2f026e7379608d6b1027443f1a4b276681d87d53aeebe4b91a92972542ea6d19

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Size

313KB
MD5

7efd7ddff6331777761f916ff9f4edd0
SHA1

07c8e10eeea6d3e7839e368633aa04d62eed8970
SHA256

2f026e7379608d6b1027443f1a4b276681d87d53aeebe4b91a92972542ea6d19
SHA512

9ead709e07127102c1d396107adf3d20acd48ef35cf6159c48a2e6b84651b769b40c51ba8ae5311f993945563c199e282b24140ffbfff4e7e0efd0efe03e1832
SSDEEP

6144:3neEa0/KQ+CpB6qPgEUmKyIxLDXXoq9FJZCUmKyIxLX:31VKw32XXf9Do3+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe

Executes dropped EXE 11 IoCs

pid	Process
844	Maohkd32.exe
4244	Mkgmcjld.exe
536	Mgnnhk32.exe
4940	Nacbfdao.exe
4904	Nceonl32.exe
3652	Nnjbke32.exe
3204	Ncgkcl32.exe
3212	Nbhkac32.exe
3976	Nkqpjidj.exe
2948	Nqmhbpba.exe
3412	Nkcmohbg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nceonl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3324	3412	WerFault.exe	90

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 844	1144	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe	80
PID 1144 wrote to memory of 844	1144	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe	80
PID 1144 wrote to memory of 844	1144	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe	80
PID 844 wrote to memory of 4244	844	Maohkd32.exe	81
PID 844 wrote to memory of 4244	844	Maohkd32.exe	81
PID 844 wrote to memory of 4244	844	Maohkd32.exe	81
PID 4244 wrote to memory of 536	4244	Mkgmcjld.exe	82
PID 4244 wrote to memory of 536	4244	Mkgmcjld.exe	82
PID 4244 wrote to memory of 536	4244	Mkgmcjld.exe	82
PID 536 wrote to memory of 4940	536	Mgnnhk32.exe	83
PID 536 wrote to memory of 4940	536	Mgnnhk32.exe	83
PID 536 wrote to memory of 4940	536	Mgnnhk32.exe	83
PID 4940 wrote to memory of 4904	4940	Nacbfdao.exe	84
PID 4940 wrote to memory of 4904	4940	Nacbfdao.exe	84
PID 4940 wrote to memory of 4904	4940	Nacbfdao.exe	84
PID 4904 wrote to memory of 3652	4904	Nceonl32.exe	85
PID 4904 wrote to memory of 3652	4904	Nceonl32.exe	85
PID 4904 wrote to memory of 3652	4904	Nceonl32.exe	85
PID 3652 wrote to memory of 3204	3652	Nnjbke32.exe	86
PID 3652 wrote to memory of 3204	3652	Nnjbke32.exe	86
PID 3652 wrote to memory of 3204	3652	Nnjbke32.exe	86
PID 3204 wrote to memory of 3212	3204	Ncgkcl32.exe	87
PID 3204 wrote to memory of 3212	3204	Ncgkcl32.exe	87
PID 3204 wrote to memory of 3212	3204	Ncgkcl32.exe	87
PID 3212 wrote to memory of 3976	3212	Nbhkac32.exe	88
PID 3212 wrote to memory of 3976	3212	Nbhkac32.exe	88
PID 3212 wrote to memory of 3976	3212	Nbhkac32.exe	88
PID 3976 wrote to memory of 2948	3976	Nkqpjidj.exe	89
PID 3976 wrote to memory of 2948	3976	Nkqpjidj.exe	89
PID 3976 wrote to memory of 2948	3976	Nkqpjidj.exe	89
PID 2948 wrote to memory of 3412	2948	Nqmhbpba.exe	90
PID 2948 wrote to memory of 3412	2948	Nqmhbpba.exe	90
PID 2948 wrote to memory of 3412	2948	Nqmhbpba.exe	90

C:\Users\Admin\AppData\Local\Temp\7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\Maohkd32.exe
  C:\Windows\system32\Maohkd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\Mkgmcjld.exe
    C:\Windows\system32\Mkgmcjld.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\SysWOW64\Mgnnhk32.exe
      C:\Windows\system32\Mgnnhk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        12⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 416
        13⤵
        Program crash
        
        PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3412 -ip 3412
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fcdjjo32.dll

Filesize
7KB

MD5
9382f0ffcbca2bd40df85986c666dfaa

SHA1
66474deb5d21cc80ef4b752d74251af609922b8f

SHA256
8412abbce33e5f0d97f5b263957b05001fc63ddba3d06c951a8e494da312e04e

SHA512
7b6a03dfc64bc9bfccd02aac81c2466b288a7b55b70f06f5835e9b7f7947865bf459eea94bed78691813499f650e134c17a27224aba949dc2c3b401c1d108fae

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
313KB

MD5
a7a8f708e2769f80dfef1ceee5f72d1f

SHA1
2e282d89f742552e33f2bae946324848abcc4cc5

SHA256
4683c515984d2eb93b09964fd7fdc520ae4ba3c4f62336b05bad8b678314d97a

SHA512
29d7bc5fe4981b8062b62a17d084751f10a7810aa0c0b471168872615eaf377e6847c1ddfea857de6a46da851d0c04c9f2f7b0c71cfd1b5d788c4c3bf74ccad8

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
313KB

MD5
f75878de6390bd5dab4dc4091a368857

SHA1
55cd9218ff0af08f27571a72ea10166276ccedc2

SHA256
69bbac26407dae5ba75e909716a9137a680149f8de47268b1358ae3265a01319

SHA512
ade66cb49dd5e66461489ef7b0626bdf032aebf28965440e117957a5e932da57ee6546705639a418f4d7bc26a3349bd5799e8aa2ff65ef0219b8e97bad73d9e0

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
313KB

MD5
a8576efec8dbfcbd4c9d89b07f62d2ac

SHA1
cde04c94f4d496ea62fde87f9bcd1f44b487dc92

SHA256
a660f5412c5c1f849e1c6c932df2b5a640bd10c08defa0218dd3140e5ca65528

SHA512
33871f62733354bb492679b92e94eb04f269cfefaf1d52403744432fcaff6738f1dd50d8b683fd59d979acb64f3ddaf60472b74ffefffb60413bd7148e8bfa1f

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
313KB

MD5
7dd8d168aa45986974e69cf55272db15

SHA1
d75d735131d45ea4c4d1a4347bbaddb664778fb3

SHA256
bbdbdfd0bd79be427f49441eba6aa8f9b9ebf168415b722c0ff00a75e7c437f1

SHA512
6389b5a5ffb1d3860fdad0266a3725a21f60c8272dbba39b8d4da7718baee33d3f0099d8078caaa6c51f95d602beb4e2f4d3a78765896d2396d40b957bc232e1

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
313KB

MD5
3fd295bd54666a0e0978492b5f5f502a

SHA1
0243b6da282fb541c64337c5b0138154507a434e

SHA256
30969cdd12c39913293d49512faf1d82cefcbc91caf7f10bc1885c0156231815

SHA512
c9ac85d358d4227d521b2588daa3098b4af864f1dcf4eeeae8ecd63447db68509e21ed4d8d057c439cec3b617654492e873d19d630cd559de5d2498ddc5fbd54

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
313KB

MD5
3e405ffea938c93ad18ed4c97ab88f32

SHA1
bfa0c7dcf085cf6e5d4a8bd7c57d268ef1934ddd

SHA256
5f893f1c529bae1bbb91065f844babb00c638f0cd96ba56b4378d57e0afbb41c

SHA512
c4a69f88858228d86ae3a240da3b85095ad517344d77178a70071a15692a9d124eae7b1a3585010c7a1ab7670f329f029b541b8556955e0ae9e8d364f3ebea87

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
313KB

MD5
270699c4ecb08a5617ba180d76ee60e2

SHA1
6f6e335c5c443dd025e5711a0961f648dc4536cc

SHA256
23f1578fb9484babd9e24862fa6a1f35a9f6ab48eab189ed6047a965160e1abc

SHA512
9a826258b573209f37927a0abec99fe49b4211ce3f8a426491c0ef5349caa46289fea17e7bcd10ade7fe56d9594482841b276c196520185881fc657e1acca869

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
313KB

MD5
a1e9c7ad2c6e8d2d1ce1f239fb3b7e8d

SHA1
84742044de8b4dd67751318c9fa1812a77cdccbd

SHA256
478dbac01d8f0d53d56eecd29d542e35e829a564ffed855811edc626d7fce794

SHA512
5270346cecd0bc4477772011ed61e57a58171f115162fe68fd417646cf0fb82f20c3d0caa7ea87f8c77aeb138499acb4ee69871312e7d0baa8b588aaa5a214be

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
313KB

MD5
86ceb37d2b40808330f0c89973f5772e

SHA1
d263dda9672f77332a683692a9e4237ac81bc226

SHA256
37256febf5070b1cf2ca92e166ec3b180301b4a36409ac44ee87af380d1f4ef3

SHA512
c7e17ccaf7dab1d43c388b60228011cf5f9898ed0e7ae574b94dba43106cd0b2e7b4deea74d57a107dfdf4592a2aac9fd5a24cf3ddd86ec39306c95c41bd29ca

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
313KB

MD5
f02e87a48a288f548e8b66d653cab4ac

SHA1
99a1913ca58cdf63e3d57904eab4fc80aad98de5

SHA256
8f10df67018f4044f3954f104c8df90ed5357ae3884ae376908127f5c7108f99

SHA512
f7ed67c95512fd9c9341641cb2f23bb456bab52298e1f9ff0508c7d3fe82825467cf77ff95544afee2091e3d5e3c6478ae3d4415263fb7d563bee793efba17f5

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
313KB

MD5
0a2b7379aa2c3f3cc12464288859528b

SHA1
80fa45bc4b15551185b073718e7abcceb316c889

SHA256
00242d60878ce3515f054944fb825724ed10d9b31edebc553207b58ce8fe1298

SHA512
872e64db940417df50d7e8a11b745688c497840a1047a111fbbcf7f77d21d358e853a016de1c50e1629129ae198899aa0d004d024d0d2b27b5baf3fabbe1a615

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
313KB

MD5
257ca3244df74349e20e248e9289b86f

SHA1
96ec52b06a1691ec11c2cf015dcec495fd7013ee

SHA256
b12c59c7314f7e75f1eb619304ef1e6821a7c97742c10aa415eb8db81fd226cd

SHA512
0ecd561ea4f244b0beb06d373af84645702494f25f25e5908541d24cea3e665f90c2cf89107c6e0628d889d1624a99c0fc8e9754cd6eae37441d83d05e84eb94

Download Submit
memory/536-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/536-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/844-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/844-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1144-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1144-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2948-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2948-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3204-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3204-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3212-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3212-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3412-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3412-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-93-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3976-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3976-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4244-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4244-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4940-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4940-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads