59a78f8a70ad297a106b5405156fa809ddbb1421ad1b27b6453786bc928bf79d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
Size

246KB
MD5

a1b81019f047d90c1bad2163b939b180
SHA1

8842c473cfb431ee804acf7df3bdcea53c4399c8
SHA256

59a78f8a70ad297a106b5405156fa809ddbb1421ad1b27b6453786bc928bf79d
SHA512

51bde48997204a23373de6ae7d0bb730918ec247fac45b80de0879b5476ba2ffab10a796db3a1d5fd08d07c3479de7d570276ba0019c7c236d506a34bedb44d5
SSDEEP

3072:SsUR32n6B60pzbFOJph2B1xdLm102VZjuajDMyap9jCyFsWteYCWS3OF9HqoX:Ss0m6ZNkfh2B1xBm102VQlterS9HrX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe

Executes dropped EXE 25 IoCs

pid	Process
3432	Lalcng32.exe
4584	Lgikfn32.exe
912	Liggbi32.exe
348	Laopdgcg.exe
3224	Lpappc32.exe
2884	Lgneampk.exe
4812	Lilanioo.exe
5016	Ljnnch32.exe
5044	Lphfpbdi.exe
5032	Lknjmkdo.exe
3716	Mahbje32.exe
4456	Mjcgohig.exe
1144	Mpmokb32.exe
4792	Mnapdf32.exe
2324	Mgidml32.exe
896	Mjhqjg32.exe
4528	Mjjmog32.exe
2316	Nkjjij32.exe
4972	Nacbfdao.exe
5076	Nklfoi32.exe
3928	Nqiogp32.exe
960	Ncgkcl32.exe
4388	Nkqpjidj.exe
4848	Nqmhbpba.exe
4576	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mahbje32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4168	4576	WerFault.exe	110

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3432	880	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe	83
PID 880 wrote to memory of 3432	880	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe	83
PID 880 wrote to memory of 3432	880	a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe	83
PID 3432 wrote to memory of 4584	3432	Lalcng32.exe	84
PID 3432 wrote to memory of 4584	3432	Lalcng32.exe	84
PID 3432 wrote to memory of 4584	3432	Lalcng32.exe	84
PID 4584 wrote to memory of 912	4584	Lgikfn32.exe	85
PID 4584 wrote to memory of 912	4584	Lgikfn32.exe	85
PID 4584 wrote to memory of 912	4584	Lgikfn32.exe	85
PID 912 wrote to memory of 348	912	Liggbi32.exe	86
PID 912 wrote to memory of 348	912	Liggbi32.exe	86
PID 912 wrote to memory of 348	912	Liggbi32.exe	86
PID 348 wrote to memory of 3224	348	Laopdgcg.exe	87
PID 348 wrote to memory of 3224	348	Laopdgcg.exe	87
PID 348 wrote to memory of 3224	348	Laopdgcg.exe	87
PID 3224 wrote to memory of 2884	3224	Lpappc32.exe	88
PID 3224 wrote to memory of 2884	3224	Lpappc32.exe	88
PID 3224 wrote to memory of 2884	3224	Lpappc32.exe	88
PID 2884 wrote to memory of 4812	2884	Lgneampk.exe	89
PID 2884 wrote to memory of 4812	2884	Lgneampk.exe	89
PID 2884 wrote to memory of 4812	2884	Lgneampk.exe	89
PID 4812 wrote to memory of 5016	4812	Lilanioo.exe	90
PID 4812 wrote to memory of 5016	4812	Lilanioo.exe	90
PID 4812 wrote to memory of 5016	4812	Lilanioo.exe	90
PID 5016 wrote to memory of 5044	5016	Ljnnch32.exe	91
PID 5016 wrote to memory of 5044	5016	Ljnnch32.exe	91
PID 5016 wrote to memory of 5044	5016	Ljnnch32.exe	91
PID 5044 wrote to memory of 5032	5044	Lphfpbdi.exe	93
PID 5044 wrote to memory of 5032	5044	Lphfpbdi.exe	93
PID 5044 wrote to memory of 5032	5044	Lphfpbdi.exe	93
PID 5032 wrote to memory of 3716	5032	Lknjmkdo.exe	94
PID 5032 wrote to memory of 3716	5032	Lknjmkdo.exe	94
PID 5032 wrote to memory of 3716	5032	Lknjmkdo.exe	94
PID 3716 wrote to memory of 4456	3716	Mahbje32.exe	95
PID 3716 wrote to memory of 4456	3716	Mahbje32.exe	95
PID 3716 wrote to memory of 4456	3716	Mahbje32.exe	95
PID 4456 wrote to memory of 1144	4456	Mjcgohig.exe	97
PID 4456 wrote to memory of 1144	4456	Mjcgohig.exe	97
PID 4456 wrote to memory of 1144	4456	Mjcgohig.exe	97
PID 1144 wrote to memory of 4792	1144	Mpmokb32.exe	98
PID 1144 wrote to memory of 4792	1144	Mpmokb32.exe	98
PID 1144 wrote to memory of 4792	1144	Mpmokb32.exe	98
PID 4792 wrote to memory of 2324	4792	Mnapdf32.exe	99
PID 4792 wrote to memory of 2324	4792	Mnapdf32.exe	99
PID 4792 wrote to memory of 2324	4792	Mnapdf32.exe	99
PID 2324 wrote to memory of 896	2324	Mgidml32.exe	100
PID 2324 wrote to memory of 896	2324	Mgidml32.exe	100
PID 2324 wrote to memory of 896	2324	Mgidml32.exe	100
PID 896 wrote to memory of 4528	896	Mjhqjg32.exe	102
PID 896 wrote to memory of 4528	896	Mjhqjg32.exe	102
PID 896 wrote to memory of 4528	896	Mjhqjg32.exe	102
PID 4528 wrote to memory of 2316	4528	Mjjmog32.exe	103
PID 4528 wrote to memory of 2316	4528	Mjjmog32.exe	103
PID 4528 wrote to memory of 2316	4528	Mjjmog32.exe	103
PID 2316 wrote to memory of 4972	2316	Nkjjij32.exe	104
PID 2316 wrote to memory of 4972	2316	Nkjjij32.exe	104
PID 2316 wrote to memory of 4972	2316	Nkjjij32.exe	104
PID 4972 wrote to memory of 5076	4972	Nacbfdao.exe	105
PID 4972 wrote to memory of 5076	4972	Nacbfdao.exe	105
PID 4972 wrote to memory of 5076	4972	Nacbfdao.exe	105
PID 5076 wrote to memory of 3928	5076	Nklfoi32.exe	106
PID 5076 wrote to memory of 3928	5076	Nklfoi32.exe	106
PID 5076 wrote to memory of 3928	5076	Nklfoi32.exe	106
PID 3928 wrote to memory of 960	3928	Nqiogp32.exe	107

C:\Users\Admin\AppData\Local\Temp\a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1b81019f047d90c1bad2163b939b180_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\Lalcng32.exe
  C:\Windows\system32\Lalcng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\Lgikfn32.exe
    C:\Windows\system32\Lgikfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\Liggbi32.exe
      C:\Windows\system32\Liggbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        26⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 408
        27⤵
        Program crash
        
        PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4576 -ip 4576
1⤵
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lalcng32.exe

Filesize
246KB

MD5
0e0b2ead121792a36297df5d169afa33

SHA1
8c522712b5112af6b47fdaffd6d6b5b03d92c912

SHA256
641870d76b90ab094aa269f4f5adc7f969ae29850c6284160cc73868cdc9e0c4

SHA512
981bf3018b70b014ad1564eeeb8275d02c8e2fb5db3763ab657b11686de7fafd6b1fc2f143b5755ba6b41ae60dfe227853933a1289fa5e93fbd33e5212fbc0b9

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
246KB

MD5
e819dd912006e5c8b7fcc8f7d1905fe2

SHA1
8727928a91a5cab2b00853da147ce05d904d9a13

SHA256
13b7a66e438024af1f2bc71dd64e5b999f1b66f3e31010996cd02315966da948

SHA512
6465ab14b01102c601cb25827052ab9ef57d9b7920822a45a88fc3435d22c94c2cdbe5dec17be89de30e43c4f1c3082856b97a3ce395de6435c2d44bea94e5ee

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
246KB

MD5
b34724c429651b228ec15ba2cbd8d02a

SHA1
f3bb09327403f353035daf5f3a00b714a4835d86

SHA256
baaff98ea3ddf07fdb510548602e9b749eeb0b5fae30a0590193f11b6c6cf909

SHA512
c33248cef53c2abe951d8a446e802d975a2c8850180d9789444a7cb30a53ba70da1589b13ca512d81636928cf95a40621b879fc854cc94d513eb3a54458498ab

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
246KB

MD5
73709791437d95c20ab3e7259825681e

SHA1
6c7b6ff0745118bd9c6960a7691b9dbea33c1c1e

SHA256
3a3c8c988c40a42f23d622ead12562bbdd718f1b54c2c84a03186f20374672d0

SHA512
5a8fdd521ea6be7d14e649356052ce2a8a006ffd595b54a36adba77012b28bfc5347bf3619f1149e45fdef499b90ec549ccf88259ccec4700ccaf6dc6a440baf

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
246KB

MD5
04db6103eebc9eed2a1dc3c736feb04c

SHA1
1d57fc403489f5cefb211788b658095aedfa78c1

SHA256
b276d9f36de9e1ee10b9e09b9dde2dc3791928b5e6e609407108188e43754e1d

SHA512
faa05e5882437786e0ec9420acf32383c14b07870bc89e419efe695a4414b1f64853ce65cf0f9863be359b14a74f84788dff72d5aa3233af7d7eac4d5fb860f4

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
246KB

MD5
efa100542c88f1bfa112411014eee348

SHA1
64d5e5de3546f3324143b1c2a3a0f09a2a2b60f3

SHA256
426abbcc28d0cfbb75ff76a7c472ac5a8623501cbf9d006c6aaf4512428389db

SHA512
804fc5a0c34cc45b3a976357061eb00c5943cabc74f74135b1431f63ed2c5b615c4005312a8407a54a8c34807d76a486b75496de66c1440be465db16c19dbb2b

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
246KB

MD5
16bf970656f0403b65dcd9f05ce96faa

SHA1
846c40d0c6e1d316d1d32aeef5fdf0c8d338b81a

SHA256
d4d198d8b917702d9d3f81eb593e0e4ba97659928bf593599d95580ff65e2252

SHA512
7649d6b2a227c9f7f5115fd649dc9dc501137d26e015f31ebeb78d7fbb199a77da0bfc213ce64b7cccbba183be360fceb7baf87cc03b7b5e338b22fe16544fe0

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
246KB

MD5
197ccb906ecaf4f8bd93dad4bf69fd5f

SHA1
803439a335861a56cb2ba06fe736bea86817c6e0

SHA256
49d91e6b9d1baae891cb16f9290d522f6d68d4ce0e1a262f5c309a656ec57b2e

SHA512
a0295ab5642f5f0b4ac1f98be6bb69fe41ffa4e5ea39bcd8fbf482d615db8eb0fe209f9a08631737f3f27fb2a80695b2ff622313ff57d9fa79a185fb00f1fbaa

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
246KB

MD5
8831d0e8fcd8f026c26d69927f93edef

SHA1
b2722f4292f0435462826911ca1f1bed9c336a69

SHA256
4ec37cc7bfa75f454a13ea0497024d45eef0b07050fa4c51228b57b9d960a884

SHA512
f1b71b57a7420806e3e2fcfe35acf0622293b743112ce3089f0de6efe55fc95e263093b388e6b41ef0c398d46817ed612af62c234fb051a98e50a21ee13698f3

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
246KB

MD5
30eeab6811fe375fc449bb43223a53ae

SHA1
ea2151b556cbe839077d1b2161bc81dc37fa9825

SHA256
3310ef3892ce929e109897836f044df1a3e186c55d85787859d0883f3196b7f4

SHA512
6af1e0e474e3292d57b4b95a58bec80f1e38c2d536c53d9ec87c8ed204bfee6a324090c9273e314c2a33af17cc1635a786fd1c11d43152a1ad9af1f275565b8a

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
246KB

MD5
fbdea7c367391858399f2b8b4ffc2a23

SHA1
71a2e17cb7832bafcc5f0d0c764a0d554e931cd3

SHA256
22ddd7c8c99c5e3de825bd0424c4591b6d7dea78ac4b633931a02d32db9c9f07

SHA512
b189f0397c76db6092c5d8660dfac89e8be91ba0943ad216e53f875d26f5a1530afaf990f5470fc9ca6ea7376642b04ef863fe3227547042994a4716d4038f85

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
246KB

MD5
c6a84f3388fd90b2041d7c367a58a066

SHA1
7a4f180ba1c9d6745b6ae66f07bdb32d3f19b902

SHA256
f44cdd3061c5dbb226160c705fda5e8907fa3790ca61f4bda9aea056877da5b9

SHA512
ffaf6ca3aa9e1c077752b19218646da9cfb19219a8a2d74a2f365b107795934543cfd1d6ab040fe3dbc922a1c7112433e0684a6f1629ef9a325d8b039af4fb51

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
246KB

MD5
f6e34818b8fd75a9c0fd7afff8212b0b

SHA1
40f6b432b8fc391802f5f04fc16bf62e7f0bfad3

SHA256
90fc89d9744db63882d41964324c1d7912e47c9429383c885f956f3cd98b7c26

SHA512
945bbca096ba825366d69e0fc1d2db3ca60ff2f8b1c8ea2269b3ebd67207b12c3b6c48dabe4b0cb5ce4d37073043fcd60d3798608844af74169592daa4467d12

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
246KB

MD5
189f3021248f7c9d418fdf129487488f

SHA1
68fa6a903e39efeb1a8dff11beb957a2d94f2794

SHA256
a65b655c614c7d69d430351d9d594b973dddab7f0ef7140da893e94473c94831

SHA512
8a430cf1108aac142f1141994ce9442dc91d05ec1d28399a09a4cf9366916853d4701a70f25339f4729f8030a53dc284659cd39497d021d2942067aa4000c966

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
246KB

MD5
be6aa7bf3ff380dcf14b487997d1028f

SHA1
ed1a43fd7cca69eef41a3088171cc930b92c8bba

SHA256
6f71e51cc07d5a6e6f8c42fb055cb625f85ef6974943538aaa5d78e3462a26ea

SHA512
72e589d4393ec8868b99b470d7436293cac280a89ba4164a17ce1b343fa13c4706284df5e636995d203b42368ab676844cfe003cb87abf19a5693b53e8638659

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
246KB

MD5
eb5866a39b692ed5796f9fef5aadb3fe

SHA1
8d671dc38c7b81fed7fc1a517bebc76ed0a2aae5

SHA256
02f4fc88fd6d35cb95f275bc8e1616705532b888e2a6ac2153fbf2288c70e8ef

SHA512
5c846247e1a32e58438e2955290b4acb3819b16dc9fd57bcff92fa789cfa2a8506c61af89147097eff26a8856ca4ce6760a4df6439d1d17215b78fbf20363df2

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
246KB

MD5
60d327c159a4a2bda4e3d8a4c032db53

SHA1
8cb4c9756f65f548a81710055e5064f1697f5817

SHA256
835e20ad4d91eeb53798be0145f0b81a3e22664313dae4f10880d05f7d04ee06

SHA512
6b32d0dd38d8190e4f33dc2e4ab0df8a397506d492881fd4d134e1d8e05aab2289b9a99be6a47aae9875bc483afc5f4cbd23c2c6b5fcc6771375a9ac34e25dd8

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
246KB

MD5
f83aee9c8e3107491cc6d52b53c3a652

SHA1
acbc61d277429727707677393d461ed5fd627048

SHA256
d0cfeeb59d722eb73efd21ee756ad3250196cfee518d954fc7f4dd8f073ac621

SHA512
7ca6229dc0bc7025bd2e1ea3bed9fd8679ab8bedf21741cb972413140623d6ab0c1e6d961a94efe6f20861eb7c4dae8fcc92ff6e6ca67d0a21ab2185946d3b88

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
246KB

MD5
94e1b6e075ddf55d86095f47b96b1fe5

SHA1
c1e9ccee01939c691b85847c2ce523e3e939698e

SHA256
c25531dc882be18d5fafde37e21f62ad5e76b8705ac329bb41f5df0d7af87230

SHA512
42efb4723efd6c7976cd05f1c0cc2e3f542d5ab8f2f986a728df78b71d7cca0f5ec6edbb2251be97a43f4551c7d7e2afc819565cf9d6e5a5200f12042e969b42

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
246KB

MD5
daf968a739f0e9846a3a5d735f753aae

SHA1
d2b8ee8a2652ca1ac414048cbc42e14a474f4701

SHA256
7a47cfa0313621cabf5c046fa57d28b3dc84835c35aa6941e8b16bf52cc1bca6

SHA512
ff4ca969eaf12c9f0e30bf580cce22374635cca514d590903d2ec11ff1cfc638e86ee191aa46b488021c1be1c33a491389c76c20e380a23f6b5c55f7c062e5d9

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
246KB

MD5
800e63a660000f8e8e30abc3143c2016

SHA1
02cfeccd2160e1bea25a1d578fadfb41d22ba79c

SHA256
d7a15c148788e2c43466328694bbf696499654504425791b0d4703e9d1c6f36e

SHA512
25eff08ac23f2eaa8854b382f02d6c9eca755a9479b8ebe4ba4bb249817a0b489e5c952ce6644f766d6018dafdb313f1d1cdeca2035894a0680f0201e7ad9577

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
246KB

MD5
816d59d47e9da304671e53925aa2e00e

SHA1
e3d3022284e65dd64c5d29fc9049b8a627eb1979

SHA256
3f3b71562423c2cdd0f1ff4adbb96141e3f9f03cc9a8e8ececd2ac54677e68fd

SHA512
8d2f7c2bcbdb85577913a4b411332616a49fe6f7fe217cc7b27371cf13987952c6b7899d284f696da6bcc58b9ef71a2f300d991ebff27b3b80a7f319183bbd7b

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
246KB

MD5
16e24ee84b92bce626bb8e38c82d0d80

SHA1
88e301d6bef2ee527badfaa78e1a038394eb310f

SHA256
7ac350ceb39d41959b2d57f21a8fc28077f5803624292f1ba68f54dbba832d52

SHA512
40b5799c0706fd1429985d4e05c53c4b0deb72f2ad0162980c9c923237e65b5b1bce418dd4a3a6203a582bc60e087b2dc546c4c68dc3c0dc4e99a5c58aa02269

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
246KB

MD5
3b8729f771f5be1734cf0273c8a90a93

SHA1
8c6bfa9f19ddf41e2a9ee04fadb84aede9897d13

SHA256
421cd52f98f56f23fc9a408ca78a0fb56161ef7491d4112150a9fe0d86a85db3

SHA512
09232c34060a9b56b91602132d73844f44d9e6a2e6ff90286995d77d01b20dae054bc4ecfe2657e8c0033da1724e6b791c11459fe74e4444bac96e2f0fd819dc

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
246KB

MD5
095f22bf5ae47d3dbfa925d251846841

SHA1
fc7f0d45769937a9715365871fe23718225cb25a

SHA256
605e3cf23979a9ddc42dd02ae58885b0772ab5d4970a06861f27737ad4dffbcc

SHA512
e2c6e129c4789ce0b40f9306d45ea5878dcdb09344620d352fe90ffcfac98aea8831a0d4c5f23b8ccca5ca0d3eda65fa220f3e9cd65cb84c9fcea1a6e21f18f6

Download Submit
memory/348-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/880-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads