51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
Size

669KB
MD5

e0084b4dfe22ec2b31c864b0eb058510
SHA1

c962f2baae655567cdeb7728099beef2b7a409ec
SHA256

51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706
SHA512

e779708998033d5dfdaa8b3527b2a19e9acfeaf1d3a526a1b23fa406be2cf8eb3d496c308b2ddfcb69a476ba32442c8c862bbbc6a6b95ad3e17b0963754ac2e3
SSDEEP

12288:onGPpC7eVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:onpichMpQnqrdX72LbY6x46uR/qYglMi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe

Executes dropped EXE 17 IoCs

pid	Process
3496	Lalcng32.exe
568	Liggbi32.exe
3144	Lkgdml32.exe
756	Lpcmec32.exe
1636	Lgneampk.exe
4508	Ldaeka32.exe
4408	Lgpagm32.exe
552	Lklnhlfb.exe
1620	Mdiklqhm.exe
3936	Mpolqa32.exe
3844	Mkepnjng.exe
3112	Mnfipekh.exe
2804	Nnhfee32.exe
2900	Njogjfoj.exe
320	Nnmopdep.exe
2672	Njcpee32.exe
3708	Nkcmohbg.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1472	3708	WerFault.exe	97

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3496	4744	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe	81
PID 4744 wrote to memory of 3496	4744	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe	81
PID 4744 wrote to memory of 3496	4744	51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe	81
PID 3496 wrote to memory of 568	3496	Lalcng32.exe	82
PID 3496 wrote to memory of 568	3496	Lalcng32.exe	82
PID 3496 wrote to memory of 568	3496	Lalcng32.exe	82
PID 568 wrote to memory of 3144	568	Liggbi32.exe	83
PID 568 wrote to memory of 3144	568	Liggbi32.exe	83
PID 568 wrote to memory of 3144	568	Liggbi32.exe	83
PID 3144 wrote to memory of 756	3144	Lkgdml32.exe	84
PID 3144 wrote to memory of 756	3144	Lkgdml32.exe	84
PID 3144 wrote to memory of 756	3144	Lkgdml32.exe	84
PID 756 wrote to memory of 1636	756	Lpcmec32.exe	85
PID 756 wrote to memory of 1636	756	Lpcmec32.exe	85
PID 756 wrote to memory of 1636	756	Lpcmec32.exe	85
PID 1636 wrote to memory of 4508	1636	Lgneampk.exe	86
PID 1636 wrote to memory of 4508	1636	Lgneampk.exe	86
PID 1636 wrote to memory of 4508	1636	Lgneampk.exe	86
PID 4508 wrote to memory of 4408	4508	Ldaeka32.exe	87
PID 4508 wrote to memory of 4408	4508	Ldaeka32.exe	87
PID 4508 wrote to memory of 4408	4508	Ldaeka32.exe	87
PID 4408 wrote to memory of 552	4408	Lgpagm32.exe	88
PID 4408 wrote to memory of 552	4408	Lgpagm32.exe	88
PID 4408 wrote to memory of 552	4408	Lgpagm32.exe	88
PID 552 wrote to memory of 1620	552	Lklnhlfb.exe	89
PID 552 wrote to memory of 1620	552	Lklnhlfb.exe	89
PID 552 wrote to memory of 1620	552	Lklnhlfb.exe	89
PID 1620 wrote to memory of 3936	1620	Mdiklqhm.exe	90
PID 1620 wrote to memory of 3936	1620	Mdiklqhm.exe	90
PID 1620 wrote to memory of 3936	1620	Mdiklqhm.exe	90
PID 3936 wrote to memory of 3844	3936	Mpolqa32.exe	91
PID 3936 wrote to memory of 3844	3936	Mpolqa32.exe	91
PID 3936 wrote to memory of 3844	3936	Mpolqa32.exe	91
PID 3844 wrote to memory of 3112	3844	Mkepnjng.exe	92
PID 3844 wrote to memory of 3112	3844	Mkepnjng.exe	92
PID 3844 wrote to memory of 3112	3844	Mkepnjng.exe	92
PID 3112 wrote to memory of 2804	3112	Mnfipekh.exe	93
PID 3112 wrote to memory of 2804	3112	Mnfipekh.exe	93
PID 3112 wrote to memory of 2804	3112	Mnfipekh.exe	93
PID 2804 wrote to memory of 2900	2804	Nnhfee32.exe	94
PID 2804 wrote to memory of 2900	2804	Nnhfee32.exe	94
PID 2804 wrote to memory of 2900	2804	Nnhfee32.exe	94
PID 2900 wrote to memory of 320	2900	Njogjfoj.exe	95
PID 2900 wrote to memory of 320	2900	Njogjfoj.exe	95
PID 2900 wrote to memory of 320	2900	Njogjfoj.exe	95
PID 320 wrote to memory of 2672	320	Nnmopdep.exe	96
PID 320 wrote to memory of 2672	320	Nnmopdep.exe	96
PID 320 wrote to memory of 2672	320	Nnmopdep.exe	96
PID 2672 wrote to memory of 3708	2672	Njcpee32.exe	97
PID 2672 wrote to memory of 3708	2672	Njcpee32.exe	97
PID 2672 wrote to memory of 3708	2672	Njcpee32.exe	97

C:\Users\Admin\AppData\Local\Temp\51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51cb76a5402cb19f3c92d924ffa3e344bb8d5b2077b07443c300c5a17a362706_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\Lalcng32.exe
  C:\Windows\system32\Lalcng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\Liggbi32.exe
    C:\Windows\system32\Liggbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\Lkgdml32.exe
      C:\Windows\system32\Lkgdml32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        18⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 216
        19⤵
        Program crash
        
        PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3708 -ip 3708
1⤵
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hbocda32.dll

Filesize
7KB

MD5
6e1cf2745db4a7441930e5c5e6bfc3e5

SHA1
c9c29090bc518b7d59815003ed584a4031a5ab66

SHA256
fd7862eb2fa6d8379a9076e2e24b7d3b9bda352122ae09fb144948201f6d0bb8

SHA512
45a1e066edfdf65bfd100e4ca371c368b60358e2e8eaf6a2b2241e5ab0fb0a0c13798345c6d4721b5e0fcee848dc55ab9d0b287cb170b9216f363d98a6dd953f

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
669KB

MD5
8ff25942894dcd73a1c542ec4747d885

SHA1
ce903c54ffb42b59c0118af7268aa02528f3f893

SHA256
5deaa5ee57511b3d78bf351e7d10deb38ec1c7465e9218f5f276b4f212cdacf0

SHA512
9b6ea4e7709ba70c9756fdb116dd2ca8a5547b577e614179cf86c14a0541e855f787502b4d712cfb64fa5e2e71ae96d8960f85b7e162703120abc3e6e2c0f687

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
669KB

MD5
99f865f4dc56137c9f87c0838adf7c59

SHA1
28f6b4297ed24fd590f56fb94592fa389809a87b

SHA256
556b932c7fd2f14648a88e9fcae46d3e0500804f087303335a9f539b03835450

SHA512
ebe9039aef317b77b732bae0cbf915d36f42f9d996fb03717c927114a91f56a04c0d64a1accbe7ed4c5dfb29722e9c499702dbaee2e7cca4e844ebfede3b8929

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
669KB

MD5
18afb243eefbf8ec9d6f30bf52cb0169

SHA1
63a82b8c9da75ed899a45de9b8a13c7ad8095352

SHA256
d71879d11b4bc910d5ea4fb5ab8e91b3eec269e42843caf90e700558589311f1

SHA512
2c65ce503cce0568307accad512580c76a2e65c1354304afa0234bc880b3cf64bc99b947c560201c599a4f00b33bea89f4f4cb191a5f347541b6b620ca6879e2

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
669KB

MD5
59c83dd818e15f07d8c71ab40a1931eb

SHA1
e20c02baa47e01cabc40f587ef2a2d5495a0425f

SHA256
6dec2c1df6b346b115fada173c6175085ee2849258e71db7885bc9f2ab9a2c5c

SHA512
178f424f2adf733d087027eca97457e14422b6a73f93260f775d3f75687ac40b22dfd66114bbb9ce5f1b9ab5fc860f67c70cbbce47f631c8698169b83ee36a8c

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
669KB

MD5
26842e77ec4ff7e3f2c6a4c10c22fa44

SHA1
c67576c679469f77f7ceb806c528ccb73b8ab99f

SHA256
f0052df4b7e2a94eaaad221a9f569ddfdc48f3d12c2100a4520656af2f8aaf32

SHA512
7226d5c30af94559c9d21caebd62cabd5e1f05c5db5234046d50c6aa99cedee3fbd7c1df8a696a599a7ae9192cf7a1c2338975bfd66bde2d94e96c58ab4fbf6f

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
669KB

MD5
bf224d6f84fcd4b38f375eacf74bf48e

SHA1
d815bd9df9fb03691d1ac0c5934a46b9a74e24c6

SHA256
09944d502ecebedd60f8e2d9d05e9289896916e6ca471255730f3ddc312b89e5

SHA512
e3cd06acfd080ed7a346cc2cbd1173e0394b8e04bba39caaeff581a6c9e00d3e066e087a72e9b55f98078e96b4b142b5f5cd98d4352af8bfb9b047d757feef76

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
669KB

MD5
6137f0793e7a06f1f1094d6f784cc49d

SHA1
674da4a862d602e697e9eb5e25f345e87c810096

SHA256
97e7cbbc9392c08a46fae90e81388c6cbdf9f285460878af62c76df777dc74e7

SHA512
24df49a02cbddfbd8e1377c79a812a844ac78dce83ae99f7803aa41c900afd51a8e4d1ba8a6dbed88a2434ad36d4e7dd7df705cf019754904c1e96f2f855821e

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
669KB

MD5
e204198e53d748fd734590e1cdc77329

SHA1
54964293ea069b4be48e4a86e5849ac7173b0e87

SHA256
3524bf6322efcf04f9309b675254d4611e4b099ddb01c71d1695620213ccb908

SHA512
dca89c1791cbf95901d17984d820292e17893e41896b65b81a9872276331924f02230330793bae2900197557f40b4ed6518354bf0d9c976267fde4fbc5de5bc8

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
669KB

MD5
8e7b002b24083526731a968f50f7b78d

SHA1
5c331241bb29a6e7c3182b94d47693cfbecbd3fb

SHA256
a97ccd8f0d0051aa70a02d25b392aabad02723576be437b5f48b3d4dd3161450

SHA512
270c7719135cdcb19b6449f5def92317603743b4ab550ff7b5f059bc23368c63f53d493841254d3916b985289729e82346f12ef628e9c7b452580008b95a356c

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
669KB

MD5
4c7059aee1076815b2ec50a6ec7f378b

SHA1
cbb1f9519cf5fb5eb445ac0ee161e59abdae3722

SHA256
6dce114c1ccf5ab2a48e22cd788f6afa9f0abe404b0160ae9c2d91250bb19ad6

SHA512
83537de64ed302aec8924ae2535ecf0812a0d9fe0ede8d0bff8538ea9ad0dcaf0a30b3e39d09cb092df8965c7023027732de19c4ec1cdd3cec9398c4cb1398e3

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
448KB

MD5
70f2008d34e3630687903f748c3914bd

SHA1
14d939c668be8cecce2181a5e6da7132447c09ac

SHA256
3fafd5751a330b8d35b4546740d0934c635cbad105d4173832afe15b4cc2f17d

SHA512
6f0d80ac590701c9fc31ce65b67e6b2aef8aab204cd31c0f9db46b88c5a48d55129258f683729afa90950bb7fc690faf25a45f8db7659ed1377a347702e6991b

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
669KB

MD5
1cf6235e914a72b386741f6a49523d2d

SHA1
e57ba946c448ceec8304a75a025d23885d9ea2c0

SHA256
ec9155b532567816fb7381145e7038d74267148796f8d4d7e958c68ef99bca6a

SHA512
8210b1ecea25392bb8fc45a5742a71bac986bd96f2cc849adfd998cbe50cbf16ca9a8c302ef2a613f1cfa47b7f5ac0ede01b86e713539dddc8d8afd86e075c40

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
669KB

MD5
aa66c976499550083be641c656106ed7

SHA1
075221e28638ee58687e68a2ece23e2dcc1c21fa

SHA256
7b967fd0f22128449a71e1d1d243283e23e9e3677aaa17f288c1f72d54bc44a7

SHA512
7c35e673c2cc871e6c58625a0a38918ef56e222686342fc5b660c6c3907ab2ee435bf3776f5f7fc16dd252969ca4e6d37a81b62e32a860642a82c39d0ef76315

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
669KB

MD5
1866b7711337b057d889b6304a46c8cd

SHA1
0f29b15ce385af2203f1272ec00bc89d5f8816bc

SHA256
37aa933d31a9041303ac6fbc1517feae73d8659720c2be41d7c0352918c480a5

SHA512
b57ad7dff1eeed313393f0166b9978085b1a06137c42323fdab957e66dc9c8429f3bc319c8463195617081fc5f81d21131e7a9091206dd09bc5eb84754e378df

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
669KB

MD5
e3bbae348ef3379286bef835303330a1

SHA1
e63a7f915944381e6a5a1f8c7256e57d30056680

SHA256
4b5cd8fbd9b524828f8bf9ba14e37632d23902b4fa427cbd006cbb7238829a83

SHA512
6f64e1877cef27968b6867c9b3588ebf1bc0b9ff4a9ad4768e6f1176275e8127989e8f88a0eb8e89dca3ce7f54cb464d1cef15613015f2b12f0b95ded08c464a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
669KB

MD5
c8e9610574b380aead0959613eab0c99

SHA1
a37a49d7486c6c7f9950091b77c3e2d8faa167f8

SHA256
99b66ad9f85cd473895e2b907d4ae1a8c1f45e16bb401461371b4225a9f98766

SHA512
a8c76202ed47a56770744c3fde22c66c7c67a88f919729c581b36c26367a5b665cc009f66bbf527570d291f8af2d734b2551536b2023acbf1cd8abb60cc49c92

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
669KB

MD5
cff6527a84c874bb802148e059bea1a8

SHA1
d94c20b1f4ff5ca46db1b8fb8afbed932d394f43

SHA256
2d3e3c31ee16f2643d1f55a8202881e73256918c8ce3e07b18dcd8436d64f7be

SHA512
d9c763f22f2a52866b076e3f1d283c030b28e44231e081c42395284ccdf7b6bda521c2d45b304c7fe6b1672973f67ad4e347f79e9f56229c41c11220235d7ee1

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
669KB

MD5
5b2840d0fcb4c029f246caee66fa3b9b

SHA1
74c3ae71e8262d80391425c1791269e5a51e36c7

SHA256
fef97beaf1cc675c7d1ae53e071a15590140f8f9c709b4b83354c5e844aae8bb

SHA512
5873a82a1913562bf81255a0b7b6a2d58e9ff26b93a5aad422a787d2dcb13eed1979683732d90e8f5984e303090d896165e04bcab142405e0788c0dfc0f49783

Download Submit
memory/320-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/568-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/568-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads