8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
Size

49KB
MD5

da1026c870579b0705f170accbd4fe50
SHA1

fa8abc5768b682b5351880888db04ae1addfd837
SHA256

8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9
SHA512

1fa7457982a97e9cc82d9e0b858942821b73849af06a05575dba9e728dc39026c9527ae2ef2871c7713c0681069f3c9a7903a7f1b0b5d280c499b80b485ec6e9
SSDEEP

768:EjwLtmKo/VFvbWNhMC4w/K+2bFgTEqzLOfNqR/fjehHqVSWW3kg91Zq/1H5C2Xdl:E+StWNhM9w3Ko3OfNqyqVSF3991Zwpl

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe

Executes dropped EXE 10 IoCs

pid	Process
2696	Njogjfoj.exe
1904	Nqiogp32.exe
4800	Ngcgcjnc.exe
3560	Nnmopdep.exe
1972	Nqklmpdd.exe
4684	Ncihikcg.exe
2664	Njcpee32.exe
4024	Nbkhfc32.exe
3552	Ndidbn32.exe
3720	Nkcmohbg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4792	3720	WerFault.exe	94

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2696	1532	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe	85
PID 1532 wrote to memory of 2696	1532	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe	85
PID 1532 wrote to memory of 2696	1532	8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe	85
PID 2696 wrote to memory of 1904	2696	Njogjfoj.exe	86
PID 2696 wrote to memory of 1904	2696	Njogjfoj.exe	86
PID 2696 wrote to memory of 1904	2696	Njogjfoj.exe	86
PID 1904 wrote to memory of 4800	1904	Nqiogp32.exe	87
PID 1904 wrote to memory of 4800	1904	Nqiogp32.exe	87
PID 1904 wrote to memory of 4800	1904	Nqiogp32.exe	87
PID 4800 wrote to memory of 3560	4800	Ngcgcjnc.exe	88
PID 4800 wrote to memory of 3560	4800	Ngcgcjnc.exe	88
PID 4800 wrote to memory of 3560	4800	Ngcgcjnc.exe	88
PID 3560 wrote to memory of 1972	3560	Nnmopdep.exe	89
PID 3560 wrote to memory of 1972	3560	Nnmopdep.exe	89
PID 3560 wrote to memory of 1972	3560	Nnmopdep.exe	89
PID 1972 wrote to memory of 4684	1972	Nqklmpdd.exe	90
PID 1972 wrote to memory of 4684	1972	Nqklmpdd.exe	90
PID 1972 wrote to memory of 4684	1972	Nqklmpdd.exe	90
PID 4684 wrote to memory of 2664	4684	Ncihikcg.exe	91
PID 4684 wrote to memory of 2664	4684	Ncihikcg.exe	91
PID 4684 wrote to memory of 2664	4684	Ncihikcg.exe	91
PID 2664 wrote to memory of 4024	2664	Njcpee32.exe	92
PID 2664 wrote to memory of 4024	2664	Njcpee32.exe	92
PID 2664 wrote to memory of 4024	2664	Njcpee32.exe	92
PID 4024 wrote to memory of 3552	4024	Nbkhfc32.exe	93
PID 4024 wrote to memory of 3552	4024	Nbkhfc32.exe	93
PID 4024 wrote to memory of 3552	4024	Nbkhfc32.exe	93
PID 3552 wrote to memory of 3720	3552	Ndidbn32.exe	94
PID 3552 wrote to memory of 3720	3552	Ndidbn32.exe	94
PID 3552 wrote to memory of 3720	3552	Ndidbn32.exe	94

C:\Users\Admin\AppData\Local\Temp\8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8ae75e73c58abf65419f37447e2b8c4f05bc7eb4ab366b09b613d7eccb901ac9_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\Njogjfoj.exe
  C:\Windows\system32\Njogjfoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Nqiogp32.exe
    C:\Windows\system32\Nqiogp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\Ngcgcjnc.exe
      C:\Windows\system32\Ngcgcjnc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        11⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 408
        12⤵
        Program crash
        
        PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3720 -ip 3720
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
49KB

MD5
71df41cf2b882ee2a9030da0cd43fcda

SHA1
85b7692a8da69bdc140a319d23679bb8ebceb111

SHA256
9287d74e435cf8adc4a4385d9503fa96cab4c7c63a10ccb13944bca124fecfad

SHA512
c932d435f41df4452e86ec0d2e078964938732005be1fcc5134b2c1a274d316ec799a341e56e8d70c85beab5ebed4e0ff0591dcc4bade9ddf8cecaab793cf262

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
49KB

MD5
c38950ba275f54b1f8dcf6ee95826752

SHA1
c1f14bf97ac20ea3457c761cf0044f4699393eb9

SHA256
69cbc522b7df2c6b37ff9ba6745340fd588af7fb0ee23c49f7d996ac1aef9ee5

SHA512
a47c39e8c171a9d07fa19ce487c8168bd2980dda379e4c8e4e8af95e0923a4ee8526458931ec9dab6c701272fc34c65b65bb2d8eea57395275710c5de9d81e1b

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
49KB

MD5
ef5801bc295eaa80b43fb2d4e6a895a4

SHA1
7a858360669cf5fab85b6ed5de0589f2d7c1f81f

SHA256
b70198dcf5d3f2c1ac5d4538ba4eb8953ebeae9c8f56b3c15315c82de1d10dbf

SHA512
53c3ae25c52b72c5e05c72c732788c420f2cee20b9b2ff6aae851e0b2437fbce94d8f962743f74d5fbb02985de19ae6511607cf7e425ffc61364c76a7c639b71

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
49KB

MD5
2a6234e7e724d1c31903860d3e43d90a

SHA1
86e32b0f6d6a9fb572218188abdf0adf63c6e7ff

SHA256
7166663bc022d0393342247d019b17f23691ab53c73d6ce493222c2e8248faca

SHA512
37d0fc0c40c5cef83f4cabcdd2c3c5ce4a25c9d13074668e5848628a464b690975259986bc990f5d44eb4e6c270067e114f0935d5b7e8132125f2a5e81f9fc4b

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
49KB

MD5
eeda9bce75664054b4d4a9609737f407

SHA1
e9344dbe9b2ce4cafcc567a25c624718dc57fd32

SHA256
b26b140cbceee2ce4af4642ce191802faf8b6e707dba63abed2d4e14954c00ea

SHA512
539f7cabfac373008da04caf03bf26522eeccc46b7b3c0dc440930788e8b7a9bda63d7d07862c0e6766331b25063d43ae756b9d28015a6f228bcc67378c82f30

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
49KB

MD5
73ae8b364e68a91b73bb8ab5008f5ed2

SHA1
20024cd2ac0e954b2c0bf927ccf7eeb29b745682

SHA256
cc8ce0943c2b7fd9a2efde850e6b713562b27121cbbfe6d288c8f8eaf5569b33

SHA512
64edf1e2300acf75759d75bd8293e7a8fac719d6678150d57e8059f1c61bc872d0669e7adfa6efa42e3ade7a441d0dbfa89c38eac16cfd13f94c0d701b29dff1

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
49KB

MD5
6513a2c3892ffb05831143a613bec6ff

SHA1
2614a108e8124b235e2e636961006283f4404e36

SHA256
a822e5285d02dd75fb520822ab8cd89a0882b5a550d1930ea1c33a76d8043872

SHA512
b7cbe578ac24ac8319589d4c2449cd05438d36865d1b9724dbd8dd5e73dec735734ce942e1b2d36f0db08069d27a2252598960360ed6594b90919a2489cfaa46

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
49KB

MD5
afb82edcd173ce3a76e2f32fc1d61ad1

SHA1
22d36ca260de03a78f9c0d6e1d720d8c30822a33

SHA256
34fdbc6ab4cdbd24586b1e63422b31dfed678ff75c6c438246ca056ce0019e52

SHA512
9f43b045a29ccf471ddc635b110c411a9ba90b7c772ab1f213d789ac667b4d2c19f9bab8ba943d2a6bd5b24661df193d4b8d6dfa10625e64774b861e9e9dab2c

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
49KB

MD5
8aba7980629295a72b2fdc79b05da30e

SHA1
5b6d13be6930d87d191fcfa1f1aaf49fdbbf0b43

SHA256
614bcb5749ad201cdcc0f239298345757472e550e8a803c8c87956022326a14d

SHA512
7d2516cdb3413fb6ad6825fc907e814acc2969f109c5d9cdbb48bfc3095ad2f8f0a323ca53bfc2d7f85a2706aabee9cf9cbe57a5e5bf040a0431e996c8b7606c

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
49KB

MD5
e2322de5c8f0c744936900c1c3388aea

SHA1
48f5448afb4b4dddbc433d86f50dc6c15a3a4415

SHA256
70c9b968f4a27a1113ee63890dc71449923cb7ea2ca079ae172bc7c93cb89c49

SHA512
c0f459f825b397153744fe28ef696fb97d72043bb457d700f54a868aa9781880020456c5edd7ee328c16c5f015885b9da90c4ac627552e87639ac40b2b692b25

Download Submit
memory/1532-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1532-101-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1532-5-0x000000000042F000-0x0000000000430000-memory.dmp

Filesize
4KB

Download
memory/1904-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1904-97-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1972-45-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1972-91-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2664-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2664-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2696-99-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2696-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3560-93-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3560-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3720-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3720-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4024-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4024-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4684-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4684-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4800-95-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4800-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads