c466057efbcab0f813a357546786aebd5b9b163b7a446877b791f61b19d6ee5e

Analysis

max time kernel
0s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
Size

81KB
MD5

058bfdd3e8d1c30f4ccca5035dd8ca30
SHA1

b7317521cd84e5285abcacf6d553e7133a537a8e
SHA256

c466057efbcab0f813a357546786aebd5b9b163b7a446877b791f61b19d6ee5e
SHA512

c6170c601cbfbf0f1c2533bfcbc18c6fbb3e7de4503247432172ab3208b63603c25b2029900c97661f90dda9d59d15b041bc6a4812468d32c4d135f070755ffe
SSDEEP

1536:BU0Jga6DjIGNvsIaI2pscWl/cjk1AMqz2sbazdDQq7m4LO++/+1m6KadhYxU33H8:20GPoG26EmAMqzBoQq/LrCimBaH8UH3M

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe

Executes dropped EXE 5 IoCs

pid	Process
2792	Mncmjfmk.exe
3944	Mcpebmkb.exe
2640	Mjjmog32.exe
4428	Mpdelajl.exe
2140	Nkjjij32.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3192	376	WerFault.exe	100

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2792	2088	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe	82
PID 2088 wrote to memory of 2792	2088	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe	82
PID 2088 wrote to memory of 2792	2088	058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe	82
PID 2792 wrote to memory of 3944	2792	Mncmjfmk.exe	83
PID 2792 wrote to memory of 3944	2792	Mncmjfmk.exe	83
PID 2792 wrote to memory of 3944	2792	Mncmjfmk.exe	83
PID 3944 wrote to memory of 2640	3944	Mcpebmkb.exe	84
PID 3944 wrote to memory of 2640	3944	Mcpebmkb.exe	84
PID 3944 wrote to memory of 2640	3944	Mcpebmkb.exe	84
PID 2640 wrote to memory of 4428	2640	Mjjmog32.exe	85
PID 2640 wrote to memory of 4428	2640	Mjjmog32.exe	85
PID 2640 wrote to memory of 4428	2640	Mjjmog32.exe	85
PID 4428 wrote to memory of 2140	4428	Mpdelajl.exe	86
PID 4428 wrote to memory of 2140	4428	Mpdelajl.exe	86
PID 4428 wrote to memory of 2140	4428	Mpdelajl.exe	86

C:\Users\Admin\AppData\Local\Temp\058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\058bfdd3e8d1c30f4ccca5035dd8ca30_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Mncmjfmk.exe
  C:\Windows\system32\Mncmjfmk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\Mcpebmkb.exe
    C:\Windows\system32\Mcpebmkb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\SysWOW64\Mjjmog32.exe
      C:\Windows\system32\Mjjmog32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        6⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        7⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        8⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        9⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        10⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        11⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        12⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        13⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        14⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        15⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        16⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        17⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        18⤵
        
        PID:376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 408
        19⤵
        Program crash
        
        PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 376 -ip 376
1⤵
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
81KB

MD5
c571052273348e4753c9be4f757c40e4

SHA1
64fe9a59000944cedffe006388db281eb6a875ec

SHA256
39d183119408fe0fd1f93de90e0f764c363d2530babfb7f2f1a4b63c885e1074

SHA512
be05e999bfccf6446e58d9b836f9cd6dbee3dca49f4b02e52120861c589ac6dfd23ad59224b1d4355442014c624e009e82d367650f83096aba9e5f5c7c12f03b

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
81KB

MD5
262330e0e1e7b0c5e7595064445bb8e3

SHA1
c2d23494e4eb17e47ea8085808a6316cc5b23349

SHA256
86ac89d424113b21e3485b83d70f37fe9e96ba82bb3d0540c35c7eb4d730ccea

SHA512
8839f20eb877b3d8dd2ce700d5a41870c2f143033e08a813133a0fa2ded32c80724a911bcb853dc78221caeb6dbd9cadb7b693351325a8426ff3e747f0520522

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
81KB

MD5
39e878e2162132eaaf1e225055dee19d

SHA1
9755fe43f2d250e4d703fe542b15db3117152e7c

SHA256
d2ae461f947226195cf746170dd0bb49fff59d52e79682aeb38c61cff63937cf

SHA512
9b0e40faa5e847a85bfb3102ade9e587669fb7037be60dedca627134c2dccbd7bf28cc6c15398953d738dc520731bd5fc29e9d8b6afe1efb8a498a13a8c708b1

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
81KB

MD5
4309d524f168cba043acf2a452605749

SHA1
307373a4b9b63cc1cec8c139ca57ce1f025af503

SHA256
a033199ac20d8331172c867228401ed8618783ef086ccfa0fce9bc24f2845c4b

SHA512
e288e652d2dd32b9055e3048c7f2b43fd1f8e317e3bf4525ee54784f156db4a17087064de1ba69a205baeb1cddcf9485b40007a57c12df28c2742a7a4c253f4b

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
81KB

MD5
1c67cc69d0fc862f6334b3984502f467

SHA1
370cdaf60d6476353675cea3db50bb38c20966a9

SHA256
0357597c422c4cacec702078626095720f38f626d42c3ff897da01c90f34be91

SHA512
fe3b73746cc5a5ead62201499663f4d8bc6f65c742705dfd4a3d91b423192c0628ac884913c6f1e5c8f8735ba0b449f4e0832d2287f0d663b037ed60165a2989

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
81KB

MD5
4915c4127850df9504907c0d809240fa

SHA1
44637779be136a1e1f2fab8e7478423fccd16c8e

SHA256
abd6bd688a07de6992ffda031b5510df52ddc8d2a5c999bf80dd2ebc7f1b2f74

SHA512
c8e434795140715941ad086bdb624c1d81d21a8ede0b76ff74f1705b4757670e309f31f2efdf2d6fbdc6cc4e02c5951d53eb563d69db9d5dd28dea0c9c0b1abf

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
81KB

MD5
e02328b8eec1691400fd1e161c1c2205

SHA1
b314349d4cc24d54eebaa04fa63bd870b0780d6c

SHA256
87d6caa812a895abf1d4cbf85d7c9b9d8c91eef03e23f22ea3a15a241c387a7a

SHA512
08668e178df0d3f978b2fbd8cc28a0bcdd846cf5991905299884cb1b540c6b2f2a9826c28929af98249e2f96025786029f9a8e8ca61d8781ad88668906088331

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
81KB

MD5
87e27f9fc7e017e119c483971ea0cf45

SHA1
2ad571a48539c9b6df08555ba7c9489fc3db8c7d

SHA256
98edaa7e8c4ef9d06314394b5cc7d7f4735c326d3ead7e474c11c5b0f925aa16

SHA512
dea8a9e9e3187f698b567fa5d136c7df53eb0cf381b1c8b6e15152868e5e9a47a5f86b9344d8b255df105ed86886a86db0340ac2757942e4e8c81821ba6ebeb4

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
81KB

MD5
3e9f7080bbba46728d6aa16dd80652f9

SHA1
dc3357f82be9b4f5eae191f65eba3a94f783e5da

SHA256
fc60bc4914ac05041e8a871b879a41a05fdc8a5f78b52b384d31a2f4a39925ab

SHA512
8e32cb9e716be8c744d3ddde11f7bdd80371a1ec6fdda6873e33f449b758ff176db2a194b6020a7b495ab35bb68fbdb7171728d1ca9ca185c515a21d4d1a2ab4

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
81KB

MD5
dfcbda648fddbc8ae45f74eddc20c8f9

SHA1
adba723184b2798e03cf427a05fa7641496166f9

SHA256
fe57e1b0264793a1c83adecf356102834cde6958b325d7126a9661a3e577177d

SHA512
c6e333d88467ebb29cd1a717cd44b537fdac7b97a220b2a9a691ae0e76eec9cb263c1cd1e74d68c27f67e32a2949b3a83f6e4999e2bdeba5a8b40c4d76b2dda8

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
81KB

MD5
b659a6dd656fb5bf29e2ecec40f52864

SHA1
b564a9e1661206fd82484748d82a99eafd6eba99

SHA256
af9a28bcc76842dc46c3f3c1ffe045766c60462a8d678976e4fef3231f4d1bfb

SHA512
1ae5ebda1b5a889348b1feff0c923a907b50bf33124d7c195f0c43f6d42f776d0c6e66e98d4ba68d2cc89222fc22a75ed76249ebf7482bfe800f0482df369d4c

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
81KB

MD5
0f8752e99252625516da592979953ce2

SHA1
f2eabd8bfd6186dbfba12cb6e013aea64a5be631

SHA256
824ffbc8e2851df65eeed1034a2fd70e5e0f42776ffc0b492c5d12661d0357d9

SHA512
05b0cb1516b35cea653618c63787b7826335a75212f86bb657debf1e674dbe38400874ac938fec89003d5621bc2976138fda26af3cafff7c714b6f11b0a51f13

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
81KB

MD5
92f8370cf88e102dd1e2a4140e071d24

SHA1
add8c12b673a5043f3fb6b08ec992faf07d1e39e

SHA256
2d5d31f42eddfa4a5a0dfcb417ca437c734b50ff0965d9e07886cd17b4f9a2af

SHA512
2ad0e6be959468c3f84b84f4920997d399bacde538bd988d6a12174e2c805958802d0a54c3f2905a7ddb9e19a983aed8b56fa275cfab25376fa9611506c8065d

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
81KB

MD5
4f2b1488f6e93acc3b3a794d84825ecd

SHA1
2f912e27da14d27aa0fab56fc4cc32428e77a85f

SHA256
6fd64b4cd720be0c3c8e30be869a259647fde122d96e325c3340034a5f5e22ab

SHA512
cd1d0221bbda198069a1135b97c5629de71395b17229429d3714e615577eb3cf80b5c5cbddeb79c91ea5ee4d04250b7f7e715358783951843720bbd56e36953f

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
81KB

MD5
9a16ecf556e58f0758c3e2af0bed8286

SHA1
f400fba17178102776f696b28bdc2958f102f0d3

SHA256
08acc63bc60fa0144c519d9891f3de99435a4fa730e1c29228033643a05573dd

SHA512
664190205f89fa388a10f6e5391462a0b14f1db14ce9c766f829ea75dbcd818a75110fe9581073c70c8684fcce27e3997601b0e4a8b40761b02ffd6fe2983543

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
81KB

MD5
0db7e5b891de67d097ca94fe412b300e

SHA1
91b7f7e1eab276d362d893e8036e9f43f77d2c6f

SHA256
a793ab382d91b5ed839146d80cc6894cf95c6895549b34509495b373e434b94c

SHA512
7331992287eda331d325391ece661ec7967d4663afbeba47728132b4a0e381ffdc79057e6e49298cbd4547fe47fa1781c324ccd664bd59fd54c3fc901d7c5e53

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
81KB

MD5
54434800f9d462bfbc5bd45baa092f75

SHA1
fe9662525bc555d27f545185430d0a943f73d168

SHA256
dfe0268d6d573b71538d80034aaffcf74328f9b4b0a2f7ca1beff2fd26e567c5

SHA512
1f1e8a4ec4dc280ac207ee4682f5a21f7e02d4b86e7f966f1007fb3437bb002862076e569a1e976155ebe1ccf073e1c28309825abc9306a88406274d13a2fccc

Download Submit
memory/376-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-3-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2088-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads