efdd94a5576bc35ca6314cbfe9402a9163743dd4c4ed1f1ca8d5fc66a52fafb1

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
Size

80KB
MD5

9706ece39e13a68c9b882be4d7abaac0
SHA1

be9572b84ade8b61ad26b2b81442a6ea4be6e663
SHA256

efdd94a5576bc35ca6314cbfe9402a9163743dd4c4ed1f1ca8d5fc66a52fafb1
SHA512

caa3ccbe2fd70861500de3ae47de49f544b38a42655f8011be14a3c14c9f98a3c8a0a8f7e13ee135f863c9b9fef29d2634e274c0a40699e5072e44f02fc0c6ad
SSDEEP

1536:LBRIi0gSqws1D5fn4WfMTmbf4S2z2LYSJ9VqDlzVxyh+CbxMa:LBx0gSXIpnwTofzDJ9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe

Executes dropped EXE 23 IoCs

pid	Process
3316	Mjeddggd.exe
4868	Mnapdf32.exe
1060	Mpolqa32.exe
3400	Mkepnjng.exe
4000	Mjhqjg32.exe
3296	Mpaifalo.exe
1244	Mcpebmkb.exe
3680	Mnfipekh.exe
3240	Mpdelajl.exe
2040	Mcbahlip.exe
3272	Njljefql.exe
1740	Nqfbaq32.exe
2080	Nceonl32.exe
4816	Nnjbke32.exe
2248	Nqiogp32.exe
3048	Ncgkcl32.exe
592	Njacpf32.exe
5108	Nqklmpdd.exe
1820	Ncihikcg.exe
3060	Nnolfdcn.exe
3968	Nqmhbpba.exe
2984	Ncldnkae.exe
4724	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5028	4724	WerFault.exe	107

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3316	1628	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe	82
PID 1628 wrote to memory of 3316	1628	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe	82
PID 1628 wrote to memory of 3316	1628	9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe	82
PID 3316 wrote to memory of 4868	3316	Mjeddggd.exe	83
PID 3316 wrote to memory of 4868	3316	Mjeddggd.exe	83
PID 3316 wrote to memory of 4868	3316	Mjeddggd.exe	83
PID 4868 wrote to memory of 1060	4868	Mnapdf32.exe	84
PID 4868 wrote to memory of 1060	4868	Mnapdf32.exe	84
PID 4868 wrote to memory of 1060	4868	Mnapdf32.exe	84
PID 1060 wrote to memory of 3400	1060	Mpolqa32.exe	85
PID 1060 wrote to memory of 3400	1060	Mpolqa32.exe	85
PID 1060 wrote to memory of 3400	1060	Mpolqa32.exe	85
PID 3400 wrote to memory of 4000	3400	Mkepnjng.exe	86
PID 3400 wrote to memory of 4000	3400	Mkepnjng.exe	86
PID 3400 wrote to memory of 4000	3400	Mkepnjng.exe	86
PID 4000 wrote to memory of 3296	4000	Mjhqjg32.exe	87
PID 4000 wrote to memory of 3296	4000	Mjhqjg32.exe	87
PID 4000 wrote to memory of 3296	4000	Mjhqjg32.exe	87
PID 3296 wrote to memory of 1244	3296	Mpaifalo.exe	88
PID 3296 wrote to memory of 1244	3296	Mpaifalo.exe	88
PID 3296 wrote to memory of 1244	3296	Mpaifalo.exe	88
PID 1244 wrote to memory of 3680	1244	Mcpebmkb.exe	89
PID 1244 wrote to memory of 3680	1244	Mcpebmkb.exe	89
PID 1244 wrote to memory of 3680	1244	Mcpebmkb.exe	89
PID 3680 wrote to memory of 3240	3680	Mnfipekh.exe	90
PID 3680 wrote to memory of 3240	3680	Mnfipekh.exe	90
PID 3680 wrote to memory of 3240	3680	Mnfipekh.exe	90
PID 3240 wrote to memory of 2040	3240	Mpdelajl.exe	92
PID 3240 wrote to memory of 2040	3240	Mpdelajl.exe	92
PID 3240 wrote to memory of 2040	3240	Mpdelajl.exe	92
PID 2040 wrote to memory of 3272	2040	Mcbahlip.exe	93
PID 2040 wrote to memory of 3272	2040	Mcbahlip.exe	93
PID 2040 wrote to memory of 3272	2040	Mcbahlip.exe	93
PID 3272 wrote to memory of 1740	3272	Njljefql.exe	94
PID 3272 wrote to memory of 1740	3272	Njljefql.exe	94
PID 3272 wrote to memory of 1740	3272	Njljefql.exe	94
PID 1740 wrote to memory of 2080	1740	Nqfbaq32.exe	95
PID 1740 wrote to memory of 2080	1740	Nqfbaq32.exe	95
PID 1740 wrote to memory of 2080	1740	Nqfbaq32.exe	95
PID 2080 wrote to memory of 4816	2080	Nceonl32.exe	97
PID 2080 wrote to memory of 4816	2080	Nceonl32.exe	97
PID 2080 wrote to memory of 4816	2080	Nceonl32.exe	97
PID 4816 wrote to memory of 2248	4816	Nnjbke32.exe	98
PID 4816 wrote to memory of 2248	4816	Nnjbke32.exe	98
PID 4816 wrote to memory of 2248	4816	Nnjbke32.exe	98
PID 2248 wrote to memory of 3048	2248	Nqiogp32.exe	99
PID 2248 wrote to memory of 3048	2248	Nqiogp32.exe	99
PID 2248 wrote to memory of 3048	2248	Nqiogp32.exe	99
PID 3048 wrote to memory of 592	3048	Ncgkcl32.exe	101
PID 3048 wrote to memory of 592	3048	Ncgkcl32.exe	101
PID 3048 wrote to memory of 592	3048	Ncgkcl32.exe	101
PID 592 wrote to memory of 5108	592	Njacpf32.exe	102
PID 592 wrote to memory of 5108	592	Njacpf32.exe	102
PID 592 wrote to memory of 5108	592	Njacpf32.exe	102
PID 5108 wrote to memory of 1820	5108	Nqklmpdd.exe	103
PID 5108 wrote to memory of 1820	5108	Nqklmpdd.exe	103
PID 5108 wrote to memory of 1820	5108	Nqklmpdd.exe	103
PID 1820 wrote to memory of 3060	1820	Ncihikcg.exe	104
PID 1820 wrote to memory of 3060	1820	Ncihikcg.exe	104
PID 1820 wrote to memory of 3060	1820	Ncihikcg.exe	104
PID 3060 wrote to memory of 3968	3060	Nnolfdcn.exe	105
PID 3060 wrote to memory of 3968	3060	Nnolfdcn.exe	105
PID 3060 wrote to memory of 3968	3060	Nnolfdcn.exe	105
PID 3968 wrote to memory of 2984	3968	Nqmhbpba.exe	106

C:\Users\Admin\AppData\Local\Temp\9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9706ece39e13a68c9b882be4d7abaac0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\Mjeddggd.exe
  C:\Windows\system32\Mjeddggd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\SysWOW64\Mnapdf32.exe
    C:\Windows\system32\Mnapdf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\Mpolqa32.exe
      C:\Windows\system32\Mpolqa32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
      - C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        24⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 400
        25⤵
        Program crash
        
        PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
64KB

MD5
202f3949586313107af9079f14044f3e

SHA1
f6864677685098115eafa25d9662587879376962

SHA256
7017106a975656e4d8f5a90f217e2b27873bd1c8e6c873a51ca98cf34b02fbfc

SHA512
a5f6ae78737bc58aff8a9a9b25a3589e6473a4ca028194d2c3ec20554faea5cdd0471c3eb0655ea87151a0e2e25b077f949d9f7df9198812cc5dd98c5da48db1

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
80KB

MD5
4e02022e2a23302fbb57a9555665f675

SHA1
63254a2a70ccf8b6d7713e373e0445f1e27ac2f6

SHA256
bb6fa960dcaf7ffc7cf4319293546cc89b85eef813374efc9f947a00b538c856

SHA512
b5bf68229c32d20954920e6e9d888cd53fa00167dc24a4cb43cc582cf1cf95e101ea05920cdcbe288d5629f58db35d1426d204c5c82e482ba61f538ade04b4a0

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
80KB

MD5
0878af3d5150c2c0e001be1d33814148

SHA1
8e1b88f215536a3161ee6633115433a9d84be485

SHA256
1269baf6969200a7f691b02c098f31e2ff10344f6de4d7712faaf848c79ae739

SHA512
4206509d15c6cb75eb23582fbebf9a0a3d8e2c9359b6e7371d84a021034760368def423ff6df04e685e1f619574f48c7583c1cc408ea31f262042c55ec1adec7

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
80KB

MD5
f0e18b117b33867b3c26a2e85f776d90

SHA1
697479aaa8c285d0a3e55428c72514e920239245

SHA256
0ffd9b8c1983173d9a7b60edfa9ea6804b316e3890cff03a1c84dee8e2c2e2a7

SHA512
b094d87014cb72e2a93e14f0c50a3f0726de04e5b300941d18dc2265026fa9196bf94d7444c9466bd230e06def13f5c306a11d4616a36e5877b886dd71ada1d9

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
80KB

MD5
f6d4c7d2166fd05c5b0dfbbc4f0ea47b

SHA1
7370dc87838918673d810c36902760b40db293ea

SHA256
5ab74708b03075282e7ee065d820614d7729846502e5a775025cb1d4b20978da

SHA512
98acc7cff101d011b39449afcb1ffcb5ae458aaa2ef67324da5e2795c11970e8ccbdb547025a90f622989b2ea97328ae99b2c03a81583bcfeb30f4e04ca9a81f

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
80KB

MD5
e2b247877c32a02d2a42fa2cc85a8be0

SHA1
c3dd10bace2e37254a2755930ea1e00e16175e12

SHA256
de67f87e04968f6ee3e2dfc66ad8e6427198d6b19a816518809122bc7ddf2570

SHA512
5713bbbd04d0a9194d6c3b9dc7589993d44aaa53351d62de8d6c4db529588c74d29c790d2698dbe4e00db6f61683b49f2e4c5f39fd1a6402c61ffef2ce12c24d

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
80KB

MD5
de968a09f96d4f24b7f87c660676bc2e

SHA1
bc9608f9b6e9c8c1b3a0ba9c671ee1188e27df1f

SHA256
acc20a174eeeda4addd23d64f490d0ce476caf0c47a1c4eb001fc85a1b620bc2

SHA512
84c15787d9b224be485547a64a0f21489b049b2ad7250995d1ac8774d1ef198e8ce525b5fd9606ae8d9112f04854ccc04bee870583ff1185353c8a443a13afb7

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
80KB

MD5
47ea0a537a8e285efe5dbb5d0819defa

SHA1
4205a7d2fc91ea981f781beb3a5701755eb6d261

SHA256
11f361285a421b4f29869447e08657593a9268ab3a65edaf91d972b6a3cad222

SHA512
5f355e6c389849f7ecd76193106e64e31c5f9fbe8195e2bf4a6600319185479c60db6296970b360d35a73f961d491a5449d5e95660df6388c722e579026a0c44

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
80KB

MD5
0a9b373fa57c1afc93ad3534400319ed

SHA1
a792c3e284b5bfde09a6f6d70043cd29e4215346

SHA256
c1fa15a428939763c785f7d0cb54c8ad189fca110d62532738dc99b72326ce74

SHA512
464eb86c73842ae6a8ce077d7d32c69687bb5de309bb824e3c25133def5681aea848e9aedd68d2040ad02063ae644f98fa5dbb44b5b26a0a977c6cb319e14cf3

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
80KB

MD5
ea3fca9bcc06a0167c8fff53a6957eeb

SHA1
de75d639e5616c2ea8dc68177892904e9688ffe6

SHA256
1aa213a4550a4d4ee2f39d9cec37dbbb7ff0a4dbfe953515380acd5f1901fa96

SHA512
ba8aae7b4f1ed0e02fcb2985b1ec2a2f6652d3d1620308efbc493f5661ee28faa9ade4fb0e4b4efca715e2005adc7af83c056c27e23d3964ec9e788fda3e27d8

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
80KB

MD5
e0119fe66b34b7d6a4f1996a7f788492

SHA1
708b76980526d5d908fe050a72b87f6e5a442992

SHA256
30e6da4de716747cfbbf23796b8141aa2be4e698f4a4b34b751fe0cc72edc6b3

SHA512
9462ae55baacedab5f951a13e03c42e90181eb3a623c1ae4bc9d2b466e5fcd16454ca8d127f5a9127ee809bfbfd82c33cb910bdcebae2dddd3904665be472232

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
80KB

MD5
808620a22a6e127459f0fcc2c39975ae

SHA1
64dfab8ab44683c929ef0171cda7ad8cbdaa5633

SHA256
e2609afafb22b5f06384f71e514735ded7625659e6b10c4d5472e05245323017

SHA512
d43b20e8c93ff23181813e08beb71fb5408d11b71da59ca1e5b7c423ff9d55fde4074d3359dbc028ad89360ca85539d711def2c602f2705270b1bd116ead8076

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
80KB

MD5
aaa430673d096f2e1ce091e2fed50f12

SHA1
f08c950157a286f0605bf9505bbb04c0e789b2c4

SHA256
c2a7f1d38d7267bfdee91f7fdf7b25eaa18e473ea27b607107ca54945acd0b35

SHA512
4547c3df2c1d0003bfa02047c91d0ff38f8d02edfedcedc31dc4463184ffb74e80801579c6e3870250625dba0058b1f7c85efce2972f1a18261eb7794d660ce1

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
80KB

MD5
4535273fb51bb0a341ae06ef6268d6da

SHA1
b22a5c369106e57051d4635ccb8e105516eab912

SHA256
3ff8a646a0b369a02560c5c6d5ddc9b5f226b22e4ed19bebbac6c910352ff7a7

SHA512
d393e9f8ad5bc4d08dd6bf4b4fe7426fd830033bcbe101cd9fbbb6f5cb9c4ede998f59b4ec4bb017d3637c1bb6da50ddfd16f8c9fcd2c9282824575a9dcdb95f

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
80KB

MD5
6a1ceadef71e63f5d29e2ec004fbc3a6

SHA1
1012f2b72de89717007199f3aa9b87be294c4569

SHA256
0079c0eb23244f4a19909ec1c5628674124690a206182e0795515a62c3a9cff6

SHA512
b5c95c4a2aed250f2ccbe23c22f8169e0da3af5588454a0a1e3970d0330f7b41980c4f1f636a117922cd0a03cc46de7f9f23f107ff59a29a5ebb0757213a71e6

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
80KB

MD5
b2858342052e93aaae45b4365b242592

SHA1
c348e27557e0ea7f317ab730594ee50dfccd91f9

SHA256
f37121feb4e1fa910c89b0233cc45b650b53928b3b0fc8937c86076bd7a307eb

SHA512
f2e75cdf3b1b62b8f55aba1496a5e9af6fbdb0bb684d49680aa5bd27760ec65bcfb9de09a9defd2daba8f270b35f919b1e7414ba02fe21a2d4bddfd8d3c48ed2

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
80KB

MD5
4c718658172f5c030c8dee2c911ab4c2

SHA1
76d707528254b87698e25fa0e839d2c6a8af8791

SHA256
211ed16cfe83bd08f1305c0dbf9747e445ad26d006984fe7771eff752725dd6d

SHA512
19f7435b54db27fed4dc4f55d1506efb1cefdc131027bffaa319803d73c5685be2fd418afe0bf418867bb98908f000a682babb7a34af36c3eaecefccca649c0c

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
f6737d888ff88ccd49ad63f0264ae408

SHA1
42b95e15e85c30a6bf8d8bbfc4a32cfb8eca9ce6

SHA256
f2f7de45498c65d43150f13d2a233150616e14891762187bf48a7e26c3920a9c

SHA512
1d9ed5379a92d254fa36cc2e320eaf66336859369acdced4c60b75540384c18abb171da22d594caa8d4ea82809952eaff17fe95f415b362c369b402c03e733c7

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
80KB

MD5
bf89ee21bebfb2be0c320333f651c5df

SHA1
c0038e654efbe6b685240996fd888d877167682a

SHA256
00155bd22744a02314f055a42a25f5b231868870b16c0f2c409ae1a82e258931

SHA512
a38ff505d5b79b013e9fbe7c9fecd1b4c6ab48b8240afd599b02a112adb7e63502bf3038ab8daacbd48ce0432599462e962a886a3ab2d281ec7753122877d1f0

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
80KB

MD5
74fe16bf793db6124e7cc5bc62606a2d

SHA1
ef0647e9a3cd3b9362716cc8fcdd346f2ff1c23f

SHA256
07ffb8bb81fa1a34b3d03f13183f0592c59acad124b81d05e0e915fa43aa6eac

SHA512
3aee01fbef31618f461da6d516d0f305def466f7c4294162f6070686db707531471b6bf2f53e7124b8983471046887706163b2d7f73ff621e5560dce045db6f2

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
80KB

MD5
87b5d8465d964a5eaaaf05eb07d69b94

SHA1
ffdc8b14cf832ad2539ce7b7edc4e0fac137d50d

SHA256
4ac44a8d5e194cf454f623e438be343a009a67a066a08319d60beeae753d8a3f

SHA512
e42106796cb0f0e2b951de03f836ac78981faa42f3126a726295d83b767e8163773902305157983e9cc8262a83272b401230a050e5b66d08c859dd52c1ad9827

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
80KB

MD5
c7b6daa88013e95ee5f391a7a774c034

SHA1
38fb460a1326132d21ee4cce93f516328c28c436

SHA256
0cfce02b69ce59cc1a736c37d3279cf3cb60a91f8fd778fac753a7fd3edd673c

SHA512
9a7a69db9f495b984d4c8b0ed653ee9a8e72ef6db1fe8b8afa0693476d6486b12a35ba68c2e598aced682e39225f9755d0a7d5e5ab9487c42a624b320158766f

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
80KB

MD5
78f8b1014ed96db7d50360cc78489938

SHA1
49d98168cef24ff3b4921d709597ee08ff6b87de

SHA256
9d1fbb3b059df705b9bd5d71ae316ddd26b76182ce15729ce2a9d78f1401dd58

SHA512
2ef6f4f2fc00d9a2dd6c28bc7689ae4d31adbda2f2d9250d229b76eea9514ee3313df24a2fb9e7dbc917d783e9f0e0414a7dfc7cdc0889c1c53d1d848fa9ac74

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
80KB

MD5
1b9fec5c00e9568f8f99b73583d88a41

SHA1
643fc91b380f237f7810f6698a68d0c6ee8497ec

SHA256
97e32d0120aa3d70c0fba9d8476c5a1b0e353ebde324e0bd536e44a461c20749

SHA512
18ce7d95ce4ef85db1c394f3d890cd82efde46cd4a237a8afd3585c7a6b0d205a0e6904ae52ecf2259acae6418a1f93c1e106d664d97a7db4655f2435605d315

Download Submit
memory/592-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/592-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1740-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3272-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3272-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3968-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3968-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads