5dfe4c41171135b8b33e3270ed9011212c5efde16c447cc4dead010c06e0b5df

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Size

232KB
MD5

d05f0aeb8c3f9006cd3e9f2c544e4dc0
SHA1

c6d06a8d27c6252caf0d53550082e0597bcf6dd0
SHA256

5dfe4c41171135b8b33e3270ed9011212c5efde16c447cc4dead010c06e0b5df
SHA512

9b506916d0888d5b5a9038782fb8bd262ceeb43afbc722cceed8c5df1d117cf031dd09ffc0f3646f79c47ce7609374f71a5faed02efee89f97e76cfdc2ed4438
SSDEEP

3072:XqYqqcLVoQlcnl55gMD7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121Tzlz:frcLklpD6s21L7/s50z/Wa3/PNlPX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe

Executes dropped EXE 26 IoCs

pid	Process
4796	Lnepih32.exe
4780	Ldohebqh.exe
1728	Lgneampk.exe
4452	Lkiqbl32.exe
3700	Ljnnch32.exe
2660	Lnjjdgee.exe
4628	Lknjmkdo.exe
2896	Mnlfigcc.exe
3640	Mciobn32.exe
4008	Mkpgck32.exe
3088	Mpmokb32.exe
1092	Mcklgm32.exe
3260	Mamleegg.exe
5008	Mdkhapfj.exe
5096	Mkepnjng.exe
2532	Mpaifalo.exe
2836	Mkgmcjld.exe
3620	Mpdelajl.exe
3836	Nkjjij32.exe
1584	Nqfbaq32.exe
5080	Nklfoi32.exe
3944	Ncgkcl32.exe
4248	Nnmopdep.exe
2336	Ngedij32.exe
1572	Nbkhfc32.exe
4648	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4116	4648	WerFault.exe	110

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4796	3224	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe	82
PID 3224 wrote to memory of 4796	3224	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe	82
PID 3224 wrote to memory of 4796	3224	d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe	82
PID 4796 wrote to memory of 4780	4796	Lnepih32.exe	83
PID 4796 wrote to memory of 4780	4796	Lnepih32.exe	83
PID 4796 wrote to memory of 4780	4796	Lnepih32.exe	83
PID 4780 wrote to memory of 1728	4780	Ldohebqh.exe	84
PID 4780 wrote to memory of 1728	4780	Ldohebqh.exe	84
PID 4780 wrote to memory of 1728	4780	Ldohebqh.exe	84
PID 1728 wrote to memory of 4452	1728	Lgneampk.exe	87
PID 1728 wrote to memory of 4452	1728	Lgneampk.exe	87
PID 1728 wrote to memory of 4452	1728	Lgneampk.exe	87
PID 4452 wrote to memory of 3700	4452	Lkiqbl32.exe	88
PID 4452 wrote to memory of 3700	4452	Lkiqbl32.exe	88
PID 4452 wrote to memory of 3700	4452	Lkiqbl32.exe	88
PID 3700 wrote to memory of 2660	3700	Ljnnch32.exe	89
PID 3700 wrote to memory of 2660	3700	Ljnnch32.exe	89
PID 3700 wrote to memory of 2660	3700	Ljnnch32.exe	89
PID 2660 wrote to memory of 4628	2660	Lnjjdgee.exe	91
PID 2660 wrote to memory of 4628	2660	Lnjjdgee.exe	91
PID 2660 wrote to memory of 4628	2660	Lnjjdgee.exe	91
PID 4628 wrote to memory of 2896	4628	Lknjmkdo.exe	92
PID 4628 wrote to memory of 2896	4628	Lknjmkdo.exe	92
PID 4628 wrote to memory of 2896	4628	Lknjmkdo.exe	92
PID 2896 wrote to memory of 3640	2896	Mnlfigcc.exe	93
PID 2896 wrote to memory of 3640	2896	Mnlfigcc.exe	93
PID 2896 wrote to memory of 3640	2896	Mnlfigcc.exe	93
PID 3640 wrote to memory of 4008	3640	Mciobn32.exe	94
PID 3640 wrote to memory of 4008	3640	Mciobn32.exe	94
PID 3640 wrote to memory of 4008	3640	Mciobn32.exe	94
PID 4008 wrote to memory of 3088	4008	Mkpgck32.exe	95
PID 4008 wrote to memory of 3088	4008	Mkpgck32.exe	95
PID 4008 wrote to memory of 3088	4008	Mkpgck32.exe	95
PID 3088 wrote to memory of 1092	3088	Mpmokb32.exe	96
PID 3088 wrote to memory of 1092	3088	Mpmokb32.exe	96
PID 3088 wrote to memory of 1092	3088	Mpmokb32.exe	96
PID 1092 wrote to memory of 3260	1092	Mcklgm32.exe	97
PID 1092 wrote to memory of 3260	1092	Mcklgm32.exe	97
PID 1092 wrote to memory of 3260	1092	Mcklgm32.exe	97
PID 3260 wrote to memory of 5008	3260	Mamleegg.exe	98
PID 3260 wrote to memory of 5008	3260	Mamleegg.exe	98
PID 3260 wrote to memory of 5008	3260	Mamleegg.exe	98
PID 5008 wrote to memory of 5096	5008	Mdkhapfj.exe	99
PID 5008 wrote to memory of 5096	5008	Mdkhapfj.exe	99
PID 5008 wrote to memory of 5096	5008	Mdkhapfj.exe	99
PID 5096 wrote to memory of 2532	5096	Mkepnjng.exe	100
PID 5096 wrote to memory of 2532	5096	Mkepnjng.exe	100
PID 5096 wrote to memory of 2532	5096	Mkepnjng.exe	100
PID 2532 wrote to memory of 2836	2532	Mpaifalo.exe	101
PID 2532 wrote to memory of 2836	2532	Mpaifalo.exe	101
PID 2532 wrote to memory of 2836	2532	Mpaifalo.exe	101
PID 2836 wrote to memory of 3620	2836	Mkgmcjld.exe	102
PID 2836 wrote to memory of 3620	2836	Mkgmcjld.exe	102
PID 2836 wrote to memory of 3620	2836	Mkgmcjld.exe	102
PID 3620 wrote to memory of 3836	3620	Mpdelajl.exe	103
PID 3620 wrote to memory of 3836	3620	Mpdelajl.exe	103
PID 3620 wrote to memory of 3836	3620	Mpdelajl.exe	103
PID 3836 wrote to memory of 1584	3836	Nkjjij32.exe	104
PID 3836 wrote to memory of 1584	3836	Nkjjij32.exe	104
PID 3836 wrote to memory of 1584	3836	Nkjjij32.exe	104
PID 1584 wrote to memory of 5080	1584	Nqfbaq32.exe	105
PID 1584 wrote to memory of 5080	1584	Nqfbaq32.exe	105
PID 1584 wrote to memory of 5080	1584	Nqfbaq32.exe	105
PID 5080 wrote to memory of 3944	5080	Nklfoi32.exe	106

C:\Users\Admin\AppData\Local\Temp\d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d05f0aeb8c3f9006cd3e9f2c544e4dc0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\SysWOW64\Lnepih32.exe
  C:\Windows\system32\Lnepih32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\Ldohebqh.exe
    C:\Windows\system32\Ldohebqh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\Lgneampk.exe
      C:\Windows\system32\Lgneampk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        27⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 400
        28⤵
        Program crash
        
        PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4648 -ip 4648
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
232KB

MD5
7243e301c2704e8cef369b5998f90863

SHA1
7968eab30cf3f7b0e43e76667a6711f6b4e9fa85

SHA256
0fe1852695759c4a8724c4b3cf674372d73e85860abfffda0c80b819883234d9

SHA512
34f90bf3a10d4cd0191646b4176c4c270f08bd10026ace920b7b24e6a3eedb2c53731ffeed80e85c2afbaf51d8b2c2781b9aee59189c62c376a0f04a8de2fe0b

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
232KB

MD5
4c875f3ee0b99f9469172bc7c35db198

SHA1
788dd6279feca166a12d9acedfa8f70208d6a1a4

SHA256
f65fbb828ef836a2ed1855c2717b9346f4501473315dffe2eff212ede207e8c4

SHA512
9f8c9b6ac3d1e3320e9422ab90a99572773dbd56a13e5264f265f59b56650365ec28fa05f0349750466d294c74d8eaf925c975c56948027e0d5fa359802bbba1

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
232KB

MD5
7420dc8c5f16e39b02b441786e9f27ea

SHA1
1f5d392ddb73fd88935745717a9278e59228f3cb

SHA256
219ba59477766596a7019499a3d82cc0915214dc487dcf81dc4bb67926c850de

SHA512
6009978f4e3277a79b5db3815cb395c8f140c9225ada6d4b3d1138028009a25a291a0b767302a30634ec17acf65815489cf3a17ae30d519273f7accad080b8ac

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
232KB

MD5
9709b12985ccd81ef3d03bdc809968f0

SHA1
75e6fcee1e334358dac85c3e2602fc0a7f8c89a9

SHA256
6f054787a5083ecfa31cabf3009393c3151b07014f80311e03f092aecfc5fdee

SHA512
13b59034c192ce390ed6dbce0f5cd02b0fa2a8e141f81b7eec6c1663bb9881f3bf604802c749d9842fffe884452f562d1d28a8554563755589a69cfdf5d8207c

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
232KB

MD5
84078ab442902c700af1e2db9079ad15

SHA1
a75ebb4b3c4f00c53b445d5ae96b1ad6a5bb63ec

SHA256
c2b2af6884777b0fd53772028ebf74448468a4b5f29626287fafb2609a09d989

SHA512
b996e23397e7252d5a1e89c1ff4c254ccbdeb05f18d92967a4ff35a6456465acf463de8e53718a38f692ca26c3e54a884bc0f2259ab43ca6d935418b1f7c304b

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
232KB

MD5
d35a481b060778d5602f51aada56c944

SHA1
9bf94646ed122ac0394298b7d1c2d01a4f0d94d3

SHA256
3b073e3eed31b8d499ab13a0b7e5c51e28daf8e999ae59415c043427bb697af2

SHA512
155fe9ff1518bfd171a1f006d75a6f5c091b89aefb1634a236883cc3dfaade715d7bb9b4f1d46fd9d9cd7239fa77c5fbb8ba4f6145280fbad92cf455a51e251b

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
232KB

MD5
78bc050b6c65abeab101b9c711df92c3

SHA1
351f79bcc45df59be4eef87f7c2ab74d643d9eaf

SHA256
58dd9627c3a739cf8cf67634ae927e235b8de1544840757fc61ade9898e04121

SHA512
d9b20e0ad60f07997bd539d899f6d3eccd47751ac0f9295f0aac7eec5a047a0b90e6cd0dfe11fe65e3267bff6f0ec2dcc7f9e5b43714a7bbc92500559458ae20

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
232KB

MD5
eb9019f30540de61c357570cb8e2f200

SHA1
92f4c2a7f5214d085c521f03cd848b2930ce8da2

SHA256
dc658f2f5352d2b602a32152596f7ddac88ade9baa87a5422ac1325a1a1f6c74

SHA512
7582fc5fdadbdb2e04634bf4dc801118fa149faf7be67623a0145c32edee0b665437005cd0320fa1f9ee6d61dc0e8b93b4c4ed377d1eab2225256330d1459c63

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
232KB

MD5
e2e0c491a604606bdcba4e5f511adadd

SHA1
6f0bc71436f3b978e3a1a264e42b31de8f7f5548

SHA256
ad3ae557122515b7d3be2e1d63a409f5261bf07c43ebe167b55c38d75a06d70a

SHA512
1c4cc7ea6ce0994c27b0a1714ff4beb63f73590c304338499af7bccfd2c088d805c71b178d08e9c0b499ccd765dbfcd3a501e80be295d38ece839f9c445b82d5

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
232KB

MD5
b9c633aa38f92bf4b1aa5b5f9c4673cc

SHA1
1cb40518e5f1f33962087396759534420ee56fdc

SHA256
1f151c02103004aca32b29e0916f8ffc15f28d9095587d87a19f0812c298ee6b

SHA512
31165b8bc79f44800eec24a1b8682c623e25f54134d898dc2ef2043a06a52fe818a425b022d1de05c2d173662f81351c118723a44035a557147701def1accc46

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
232KB

MD5
b1b477bd9e631de051a582ec83b6c025

SHA1
285ea24b5c0b26ecbaf81456d88a109ce5904cd2

SHA256
b13848f22af6241ffa123a7d8c4940abe7732e7e4c9d2e490321e6052c0959cd

SHA512
df77aa8362bcfc898a38088bf13a765e01f837f76d5e21dd8cc5b2ebe62405f7396aa30907666a208bc50d6eae9265af30c744455e4d173de4515a14c6796e95

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
232KB

MD5
d8247b5d496eb25c4d63444117a08c0e

SHA1
9096629b133b426a717c3fe85f69b91afeb263b6

SHA256
eb345f4e351e6f8e443fa898270a0c6836c4932fe53bd9158351ab0ed56bbbb7

SHA512
8ff15e1da84d3f39414acb38a60c7f508437a3ab97b50e82ef4d35103b3e0281c3a9eb7bb5884e50931201564a5a44ea6cabf91f5b67d21ea568a48df58c30f4

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
232KB

MD5
1031e987ec9a343be1a6886d7640c483

SHA1
2af85346c74ce8630dbe2fc7d918bb423e2fd836

SHA256
a2b08fb4c1688e477082fd2f13cd2edc70ee2fe626cf29f1f5f5277e87ec918a

SHA512
8a6f1797cd38cf81b5ad74a99b28a13e282c4320c34bd2ae10ece1e1cc5d97bf4c377059732dcd00160316ea89b62658c81f66e138bbdc6969dfcb2ffe43d951

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
232KB

MD5
416a9a473c4e939336618a6b8dcbd214

SHA1
9e61376fcaec152fd63daeb45588f18fdb0301dd

SHA256
8b5b8f40490c2c569bae2d77276fecf33b19ca09bdda17b8a1869a594494c155

SHA512
2f91142f4ef9d8f8a25df43400488c640f9aade1ec9e2bd724eeacced79b3ec7bc7c2792539eb59a86c7a8046e0d261336ffdb4a9afdc2895c27f2f7cf8de1a3

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
232KB

MD5
bd40561b4965d4f6033faa7f1bb00c00

SHA1
4b6077e213c75f31ccc40d9985e55ac5ececd6d0

SHA256
c2f2e817a7309508c4b75c102f27caee381a2881d32d6e535682ba9bec6cef4f

SHA512
61eaa5f44687c9884777ebce74dd84d05539e08d37871d301d190ac2393298d8a98fd877f930d8d91d9468cbd72513b318702d4c533af0d7abd140658c514e1c

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
232KB

MD5
8a639a5b585a47b6aad8d58087d3db2a

SHA1
a4837eabfedd082232b9a963ee83431966205922

SHA256
ebde4da69882e1b7ac2fd524b2af465aa9583c5bb8978bd419eea2d133f98e00

SHA512
6f24f9f842e82db61b048ff98b0384bc681cbde545c45bcc3bcc3703accaaad85762e1aaa1825cabfbb724c2a2abb9f30fbc22131d114306751b6a7ea26a1c28

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
232KB

MD5
64723bcbd57cd7f081d9cbaf8b4c6033

SHA1
a62fd60e18e10f727d9ccf263099574bea35b88d

SHA256
ccc0814bd173b1ba9d59e2db8ac22df33d7e2bc96192eca66f8ee388a8659086

SHA512
2ee61a97cda75198e9aa6917d12e8a9552b14b67030c8fedf35092717c49fcb482a5ebd09dc4fef996832687d27438595ec5b1a4b04ab958b84c4d5964bbf6d9

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
232KB

MD5
6a3dc89d3af54a1f1427b338b3342da6

SHA1
8c52001ad035360153adc96cf4dcbeb1ea2b24d4

SHA256
391e62c3509d07418f5c45ba5ac2a572f3fbad3058df072047aa6a452d934d3c

SHA512
670cb58ef5d5eacee209c8dff23fa6c81cd61b2901519de116bb720e663e4baf26ff532ff6e1302a03fae9c78b4972265be0f5cd88425f0f3fe622cf331ee3b4

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
232KB

MD5
0e6ecd416fadb2424f157640e7ed16d6

SHA1
357ca36a1fdf3e23815f6fb4440c20e67e3afb95

SHA256
947c057d6773552b14e99c8dc43827a0568ae92d3da2948ece843ff3980c5d92

SHA512
4774d88c5ece247f1907982e9166c045b65141575431f89080f86cc68fc84715287855ebdc53487b16f5aea030f1984a333b1165fab5db1f1539455d3db1f5f9

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
232KB

MD5
27535f576225783b6ad97e6dbc8aebb5

SHA1
ab95d18093769d814754b6c1af861a8291b5ca73

SHA256
fadaff496da24bb21e6cb277bb93999782b221ab911f31894c5b9e5706017974

SHA512
97f0b0054ee6782a768a9675e247d921e9ff3aab24236908b9d8e9d60eb5d50cd04e4423720f31871c8ed806eaf3e1c4d0b17db3453822c59e86334cc6c0dfbc

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
232KB

MD5
06e467c929c5eaf22f75a41238585e78

SHA1
7d6c12439c468b6e96d30c15e3e964b183b6df6b

SHA256
82f5537da6755b6b5cb2e90bae547322d173971c8e6dfc29b274f5623f9e754f

SHA512
f5b8510a3e888676a4157849a2443ac79ba3a9e3abb20ba4c3b2eb40db0ab521f479385e8cae128b60271d1276c3762137102da8035c2379a2fa232b7bbb89d8

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
232KB

MD5
e06c1f7f8d626183f28d6b4fc1519015

SHA1
cb7df316abb22851f0ef40b629bc8b98e0fedf95

SHA256
c597fcd72cddaee247a0b8e67209c9fd8b9975b81b956ea0ef1520ebc5c93c2a

SHA512
c257a2c44dd1652f474b65eb9356560cb3d77aabb6a864aff4081ddd7d7164ae4d4f5fc6ea279594d43e91ad940cafd6a62b63eb3a748fd22a3ed30bf4498b8b

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
232KB

MD5
bd6bfe5aab8bd767277a7893cf41823c

SHA1
1cee5d617983bf78ebea2e29dc7d0ef3db12d3fd

SHA256
e3c3b49013459395654c0cf60a0fcd5c6fed01b751a239c2bffd09effd2e630b

SHA512
4cd64417b47e5d134011b9ea4d66d7e7edbf9c5b6b0beae92c8bbd4c6349b8a49d466107606635f7967ba6b8a4d3c229104d126ba074c23fd6d04f2183060f01

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
232KB

MD5
2d959746064bba68ba65e9a367edef2f

SHA1
20c7f2499cb895f039fdd5b2252223cddb10e2a6

SHA256
d28a3c0e1161823394bebdffbdd5ec0a7cac6159dc2aa4efb69902b3cd5bdf39

SHA512
9f7990822605a175656ba9e5a7f45777100202ab1d232d619d2b609811b9a1bccf35a35418c44128eeb309d289a8419f8735c91cecc9f1fb755bd0317bc18285

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
232KB

MD5
5c9f4bd7c069f8e2f2eb7afa0127dbc0

SHA1
59bfc77f47002177c970031b1c2961aa13dc2527

SHA256
aade9a54f17f30996f05c63cc5d7ed10e42a8f627e5d5caf2a87c6dc8d5c7876

SHA512
54833fc55d36395a521b3fe95b513c5860b960d7c772669d407ec2536692b4504e2fc2dbaf69b204b0928bcf010881ce7191c3876994f4cbb91077387c3d8b86

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
232KB

MD5
9f83034a672df0ca784b197e36cdc275

SHA1
8afd2d683663e881ad7be0de47b87a76ce5d18a0

SHA256
8d196c35029c736f19359ee4d261fe4c35cb2531938ef88e8ff5781b77fa894c

SHA512
60b1db75bddbdb4b71419e191a268173bef0b331a4ff545e8396c7c1f3cc268438cba065a271c674121bd4b910e0497600a40a43efdcd00c657194ff9816a6ea

Download Submit
memory/1092-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads