8bffe83519fe8889e77701e847a81675c41ae2c6951ca1e54209e9d2f0c6a074

Analysis

max time kernel
131s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
Size

52KB
MD5

b2224fa26913007c9174c8b06011b480
SHA1

964eafbe209445272a361be79093cfbaf197653e
SHA256

8bffe83519fe8889e77701e847a81675c41ae2c6951ca1e54209e9d2f0c6a074
SHA512

d926d3d1a641147932af84fa4f800c1c634ea67e9a0f61a7ccc8bb9206feb76811e96a792e6434efa6cc5634bcb8c491f477ba30174511d058c60364cd1d9bdc
SSDEEP

768:GbC8oVTZiumrQLSccAO/es8WN4XTIgZrDMDjo0lVOCfOP/1H5F/sGMABvKWe:xTZXuQLx5pq/gZrDMDjo0lY+OhXMAdKZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkfpon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndebbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfkcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkoai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nohijndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nghgipmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnkiek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkojooih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oacige32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oacige32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nohijndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqifafjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbibki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nelhbdlc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbibki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nghgipmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqifafjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndebbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkojooih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noopjmnl.exe

Executes dropped EXE 19 IoCs

pid	Process
1672	Nohijndd.exe
4084	Nnkiek32.exe
2152	Nqifafjb.exe
1912	Ndebbe32.exe
1116	Nkojooih.exe
4404	Nbibki32.exe
2260	Ndgoge32.exe
3064	Ngfkcp32.exe
4692	Nomcen32.exe
2276	Nbkoai32.exe
3308	Nghgipmj.exe
4476	Noopjmnl.exe
3388	Nbnlfimp.exe
2224	Nelhbdlc.exe
1880	Nkfpon32.exe
2856	Nndlkj32.exe
3152	Oacige32.exe
4548	Oendhdjq.exe
2624	Ogmado32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe
File opened for modification	C:\Windows\SysWOW64\Noopjmnl.exe	Nghgipmj.exe
File created	C:\Windows\SysWOW64\Ccbahp32.dll	Nelhbdlc.exe
File created	C:\Windows\SysWOW64\Qgmjfbdj.dll	Nndlkj32.exe
File opened for modification	C:\Windows\SysWOW64\Nndlkj32.exe	Nkfpon32.exe
File created	C:\Windows\SysWOW64\Ndgoge32.exe	Nbibki32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfkcp32.exe	Ndgoge32.exe
File created	C:\Windows\SysWOW64\Nomcen32.exe	Ngfkcp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkojooih.exe	Ndebbe32.exe
File created	C:\Windows\SysWOW64\Nbibki32.exe	Nkojooih.exe
File created	C:\Windows\SysWOW64\Khbmbp32.dll	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Lbcojfeb.dll	Ngfkcp32.exe
File opened for modification	C:\Windows\SysWOW64\Nelhbdlc.exe	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Nghgipmj.exe	Nbkoai32.exe
File opened for modification	C:\Windows\SysWOW64\Nbnlfimp.exe	Noopjmnl.exe
File opened for modification	C:\Windows\SysWOW64\Oendhdjq.exe	Oacige32.exe
File opened for modification	C:\Windows\SysWOW64\Nnkiek32.exe	Nohijndd.exe
File opened for modification	C:\Windows\SysWOW64\Nbibki32.exe	Nkojooih.exe
File opened for modification	C:\Windows\SysWOW64\Nghgipmj.exe	Nbkoai32.exe
File created	C:\Windows\SysWOW64\Ddmnkm32.dll	Nohijndd.exe
File created	C:\Windows\SysWOW64\Eecngcdn.dll	Nomcen32.exe
File created	C:\Windows\SysWOW64\Lcmbkd32.dll	Nbkoai32.exe
File created	C:\Windows\SysWOW64\Fdnnhief.dll	Nbibki32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkoai32.exe	Nomcen32.exe
File created	C:\Windows\SysWOW64\Noopjmnl.exe	Nghgipmj.exe
File created	C:\Windows\SysWOW64\Oendhdjq.exe	Oacige32.exe
File created	C:\Windows\SysWOW64\Ndebbe32.exe	Nqifafjb.exe
File opened for modification	C:\Windows\SysWOW64\Ndebbe32.exe	Nqifafjb.exe
File opened for modification	C:\Windows\SysWOW64\Ndgoge32.exe	Nbibki32.exe
File created	C:\Windows\SysWOW64\Nbkoai32.exe	Nomcen32.exe
File created	C:\Windows\SysWOW64\Nbnlfimp.exe	Noopjmnl.exe
File created	C:\Windows\SysWOW64\Hbfqcq32.dll	Noopjmnl.exe
File created	C:\Windows\SysWOW64\Nelhbdlc.exe	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Oacige32.exe	Nndlkj32.exe
File opened for modification	C:\Windows\SysWOW64\Nohijndd.exe	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pnabddke.dll	Nqifafjb.exe
File opened for modification	C:\Windows\SysWOW64\Nomcen32.exe	Ngfkcp32.exe
File created	C:\Windows\SysWOW64\Kpiecl32.dll	Nghgipmj.exe
File opened for modification	C:\Windows\SysWOW64\Oacige32.exe	Nndlkj32.exe
File opened for modification	C:\Windows\SysWOW64\Nkfpon32.exe	Nelhbdlc.exe
File created	C:\Windows\SysWOW64\Cknhgocb.dll	Ndebbe32.exe
File created	C:\Windows\SysWOW64\Iijjgi32.dll	Ndgoge32.exe
File created	C:\Windows\SysWOW64\Nkfpon32.exe	Nelhbdlc.exe
File created	C:\Windows\SysWOW64\Nqifafjb.exe	Nnkiek32.exe
File created	C:\Windows\SysWOW64\Idmjbagn.dll	Nnkiek32.exe
File created	C:\Windows\SysWOW64\Ngfkcp32.exe	Ndgoge32.exe
File created	C:\Windows\SysWOW64\Lfbpem32.dll	Nkfpon32.exe
File created	C:\Windows\SysWOW64\Nhkglhcn.dll	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nnkiek32.exe	Nohijndd.exe
File opened for modification	C:\Windows\SysWOW64\Nqifafjb.exe	Nnkiek32.exe
File created	C:\Windows\SysWOW64\Nohijndd.exe	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nkojooih.exe	Ndebbe32.exe
File created	C:\Windows\SysWOW64\Gejcdjej.dll	Nkojooih.exe
File created	C:\Windows\SysWOW64\Daifcmfa.dll	Oendhdjq.exe
File created	C:\Windows\SysWOW64\Nndlkj32.exe	Nkfpon32.exe
File created	C:\Windows\SysWOW64\Pmkcjf32.dll	Oacige32.exe
File opened for modification	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2632	2624	WerFault.exe	100

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbibki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbahp32.dll"	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmbkd32.dll"	Nbkoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndebbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcojfeb.dll"	Ngfkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkoai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nghgipmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nohijndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nomcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhkglhcn.dll"	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnabddke.dll"	Nqifafjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khbmbp32.dll"	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmjbagn.dll"	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nelhbdlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oacige32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqifafjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejcdjej.dll"	Nkojooih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfbpem32.dll"	Nkfpon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nndlkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nndlkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nohijndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nomcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijjgi32.dll"	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecngcdn.dll"	Nomcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkojooih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndgoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkojooih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfqcq32.dll"	Noopjmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oacige32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifcmfa.dll"	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmnkm32.dll"	Nohijndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbibki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmjfbdj.dll"	Nndlkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmkcjf32.dll"	Oacige32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqifafjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndebbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknhgocb.dll"	Ndebbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnhief.dll"	Nbibki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpiecl32.dll"	Nghgipmj.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 1672	3500	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe	82
PID 3500 wrote to memory of 1672	3500	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe	82
PID 3500 wrote to memory of 1672	3500	b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe	82
PID 1672 wrote to memory of 4084	1672	Nohijndd.exe	83
PID 1672 wrote to memory of 4084	1672	Nohijndd.exe	83
PID 1672 wrote to memory of 4084	1672	Nohijndd.exe	83
PID 4084 wrote to memory of 2152	4084	Nnkiek32.exe	84
PID 4084 wrote to memory of 2152	4084	Nnkiek32.exe	84
PID 4084 wrote to memory of 2152	4084	Nnkiek32.exe	84
PID 2152 wrote to memory of 1912	2152	Nqifafjb.exe	85
PID 2152 wrote to memory of 1912	2152	Nqifafjb.exe	85
PID 2152 wrote to memory of 1912	2152	Nqifafjb.exe	85
PID 1912 wrote to memory of 1116	1912	Ndebbe32.exe	86
PID 1912 wrote to memory of 1116	1912	Ndebbe32.exe	86
PID 1912 wrote to memory of 1116	1912	Ndebbe32.exe	86
PID 1116 wrote to memory of 4404	1116	Nkojooih.exe	87
PID 1116 wrote to memory of 4404	1116	Nkojooih.exe	87
PID 1116 wrote to memory of 4404	1116	Nkojooih.exe	87
PID 4404 wrote to memory of 2260	4404	Nbibki32.exe	88
PID 4404 wrote to memory of 2260	4404	Nbibki32.exe	88
PID 4404 wrote to memory of 2260	4404	Nbibki32.exe	88
PID 2260 wrote to memory of 3064	2260	Ndgoge32.exe	89
PID 2260 wrote to memory of 3064	2260	Ndgoge32.exe	89
PID 2260 wrote to memory of 3064	2260	Ndgoge32.exe	89
PID 3064 wrote to memory of 4692	3064	Ngfkcp32.exe	90
PID 3064 wrote to memory of 4692	3064	Ngfkcp32.exe	90
PID 3064 wrote to memory of 4692	3064	Ngfkcp32.exe	90
PID 4692 wrote to memory of 2276	4692	Nomcen32.exe	91
PID 4692 wrote to memory of 2276	4692	Nomcen32.exe	91
PID 4692 wrote to memory of 2276	4692	Nomcen32.exe	91
PID 2276 wrote to memory of 3308	2276	Nbkoai32.exe	92
PID 2276 wrote to memory of 3308	2276	Nbkoai32.exe	92
PID 2276 wrote to memory of 3308	2276	Nbkoai32.exe	92
PID 3308 wrote to memory of 4476	3308	Nghgipmj.exe	93
PID 3308 wrote to memory of 4476	3308	Nghgipmj.exe	93
PID 3308 wrote to memory of 4476	3308	Nghgipmj.exe	93
PID 4476 wrote to memory of 3388	4476	Noopjmnl.exe	94
PID 4476 wrote to memory of 3388	4476	Noopjmnl.exe	94
PID 4476 wrote to memory of 3388	4476	Noopjmnl.exe	94
PID 3388 wrote to memory of 2224	3388	Nbnlfimp.exe	95
PID 3388 wrote to memory of 2224	3388	Nbnlfimp.exe	95
PID 3388 wrote to memory of 2224	3388	Nbnlfimp.exe	95
PID 2224 wrote to memory of 1880	2224	Nelhbdlc.exe	96
PID 2224 wrote to memory of 1880	2224	Nelhbdlc.exe	96
PID 2224 wrote to memory of 1880	2224	Nelhbdlc.exe	96
PID 1880 wrote to memory of 2856	1880	Nkfpon32.exe	97
PID 1880 wrote to memory of 2856	1880	Nkfpon32.exe	97
PID 1880 wrote to memory of 2856	1880	Nkfpon32.exe	97
PID 2856 wrote to memory of 3152	2856	Nndlkj32.exe	98
PID 2856 wrote to memory of 3152	2856	Nndlkj32.exe	98
PID 2856 wrote to memory of 3152	2856	Nndlkj32.exe	98
PID 3152 wrote to memory of 4548	3152	Oacige32.exe	99
PID 3152 wrote to memory of 4548	3152	Oacige32.exe	99
PID 3152 wrote to memory of 4548	3152	Oacige32.exe	99
PID 4548 wrote to memory of 2624	4548	Oendhdjq.exe	100
PID 4548 wrote to memory of 2624	4548	Oendhdjq.exe	100
PID 4548 wrote to memory of 2624	4548	Oendhdjq.exe	100

C:\Users\Admin\AppData\Local\Temp\b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2224fa26913007c9174c8b06011b480_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\Nohijndd.exe
  C:\Windows\system32\Nohijndd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\Nnkiek32.exe
    C:\Windows\system32\Nnkiek32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\Nqifafjb.exe
      C:\Windows\system32\Nqifafjb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\Ndebbe32.exe
        
        C:\Windows\system32\Ndebbe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\SysWOW64\Nkojooih.exe
        
        C:\Windows\system32\Nkojooih.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Nbibki32.exe
        
        C:\Windows\system32\Nbibki32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Ndgoge32.exe
        
        C:\Windows\system32\Ndgoge32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Ngfkcp32.exe
        
        C:\Windows\system32\Ngfkcp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Nomcen32.exe
        
        C:\Windows\system32\Nomcen32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Nbkoai32.exe
        
        C:\Windows\system32\Nbkoai32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Nghgipmj.exe
        
        C:\Windows\system32\Nghgipmj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Noopjmnl.exe
        
        C:\Windows\system32\Noopjmnl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Nbnlfimp.exe
        
        C:\Windows\system32\Nbnlfimp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Nelhbdlc.exe
        
        C:\Windows\system32\Nelhbdlc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Nkfpon32.exe
        
        C:\Windows\system32\Nkfpon32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Nndlkj32.exe
        
        C:\Windows\system32\Nndlkj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Oacige32.exe
        
        C:\Windows\system32\Oacige32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Oendhdjq.exe
        
        C:\Windows\system32\Oendhdjq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ogmado32.exe
        
        C:\Windows\system32\Ogmado32.exe
        20⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 408
        21⤵
        Program crash
        
        PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2624 -ip 2624
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbibki32.exe

Filesize
52KB

MD5
4e2e6046730eed6de7dddc88487907b5

SHA1
00189e08c9d7d3d38e4f338dcdc599dfcc3ddf96

SHA256
1025ef8d797ceb431902884aa710d9d2d43f4187cf805d33287d4fccdc74e91c

SHA512
fdc6cfee58018d421d78b6620a97b3496aa27abcee8a6d8a60a4e18004d9d36c0c4993a8d84bae0bbf4d19c73afd333f8e35eff46a6ebaa1cd072f564961c1d5

Download Submit
C:\Windows\SysWOW64\Nbkoai32.exe

Filesize
52KB

MD5
cc06835da4f63e445b0f7d3cde7f7ccf

SHA1
6405413a50c32f7f66b256992d31f638a4de2c74

SHA256
875bf8b51f080399b7b861f9fe8fa7d0a182d7775ce603997a3e3b02d33bd48c

SHA512
11bf18d20dba0a86ad9e7214276c2eecbeb694022316576dbfe84ca6145971b44f10ff899727b710136ff26e18222f028c9c81024af19c19fe92a347b4f225bc

Download Submit
C:\Windows\SysWOW64\Nbnlfimp.exe

Filesize
52KB

MD5
8f3574f10ff823d0377a3a0a970bc350

SHA1
97532820f2bffd67a93ef0cb1f746308ef438ec4

SHA256
efd8833dd0c612cb5e7b695e68779cd04202d2b5084e6578518e1f2e27b15044

SHA512
2646c81daa05cb14702522d892e7284230fad9c658fccc6b9d6cb1732fb91f67c41c310e0aec2acc74904df0e9ce6f080bc1a1460bf0aca8f3717b142294e0b1

Download Submit
C:\Windows\SysWOW64\Ndebbe32.exe

Filesize
52KB

MD5
562bf82877831481070fcd07230e8308

SHA1
8657979e4c374edbc7d47810a00725c63ea73de7

SHA256
5efa23ca8ca0d4804ccb43490282af95f0ad8ca7bde109b50f53b127f11cc5f8

SHA512
5309d34ccc76fb8c38e0c3044c82254432cc6dc3df783892202eb1313cc71969f7f79c976b9aa11bd4736507da2ca2029754fde42a989c6078754a96d218634d

Download Submit
C:\Windows\SysWOW64\Ndgoge32.exe

Filesize
52KB

MD5
84f812062cfc107c9b44940d59094651

SHA1
14ddf049efbb35fba9990d2b427d36201e38e13f

SHA256
50dd717c88b01ee7020e56367bbe182ca8ab6f6c23cfd0b9a40c51be823db598

SHA512
e5d8a4bf9ececddf1f65124319a9bfe7c9bdea4de1bb320a025bd09143bd86521cd0ecb5143e00ec582cd2d3b36ae378793dd64895973bcee22bb68bf5d9de39

Download Submit
C:\Windows\SysWOW64\Nelhbdlc.exe

Filesize
52KB

MD5
d1f1a974c2a300138da6410c1e753cbd

SHA1
16fdacb7d615a881473073b4adbaffc67425a775

SHA256
cd4939cf45d55a67f2ecc7fd4e1964088b237943a48132d97f71c291b0d505ac

SHA512
c8f46880017b8d4e64486abb0c7f3cf31d64e46cd8c79cb833850954bcadabacc36169ddd70ea1d13e5102b27e90b4136fad45b4f72fcf6be17997589e13e685

Download Submit
C:\Windows\SysWOW64\Ngfkcp32.exe

Filesize
52KB

MD5
dee3950d069f73f4074a82b052ae7e40

SHA1
f46ce3166a91ed8d0c5e131d0fd95b18ddc0f8d9

SHA256
4abd2fa70b19bb0e25b2bfbc4e2bc7a80ab5db699a0ca8aba331d9599fc16e6e

SHA512
b3ad4289730636119efc4d7bc07b53f7c068c95623f2526f1c223cefd5526ffe54911987cc604085b6e34e46e6433960f390b3a82229fe7317fa4aba5f7ca9cd

Download Submit
C:\Windows\SysWOW64\Nghgipmj.exe

Filesize
52KB

MD5
fbe63a4c2dcd7fa5ba0e771e96baf0c5

SHA1
b8dcb135acc27aeed374e395a4a3e99ea6416d80

SHA256
6adc827eb5bcea1e57a7caaf941d29f4fda5b8c8584afaa2137523be3f3062ba

SHA512
6145b8aea83db35b4a3f7e8245fdee7a165f27eda93d51b4a8cbbe83497e944573051f7b23b5708f70c3e531922d2986ceb8b019591842780843cc6f98747649

Download Submit
C:\Windows\SysWOW64\Nkfpon32.exe

Filesize
52KB

MD5
0f4b08389a9e63af806f7554af2a81b8

SHA1
111cc86a0eeb54e3c1b0ebcdde9d86bd0e29fe53

SHA256
6bb687ec2c45ab5dd1447d8a62937f7ee3a94e60cfa38650468fc84ccadbb563

SHA512
5e6302d4401f35665d49deb6479e41864947cb2ba942345e3779c2134c68086a2d973be3879b81da4e969a7d881dbbbccbf027c70d8d3f3a027a18d5e176ee10

Download Submit
C:\Windows\SysWOW64\Nkojooih.exe

Filesize
52KB

MD5
05226ce7dd4970eaa6ef178ce3f7281a

SHA1
09b186ea32ce9fbaef9cbf33c5514e24f20d85f8

SHA256
57f6993bf4f4e597ce9aa21758af1654fcebdb972c42d20ddf11a769d60a01bb

SHA512
0eda14d62028fe314817874c605c7b884ed6afe49e955d9aaaabe764b1ca976b42d73f61abf51a2120d1b12c60f08c328e05aeb3751f7c52d5b1cbba9a25647b

Download Submit
C:\Windows\SysWOW64\Nndlkj32.exe

Filesize
52KB

MD5
3f83618e00bc2a1707a7d226a2453e48

SHA1
90222cd8ce2fdf66c42cf0ce2944970cabb4c4db

SHA256
86a1acf2574295577db79d6153434b419aff3017775e22cfe39e4069159fe53a

SHA512
8ced76659cdecb034c49edc56225ee100cb885469fd1bd58724d9627a9e82e3e58e63a8fabd5d1a68ca5300c9d25b1e1571f83b0fe6310ac7bced124ff673596

Download Submit
C:\Windows\SysWOW64\Nnkiek32.exe

Filesize
52KB

MD5
95d9cd3b644455b1324f6415c60530fb

SHA1
cc069fc79ba100577830c04d9ff1394763cc9fc1

SHA256
d3504505314c1a2ce792b70c106c5898d74823a5b3375cf3eecc055773fa0315

SHA512
c3513cf6fbd976579700fa722650222c85265c37ed23bf55e7c4b0f3dd8e60f0923acf43d757cac1cd3ab2110068458773ab17c1a4de1ef774588e87216cc047

Download Submit
C:\Windows\SysWOW64\Nohijndd.exe

Filesize
52KB

MD5
c8051d7bf69552f2a3db215ab60cca3e

SHA1
79022cffdceb73e895e99a37d8ea5358539d8164

SHA256
7240f21e391daee86f81128a455b5ad56bc94ee4ef401f203140e0c734e0091c

SHA512
be5a64a08dcbf2a68862074fd45e10c055fb625f343a8bba7f6fce80a01a0b5507f6e7beaa8bca062d4f5b724d642fba63852277a0ca6621c8fd907e7213a2d2

Download Submit
C:\Windows\SysWOW64\Nomcen32.exe

Filesize
52KB

MD5
937f31e7c58635fc809092f5b8e15892

SHA1
6130fa55ebf7652586c7c2fa29c33f758fc8b2db

SHA256
98d4a67de6e9ea506c391a934daec8792939a6d8c06095abbae52805ef3e5593

SHA512
40e0bd4a8e110ed0eb9174e5be3f3833ceca301c46a4cb4e1768c0e890c8080a9177338c6ef9f07d8b18fc6ca795f89528d392e069e70c65d100e7835c98eafe

Download Submit
C:\Windows\SysWOW64\Noopjmnl.exe

Filesize
52KB

MD5
259a85081b43e432d2099404f091dff5

SHA1
f43a3b8da9ecf04cbc1266d31b80de70a37bb9f8

SHA256
e6df8dd09533378b42e8f7f9b2bbbbb5cff5905a762cbfb73ceeedb52d9d002e

SHA512
b5c3ff6cf77091aab00367316d989a65aae6a6c9ca3dca51bce62f0c21c3d96d94823f16b5d9036a35aa21078954f5cd8b91f3622a5165fd142abd622143bf00

Download Submit
C:\Windows\SysWOW64\Nqifafjb.exe

Filesize
52KB

MD5
a11c6fa62c477d12ed652839ea048857

SHA1
339effd0c907aad9fb44b35af20141252ebe169d

SHA256
f4bee6de7fab3eec4993cc593ef65a84ade0560a19a0807884c9893cd86edf50

SHA512
21dae2e34222a7c298a99152b15fdc45366b04e5d4bcdedf170a3a8434984b158b6655c2cb9661280f84db71c32ce14bc2d7779a257c78ce8b44020029353fe2

Download Submit
C:\Windows\SysWOW64\Oacige32.exe

Filesize
52KB

MD5
8309c2f5cf6304d93d59f782ba1885b5

SHA1
afcb05af5a1145517a6e610436da9b43967da843

SHA256
7c5c0e762ff65429e3b55fc5098457419c5f39c1e979bcc13e44a14477a3b006

SHA512
748dffc8048a8c069187963776905e389a524703488a95efa711d268361202252d75bead4cd9d9ab5c3dd1fc92c3665a21da829ca294680a2ddc1e1029143695

Download Submit
C:\Windows\SysWOW64\Oendhdjq.exe

Filesize
52KB

MD5
1dc6d5188dbc0a56112e45a07be536bd

SHA1
15fb97ca90e7f7ed1ab9bae22289da0606b615ec

SHA256
4b1b98bd313891c4b38328384e9fad298a48d04caea5a95f4dec68a9d48a8776

SHA512
f81c2fc637ea88e84d05379dc84db996358892b392133bb51e46f61fb4421797e79f17fbf86440708d019de453c5e77b49e5b1f523336013a6054afbd0c7bf0d

Download Submit
C:\Windows\SysWOW64\Ogmado32.exe

Filesize
52KB

MD5
3097939e9e2fb18b0a408cdf62073dd2

SHA1
e889b6b9d6d951711c331b27e96e3f0c9e4c26f4

SHA256
6d48bb00d2a1b40dcee015af2605ea53a949aa4b7e61064d6b2261a640a9ecae

SHA512
94d70c2016d5bb95244ee5ef17955d3592132b45574ece4283282c361d02f0d8bf4b3315574027a4637ce5180fcae4e78aacf5d301d92d11db3e0414fdc929ab

Download Submit
memory/1116-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1116-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2152-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2152-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2260-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2260-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2276-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2276-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-163-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3308-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3308-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3388-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4084-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4548-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4548-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads