3a4914ee8a6a77ba6947a95fcc6ba333f83dcb61ddf20c7a9e429b8404d70bb0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
Size

60KB
MD5

596aaba1ff7be2adbc40455f7e771757
SHA1

71f8422c85e186413703c6daf66ee29b17aa7764
SHA256

3a4914ee8a6a77ba6947a95fcc6ba333f83dcb61ddf20c7a9e429b8404d70bb0
SHA512

eabd15585696e584844604c0f4f82273908c1cbe739d6c76511016b5e79c15229fb0d21f271ee693eac066cc082b2ba546df31bf60428f855ad89305b07a942c
SSDEEP

1536:D7+EMo67+PVXCjilRQz3sF7EbJGIA5R4GmB86l1rs:H3y7+PVXCjilmLsF7UVm4GmB86l1rs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe

Executes dropped EXE 25 IoCs

pid	Process
4596	Mdfofakp.exe
3256	Mgekbljc.exe
2556	Mjcgohig.exe
2464	Majopeii.exe
1860	Mdiklqhm.exe
2576	Mnapdf32.exe
3508	Mdkhapfj.exe
5060	Mncmjfmk.exe
2908	Mdmegp32.exe
392	Mkgmcjld.exe
4180	Mpdelajl.exe
2624	Mdpalp32.exe
1036	Mgnnhk32.exe
1548	Njljefql.exe
4164	Nacbfdao.exe
4812	Ndbnboqb.exe
560	Nceonl32.exe
3612	Nklfoi32.exe
3068	Nafokcol.exe
1236	Ncgkcl32.exe
3348	Nbhkac32.exe
3552	Ncihikcg.exe
3696	Nbkhfc32.exe
3052	Ncldnkae.exe
4536	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1644	4536	WerFault.exe	106

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 4596	1412	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe	82
PID 1412 wrote to memory of 4596	1412	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe	82
PID 1412 wrote to memory of 4596	1412	596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe	82
PID 4596 wrote to memory of 3256	4596	Mdfofakp.exe	83
PID 4596 wrote to memory of 3256	4596	Mdfofakp.exe	83
PID 4596 wrote to memory of 3256	4596	Mdfofakp.exe	83
PID 3256 wrote to memory of 2556	3256	Mgekbljc.exe	84
PID 3256 wrote to memory of 2556	3256	Mgekbljc.exe	84
PID 3256 wrote to memory of 2556	3256	Mgekbljc.exe	84
PID 2556 wrote to memory of 2464	2556	Mjcgohig.exe	85
PID 2556 wrote to memory of 2464	2556	Mjcgohig.exe	85
PID 2556 wrote to memory of 2464	2556	Mjcgohig.exe	85
PID 2464 wrote to memory of 1860	2464	Majopeii.exe	86
PID 2464 wrote to memory of 1860	2464	Majopeii.exe	86
PID 2464 wrote to memory of 1860	2464	Majopeii.exe	86
PID 1860 wrote to memory of 2576	1860	Mdiklqhm.exe	87
PID 1860 wrote to memory of 2576	1860	Mdiklqhm.exe	87
PID 1860 wrote to memory of 2576	1860	Mdiklqhm.exe	87
PID 2576 wrote to memory of 3508	2576	Mnapdf32.exe	88
PID 2576 wrote to memory of 3508	2576	Mnapdf32.exe	88
PID 2576 wrote to memory of 3508	2576	Mnapdf32.exe	88
PID 3508 wrote to memory of 5060	3508	Mdkhapfj.exe	89
PID 3508 wrote to memory of 5060	3508	Mdkhapfj.exe	89
PID 3508 wrote to memory of 5060	3508	Mdkhapfj.exe	89
PID 5060 wrote to memory of 2908	5060	Mncmjfmk.exe	90
PID 5060 wrote to memory of 2908	5060	Mncmjfmk.exe	90
PID 5060 wrote to memory of 2908	5060	Mncmjfmk.exe	90
PID 2908 wrote to memory of 392	2908	Mdmegp32.exe	91
PID 2908 wrote to memory of 392	2908	Mdmegp32.exe	91
PID 2908 wrote to memory of 392	2908	Mdmegp32.exe	91
PID 392 wrote to memory of 4180	392	Mkgmcjld.exe	92
PID 392 wrote to memory of 4180	392	Mkgmcjld.exe	92
PID 392 wrote to memory of 4180	392	Mkgmcjld.exe	92
PID 4180 wrote to memory of 2624	4180	Mpdelajl.exe	93
PID 4180 wrote to memory of 2624	4180	Mpdelajl.exe	93
PID 4180 wrote to memory of 2624	4180	Mpdelajl.exe	93
PID 2624 wrote to memory of 1036	2624	Mdpalp32.exe	94
PID 2624 wrote to memory of 1036	2624	Mdpalp32.exe	94
PID 2624 wrote to memory of 1036	2624	Mdpalp32.exe	94
PID 1036 wrote to memory of 1548	1036	Mgnnhk32.exe	95
PID 1036 wrote to memory of 1548	1036	Mgnnhk32.exe	95
PID 1036 wrote to memory of 1548	1036	Mgnnhk32.exe	95
PID 1548 wrote to memory of 4164	1548	Njljefql.exe	96
PID 1548 wrote to memory of 4164	1548	Njljefql.exe	96
PID 1548 wrote to memory of 4164	1548	Njljefql.exe	96
PID 4164 wrote to memory of 4812	4164	Nacbfdao.exe	97
PID 4164 wrote to memory of 4812	4164	Nacbfdao.exe	97
PID 4164 wrote to memory of 4812	4164	Nacbfdao.exe	97
PID 4812 wrote to memory of 560	4812	Ndbnboqb.exe	98
PID 4812 wrote to memory of 560	4812	Ndbnboqb.exe	98
PID 4812 wrote to memory of 560	4812	Ndbnboqb.exe	98
PID 560 wrote to memory of 3612	560	Nceonl32.exe	99
PID 560 wrote to memory of 3612	560	Nceonl32.exe	99
PID 560 wrote to memory of 3612	560	Nceonl32.exe	99
PID 3612 wrote to memory of 3068	3612	Nklfoi32.exe	100
PID 3612 wrote to memory of 3068	3612	Nklfoi32.exe	100
PID 3612 wrote to memory of 3068	3612	Nklfoi32.exe	100
PID 3068 wrote to memory of 1236	3068	Nafokcol.exe	101
PID 3068 wrote to memory of 1236	3068	Nafokcol.exe	101
PID 3068 wrote to memory of 1236	3068	Nafokcol.exe	101
PID 1236 wrote to memory of 3348	1236	Ncgkcl32.exe	102
PID 1236 wrote to memory of 3348	1236	Ncgkcl32.exe	102
PID 1236 wrote to memory of 3348	1236	Ncgkcl32.exe	102
PID 3348 wrote to memory of 3552	3348	Nbhkac32.exe	103

C:\Users\Admin\AppData\Local\Temp\596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\596aaba1ff7be2adbc40455f7e771757_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\SysWOW64\Mdfofakp.exe
  C:\Windows\system32\Mdfofakp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\Mgekbljc.exe
    C:\Windows\system32\Mgekbljc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\SysWOW64\Mjcgohig.exe
      C:\Windows\system32\Mjcgohig.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        26⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 400
        27⤵
        Program crash
        
        PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4536 -ip 4536
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Majopeii.exe

Filesize
60KB

MD5
b8e5f3ac127d3c622b276ecce35bfcd0

SHA1
18b1567c4f45090d587553305c96a0f9872d1e61

SHA256
e9eb7322125843c37397787adc32ed9b7e8bd895dc9098c3048a1da0cf913273

SHA512
902a0cc6c707f2b03796fe7e475b066f44e0c0133ce99507871067ccba130789ba42c71ff0f8be07e7fb80b743ea0cea51c54a21ae346c088a2faabf3fb01cf1

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
60KB

MD5
dec47c6f5ecc77ff2a87f9aa176bdeb8

SHA1
8f44f3df05304c024b60964a598e4e4049c5a7f9

SHA256
2ffacff9556a93a085729f14bfd672454963f447fe58dddc8a35c779c5a45b05

SHA512
239d3992e15f425f5b9aad5dc5256a0c114ad997fa678883e7bbf8c5640990e1681136663579dd63d596d937f8049eed1c53431edcc8f50ad513aad3d9bd4041

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
60KB

MD5
28d50d114850338a2eaabf6ba3f629a1

SHA1
3566f398855de602e4d4d9709be20571be32ec3d

SHA256
ae0fc37e8b405b486685a6146972ddf47bf36c5f9f2abc6803cb5508a23b8b83

SHA512
6a823b0663adec8ae9894a2577aa567a3042ab2a9f37f7df4841e9d1c61ed58dbf2dc7af57b6957c7f60ead1f78dfda91e820fa4e1ad0296a1f430fcf641947a

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
60KB

MD5
04e33a32e6c21453dfcf28581e7e9607

SHA1
cfddf3858a44e730e732b6d2a96d5bf0a4df4890

SHA256
b9abdecf786e1046a0058b842898a7ffa44121818186fb90dea4b8753d6e67a4

SHA512
9664ab6d9bdfe8ea613295731266ac754650df71111a8bfbbc8a0915a84a87cbc3cbbb4d2f6a9df20ccf8913816331face91c46a4961014f93f4c6ef103f286a

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
60KB

MD5
f1aba655b0b37b8ca4fd1a7f41807145

SHA1
25a09718fc5b62a41bd4c434607a47b7e2ef60c5

SHA256
cff28872f5c46a689227896793f7e0185a0c7eeba482c142a7972558ae517604

SHA512
f93e0c22895c3ac6432dc2ad993eef0baced7917bc9e5c0789f6de1084f519aea31af74d259554a8b97e5f73ef4d7f6d14f852b17562c1564187897adfca0091

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
60KB

MD5
3d62bb8f380a5c2754ca7f525b71ebd3

SHA1
243d729b130cd59030f8036c66e3bdd0486b4057

SHA256
4d1feca92d7425a7cb7875886045ab5ed82c9f4376f4668e680bd1a1b2d22376

SHA512
7e1b3bc1615051576e70d322278b7f30f195f83ce8f099e985a067f8503155fdfd6d7ecd8d16332ba672516cc5fc7cf9c0b273194b1a5174a418e13ede25a994

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
60KB

MD5
2541f95a81c8ee69f18516a4e87bc83c

SHA1
1f05e20a34e3b42772b87ae4149202b1c6f011f9

SHA256
bf4b6b537a6a260a79b17ad29e793f0e95d955a2c4b3685da84c83b6070dd222

SHA512
8d38bb9d4dfcf49ce1736920040a91733b54aeb24bc7915a8181bfee539d187b765f2649e4b60f9975ab4cbfb52b8ad6030cbfef91015aa6a54fa08dc6dcba15

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
60KB

MD5
553d61f26c6d3075a0912ede5d56de7a

SHA1
6371f996cef5fc5242f7bf668c829fd5dada13a2

SHA256
6ae3e1444e2aad8589da389e47a4672e00ddedfa7f2d7b1ba079ef9b4e62ebc4

SHA512
f75d56ab0455f1caf293bd44a945a931a216c5f12b9cd61cc82d5c5b47bb4b8f124a7550889d4526e5faaa98e9523bcbea060fd22cb0aa7c7263849ed8b3ebae

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
60KB

MD5
8a5f5bf9d1f1e66aae549b340c585206

SHA1
048cf62aac97597faebde8c7033cf18ee9d19c8e

SHA256
b4465a473e79969e0d9e3ab566a9d2b72b53cf755ec6039d88d5558d05f60c0e

SHA512
8b7f8fe62239e3aef4279186d47c7e68415220ffc4ea9a92a06c9a40a35033b9a9b2c3ee04ecc7dc6458d26311773a72a15393508a2ed684cf6e57a6dde0e97a

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
60KB

MD5
8e64599c954b9adf7e7c4398431849ca

SHA1
25c6eed8b05f464795e5bf525e0698540f985059

SHA256
458e6a98e99d236d601f3a7935f0490f590654c6b80da00a50ce5e8dc4e6e40a

SHA512
aa6515fea3a1124daae09964bf82929b63d82966bfc86bc601047fc22b841122ca7d55cc13782e1d9c43429b7d241ed2b41214974d3ad69e79a7ded7ab548f5a

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
60KB

MD5
a4cd6261785e0dbacd68765f91115670

SHA1
8b4a5e80696ea3261f0a2a797c35a26042153333

SHA256
d856aa5a67c3df940023d12cab91b6fb3e0800944f26fe783ead32ca45eb184d

SHA512
e713923e15d25795faa68a75f9ee47e79d39be27cbd065ef6d0cc41da6f8d540fb8b0c26d45444c6c2ea8d5e27363ae87baa4200420d62c68468aeef943a79ae

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
60KB

MD5
07a95098501b000f35e1fabfce332709

SHA1
212b2946af7065ee6373858ce87832e8367437dc

SHA256
fbab3e7f960d504869ca457b1f137cb23247f63f013156a7a63f4643140f69a8

SHA512
1096c8559a1876ffa924c6f095ac4ce16c37a6850e00f31257af662405c7b3b8af54dfa562db2155f321b5f53110348afe4278184cd68783304516a9b7c3d3f7

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
60KB

MD5
4cad51b3a7c440ac46a7ce524493486d

SHA1
41acd61f4c86be1c92a7f561f4b1b5e638080a9e

SHA256
dadded4cd6d098b17ade9e37c6766dde94ea6a6ebcdae6f3fdca24ae5f06d20a

SHA512
b8b0cf93076b83aa679c583d966f163752285a10b1272df04ed1347e0100c672a4a81cd94d6293f335cfdc83d30472e3b2f47ea1890649b40d6fed67ae01bb39

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
60KB

MD5
d20481307f6dbab049ee83df5dba3fca

SHA1
83fcee82e878a07c662752e60ace57d843b4bf15

SHA256
614d569aae4cd754e5d9632c66022070000b1b0bdadec2689fd32e0a8d877fd8

SHA512
dae9d37fe0992cc46ea889df8e1136248ed749babbca3e164586975722d36ad1a6794c40959f5993127b639a4f4200ce331bce5a466503223df4ab295d02fc34

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
60KB

MD5
a6c22b51dbe2457a093c1fbbf2ddb20b

SHA1
c7b60f897ec6d7f3e50a6dfd82db4ae3ae3ded6e

SHA256
e2d32cc09a4fa316419846eaffcdfe05b508a0a3fa757ba827ef6330f429dd66

SHA512
c5fa43cb7738920c07558863388386a0455a7a2d57998cc750870a53700ebbfd1db63992ce38411284ea081c21f06fa0aa7387d500e2c95f986e49d89ac24afa

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
60KB

MD5
e96ecf3467944b232795a0e314ff49b1

SHA1
a68aa13ffcdb84d5092487f59be4be07afc5ff22

SHA256
f9cfefdc60ad19168369c34be5395ee1ab328721d242673aa0e6ec3e40afda15

SHA512
50b5c9e2e5a2d8aa9f1a75107c80944be100d2fc72d1b359f7007213a3e7581c790e59edd5b47a36ae57dcbc63644b3d481a10d243f2d88dc7ec00ac694caa7e

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
60KB

MD5
36eeed3ce7031db0e5fe9da09493b4a1

SHA1
261c6b0759635311ffdd9b0def5669b3a7b87ae0

SHA256
fa9b8a3306d24091f535395edd3fe81dde22f059fa0d4202269db32f050ece8a

SHA512
9b6f7681d0843bc5f92ee81e7f70da55f37d438ddddf2b7b6c40a68069c9afc015cf3391412b7e873623ccf35825b368e11016b1b1e5f92972f3217e4a2c25a4

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
60KB

MD5
9ce8d490f31538b03dd592caae6bd468

SHA1
1bcfb2608c30b6fcc3675ab28b1785815a67c054

SHA256
94f629ae1d77f872a9442afdc77d09c70f41eea28e8be8b8ec6e4ccc703430bb

SHA512
5d81f452ce2e5a32eb7ccc351f12c80977749ad39039f9c380cb7e829f5093042040274a0b594f7aa35ce605b7e7ebc53ece5ba4d8ef9651a5b719bd66f5ee93

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
60KB

MD5
f482bc1ddea31ac5bced66b0ffb58e91

SHA1
ab47b7925e7f1d43bf74e1f2de1a2548ab90f975

SHA256
7196a55151ed366bd1b08cc07a574600b0d6040cb77f008aa9d3ddb70282e4fc

SHA512
f59cb4931f19f8aa1ff61f84e9403be304a5534a85cd1cbbbfe33a2289ab1bea6c1e2a6840a1459f734b27208485ea2677bb0f611d492853baf0a807cc1e3b8d

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
60KB

MD5
a5439b2c3251901f9a45424bb774194d

SHA1
af00e55b051182bc4b9f195af8f21a020ee1c288

SHA256
41f132d47588438def3c739fede93d22787471bd90fd15583391aa15dab4096a

SHA512
a30c4374e5f3a431f57d50039760b27a536bec59e9bfa5c9eb252e0d95e653767a0ff02b376265f9355e5c1489f4b26159ab6334f1b1e55a1b2919db0159f67f

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
60KB

MD5
b04b46ff6f9759528c57e334d99b31f3

SHA1
a77fac9670bbbff33672495397293f0760d86fd9

SHA256
b0834806bbc3ea5a864efa5ef8ccd11744c6922e46e4cd46eb7ab48f77ce77f4

SHA512
49b9a0c027504ef5c4da72190eed3f76b27747745798260d6752d23b91a6514ebec7850a0600e9378740261d0fdd122abe9e0fe309bff59477d6284a53ed73e7

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
60KB

MD5
872d20e85f06dd4e46d55954b677b2dc

SHA1
203663a9ad190fb75cf9cc03032f3cbbc04db214

SHA256
a50f986c4ad54f495336e66bb96da83bcdbe018619f88507178c4d4a3585b21c

SHA512
574872fbe0da535375a935ebd707c9d421a8d2d34f7b8df16ba74b3348d5465b98eefd5aa6016d9f8faa0878c800a4f8e48ac9c91698eca2536a218b855fff97

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
60KB

MD5
3ecb86a719658cedc2821c452e8de978

SHA1
f9b7c3ec22b2d9aa4ee143bfe85b1cb2a20f99ea

SHA256
c360b11135d0e74e81d5af1c8ca2ad340f473de852d1669b979160c95c9da9b6

SHA512
66bcfa7a0302fc808dfa903b478638c0da76a1635b633236f5bb617ffe00ef07da70c809835bfbe7f1603abe8ea02cbf72e66d826412e0fd948c9de0a8b6765a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
60KB

MD5
bb225ebdff693c337d818dd5fe034282

SHA1
5715eed6e0f85d50a0cd8de14487323c58c2ff88

SHA256
dd27d091877fdaa0ef982123a080caf0072639604c6214d19daf9577d1dc942a

SHA512
5a9a45f343cafa7b7bf116f414b5d9a8a0cda07160195f86254afd70156dbcacd3d3ce2d7a8e5e89e696727ef3958362364031a70c28bcbf5a7d34d816a1f551

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
60KB

MD5
972804620b8f04949b669fceba35d411

SHA1
69780a53befc60d0a99fe35e065a8a573a0b1844

SHA256
74b86ae4657d12ba0e990967631a269789d2a0f03deaa733a0f12368ab17c7e7

SHA512
d72b77177a1e40c5a3fe4b991bb512fbc53af0636f5b7e310ed2b3807281e78c7526d11615d483f2802834ffc7fdcb54110a8912a181246a412263cfb2211e7c

Download Submit
memory/392-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/392-243-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/392-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/560-230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1036-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1036-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1036-237-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1412-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1412-5-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/1412-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1412-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1548-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1548-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1548-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1860-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1860-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1860-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2556-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2556-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2556-257-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2576-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2576-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2576-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3052-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3052-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3348-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3348-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3508-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3508-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3508-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3552-185-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3552-219-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3696-194-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3696-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4164-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4180-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4180-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4180-241-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4536-214-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4536-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4596-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4596-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4596-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4812-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4812-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5060-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5060-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5060-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads