bffbe23377b1dd365febb000be1b376d0d29c0023fba70e4169cba3d862604d1

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
Size

242KB
MD5

5a69108e9b01faa1f5e68c68628576d0
SHA1

867702d47237903b326ef96d2bff9e1eeece3e59
SHA256

bffbe23377b1dd365febb000be1b376d0d29c0023fba70e4169cba3d862604d1
SHA512

0f646f488cfdda255e663e2293215453f3ae2f615d6679bc763e1896ab2ea153cbd16ed1d48687c80765a934c26bf3db1c78a0c2a645d4601154ce2aff03a1d3
SSDEEP

3072:NSN9O0jV5UUsxxV6V8ZLB6V16VKcWmjR:NSN3vsxxV66LB6X62

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe

Executes dropped EXE 18 IoCs

pid	Process
540	Mpmokb32.exe
4664	Mkbchk32.exe
1968	Mdkhapfj.exe
1264	Mkepnjng.exe
2752	Mjhqjg32.exe
2288	Mpaifalo.exe
2112	Mkgmcjld.exe
3228	Mnfipekh.exe
3868	Nnhfee32.exe
2960	Ndbnboqb.exe
632	Njogjfoj.exe
3600	Nafokcol.exe
2556	Nkncdifl.exe
2280	Nnmopdep.exe
3488	Ndghmo32.exe
4732	Nnolfdcn.exe
5088	Ncldnkae.exe
3220	Nkcmohbg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3212	3220	WerFault.exe	102

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 540	2008	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe	82
PID 2008 wrote to memory of 540	2008	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe	82
PID 2008 wrote to memory of 540	2008	5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe	82
PID 540 wrote to memory of 4664	540	Mpmokb32.exe	83
PID 540 wrote to memory of 4664	540	Mpmokb32.exe	83
PID 540 wrote to memory of 4664	540	Mpmokb32.exe	83
PID 4664 wrote to memory of 1968	4664	Mkbchk32.exe	85
PID 4664 wrote to memory of 1968	4664	Mkbchk32.exe	85
PID 4664 wrote to memory of 1968	4664	Mkbchk32.exe	85
PID 1968 wrote to memory of 1264	1968	Mdkhapfj.exe	86
PID 1968 wrote to memory of 1264	1968	Mdkhapfj.exe	86
PID 1968 wrote to memory of 1264	1968	Mdkhapfj.exe	86
PID 1264 wrote to memory of 2752	1264	Mkepnjng.exe	87
PID 1264 wrote to memory of 2752	1264	Mkepnjng.exe	87
PID 1264 wrote to memory of 2752	1264	Mkepnjng.exe	87
PID 2752 wrote to memory of 2288	2752	Mjhqjg32.exe	88
PID 2752 wrote to memory of 2288	2752	Mjhqjg32.exe	88
PID 2752 wrote to memory of 2288	2752	Mjhqjg32.exe	88
PID 2288 wrote to memory of 2112	2288	Mpaifalo.exe	89
PID 2288 wrote to memory of 2112	2288	Mpaifalo.exe	89
PID 2288 wrote to memory of 2112	2288	Mpaifalo.exe	89
PID 2112 wrote to memory of 3228	2112	Mkgmcjld.exe	91
PID 2112 wrote to memory of 3228	2112	Mkgmcjld.exe	91
PID 2112 wrote to memory of 3228	2112	Mkgmcjld.exe	91
PID 3228 wrote to memory of 3868	3228	Mnfipekh.exe	92
PID 3228 wrote to memory of 3868	3228	Mnfipekh.exe	92
PID 3228 wrote to memory of 3868	3228	Mnfipekh.exe	92
PID 3868 wrote to memory of 2960	3868	Nnhfee32.exe	94
PID 3868 wrote to memory of 2960	3868	Nnhfee32.exe	94
PID 3868 wrote to memory of 2960	3868	Nnhfee32.exe	94
PID 2960 wrote to memory of 632	2960	Ndbnboqb.exe	95
PID 2960 wrote to memory of 632	2960	Ndbnboqb.exe	95
PID 2960 wrote to memory of 632	2960	Ndbnboqb.exe	95
PID 632 wrote to memory of 3600	632	Njogjfoj.exe	96
PID 632 wrote to memory of 3600	632	Njogjfoj.exe	96
PID 632 wrote to memory of 3600	632	Njogjfoj.exe	96
PID 3600 wrote to memory of 2556	3600	Nafokcol.exe	97
PID 3600 wrote to memory of 2556	3600	Nafokcol.exe	97
PID 3600 wrote to memory of 2556	3600	Nafokcol.exe	97
PID 2556 wrote to memory of 2280	2556	Nkncdifl.exe	98
PID 2556 wrote to memory of 2280	2556	Nkncdifl.exe	98
PID 2556 wrote to memory of 2280	2556	Nkncdifl.exe	98
PID 2280 wrote to memory of 3488	2280	Nnmopdep.exe	99
PID 2280 wrote to memory of 3488	2280	Nnmopdep.exe	99
PID 2280 wrote to memory of 3488	2280	Nnmopdep.exe	99
PID 3488 wrote to memory of 4732	3488	Ndghmo32.exe	100
PID 3488 wrote to memory of 4732	3488	Ndghmo32.exe	100
PID 3488 wrote to memory of 4732	3488	Ndghmo32.exe	100
PID 4732 wrote to memory of 5088	4732	Nnolfdcn.exe	101
PID 4732 wrote to memory of 5088	4732	Nnolfdcn.exe	101
PID 4732 wrote to memory of 5088	4732	Nnolfdcn.exe	101
PID 5088 wrote to memory of 3220	5088	Ncldnkae.exe	102
PID 5088 wrote to memory of 3220	5088	Ncldnkae.exe	102
PID 5088 wrote to memory of 3220	5088	Ncldnkae.exe	102

C:\Users\Admin\AppData\Local\Temp\5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a69108e9b01faa1f5e68c68628576d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\Mpmokb32.exe
  C:\Windows\system32\Mpmokb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\Mkbchk32.exe
    C:\Windows\system32\Mkbchk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\SysWOW64\Mdkhapfj.exe
      C:\Windows\system32\Mdkhapfj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        19⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 408
        20⤵
        Program crash
        
        PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3220 -ip 3220
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
242KB

MD5
431e4d80b5171943f258b5805d4f94ae

SHA1
5457e0c8fe0e90b66eeb898f547611ef76dac2af

SHA256
3d632b8c16ec12e16fee1e7281edc98a8ecb8d88dca004587282ca42afc08dad

SHA512
17f0bf35a7824d6de7143da5fedcd044469951ca12560a5aac8606c26f45959f8cfe80ba138166897888901d05177516e3af67495c3e0ac8ae5026ccb40ac189

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
242KB

MD5
7c46f3efc32190c6330d1707f2d900ae

SHA1
a25214b042d965b7cc894941e1be05dac7649db2

SHA256
9f5b83fa32d87dd70a41c557b0a8100ad412054d0d7120e33c5a84c03cb36726

SHA512
b8e9330dab976ee332beae5c8c8944eebfbe65598f2fcbde22d7fb9092d20d427b429308771d4ff42e49b0db8c8900b999ee827c5c5180d7d1f9920d52baaa89

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
242KB

MD5
736ae7a94c791cc2b74f50a26ed67bcc

SHA1
3924e99a9d4d33ee2ef47ec677e1c339e58a73b6

SHA256
657b62b19ce0e119a40a5f61e7377be1443f582c20efd4b16d40eacefa5affc3

SHA512
9a96be6a9dae5c9c5f571694e6e51c9ebda7945ba2808f10912be06ca269f438d57abfff3a236317615a702821148e259732d73993115cb1c0aa69c940477b31

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
242KB

MD5
56eeed353a5c386d9c3d9327f5b37ab2

SHA1
6ab4d326fd082469bed519fe0edc3251163fa8c4

SHA256
d98558da93f4781b0476ae33af7ef9f56c792118956a15e45090f6ead1560378

SHA512
57e555405d6f6447a81ecea99a08eca720329fee58e8eb85577d6d637be1d6aac2ee8b57108fd1f2dd21ec26f6204f236c987a861b79acdd1bddda6a01e02f8d

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
242KB

MD5
17897d651229bafa3465c8be5055d8a2

SHA1
f186e6d271580bce85ef1c2231c5854dfd82705d

SHA256
d4b0ad6d11bb0498e7ed4719194a193ff69d931e3c93f3125ee1951cdd31880c

SHA512
121feb74d80fdb03be9f793c3db4c47b1c0a676b3f971d23724c19c35b05415ce0b7ad88397c976f76eaa7cdb12c56a9fcc1b5c05f66f888ced4581b8c3bc416

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
242KB

MD5
bd5ef32e16e5a16dc949a1c2f3b4a61a

SHA1
f36e130cf6ac315138415b7b7c9fc3d653a7bf1b

SHA256
7375fc08ca38f23f919ba231bd62aaabfe4f995051608d34f60a99840f6bd45c

SHA512
804cd22d900217b107f1079258c2c22793bbfb641127a06452619023509f7bd8d504da458ef2a6ef62c60b05f9998bada88192dd6bec7de6bfb007a82026c339

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
242KB

MD5
e0bb0af0dd44ee927b0838994cb7090a

SHA1
ff6a38ed061d16877572dd2a70bb3cc8ff2846b9

SHA256
078e893cb5ee356f3618d7b04f73c49d811d096f5198ea953967e951108c8512

SHA512
20ae6de1b3dcc9445cb9c96efc11edd2ca0aa82c0c20772adbf2fd3bdb6f5143cd801703e7e069f8b46b111c5e67ca422d21b57db421960bd4c75715a3032184

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
242KB

MD5
c76a65b9ab70ace3bea03f6b856cac3f

SHA1
415cbdfae474704816d9b00ef9dcc3b1eccf3690

SHA256
a4cee1980f2ab0da6dcff0b50427640548ef358119a050419b45f1518dd79efc

SHA512
99a19fcd26e803841281ebdce9db220bb98fafc70856f4a3298788c6451d053f12f2b3aee1e0e8ed449976e333bca5cd3cf188dc1a318d15096dc7e2be65242f

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
242KB

MD5
526eb9e854567741295d8ed80904ae3c

SHA1
8350eb54c5da08c46c756888550fe7404721ba16

SHA256
77c994f8f81487f7ff1b5932eb7b89e090d033580b219991eac1503350517117

SHA512
45d17dc57e1a2c6385a76eb00b747e8395c2edf371c80945d83f246a4f1965ae2e76e4982cb0043579601bbd852907e8c17396d7104f4b009ea1f15ebfbdbd56

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
242KB

MD5
6ac445e8fcba2546cee4bf11df6e5a1f

SHA1
8b423c1451bd225b463f0e645b306374e3c9b287

SHA256
6b2af897d3914e3a7b1c9593e072616aa7de56e66ae455c7f9b4921e412b3279

SHA512
e0ae03052127fc5d68f4658b14faed10b45ada06ff196d4c5dc182886b36a865b5593f3125ba758717ced9776527958c8b0c5ebaa634a4538d0a30fe6247decb

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
242KB

MD5
d7e5fea6a7efe7d08ec116f27e5a2bbe

SHA1
b2d8f4610064de5c94776a159e6ed7003f2b560d

SHA256
b46a48e2abca58bcd210273b21425f56fb3954d04b3ba6e2c4d7e02a7710e1a5

SHA512
9445bfa37aeb7dd1081df08d334d57ff1b2bb6b35239cdb8ae015e2180aca0857ac2a6bd12922aeb30304032b5c74185c0749ac887bafbf7e96a8545ff239719

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
242KB

MD5
926d94410afd308021aaded4c60681b3

SHA1
447d089e72def36ed91b9c6bd4296980feb4aabb

SHA256
e042071aa95bfaea9cf6878cab6c5d166c4f7d8f9873cf77151f696c44dcdf1b

SHA512
0f04109220a1bcdbe0e2e868700be9b994c5718bad92efacc9c47908cbda1b6de4674140f28945e74a601b6c67182d8d57536490ab6ce5536c244393905f1108

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
242KB

MD5
b84af8c98c5bab2375ccd4f74265cfab

SHA1
4f713d5198a0c48c43110953dcb166ce83273cc5

SHA256
3c60119c0febd3cacd22457e952628f39fa5a1d4128b16b5f67707e58dbba90e

SHA512
3bfeb48ed77c3e7ddfcfdc5321e23abcee78233bffb4498112ba0f28880c606151422b9337bcc4e5f38b9f6e63e201c76bb48b602b33cb5d6c52d819319ca6ba

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
242KB

MD5
a0e0f870b4b6f5228e1a097e75f362f8

SHA1
92421d03c575fbc354508476214b2ed799ff20f2

SHA256
6642c024b852ace79a5f752b695021abd1f24dd0b9384a400df62da5c0e6e506

SHA512
6c0098e8e6c38bd7df49a895967a46979826e9ca50b497dd37fc8025eb07fde823f72b28696804dac1d11d82538c3d7d9a5e7fc0e28dca22f4a7e1f7befadd38

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
242KB

MD5
edcd4f49108c3ce9fd065058b2eba48a

SHA1
463ea2e66a08eb88e6ba3bb1be30a3663b350e38

SHA256
76e45c3290354ca70d5e5556af6210b118287fa10c7adc0960fe8311609e97a8

SHA512
43dab1c27403607ca77a33a227faf1091eafd8106322000a2c3754574ec79f1d8a3941d63f6f746ed0f9e59fde382aa02ddaea0cad01486f4c63c9139a4cee0e

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
242KB

MD5
cbb78ebdeeb8859ee60701eda8041579

SHA1
e4665ff76cbf1a90f72af18986a55fbf7445c4e3

SHA256
b4a4ee8a7093548c77b0e897a6b1a5939bb899a947972d07849027285e36a696

SHA512
cbe5c29328f13dd73b7622d6fe2c3846afe92bbaf7aa43f27951863dccebbd7af52dd5286cd59c3dd59308c3b904ee3cf1f5a1dd4c4024b3053092b875ec8ff9

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
242KB

MD5
1a66b48d6672df6c06f037e5529c67b9

SHA1
ecdd7df040ef53498a73763e25e8e8f218a39983

SHA256
d13851bb4aa9d6b1f2c1371e8e9bb16512778f56429204e53eebced93430941e

SHA512
51af22c1fb2d62688b1216e3d41c89335bb082248e8270a87b562cc2d45c21a44b8367dd66936d3afae64e59034997c8be3e4d3326d7196831bb26823d9aa12f

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
242KB

MD5
c2ba3048f81e52abbed417b060928f8f

SHA1
f36cfd8078b123da32d9062bb68c186469413472

SHA256
d571bcbe17855476cadb2a1839eaa2a63f3f7152324090a1d2ec89dc89bb3a86

SHA512
7b5a9984cd1162bba387a53591ca6f5b50735f484ff207be5bc1144d7fd721e702ab6c13b2d759719d084aff265382b97629f356b417f3775a40d0105b33e076

Download Submit
memory/540-179-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/540-9-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/632-182-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/632-89-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1264-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1264-173-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1968-175-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1968-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2008-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2008-181-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2008-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2112-167-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2112-61-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2280-153-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2280-112-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2288-54-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2288-169-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2556-156-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2752-45-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2752-171-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2960-161-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2960-81-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3220-144-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3220-147-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3228-165-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3228-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3488-119-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3488-154-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3600-96-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3600-158-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3868-163-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3868-73-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4664-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4664-177-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4732-128-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4732-150-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5088-136-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5088-148-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads