memory of 4164	2136	Nbnlfimp.exe	96
PID 2136 wrote to memory of 4164	2136	Nbnlfimp.exe	96
PID 2136 wrote to memory of 4164	2136	Nbnlfimp.exe	96
PID 4164 wrote to memory of 4272	4164	Nelhbdlc.exe	97
PID 4164 wrote to memory of 4272	4164	Nelhbdlc.exe	97
PID 4164 wrote to memory of 4272	4164	Nelhbdlc.exe	97
PID 4272 wrote to memory of 4500	4272	Noalpmli.exe	98
PID 4272 wrote to memory of 4500	4272	Noalpmli.exe	98
PID 4272 wrote to memory of 4500	4272	Noalpmli.exe	98
PID 4500 wrote to memory of 5060	4500	Nndlkj32.exe	99
PID 4500 wrote to memory of 5060	4500	Nndlkj32.exe	99
PID 4500 wrote to memory of 5060	4500	Nndlkj32.exe	99
PID 5060 wrote to memory of 3660	5060	Oacige32.exe	100
PID 5060 wrote to memory of 3660	5060	Oacige32.exe	100
PID 5060 wrote to memory of 3660	5060	Oacige32.exe	100

C:\Users\Admin\AppData\Local\Temp\57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57edb733be6323b45f7d3d66ec7756f0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\Ngcnnq32.exe
  C:\Windows\system32\Ngcnnq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\Nkojooih.exe
    C:\Windows\system32\Nkojooih.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\SysWOW64\Nnmfkkhl.exe
      C:\Windows\system32\Nnmfkkhl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\SysWOW64\Nqlbgfhp.exe
        
        C:\Windows\system32\Nqlbgfhp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\SysWOW64\Ndgoge32.exe
        
        C:\Windows\system32\Ndgoge32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Nicjhchb.exe
        
        C:\Windows\system32\Nicjhchb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ngfkcp32.exe
        
        C:\Windows\system32\Ngfkcp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Nomcen32.exe
        
        C:\Windows\system32\Nomcen32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Nnpcpjfi.exe
        
        C:\Windows\system32\Nnpcpjfi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Nqnomfem.exe
        
        C:\Windows\system32\Nqnomfem.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Niegnc32.exe
        
        C:\Windows\system32\Niegnc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Nghgipmj.exe
        
        C:\Windows\system32\Nghgipmj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Noopjmnl.exe
        
        C:\Windows\system32\Noopjmnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Nbnlfimp.exe
        
        C:\Windows\system32\Nbnlfimp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Nelhbdlc.exe
        
        C:\Windows\system32\Nelhbdlc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Noalpmli.exe
        
        C:\Windows\system32\Noalpmli.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Nndlkj32.exe
        
        C:\Windows\system32\Nndlkj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Oacige32.exe
        
        C:\Windows\system32\Oacige32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ogmado32.exe
        
        C:\Windows\system32\Ogmado32.exe
        20⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 412
        21⤵
        Program crash
        
        PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3660 -ip 3660
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fdnnhief.dll

Filesize
7KB

MD5
41f77d797791ebdeb71834514ff11d34

SHA1
6b48fd819eda7f47fbe96e40f43310ceeec98146

SHA256
fae1876ef8e0f7903b9ccd4aa6049215a618b4af255d1bb1a6f4398cb9779957

SHA512
2884b2cc3fc119d40f3d5c0f8bb5f4a722c36e8559c0eb4106f8a81950894a4e969f73e873f100145ed3c74e0891bd36044b6346084fdb585c7113c0a2a8adc3

Download Submit
C:\Windows\SysWOW64\Nbnlfimp.exe

Filesize
128KB

MD5
315a54f5d07ea71af3a11fa875cb0d36

SHA1
11816dd6a7786722bf0bdff8ba421e700ce4344d

SHA256
25f6815ff77fc9a637664c4091cb83343f209dd2c7be9dacd87fa4ff12bf66ac

SHA512
cd254e71dc6eeb528f93b0f93d34076436f4898ac532fb0dacca3cd8e210bd025eb72c7ab82b8bd86484cdcfc8bcc89682decf106823604c293c67b8a6e22d92

Download Submit
C:\Windows\SysWOW64\Ndgoge32.exe

Filesize
128KB

MD5
c07d87d91855228d1627fd27438f0a4a

SHA1
15e3d19339bd0be3d863bd1194172f3ee877cc06

SHA256
26dcdbbf0c524554357bcc86390296a3f343ae3c7593e72e91dcd38d2844dcf1

SHA512
3dd6de8f038f0ac76f29a22909622c35e3f732aaa9ba612991134f3c0d13f51f348a11a071a982323027fefe6dd6dbe7b2e55c406cfb16145c9df6ed6467914f

Download Submit
C:\Windows\SysWOW64\Nelhbdlc.exe

Filesize
128KB

MD5
1c304f3ccca8ac44297f1425fdfba4c5

SHA1
3cf761271c1cf6392e18e7e331e8e5ffdf183bcd

SHA256
c14422286bc42025613dcf546f4a67a711c93cb1b8740d0c1fe0dabd1e72b410

SHA512
c90af90c2adda39b282b01717a210a9a32a1ccd5208d3a100ff2c8a812322e9a09eb80489232db29b575d43992fd07cfbd92ad74cde788be2b4f7b523916e90e

Download Submit
C:\Windows\SysWOW64\Ngcnnq32.exe

Filesize
128KB

MD5
72245af2cd0ab2af633a6b135f3d7bab

SHA1
801b9c7175d9a23a2ff2b54a1e86b923899fc489

SHA256
3f51cfb472585c37dea27aa98473e7f9f5cb72279ac9718d1e9e2a81e97ae23b

SHA512
59a35ba0a5c6a72e3b03059da4fe6a83f6aa6281753673c08d8b3a9846c3d77e2e60f3bc411c3f1df53271683c839b506512f6486d1435a98a670c4c253f6f21

Download Submit
C:\Windows\SysWOW64\Ngfkcp32.exe

Filesize
128KB

MD5
fa6e1420fe5b7ea0e5780cbb5e5d97ff

SHA1
e9a596ddb5086654331adc340792730bee86dd05

SHA256
67ddf3167bf563bf0430085eb0c36e50a09263ad025fc7e63b635df88bb3a3bf

SHA512
6786e8fb523587fb54dcd0862f89091f3013013f90ebcdd3fe9a34202b39d63b3a6a009ae9fce0471c74ef64a4d6725dfaff3d7c861e773cd9a088d32a9b0e0d

Download Submit
C:\Windows\SysWOW64\Nghgipmj.exe

Filesize
128KB

MD5
884cffc530433ae736d1d7a96bb95b53

SHA1
29aab768ea6e6dce72a66f826f84b9b1fe627670

SHA256
7fa0d43a840a74e247e3433b9ac2fca9a9932790a945dca544f2ffad6e15b10d

SHA512
d9574116c684cde4534b413a3fd4519fdea97238f1c8a97a66593c553a27c95e23873d680386acab1506fa18f317224c290b1912a0bd4c508642f9cbc9d9586d

Download Submit
C:\Windows\SysWOW64\Nicjhchb.exe

Filesize
128KB

MD5
9c69cf2523aeb6b7839ccabc774307a9

SHA1
84212ddeb5a451a46ba3775be459d57cdf692bfc

SHA256
a48fccf3dd50c08b2d115b8f1b0914f430f6dade75103b780434d56e3d360a48

SHA512
cac9017fd8e98f20beed75fb93f4a17cd36272b22f9bc1bbeb2fc4a0865fa65a7f37baabb6fe04b5ef42ee1fa2be3b2345a1358a63e09c894faf6cb67e5c9fe9

Download Submit
C:\Windows\SysWOW64\Niegnc32.exe

Filesize
128KB

MD5
b90a1afd240aa5586394ecef8393bfda

SHA1
a3b59b61ab0cc6a0d0280a69f3f05ab434f70cd9

SHA256
8dc8f774d377f14622cab71e5802670c5a5d4dc7749b2564000016e4c16560c4

SHA512
f7eec5c08608f63d2ca23da31bad5d47e8fcef84b133df93241bf2fc86306b116ed45bb02d021cec449e016fd52ee6b8d8f286ab2b7ce5c08ccda0ebbed0b09d

Download Submit
C:\Windows\SysWOW64\Nkojooih.exe

Filesize
128KB

MD5
40d745c0c9382752c71b111dd9d883e5

SHA1
3ed66412b279838b98f2532d2cc68ef2d0264795

SHA256
60d30972a1d46d56e7b49a0f3df23a0a048181c02638f59c8c2957e3f19216d1

SHA512
136d6c30ac86e6281c3ffd67e31dcce90d5f2f2739e0e230f941d5082f067334afc514501cf195780d9cee312b29c1cc3866ac35e285498910694b10d8e4c614

Download Submit
C:\Windows\SysWOW64\Nndlkj32.exe

Filesize
128KB

MD5
3ad30126c76641a1742b455a80c2e457

SHA1
8f741d2098fa52be4d1bdeea50443df6f4e4db35

SHA256
720827e7d7540ceca102de55afee20b499314dd6a5acceb59851100ab5a2318a

SHA512
cde2f0351248ba7bb38eba9aa6de2c4e49d08274c1e84dedb8a38fe5e5cb7608b0b859e7b8d8d40a3415f5fbf6b83a0e37c0e047f08f5eed7d68f977fc4a7dab

Download Submit
C:\Windows\SysWOW64\Nnmfkkhl.exe

Filesize
128KB

MD5
9df1a7c1e1f9e4b6d6b8cae27b216ff6

SHA1
0dc03d87e7950c8b7a732e793b584570b56d6663

SHA256
f6d0ffa534a3452051efdaab38c5a03b43af8dcaeed27e505a57743410070712

SHA512
570fa899ce1f24c26a7dd37be22f7663d15c42ce8a545c82776d809d8315bbaad5f4078144af9801dc09d9c5f0be87624a55ff0134a3944eb796c1936bde51a0

Download Submit
C:\Windows\SysWOW64\Nnpcpjfi.exe

Filesize
128KB

MD5
059527cf963e35217aa49474a3bffc3e

SHA1
c97f3069e7959b29ba80262652be021c61a5734f

SHA256
e222f64020747962f20033d32c7db0837396e722a7a82626d8bc5f58b7c3f8b2

SHA512
f2424aa082399a925541294ae8883e3a3401079c17c3f184e00e2860ae81c889faf0d1cb7dfcfb96e0680e19c766edbdaef270b99cc1c7559f92206f522e8afd

Download Submit
C:\Windows\SysWOW64\Noalpmli.exe

Filesize
128KB

MD5
16bdcee555ba77f44e73663eed6de317

SHA1
1032772048a7681c15561b71599deba70e2e82c2

SHA256
14ec318fb38b75b302b7c37e2e325f0c70e87337ebdb2016a84fc12813f6dad9

SHA512
c4249058282d02d0e682061e93e2cef3662a47df90972207bee874945663eda2fd540688208fa801574e2f3c7fa7bad57577ca322fe322445166b60f724b97eb

Download Submit
C:\Windows\SysWOW64\Nomcen32.exe

Filesize
128KB

MD5
e770d05fd4ba4a6f218ed9babb44ed5f

SHA1
676804afb526d15a17026054ee406cd2b78f21e9

SHA256
ef4d8a7f4f72935bfad2f0bddc51c2e4a6f70d35a199180a1f8b1ebb9ee8ddd3

SHA512
36c46d047bb077951b74355b5e848a315dd2becc8a4cd5e45462d8a7e9a520f7f07e0c23652e1fa589d1ff6c65edcfab2be938d9df76e17b15ddfbcb73eb0ac6

Download Submit
C:\Windows\SysWOW64\Noopjmnl.exe

Filesize
128KB

MD5
f55149bb5aab920f7421902a4a6003a7

SHA1
753e967a642a9ed443136a8bcfeb76c64bf890e1

SHA256
668f203b369321e5395f29d183cd17a48c10f3bfde9c3a7fdbaffb81525af892

SHA512
d828b1761e18d1a434b0f94fd38680a4580fdfed4b85eb9a95592f5ab88c184a55dae4f53a5a01c77bd27cf233a4ceeb6f0a31509663b24b44a429b70d419826

Download Submit
C:\Windows\SysWOW64\Nqlbgfhp.exe

Filesize
128KB

MD5
c34babce1385802263946092ece4eab2

SHA1
1196ff0fcfa9263ffcb9bf98195a45a780d40ef1

SHA256
3584950d8ed28596e38d7a8b385e189cd0e475f2a9ab2ce4d4d7657fd0cdcd1c

SHA512
1f67a220849a4d0544bd7d3ca785467a1a91d51e4f5ac1e53a6138ef1f2d17863cd4d47bf777d3a5c346abc3e8f6ec75a667d6fd7d368685c622471fa6e558a1

Download Submit
C:\Windows\SysWOW64\Nqnomfem.exe

Filesize
128KB

MD5
9a9be4ff9629aa2eba873a23af596ff8

SHA1
70ff0875b9ee6e0295e4a62311ae8d7ec6201cd4

SHA256
a19dab6de20896b6afca289a0b47ea64092112a74ec2b0ddd178055d923d63c8

SHA512
1ecc73da3eb023126580be1b22aca8b95f3fd14724f39a26bace57ce877f0490e30d5e6ae8c05bd65649a49f9ae878bdc16d32ce8dfaa1a46ea2ba25ea1f17d1

Download Submit
C:\Windows\SysWOW64\Oacige32.exe

Filesize
128KB

MD5
0bc29cd3eda6d968ae485218df350e8f

SHA1
12829c3ae1a1049b48d10dde7332f0e02807410f

SHA256
eb8b5627409835b8da115b6b48909e0fb8df99046ab4d164a567c610f9fd12c0

SHA512
69976095b84de2d8a2cd6f8dcfdfe3f480c1e753b06c49fd41f30f286e403b54bc54262423bf18ed96867b101b1a800aefea9e421f6d2b4cde17b8cc32fc912d

Download Submit
C:\Windows\SysWOW64\Ogmado32.exe

Filesize
128KB

MD5
62029bf6d42f20460c114e931985a6df

SHA1
59bbdcd398e602aeb78aa5e82e9f77908a47494e

SHA256
15fdb5753f3abdca13e117fd9164a5cbade67ce7c43cdf74746bf1538fb2574a

SHA512
d740a0167da38a670ee41bbdc9883d65830bc832ce47dc6debd7e7a3414007a5f844dddec782e1b86add2caa5b55f9045d7efb8a024d0f95e22d61861a57fe36

Download Submit
memory/452-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/708-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/708-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1016-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1016-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3796-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3796-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4272-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4272-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads