0ae7b1a3b2775bc8c1a521982f49a594d94df2410c868b9b820e0e600a7c4873

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
Size

224KB
MD5

a29a8d0bcf2e989b9f2df9b5023804e0
SHA1

c4c193452460fa11b257368387e29e37bcfa0e86
SHA256

0ae7b1a3b2775bc8c1a521982f49a594d94df2410c868b9b820e0e600a7c4873
SHA512

e817df28e1bfa286ee469f94942efe3f542f33df3f9097aff6f7032506c7db96a21411a70af6bf5f28a3f198a90d62f735a35cdadf04e5efa09d2752709550bc
SSDEEP

3072:pYfWjeyCoVjIuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOgtSU:pYmthB4s5tTDUZNSN58VU5tTtf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe

Executes dropped EXE 11 IoCs

pid	Process
2212	Mcbahlip.exe
1736	Nqfbaq32.exe
4520	Ndbnboqb.exe
4312	Nnjbke32.exe
2948	Nqiogp32.exe
5092	Nkncdifl.exe
372	Nqklmpdd.exe
2304	Ngedij32.exe
4468	Njcpee32.exe
2280	Ndidbn32.exe
3008	Nkcmohbg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1640	3008	WerFault.exe	96

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2212	2552	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe	85
PID 2552 wrote to memory of 2212	2552	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe	85
PID 2552 wrote to memory of 2212	2552	a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe	85
PID 2212 wrote to memory of 1736	2212	Mcbahlip.exe	86
PID 2212 wrote to memory of 1736	2212	Mcbahlip.exe	86
PID 2212 wrote to memory of 1736	2212	Mcbahlip.exe	86
PID 1736 wrote to memory of 4520	1736	Nqfbaq32.exe	87
PID 1736 wrote to memory of 4520	1736	Nqfbaq32.exe	87
PID 1736 wrote to memory of 4520	1736	Nqfbaq32.exe	87
PID 4520 wrote to memory of 4312	4520	Ndbnboqb.exe	88
PID 4520 wrote to memory of 4312	4520	Ndbnboqb.exe	88
PID 4520 wrote to memory of 4312	4520	Ndbnboqb.exe	88
PID 4312 wrote to memory of 2948	4312	Nnjbke32.exe	89
PID 4312 wrote to memory of 2948	4312	Nnjbke32.exe	89
PID 4312 wrote to memory of 2948	4312	Nnjbke32.exe	89
PID 2948 wrote to memory of 5092	2948	Nqiogp32.exe	90
PID 2948 wrote to memory of 5092	2948	Nqiogp32.exe	90
PID 2948 wrote to memory of 5092	2948	Nqiogp32.exe	90
PID 5092 wrote to memory of 372	5092	Nkncdifl.exe	91
PID 5092 wrote to memory of 372	5092	Nkncdifl.exe	91
PID 5092 wrote to memory of 372	5092	Nkncdifl.exe	91
PID 372 wrote to memory of 2304	372	Nqklmpdd.exe	92
PID 372 wrote to memory of 2304	372	Nqklmpdd.exe	92
PID 372 wrote to memory of 2304	372	Nqklmpdd.exe	92
PID 2304 wrote to memory of 4468	2304	Ngedij32.exe	93
PID 2304 wrote to memory of 4468	2304	Ngedij32.exe	93
PID 2304 wrote to memory of 4468	2304	Ngedij32.exe	93
PID 4468 wrote to memory of 2280	4468	Njcpee32.exe	94
PID 4468 wrote to memory of 2280	4468	Njcpee32.exe	94
PID 4468 wrote to memory of 2280	4468	Njcpee32.exe	94
PID 2280 wrote to memory of 3008	2280	Ndidbn32.exe	96
PID 2280 wrote to memory of 3008	2280	Ndidbn32.exe	96
PID 2280 wrote to memory of 3008	2280	Ndidbn32.exe	96

C:\Users\Admin\AppData\Local\Temp\a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\a29a8d0bcf2e989b9f2df9b5023804e0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\Mcbahlip.exe
  C:\Windows\system32\Mcbahlip.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\Nqfbaq32.exe
    C:\Windows\system32\Nqfbaq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\Ndbnboqb.exe
      C:\Windows\system32\Ndbnboqb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
      - C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        12⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 400
        13⤵
        Program crash
        
        PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3008 -ip 3008
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
224KB

MD5
c5829291c7fa31a56c5e3ebfe071cf7a

SHA1
1d7a2e22f116a4f7826ba296817ff9dde1eff67a

SHA256
fb574d93e3a082b2d82476b2d770f4a94917c61354fed7774de531aa1cbc98f1

SHA512
93e7dacbf5a7d2869e951fe32a0123b72d868a493be24348c6758319231b2f2d2eb751c06cdaa1a5a7d0644e586efcd992946d67273b4e79f8f86d7b24125a7a

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
224KB

MD5
624bee6706cd5aa65b060abfac7b6010

SHA1
5f8a9fe2c434cb456dcd2dc98e95f44e654662fa

SHA256
dd15e6a94c68bdc6b93f812217e90485777d6a019ba6bce75cdce51a71c57f6f

SHA512
04a432c335b03c0a98c9f6ab3e7f70e1078c88292f4ea9403e2caff61978042965b4a072f4bd60211ada77ff2487cc2a816f1c650874db64703b28f040d16181

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
224KB

MD5
31aa963af0a411f9a6a52dfa5ffc53c1

SHA1
48efbbee3b354fdf14610be728fed201a3b0011f

SHA256
f2df83dbfee804c1dda2671ecbcd85f275e2463eb6face94e63a2bf9119d65cf

SHA512
11e1c6e77575746672992390c0143dcf0c3050a9e2d410fcfb59d88f72e9f8c999e15a5db529bfe71d23ecb91a43890df2a77301f97c89472c7f4ffac611b410

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
224KB

MD5
d4631781ae78f611e4167fa614c63687

SHA1
8ea2cfe95a4c6dbfba8511648fea0b9eef0fbb33

SHA256
53b6e5288815cec76eefb9879ac0bc4c3b1057f0dff06dadbfe54b66d6573dac

SHA512
6e9886e3ceeed07b9f3d1b91fdd95564c829e4cc9344a332bd57d2bb2c6b474acb71b984e35e6e217d55a0c76224a18018490c25263f6a2e3c79b8af9ed737c3

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
224KB

MD5
26aabc9a83d542f7465dc9d016013278

SHA1
d8f86a4dae5314b3cec467378b1964b84ab74874

SHA256
33572ed028176359ba6efa5a5e1e495cc909406ab51dd4345dbb866547e68ebe

SHA512
d0b7b36599b960bece0309f34950f56caf8f5e8072ed525c6484344f4a15388cb54d23f1004dde96bd8d3b0a318830ab6df67107dfe6486d970dca96c3ea9eb5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
224KB

MD5
c2d17d2550f609ad2aea36a0e676ceee

SHA1
6685e8b3f83430321506476742db39b359f8a296

SHA256
3a4ad6dbde72dd3fb28cd6707fcc473c393e831eff7ff806b123c59d9c74ed2b

SHA512
f8a3aadc9a4ed6160131014c1e7cfdc4765ebc486295085c955a1da136362771635f566d9a1c967fc716b5ac9d7c36ce123704101de8065e2016eb551e0ea999

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
224KB

MD5
0fe7eae0c6aa7e1505f740d0a9bb7316

SHA1
61ac9c0021af5f74c34f23b55eda08a175927d86

SHA256
7204146b5442d41f1449672b645404ea1e0b412611869b025243764f13cc9e85

SHA512
bde39dfda6416daa4ee34505a0d9d026c007a7a5277b74481fe89e3fefcc2050f758d48e55b2f998afa6ccf4e6924bbaf73ab04a6b8edf804de92ac544e13816

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
224KB

MD5
e09df967af1cff1daa04c242b8ca0bca

SHA1
62a4c185823f6caf02fc1c6ffd656c54d8bc7422

SHA256
a974d483667851bc464effedd35d2bd4f3c903f774173422792b20de25dd21a0

SHA512
9e50fea626bbc6ce0d3b0e26aa35f85efed0f497b297c2bbb8f3631d3c4ef921e918eb5c7447f7153521353f3cc3c3f9ec0f4f3a56bf27e056ed9e2140ce0322

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
224KB

MD5
946d1f8f740630b5c30631135d490e2f

SHA1
af5b6718731d30af24f3939571a6779b0c9e55ea

SHA256
c1021647409d969e3ffec47cf11730bc6bd6751db862c6cd3e23a86160041448

SHA512
7a915da51e3ba0a2fb71fdb3d532ae8cc2dfa82afea2ddb9258413cd155cd84843facadc2d695b87ceb0a2688cb7a54d4319f18eb5c7e4ae3a3b220578116c63

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
224KB

MD5
7d8f7e91bb4a07b16011db67e12918d2

SHA1
c2ad1c27cb7fcc1e0f97cabd50600225265dd598

SHA256
23221de6ad2b5915bc0570a0b6eb17868fd240ffe8e577c1aaa91ce5e9652e98

SHA512
741ebee8c82ee316c4e3a46edecddefd06e521e8ab3d616ff78ced867d7514b7aa7c59d12e046ea14edccc0db9fb99633983f50dfcc25a54dbbda060040ce29e

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
224KB

MD5
08eb3b3014756ebc8034a0b89ed39643

SHA1
c6dcc9f3b4ac950fcaa73e9d061a6c98475c7b07

SHA256
f07edec2a70c7451e19e349a9719715b3e01fd6aad63226a69bf1df6fd1f054c

SHA512
ca473a5620b7168e94e3a31adb449b3a3ebec1625f6d2c164e3a620eba6e1f6be7fbd24160666ded19a6dc94745c4330e9df37af15a3ae0acbf22f17114b022b

Download Submit
memory/372-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads