8a5f3e8276a8ca05c57378241f3d52b90b22eb988648c8adf3ddd851d2b9389f

Analysis

max time kernel
140s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
Size

1.3MB
MD5

2b680361d20c86ab1de893c3d0d39a90
SHA1

9a4f75883a7e1dc1489eced1904d053cff23afcb
SHA256

8a5f3e8276a8ca05c57378241f3d52b90b22eb988648c8adf3ddd851d2b9389f
SHA512

10bb6b3f1db9f14dd670e724289ad625bf50eceb8bd7c13a5278df9da38c31b80d68407ab9c690a39cc1c670051c4d07338c2adf6e7f2495ede43ddc9af11aa6
SSDEEP

6144:UqZdkseLzpRRE5ZC2npb+oB+Zz2HG8t0DoEWufVuvw0HBHY8rQ+6bPD3wPSk8ymB:Uq4JAbaz22cWfVaw0HBHY8r8ABjMn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Executes dropped EXE 10 IoCs

pid	Process
1168	Nqiogp32.exe
3108	Ngcgcjnc.exe
1804	Nnmopdep.exe
4412	Nqklmpdd.exe
3656	Ncihikcg.exe
1204	Nkqpjidj.exe
4684	Nbkhfc32.exe
1252	Ndidbn32.exe
1176	Ncldnkae.exe
3584	Nkcmohbg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
372	3584	WerFault.exe	92

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1168	932	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe	83
PID 932 wrote to memory of 1168	932	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe	83
PID 932 wrote to memory of 1168	932	2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe	83
PID 1168 wrote to memory of 3108	1168	Nqiogp32.exe	84
PID 1168 wrote to memory of 3108	1168	Nqiogp32.exe	84
PID 1168 wrote to memory of 3108	1168	Nqiogp32.exe	84
PID 3108 wrote to memory of 1804	3108	Ngcgcjnc.exe	85
PID 3108 wrote to memory of 1804	3108	Ngcgcjnc.exe	85
PID 3108 wrote to memory of 1804	3108	Ngcgcjnc.exe	85
PID 1804 wrote to memory of 4412	1804	Nnmopdep.exe	86
PID 1804 wrote to memory of 4412	1804	Nnmopdep.exe	86
PID 1804 wrote to memory of 4412	1804	Nnmopdep.exe	86
PID 4412 wrote to memory of 3656	4412	Nqklmpdd.exe	87
PID 4412 wrote to memory of 3656	4412	Nqklmpdd.exe	87
PID 4412 wrote to memory of 3656	4412	Nqklmpdd.exe	87
PID 3656 wrote to memory of 1204	3656	Ncihikcg.exe	88
PID 3656 wrote to memory of 1204	3656	Ncihikcg.exe	88
PID 3656 wrote to memory of 1204	3656	Ncihikcg.exe	88
PID 1204 wrote to memory of 4684	1204	Nkqpjidj.exe	89
PID 1204 wrote to memory of 4684	1204	Nkqpjidj.exe	89
PID 1204 wrote to memory of 4684	1204	Nkqpjidj.exe	89
PID 4684 wrote to memory of 1252	4684	Nbkhfc32.exe	90
PID 4684 wrote to memory of 1252	4684	Nbkhfc32.exe	90
PID 4684 wrote to memory of 1252	4684	Nbkhfc32.exe	90
PID 1252 wrote to memory of 1176	1252	Ndidbn32.exe	91
PID 1252 wrote to memory of 1176	1252	Ndidbn32.exe	91
PID 1252 wrote to memory of 1176	1252	Ndidbn32.exe	91
PID 1176 wrote to memory of 3584	1176	Ncldnkae.exe	92
PID 1176 wrote to memory of 3584	1176	Ncldnkae.exe	92
PID 1176 wrote to memory of 3584	1176	Ncldnkae.exe	92

C:\Users\Admin\AppData\Local\Temp\2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2b680361d20c86ab1de893c3d0d39a90_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\SysWOW64\Nqiogp32.exe
  C:\Windows\system32\Nqiogp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\Ngcgcjnc.exe
    C:\Windows\system32\Ngcgcjnc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\SysWOW64\Nnmopdep.exe
      C:\Windows\system32\Nnmopdep.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
      - C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        11⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 412
        12⤵
        Program crash
        
        PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3584 -ip 3584
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
1.3MB

MD5
ec06c99b84927a9f22bcc31b135f72ab

SHA1
ddcc25ac93ff36f9a084de49c509515db35cbf0a

SHA256
cd5f52958d8b5f1999a840d122f0ad829027bd91dd54c7cb2eb92f9383ddfeb7

SHA512
d841941112fcee9fdd40e6bd4c2f222c3ff26a88029036f315d313a5c90af95be6711b54b3cef7b01faca968f169e02232ccb97b3610422ae057af5d22377bfc

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
1.3MB

MD5
d183616d44caa790f491edf30d0765e5

SHA1
176bc217643f41133590d8b12c30cdc9a8db2308

SHA256
d21dc538fd72e778e4e13e531effc4f63bffb49937a59842f240c4d937e7ce38

SHA512
f0b6d2e63641bf1c31b46a4af489fe0fe40c5b1b697fc281a4c3114d10f67c56f4253e07dca0ca8bfdd5d386fd9c3bcd063696b571cb4c6de8f06ec248849f19

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
1.3MB

MD5
32e63f94d3857c96a2e2c21e8c79e8e6

SHA1
ad6a29c3cc83dd8aeef43fe23c8d52c91f6a145e

SHA256
29f9c58b47368b69e5a80bb0a156db1675ab38f1de40c7378335550d44a7b5c9

SHA512
72a6926aae48cfd508178e29e01a77c98a2f1bb980fae5ec258961004bb7b09c4a17d6a859195e6426ba11760a249a7f5213d9ff6a7d8b360dac556fd63cc88d

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
1.3MB

MD5
3bd4bee413b20393b365d188d23c4512

SHA1
891457f5ed865ce686af9ad5ebb5f16c2abf5b43

SHA256
634f28ab9c96282578b55770e474020b8cb73423ce503acb0c9c0c7590025514

SHA512
964c4efc3176dff00313a4b4bc3821bb5cf11a7ba1226bd66d875f12f4cb910bac3da4751792bc796201459e9e7d47fcdfb1da16877a10008809ade22f58e336

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
1.3MB

MD5
6eb5dc3321a80d6ef3ff10c58a1d0c11

SHA1
a4f28f083e543736da26610547b820043dc5500a

SHA256
eb8e59c41e365d63fcfd255a5b91ac88c23a637f3d9ca9ffbbe87baab702f5a4

SHA512
5694f0463f80dc94b177443e9d102ccde04c3fcd12badd7a2cac5a3702bde37fd0c4e28d2917310b9c6d7829df61d540ed4ea2fdbbce4c7af0e9d6f254e45769

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.3MB

MD5
fbf4c9b7e7cc0f47e3a11582407ad26e

SHA1
3b6c895456ad5dc381e8c71b332fb832584b2144

SHA256
9180e0b8f446bb7cd490298fe9eda8432a7e5d53d48003063dfa7734b31f6288

SHA512
9cfd251d8d9ddf97c197db15b7de37f00d9121cd9fc0867212a6e617b4ac9b7ea3fb5794aba6d558321127c9beb3e65656b58959180cc9589dd49486d7d195a6

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
1.3MB

MD5
7a4394bb95ad84a789955d1697158036

SHA1
e51a9139bc668847742e2c1ea9f0eba61fa44ef6

SHA256
3f459ad6490d443af77d73147f20d26e4cbc92e6c9b622d8e13da5cc9374dcff

SHA512
4b16c0a45882e8b5fb80035758851e44a8f94a49e7ba09c404ff2d240f6f380775c93433539bee76806ac0d693febe0f96e0c9650b50901f142e9917543b27bf

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
1.3MB

MD5
55a25f221023134ac483c27f9412653a

SHA1
e38b09280678a86a1b277ae28131ec2345439c57

SHA256
b78e06ad1063e10d6853b7c2fe439dc82136cbc4f50d4784bab9a626d825d632

SHA512
e5f15678139367548668b097bfbd9914168b318023a293bb265c1638b685be20897816b2154ddb75c1a3d17e82034c5ca2ef7754d14cc10fc4869a54c8fae9ac

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
1.3MB

MD5
4d72e489fd1947cf7f480e33707af245

SHA1
94adba9e3115ef4804d3b7c45f8ff65b3ba75b82

SHA256
671455b735be02143a35d8735cf9cf1897072ae0e8aad93897ccca69bbe4bf36

SHA512
9dd258c6c171c63fe1890e02a7945cda22d4405c703cee8559e5492f4470e1c12d27d05d8973461fc855acebeef1aa9c19e01eb912c71eddb481bec77f218a3b

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
1.3MB

MD5
b7bcbd62cb1ea0789d7cfcca7ab5aca6

SHA1
c8219bea37db74b1e0befc4d82b84d2840174dd9

SHA256
87d7c2acbd5ff1ebe90861f65322f24cfacfae71bd4fd402eecea276f88bb65f

SHA512
2bfcf0c28b87288732baa9dcda2df584fa1dbc6f7dd78610cb466a31fc5345625354693ce128236a11279a510807e496a7905ee8c83c244ad03fbe15802533fb

Download Submit
C:\Windows\SysWOW64\Pkckjila.dll

Filesize
7KB

MD5
95229d8b7dd3b9135c35666afc748299

SHA1
26d85af3c82f445de9543e2d1c63373bc2403ac4

SHA256
8156c5ecde24ab09b76a107a8026e700970d375878ef122a6aaab818360cf7ce

SHA512
3a39ccd4cf14e2cdc1484d69a1c1f447dc9536cb34420eabc6e3300ede2af214b9fc5e3a16d09b1d83971ebfe69a65c5b254e3798b7731276c921653b9ef4d56

Download Submit
memory/932-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1252-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads