332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
Size

144KB
MD5

a5e437feda0428d2400c9b10a73da390
SHA1

20cb26c7d0a9c9e11d67ff7eaaff9ef7245a3f5f
SHA256

332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5
SHA512

e5d9cb0c29282eec6b4476147fb905f4d62094849515291ee1f1b3e6d28f765badd8f7a3429bb505ec9c2a22074b53a0cc0efd87f3fcbbd58e1eead6fd4d631b
SSDEEP

3072:i3evw45VvHQkgr+HcMQH2qC7ZQOlzSLUK6MwGsGnDc9nhVizLrId0:dXHbHcMQWfdQOhwJ6MwGsmLrId0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ndghmo32.exeNqmhbpba.exeNggqoj32.exe332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exeNjacpf32.exeNqklmpdd.exeNjcpee32.exeNbkhfc32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe

Executes dropped EXE 8 IoCs

Processes:

Njacpf32.exeNqklmpdd.exeNdghmo32.exeNjcpee32.exeNbkhfc32.exeNqmhbpba.exeNggqoj32.exeNkcmohbg.exe

pid process

920 Njacpf32.exe
380 Nqklmpdd.exe
2624 Ndghmo32.exe
752 Njcpee32.exe
2260 Nbkhfc32.exe
836 Nqmhbpba.exe
860 Nggqoj32.exe
4484 Nkcmohbg.exe

pid	process
920	Njacpf32.exe
380	Nqklmpdd.exe
2624	Ndghmo32.exe
752	Njcpee32.exe
2260	Nbkhfc32.exe
836	Nqmhbpba.exe
860	Nggqoj32.exe
4484	Nkcmohbg.exe

Drops file in System32 directory 24 IoCs

Processes:

Njcpee32.exeNbkhfc32.exe332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exeNqklmpdd.exeNdghmo32.exeNqmhbpba.exeNggqoj32.exeNjacpf32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3608 4484 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
3608	4484	WerFault.exe	Nkcmohbg.exe

Modifies registry class 27 IoCs

Processes:

Nqmhbpba.exe332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exeNqklmpdd.exeNjacpf32.exeNggqoj32.exeNjcpee32.exeNdghmo32.exeNbkhfc32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exeNjacpf32.exeNqklmpdd.exeNdghmo32.exeNjcpee32.exeNbkhfc32.exeNqmhbpba.exeNggqoj32.exe

description	pid	process	target process
PID 440 wrote to memory of 920	440	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe	Njacpf32.exe
PID 440 wrote to memory of 920	440	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe	Njacpf32.exe
PID 440 wrote to memory of 920	440	332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe	Njacpf32.exe
PID 920 wrote to memory of 380	920	Njacpf32.exe	Nqklmpdd.exe
PID 920 wrote to memory of 380	920	Njacpf32.exe	Nqklmpdd.exe
PID 920 wrote to memory of 380	920	Njacpf32.exe	Nqklmpdd.exe
PID 380 wrote to memory of 2624	380	Nqklmpdd.exe	Ndghmo32.exe
PID 380 wrote to memory of 2624	380	Nqklmpdd.exe	Ndghmo32.exe
PID 380 wrote to memory of 2624	380	Nqklmpdd.exe	Ndghmo32.exe
PID 2624 wrote to memory of 752	2624	Ndghmo32.exe	Njcpee32.exe
PID 2624 wrote to memory of 752	2624	Ndghmo32.exe	Njcpee32.exe
PID 2624 wrote to memory of 752	2624	Ndghmo32.exe	Njcpee32.exe
PID 752 wrote to memory of 2260	752	Njcpee32.exe	Nbkhfc32.exe
PID 752 wrote to memory of 2260	752	Njcpee32.exe	Nbkhfc32.exe
PID 752 wrote to memory of 2260	752	Njcpee32.exe	Nbkhfc32.exe
PID 2260 wrote to memory of 836	2260	Nbkhfc32.exe	Nqmhbpba.exe
PID 2260 wrote to memory of 836	2260	Nbkhfc32.exe	Nqmhbpba.exe
PID 2260 wrote to memory of 836	2260	Nbkhfc32.exe	Nqmhbpba.exe
PID 836 wrote to memory of 860	836	Nqmhbpba.exe	Nggqoj32.exe
PID 836 wrote to memory of 860	836	Nqmhbpba.exe	Nggqoj32.exe
PID 836 wrote to memory of 860	836	Nqmhbpba.exe	Nggqoj32.exe
PID 860 wrote to memory of 4484	860	Nggqoj32.exe	Nkcmohbg.exe
PID 860 wrote to memory of 4484	860	Nggqoj32.exe	Nkcmohbg.exe
PID 860 wrote to memory of 4484	860	Nggqoj32.exe	Nkcmohbg.exe

C:\Users\Admin\AppData\Local\Temp\332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\332652817bed020f4d3550def3681c85d331ecbed8c545ad2011975afc3f7df5_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
9⤵
- Executes dropped EXE
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 408
10⤵
- Program crash
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4484 -ip 4484
1⤵
PID:4816

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbkhfc32.exe
Filesize
144KB

MD5
c06e51613d435490908c3f55a47f0cc6

SHA1
7b01caef16fef0ee4f0b296dc050f367a46f5994

SHA256
6651a46bcfe5032bc1ec2666d0ba80322a89811962a8686c121624f7a066ee47

SHA512
0fd5e63b72a1d14d775b0e04a8f73126939af66a9392776ea6954967750820838a6796c5bb64509ee176c22dc1deab234e6c5889872e542c22335c27cb92831e

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe
Filesize
144KB

MD5
359f259deb7d42a4da8aebd8a049df78

SHA1
693c42b6809a1de225d8827b6422e5e6d13d2d31

SHA256
94fa0da440650d45dfe59b7628b793f4e1d9837113c2a9784c7766ea3ca2d3f4

SHA512
b8a32a6484e67a69ef863ec8fce449ef8d2114a129d78748db7b1523abc09296e21bf387cf041bf8a14ece232c2a38fd78e96d54b34f33ab7e0b25b8bd291708

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe
Filesize
144KB

MD5
f57f4fdb4e9cef71508e218fe80998ec

SHA1
04726353943922f64e920f4f8694083fa3531917

SHA256
8ce0a61dc5280a9c55108a53111805c970515f00b6a93ec68553050f1a0f7370

SHA512
1d24c70c93a446fef6932b2af3dbe28f3528c764df58c22683de0dee6270b49f290a2352d47f64d58e26216e3a0fb26411b9028fc6f724a7422db9ff7cf3a12c

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe
Filesize
144KB

MD5
83da464a820ac7d711ba359ecd625f31

SHA1
fb9e5164a5c720c66154b3c9212bfb00b1459f08

SHA256
a9250dcbe9a1f7f15b22beed3f8852516d6ede34d813cb7858272876c18d91f7

SHA512
05cf67271dc4b2faef83d30e16bf62e0ddc6dd50093839044af8fe7a2258c417bca55e3bf391b40269f24fac6ee4f61695a45d870ec6cde39343b7f565829732

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe
Filesize
144KB

MD5
f8c74c94a121c92f183fbb5cbadc45e7

SHA1
d6787ab11e564ed8581ea678258f40baa7a55f85

SHA256
6957ae4860c573c891e20acb24f2710cf6d80ddf6a714b0bee2864a421b6bbe9

SHA512
e3301ae5fc3c32b10292f26f3101f80940ff7e6e21867d667974d7de651acd4e2fa6e0652f3549935a3f321a12b49dbcc4a93146a68f51f232d5e217636f6028

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe
Filesize
144KB

MD5
d236826e7eabd7f13090a8c62e4d70d0

SHA1
2d916edae95a7b09259c745e53eb6086ba3aaf3d

SHA256
363f373c2b217b3c366a030a6f67f4a135a6645d2d4556a54c639e9a65e67ca0

SHA512
2d0ad0cb634129925aa550c38bfeff8bf670bfbcd7bff4e023b30b9de9f3be8c9ee9503e3ae2ddc3962c0c1ee51a95e81cc4b180c3b13d960cd53a6fe5aa4a88

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe
Filesize
144KB

MD5
32b97ad716e56eef463db07808fe2e9d

SHA1
a19d7037299ee40d0b367b3b790cfc4d5776cecb

SHA256
8146784341c437f84cd9840932707a505ce2220c34e2df39f0b104f31188fc67

SHA512
762ea55ca159a376208cdbe2c6eb791d659f191fe2f1e7428881933e323d8900b31c785a0d64947e9fefba63c5ac4a85df39586649b1c141dc72165a30d9906a

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe
Filesize
144KB

MD5
df79100e453ed2f1a622be23792ad9e5

SHA1
dc8a5af12df1ff8bfdcb8bfc87ce8e143d8c18c3

SHA256
578417511aeedd9cd9cda300b90b91cb7f25658e9f381c4c26c8bc0705456eda

SHA512
8709fca611d9c2bd3457ce1740becedebe60f5b6eb96a6d98c0cc48e33b9ac0797206859f4772129f507bfea58889f3d919dae1afc5081573f917de3592a5ba7

Download Submit
memory/380-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/440-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/860-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads