8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
Size

592KB
MD5

c6fa018a88fe1bde7aee8ab7a3a1f9b0
SHA1

258ad19bb0500012ae515cd28375f5ceaba1a688
SHA256

8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7
SHA512

a7932c39b05c2f085e3c312e936b6d9ef46b08000272c65557cc5ef86df5089662de5aa3564daa1acf7cb268c0d5849c35d901f4eab2cf32a778b196b7ae5fb7
SSDEEP

6144:97XC85dFF8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqk9a5:b5d87g7/VycgE81lgxaa79y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe

Executes dropped EXE 18 IoCs

pid	Process
2352	Nklfoi32.exe
348	Nnjbke32.exe
4560	Nafokcol.exe
1868	Nqiogp32.exe
4240	Ncgkcl32.exe
1336	Ngcgcjnc.exe
4556	Njacpf32.exe
3432	Nnmopdep.exe
4192	Nbhkac32.exe
2740	Ndghmo32.exe
4324	Ncihikcg.exe
1892	Ngedij32.exe
2268	Njcpee32.exe
2280	Nnolfdcn.exe
2920	Nbkhfc32.exe
1960	Ndidbn32.exe
5092	Nggqoj32.exe
4164	Nkcmohbg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process
2032	4164	WerFault.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 2352	4932	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe	81
PID 4932 wrote to memory of 2352	4932	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe	81
PID 4932 wrote to memory of 2352	4932	8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe	81
PID 2352 wrote to memory of 348	2352	Nklfoi32.exe	82
PID 2352 wrote to memory of 348	2352	Nklfoi32.exe	82
PID 2352 wrote to memory of 348	2352	Nklfoi32.exe	82
PID 348 wrote to memory of 4560	348	Nnjbke32.exe	83
PID 348 wrote to memory of 4560	348	Nnjbke32.exe	83
PID 348 wrote to memory of 4560	348	Nnjbke32.exe	83
PID 4560 wrote to memory of 1868	4560	Nafokcol.exe	84
PID 4560 wrote to memory of 1868	4560	Nafokcol.exe	84
PID 4560 wrote to memory of 1868	4560	Nafokcol.exe	84
PID 1868 wrote to memory of 4240	1868	Nqiogp32.exe	85
PID 1868 wrote to memory of 4240	1868	Nqiogp32.exe	85
PID 1868 wrote to memory of 4240	1868	Nqiogp32.exe	85
PID 4240 wrote to memory of 1336	4240	Ncgkcl32.exe	86
PID 4240 wrote to memory of 1336	4240	Ncgkcl32.exe	86
PID 4240 wrote to memory of 1336	4240	Ncgkcl32.exe	86
PID 1336 wrote to memory of 4556	1336	Ngcgcjnc.exe	87
PID 1336 wrote to memory of 4556	1336	Ngcgcjnc.exe	87
PID 1336 wrote to memory of 4556	1336	Ngcgcjnc.exe	87
PID 4556 wrote to memory of 3432	4556	Njacpf32.exe	88
PID 4556 wrote to memory of 3432	4556	Njacpf32.exe	88
PID 4556 wrote to memory of 3432	4556	Njacpf32.exe	88
PID 3432 wrote to memory of 4192	3432	Nnmopdep.exe	89
PID 3432 wrote to memory of 4192	3432	Nnmopdep.exe	89
PID 3432 wrote to memory of 4192	3432	Nnmopdep.exe	89
PID 4192 wrote to memory of 2740	4192	Nbhkac32.exe	90
PID 4192 wrote to memory of 2740	4192	Nbhkac32.exe	90
PID 4192 wrote to memory of 2740	4192	Nbhkac32.exe	90
PID 2740 wrote to memory of 4324	2740	Ndghmo32.exe	91
PID 2740 wrote to memory of 4324	2740	Ndghmo32.exe	91
PID 2740 wrote to memory of 4324	2740	Ndghmo32.exe	91
PID 4324 wrote to memory of 1892	4324	Ncihikcg.exe	92
PID 4324 wrote to memory of 1892	4324	Ncihikcg.exe	92
PID 4324 wrote to memory of 1892	4324	Ncihikcg.exe	92
PID 1892 wrote to memory of 2268	1892	Ngedij32.exe	93
PID 1892 wrote to memory of 2268	1892	Ngedij32.exe	93
PID 1892 wrote to memory of 2268	1892	Ngedij32.exe	93
PID 2268 wrote to memory of 2280	2268	Njcpee32.exe	94
PID 2268 wrote to memory of 2280	2268	Njcpee32.exe	94
PID 2268 wrote to memory of 2280	2268	Njcpee32.exe	94
PID 2280 wrote to memory of 2920	2280	Nnolfdcn.exe	95
PID 2280 wrote to memory of 2920	2280	Nnolfdcn.exe	95
PID 2280 wrote to memory of 2920	2280	Nnolfdcn.exe	95
PID 2920 wrote to memory of 1960	2920	Nbkhfc32.exe	96
PID 2920 wrote to memory of 1960	2920	Nbkhfc32.exe	96
PID 2920 wrote to memory of 1960	2920	Nbkhfc32.exe	96
PID 1960 wrote to memory of 5092	1960	Ndidbn32.exe	97
PID 1960 wrote to memory of 5092	1960	Ndidbn32.exe	97
PID 1960 wrote to memory of 5092	1960	Ndidbn32.exe	97
PID 5092 wrote to memory of 4164	5092	Nggqoj32.exe	98
PID 5092 wrote to memory of 4164	5092	Nggqoj32.exe	98
PID 5092 wrote to memory of 4164	5092	Nggqoj32.exe	98

C:\Users\Admin\AppData\Local\Temp\8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8fa61464c4e37d661dfb081db46abea0f7352991561a99783d96478d0b5bd9b7_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\Nklfoi32.exe
  C:\Windows\system32\Nklfoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\Nnjbke32.exe
    C:\Windows\system32\Nnjbke32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\SysWOW64\Nafokcol.exe
      C:\Windows\system32\Nafokcol.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        19⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 412
        20⤵
        Program crash
        
        PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4164 -ip 4164
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nafokcol.exe

Filesize
592KB

MD5
fade91b62f9e99b8b6ffc1a7264c500b

SHA1
ac0c10df2996a99ea9cc3abe427e0106bcacf856

SHA256
20f2c23fec63042c63185ff3b74af5d164d16ee01fcb78e00fb384f9dff7a8bf

SHA512
1773fd69e136ab2433d5065c974469b072e914e3952d31a506c27a0620093d5dd82a46453058152ee969ab53af6593b5a35e2f9f523ba0caa9bec2c5bc380597

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
592KB

MD5
970ae776abe804b55be727659659d976

SHA1
af118b318a6f114b6c23a912a8c7c729459d7a1e

SHA256
c67ebac1f69a9ac714f20e4b02221bade3808d242e9fb988d31d7f0f6ee3d1af

SHA512
06b76fe4b590f36c1d03d605af425fb04a2f8449946304761c983c093a83f3a9fba05ea3ec26467b519feab28813fb61ae2899a43e09c0e8347bceb0c9edef61

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
592KB

MD5
28fe15aa7dd89a7322fc2a99d7b6afbd

SHA1
f57369bdd5398318690ab7a5e0bddcc72b91061b

SHA256
020def1e4679a4617a0c66550b7f57415942f910b0738f5da0e3400cc932fbb7

SHA512
2111969dc0ab5fdb421105e625e8c7a4138b23258e6af3c78c9ec259b808edf7c0a17cf85a4c3e590a08a3a402ab1bd9a15484105d8430427bd80136c330e21e

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
592KB

MD5
ca95b765ee07f8208a70dcc95ac78e86

SHA1
7b2aa5e73451969bbc911c9f0606942b4bba01d5

SHA256
f0e644ed145564ea07f65be229e6d22d6f8f711c999d0dfcb4cde63a0bbfabd5

SHA512
ee7c4be3d11533fcb4914df7054dc2d52d84d5a42f915e0c1b95810575c21ef3f51d56637ac13391b49900a9f1ac0ef31d2d93935ae36b8facef378d325d657d

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
592KB

MD5
13293eec689d914948c7c8bced77edbc

SHA1
21bc0c34805833875f0a829a47522b7c68df262b

SHA256
1af12d68a9345228d5910ed37546db24b9dd6bf31985c016339ab803bb9fdbf3

SHA512
100f353d4694c9ae0192ee9fad10b48eabd1bc004448c8fc4bb027aa4120fbda1d80810eda8ccae217c2f6b51f629688f30f6ded81b2d43042338deedc1ca3ab

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
592KB

MD5
68bf06ab937d38a317cd53b4f543ddaf

SHA1
cf00fa2a3d8d6a27f43fe2bcf49fc478e9d227e4

SHA256
44257bc71e4fad652c9312a079299d8f3e31d62a0f90e45c1dc1d93a1f6c38c4

SHA512
997811a1fb151c0c7350e803077ffa240f2aef698a658c854fdc78378b6e1dbbd9c7be55f2b5aa07e1a58951033706389f781ca503d8402525233e8ede2a9f69

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
592KB

MD5
458f1f3108e0f24e0c9967a6f4888989

SHA1
fd50d94df626e2ee992601cbc9f25ea69a1fdfcb

SHA256
7182c7aa19c417e8f11faf8bff24144deb429c2cd8663c7ff1134af1d905081f

SHA512
a5650a2ab7a31fb15679d0072c714f0edc018a602f5c35a8a671451139cdb87abcb017b91fae382eef8213c4d41d1a7d41344215a1a0e17a8cf69ae710f28c09

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
592KB

MD5
c5ba4d29a755733a26e8618d04132df4

SHA1
2f6904d41f2da890fddcc6cd1c81e55caf5fb186

SHA256
0d11e53c10c5896f896c1666b5f634379c5d8d7cad2e37dfb55f124f10bd6693

SHA512
99d628bc84fb00278330f23baba0bcf49efe583f0605a25782901f684d9587c4afb9012a23cdb571d945bcd4f5567ac24b7fc6d7a995eb375d04d1b94372c753

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
592KB

MD5
328f24b6e8819c7f0b5e8bcbe3b7376a

SHA1
6798e84f33a326decc65c01ef84f41743dffecee

SHA256
27b8ff72c7ffdb541f58f7fefad420a89a63c0bfa3351ce6a24f01217d2be2b2

SHA512
f337e4da17c47b92a5fc8d469fa9d4385ed7a1f4bb2a7a752f6cfb1c4a948bc52c6d338876a535123da4db62c251b4da1d56c10c58b18b21b776be38c7a97103

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
592KB

MD5
1a1b09224da9272c1cd28153c8c1c624

SHA1
6294c69db0399fa6c0e75265ac12eae7050f2657

SHA256
455a4de6017824fc0a2d09052fd734c8deb7296976fbb777b507bf6e6e167fb1

SHA512
43863d5c4fd8b851449e189d4c44bba7aa5586f06ccb1fcc70cdc774579371225be3c462d55c5fc06e75939cfc5ea7aac669f98ae32210bc0d00776898590f5d

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
592KB

MD5
685c8db9efcea85322ee803bd29554fe

SHA1
f938162d3ca5b268985712bd05ec3243911b5195

SHA256
38cbfd7af4b6b9819135d01315a2412ac59859a0d76a4bd9dea6addf530d3c24

SHA512
43b6b98eb0f33446ebc2b45d43ccc1c4342b4002912a9e4e222ac7d271fbc3f68057eaf432710e0faa29dfd7dced680799da8933e965e4e7e4ef356d8a365601

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
592KB

MD5
61bca7b5720ad8fe8e541e1b783b662e

SHA1
72fe7ea3ef0b0fb6bdd46439102527270f0ccbd8

SHA256
8aaec40a538ade36ee7a88e12c6e243346a141f2f599452c85ed1feeed3764ab

SHA512
482d48bbca79e548d63ade58811957a1958e6332b4e6838678ebbd43a7f9c62c92634934ca08b1ac29353e5d4da5fd07edef9ae59b440fc48f2ec5cef8332357

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
592KB

MD5
1042b014bf12c5dee1284b54dfa5b72d

SHA1
9c048587099595f62549c5827baf997618ddd9c9

SHA256
c0943963c8a4b0f3989219f79b23ea662c164e26003e7c8f739e83ade3a8a879

SHA512
74c59b48711105c4093308f833f381e803e2cc8bcea6511d2314a941103cc1ed634f8ecd4c3afb5dc2899cad22eb6d29ba6325ba462fd38972e95718115b795f

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
592KB

MD5
0b05e9b9eeed955a449cec60ed2dd6af

SHA1
f610c6c6ddec7f4ac114d5e0d027fbb90684af5c

SHA256
c69754592cd18ea7072dc38e1885f34bf5ee7b7d69d79f97d70786f8757ed32b

SHA512
ea2f7b1c97dff72b8b0445fef97f56056d661ebde661892c2b1209ba0790ca4c0125b8a5f72b5b8e6cdc65672dee525bab6b165a8981914d9998ef64bc5c842f

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
592KB

MD5
9652da705a2ba97880e384dc6378258c

SHA1
a39b314789bd74d72accf160dc0200110fc059c0

SHA256
40a18762b28fe2f2afe65820a660be4d7d9e68df0d4d99c8cd82d3b294d7f952

SHA512
714fb87f59b5b2300242b017c838a111c08ef00742cb0c1ddaffd31cf97633fe50701ba7543b658fb4a92635764bd56190322f41764246f1d39730b38d9234f2

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
592KB

MD5
b41b31fd777ee0dd18c81945a2490039

SHA1
96f35e3a2c982a9aa311e83742ef2339a7b260f4

SHA256
a1f5720635523025877caa5e8d0eeff41d77b350764bfa2fcaa0b722daea2654

SHA512
4ae5f9dc63a9955815c1f38fe8f4ea85b40a306e9a40445b944c0c40cebc4ed208c83bee97aa598604a5d2ae2c95b07f3ff438d0498d29fd7783be989041901f

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
592KB

MD5
82e6213c6b99846ad05245e042b126d7

SHA1
ed10d70aace25657894eec2dc5e86b571862584d

SHA256
ab327219857ac43405b2ad9b97ac034477088a40c38be2789d7c4149d208b84c

SHA512
2cc3088e40c7e17ac75743eb7f602866202ae59c24eaefbfec45fd59d72227ca7ed349491cec0194175c2bb4f5c2e31a5f931f1fd9a7b6a335896bfaa94904da

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
592KB

MD5
370a8c017618975641b5e2584adf6cb7

SHA1
50e4be4ae13f6d007b4bc25c05ca17f866fcba27

SHA256
4bab67218e8bd8a8c848d19aaa0f84ee1a4d86148045aa71529d6ac5ec81e35d

SHA512
784e8444e9b2ab1b14749741111f5a3ada70bb70cbccb1fcbd014d0e48379368e3368d732d45706b75ec280904e8cb7aa54ddc7a29cd049d81a2af7ec307aafb

Download Submit
C:\Windows\SysWOW64\Pipfna32.dll

Filesize
7KB

MD5
b26d0b55d838ee00797b209f4755856f

SHA1
817ff2a64c5f3bbb46f949246d9c4874d36e3df3

SHA256
8a15f51d2748023ac694723117cf3d0afb2432026dbd81ac160b0c4705e03f30

SHA512
848a26e0d4b5bc8d3d9732539b5c61431874775a9d8f2b24eecb64b77d87d9694fb88fbf8b3cc968a3d3dd1df4b10679099fc630052a5d41861a6d4cf2eed3a6

Download Submit
memory/348-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads