11735a7e0e268558e47bf5d293871c6795a1d1247b13bffd873ce1c0fb80653a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
Size

96KB
MD5

e59fb9d9b25e0a06913643c7bd250cf0
SHA1

afcbd96ecc4967c3d816b087a3c8f96faf19f61b
SHA256

11735a7e0e268558e47bf5d293871c6795a1d1247b13bffd873ce1c0fb80653a
SHA512

aa788c5433b587fe8b4900ec085ce93d6c4403bb63c93c5b28b93c1b79b5272d5bf7c1d9a82b11bde6f5c6d7d99b3ad36e6d5ab6a6bfb671608b23ff5c36adf0
SSDEEP

1536:niLmXp7nub4tuTgC3kUYEA62DhyXz1zs9UAIwmdbStZPduV9jojTIvjrH:nNU4sTVHKyDpmUWWStZPd69jc0vf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe

Executes dropped EXE 24 IoCs

pid	Process
880	Mpkbebbf.exe
4592	Mkpgck32.exe
4080	Mnocof32.exe
4156	Majopeii.exe
964	Mgghhlhq.exe
2992	Mnapdf32.exe
2868	Mdkhapfj.exe
1176	Mkepnjng.exe
4584	Mpaifalo.exe
1544	Mcpebmkb.exe
2888	Mjjmog32.exe
1728	Maaepd32.exe
2844	Mdpalp32.exe
5060	Nkjjij32.exe
2456	Nacbfdao.exe
2720	Nceonl32.exe
556	Nklfoi32.exe
4312	Nqiogp32.exe
1828	Ngcgcjnc.exe
832	Njacpf32.exe
4544	Nqklmpdd.exe
2588	Nkqpjidj.exe
4000	Nbkhfc32.exe
4132	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3920	4132	WerFault.exe	105

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 880	1048	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe	79
PID 1048 wrote to memory of 880	1048	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe	79
PID 1048 wrote to memory of 880	1048	e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe	79
PID 880 wrote to memory of 4592	880	Mpkbebbf.exe	80
PID 880 wrote to memory of 4592	880	Mpkbebbf.exe	80
PID 880 wrote to memory of 4592	880	Mpkbebbf.exe	80
PID 4592 wrote to memory of 4080	4592	Mkpgck32.exe	81
PID 4592 wrote to memory of 4080	4592	Mkpgck32.exe	81
PID 4592 wrote to memory of 4080	4592	Mkpgck32.exe	81
PID 4080 wrote to memory of 4156	4080	Mnocof32.exe	83
PID 4080 wrote to memory of 4156	4080	Mnocof32.exe	83
PID 4080 wrote to memory of 4156	4080	Mnocof32.exe	83
PID 4156 wrote to memory of 964	4156	Majopeii.exe	84
PID 4156 wrote to memory of 964	4156	Majopeii.exe	84
PID 4156 wrote to memory of 964	4156	Majopeii.exe	84
PID 964 wrote to memory of 2992	964	Mgghhlhq.exe	86
PID 964 wrote to memory of 2992	964	Mgghhlhq.exe	86
PID 964 wrote to memory of 2992	964	Mgghhlhq.exe	86
PID 2992 wrote to memory of 2868	2992	Mnapdf32.exe	87
PID 2992 wrote to memory of 2868	2992	Mnapdf32.exe	87
PID 2992 wrote to memory of 2868	2992	Mnapdf32.exe	87
PID 2868 wrote to memory of 1176	2868	Mdkhapfj.exe	89
PID 2868 wrote to memory of 1176	2868	Mdkhapfj.exe	89
PID 2868 wrote to memory of 1176	2868	Mdkhapfj.exe	89
PID 1176 wrote to memory of 4584	1176	Mkepnjng.exe	90
PID 1176 wrote to memory of 4584	1176	Mkepnjng.exe	90
PID 1176 wrote to memory of 4584	1176	Mkepnjng.exe	90
PID 4584 wrote to memory of 1544	4584	Mpaifalo.exe	91
PID 4584 wrote to memory of 1544	4584	Mpaifalo.exe	91
PID 4584 wrote to memory of 1544	4584	Mpaifalo.exe	91
PID 1544 wrote to memory of 2888	1544	Mcpebmkb.exe	92
PID 1544 wrote to memory of 2888	1544	Mcpebmkb.exe	92
PID 1544 wrote to memory of 2888	1544	Mcpebmkb.exe	92
PID 2888 wrote to memory of 1728	2888	Mjjmog32.exe	93
PID 2888 wrote to memory of 1728	2888	Mjjmog32.exe	93
PID 2888 wrote to memory of 1728	2888	Mjjmog32.exe	93
PID 1728 wrote to memory of 2844	1728	Maaepd32.exe	94
PID 1728 wrote to memory of 2844	1728	Maaepd32.exe	94
PID 1728 wrote to memory of 2844	1728	Maaepd32.exe	94
PID 2844 wrote to memory of 5060	2844	Mdpalp32.exe	95
PID 2844 wrote to memory of 5060	2844	Mdpalp32.exe	95
PID 2844 wrote to memory of 5060	2844	Mdpalp32.exe	95
PID 5060 wrote to memory of 2456	5060	Nkjjij32.exe	96
PID 5060 wrote to memory of 2456	5060	Nkjjij32.exe	96
PID 5060 wrote to memory of 2456	5060	Nkjjij32.exe	96
PID 2456 wrote to memory of 2720	2456	Nacbfdao.exe	97
PID 2456 wrote to memory of 2720	2456	Nacbfdao.exe	97
PID 2456 wrote to memory of 2720	2456	Nacbfdao.exe	97
PID 2720 wrote to memory of 556	2720	Nceonl32.exe	98
PID 2720 wrote to memory of 556	2720	Nceonl32.exe	98
PID 2720 wrote to memory of 556	2720	Nceonl32.exe	98
PID 556 wrote to memory of 4312	556	Nklfoi32.exe	99
PID 556 wrote to memory of 4312	556	Nklfoi32.exe	99
PID 556 wrote to memory of 4312	556	Nklfoi32.exe	99
PID 4312 wrote to memory of 1828	4312	Nqiogp32.exe	100
PID 4312 wrote to memory of 1828	4312	Nqiogp32.exe	100
PID 4312 wrote to memory of 1828	4312	Nqiogp32.exe	100
PID 1828 wrote to memory of 832	1828	Ngcgcjnc.exe	101
PID 1828 wrote to memory of 832	1828	Ngcgcjnc.exe	101
PID 1828 wrote to memory of 832	1828	Ngcgcjnc.exe	101
PID 832 wrote to memory of 4544	832	Njacpf32.exe	102
PID 832 wrote to memory of 4544	832	Njacpf32.exe	102
PID 832 wrote to memory of 4544	832	Njacpf32.exe	102
PID 4544 wrote to memory of 2588	4544	Nqklmpdd.exe	103

C:\Users\Admin\AppData\Local\Temp\e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\e59fb9d9b25e0a06913643c7bd250cf0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\Mpkbebbf.exe
  C:\Windows\system32\Mpkbebbf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\Mkpgck32.exe
    C:\Windows\system32\Mkpgck32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\SysWOW64\Mnocof32.exe
      C:\Windows\system32\Mnocof32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        25⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 420
        26⤵
        Program crash
        
        PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4132 -ip 4132
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agbnmibj.dll

Filesize
7KB

MD5
0f164129b0602a8cb57f4d961fb934c1

SHA1
ae6de2114566d517a750c939cb2c327b8beccd4f

SHA256
05d8d5b7db1d1d54c1bfe4833c4be32d46b45dc6568f27344a81b38b2d44ad4d

SHA512
f79d16bc0eb54cf4f6a1acf23f9eb5847f918b01b20d2bf3680d07fe0f5b2bfed74814ac3331c408e6af9a4c27d62cfb86ad65b2f551674c11c19a90a9691a26

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
96KB

MD5
a120cc8b50ec52455bf27bfbb8561023

SHA1
e5603865ac6c213de3eccee3c504821827ceeda0

SHA256
24ceec1ada0364777c8a4f3a77d5d8ae443c2e2259ce8fae57172e6ae0e89c6a

SHA512
d17e87671f68add151429d6b759c2508f87461a422d85d3afdfaa973f03c16ca94335691a22df63a3be23999d527fc09afc6d718254aa43a22f4b8badf67b634

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
96KB

MD5
3992701d3f0822cd327eb53bf75b0985

SHA1
4d58b8d693e41dfea7418bb526b97b4ab36b597b

SHA256
eb959f15e5d1dcf9b8224bd2711aede6cdcd2b66db0b8460557f2488a222a77e

SHA512
9bd9c995ff0a7b5e1b6e3379ca54294389c5a27411cf30f5ed740a76803fdd339206141009b69817c7f77a841bff15b190e13e48ad78cfc9711d2c09016b7856

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
96KB

MD5
501ec8b916d3cf625751f0fa86ad3466

SHA1
d8c6266af99a1a83f31a94c8d148ce38bfe4d062

SHA256
d1e768cb8c73b5b75d32ef7c1e29e4d61f48305036c51b0a9e45a5c7597d1139

SHA512
0bc4651a68c20f4fd2ae6630296e14d2d252a8c93987b25b9b9a46b408d6a343a24cd22c397c9ecea8a17246d4b8eeb22c7cd7b090d7b28f86b52504a1195674

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
96KB

MD5
edee82f0d4ac844f88b0e669c1d83abf

SHA1
c5b0d9fb21caab648a382cf83bad78cf54d58eb2

SHA256
8ea59136b6948f9dd4dc5d236b07b3b6a909edaa25e2bc10191ccba789d52b9e

SHA512
6400329a328735d65694abfd47cfff3ca365398c3ad973f026e9251a03214d947bd6c805f922858d020681e723601053f07b305dce7df7c73a61b18cbc573966

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
96KB

MD5
ac19392334708333936390b0f613b087

SHA1
b9be0a05dd316ce31db120f4da87890b7583135b

SHA256
3a3a0a5e743c6a5db0022d5450274e3d1e3d2b0a563f8186a09dedc40fc2151c

SHA512
a1a9962b1e75dc876538114c4f30d414ac50ff98336082f1f5b4712569ce6548e86fb75a301cb8b4acefb401f9068f550c5f1d6758cda770da6efdbb69547405

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
96KB

MD5
2528deb0825a0590159c9ae229a7047e

SHA1
94766dd0a95013f701a73b47a7730655e9dc62e4

SHA256
a681bc161adca70a458553e44fa0dd092057b589004b0fc71c266fef0233c454

SHA512
fb7efe74085d17b08d8d2055d6676ab5a7b5a4c131baacd611737a6dd4ca340abd1c9c6e1d9b8fc968a5d6f4480506573a6878acffc6f32e05040d0a465a709d

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
96KB

MD5
f6274d45bf84d24ac7611963c850a775

SHA1
a7f16ef681e8f5fe95998fa01fc8904d033f47e7

SHA256
fb21d50a3733bcd75ec0293467fce88c64db7f8a14bcdadb613a35ecff94879b

SHA512
fb90c6de984b4eac402d9afbbf914f09dfa40973f18b0b521a89884872521ce03cb959390137c1fcc38f83b4ccbb311cebbaf4216d0abe0d375f0e587a8a8501

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
96KB

MD5
1b6e2ecec2fb280226842133469bebcb

SHA1
6600c653f55254c5e01630a2261e48d9d24c48bd

SHA256
138b83bb41d57e67d26d6940e0bd24541135a2907c4a22f6265bafd2bc9d68a8

SHA512
82b785023540d605d22244a6c28dd4fe162515e56f78112dded4a08a5c33793fa4a85fc14dcbeb6588d575edbd3b70b0f77cf5fd078a4eb3a1a714a1a5803266

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
96KB

MD5
ca53272e8044e51aa7cb21de88c0fe50

SHA1
e16c70dfba712406f07a95ced8a1508da2d11600

SHA256
95a34420b6596cbff0f152ba181fdf86d36c91c6a9e5e273317dff453f613b39

SHA512
7dab060c688c55930230cbab52ed5bb068daf170a43a2ce2da6e333329bde81ada6b4c1ef70e77178d4473702841e55908226b4d637ec1e2ae5f9a4bb6d812d0

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
96KB

MD5
3867eef1f6b25cb2b75f9026e2411ae0

SHA1
1126d1df45031461fabb497d52060c1aaf491e10

SHA256
41799e58e55bd97837c2da6ca31e1f6de44e24e9d7499f855de580612a2484bb

SHA512
d842a6e212cf1669f606e3dd18a6d9ea88c9b82f66e28d16ee3ccf4419ed9e11fa6464a28ef53d12ee96cc4997aae46b1c7a0eb7ebf179ee01437d14b8edc7fd

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
96KB

MD5
13e78c31b587ae20bba982b761e01d47

SHA1
e3db952676654783f58f2d5071aa46a4b0f39b3f

SHA256
42e6c08552b4b6d96fcfb7a63110b3b3dbbb7c9017da5bdce065cafb5c42a314

SHA512
49a7ef62cbfbdf46a5b067426ac705f30520daa96b7f82b589f22a52087a101a9d675479ece799664de2b6117636d91dd4ac3b5dcc7e6e92ef3672389bcc8553

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
96KB

MD5
19568c6f7bf418412eac8237d3577149

SHA1
054217693f0bee81bf5fc8cf2bb28e9dc6b24617

SHA256
fe17610fd71b0c43d7e4d7b9a3efcb11737211eae1887430bdd1c9f72a13a271

SHA512
5cf88092078933ad9a153c332cdccbe01b9c05479ddb7e105d8103bc57c33e225190257364838ca5602bcaa696d1203198cfd327670d0ea4e01db81c5cc7d148

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
96KB

MD5
e9f4341413d46ffc40450e416fa00db9

SHA1
d4c4d8041ba9cb89a61d1376c160acc906837f6c

SHA256
cad93f92954b3e581f47821f5c5a9f19417cd96e3003c2b78d1a19571944338d

SHA512
76c71fc0ce595979bbc74a2da494298cb2873d2a2ea7c80a20cb07ff90ee4da729e756f0fac2087d0ebb8bf79d4136562ec7d5a4ea15603435b8828c8e315010

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
96KB

MD5
3b77cebb8e216777e5f559df42dda844

SHA1
b209172c898a94655dda6205ec0cdc40577ed72e

SHA256
76513e14bf035c76c72cefa918fc8bebe2783361c9185c502690b0fa6650c1da

SHA512
d0339715c2d55ee91165451891aff8769146b8f9fc0b0d92b41cd6f9a8e43ca80715c1f8ce3a960f0279937828d77619f80d25d742252b1fb6fe342cb05df1a5

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
96KB

MD5
584e9f29aa5be25b4ec940ddc474efd6

SHA1
3413e55607a3a2ad6e98b3369269a693c64b8103

SHA256
3a8bb7a3562c3255699163846bc0766ad0676c0b63954b540b47a5548bd791c9

SHA512
061396b2935ac73003ed82f8eb5babd75811cd2118c7367918576c97bca7dbad8165ef0efe4bae2b1f028cd5fae959fbc1cee1b4b55f02333145d164b811882b

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
96KB

MD5
96a5f63ad44049729c3dc3d1c1249cb4

SHA1
5cc27da7cef6b000658799902fcac05294ec7a7f

SHA256
784314480e66a0f43a5065de226c9cf74ee2b873bbceae7a1c82e4bf10a66769

SHA512
0e6dccc5167cc7aca61512f71663492533784d12caa088694d20b7c871d5a4fa5bb85ebb259bb751d0ff9926f3384b660d62398494b100889e8da3598fcf8cdf

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
96KB

MD5
3c0c42a5947d2cc12f13e0434dd5af9b

SHA1
bb773ac1a4f9205198b86ffe03bdb77f91668fc5

SHA256
5515452d5066b85a422a945b467db7f89d8742860bae8b684e8ef3cb3e15ba86

SHA512
006fc5c9ff63055d68f3b456d52250d07348160f260c1dd9f19a472ca9333f2381ad905fd219e07fbc65c3e5fe39080b08a0eaaccb9cd71d1745b10b672d359d

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
64KB

MD5
cd928d9631d562a9f1d48eea687b5d2d

SHA1
6fc3755829b64cc173e983744cef8d52a52672a9

SHA256
fcd8cd72b0a3646e6185ba2e127b2b6160352f9089b4e476d098603fd64af1f3

SHA512
e4cbd9cf1110650de7fdc93f45a14ff5a89f96434271d353c1b015117f9c41ec1d5b7241d0b73dacc73e4c33a6b2f2c1cc97648edb7215c10cc3dc7b0df352f6

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
96KB

MD5
103a41a8700a6eb669c6bcdde5233913

SHA1
4330a0f49eb1c92d8b90a653c481a1a80a8e0d0e

SHA256
a6215cb33bfaa8d1a02bc0801e992e6333e4de75d1e2154f39c0fb7c1663f693

SHA512
bd630a16722e23f561b42df84909518c01ddd00f821b1e350aaaac8a804972438dea091628abc8224a0a0da391c9b3fded0f37708b401c37c288a91e489afccd

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
96KB

MD5
d6db50a61434da0dd7083b630b205eb4

SHA1
307d1fc096911af5fcb1b7534786392415727957

SHA256
266d6968d89280086bfe43591c1cd88562bb5eed07325ca2d10819b51fcfa9ea

SHA512
225886c9a253082f9747b0e586b69db3acc8a6675b5e8fab8ce693d7abba2159d1210b5d88b2822295adab6823a904cf517f6b7db5cc79b4e1b4de783dd6aefd

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
96KB

MD5
8dbbae4b4621f73d5f35a316b99ffdc3

SHA1
4b204e52e0a10a1be1462bfa5e1ffd8fc129604d

SHA256
afe71007a27c1c9eae7e5a2b9a39854cb89d0861a8f2b7a1eba7f39c0a8d596c

SHA512
80aeb6f11539555a5e5c7505464faf5f99f0c821e47dd4ccb920a466a99e5bc08feddc666af9e757cb70acf4d8e99e90ca75701f7382ce529555ed165c3fa5fc

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
96KB

MD5
4025a39510899400e398668a9ebfbc7a

SHA1
df94c10324d8f67dd69e81a5375f4b2689b543bc

SHA256
185d5fccfa62a9901988fdcc07bc2c94650eb9ee0916cf0c7e23547657259a32

SHA512
8b294872fb6bdb1c216bea06885f0b97c1f6840e342d0d37b1226287b0b812bb931922e9358a5b906454661144a1c1ea60d0e8cab78b370ac4966f12002242bc

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
96KB

MD5
41566869d23b8f564300f6c74704eeb9

SHA1
8847192b51f4abb43becef933bffec3ddf09ff4e

SHA256
a488b59fed7d2a481aae26518a9a82047106a74ad22d3ab5c3d2f1744d08e8a3

SHA512
e7c4e1744a562ab1ba73795f6df8031541fa9fc612a111904d86b27b07f09ef2fc06c34e9229bd86c40f15f13475d37e7d6282826431c196a68478e38df5df5b

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
96KB

MD5
73bea5502d8e8189f5a06f8223d6b69b

SHA1
acd8380892bd7e075ff8f3554e1367cfc7da760f

SHA256
a0165c6e3bd8acb1a1dda65592141846f2a91a9038b3d1df601a36e7fc52bbfc

SHA512
d3ae518189574b612d92cca96aa87abb79e93f9678bc5a8c23a0415040a86ccb8032205afa3469916e597114b9c7c2e078d4c8a60d19b12c5e9deeb8bbbaa7aa

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
96KB

MD5
2d4653414401a12a8ce71aa8d735112b

SHA1
63b44c5843af7718ce511cdee653aa7f31e96caa

SHA256
f7909f74db65168783422365f706c37ecce03b43579472444c74a6cced8e8f06

SHA512
e8470d69c74447e2b62ce008c6524046642db0665e818483d8dc586c173b982835fc599b15d975a6422210dfc7b45a2021f777b37b6c15129522d1edb1af3842

Download Submit
memory/556-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/832-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/832-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/880-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/880-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/964-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/964-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1828-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1828-198-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2588-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2588-195-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2844-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2844-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2888-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2888-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-211-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4000-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4000-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4080-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4132-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4132-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4544-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4544-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4592-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4592-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads