41d6584b47148deda14ffbc7e0d176fd3e8fe2cbfadffcc8b16e5958b6a48de1

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
Size

512KB
MD5

221c2b8186a59a90f1a295509a4c5a90
SHA1

4903fb607d7f5aa464a4fefa45492158f8e8f4f7
SHA256

41d6584b47148deda14ffbc7e0d176fd3e8fe2cbfadffcc8b16e5958b6a48de1
SHA512

c1676499cc3fecf5794e082a4d043b24f9af64723869b079bf3d0d25c797429a32af6d9c32eab1fdf806932d326424d64eee889f150b2c8e6f1627934e42ff10
SSDEEP

6144:mSUT3MWBzc4/UZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:mSUT3MezGUG5t1sI5yl48pArv8o4L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe

Executes dropped EXE 26 IoCs

pid	Process
4168	Lmqgnhmp.exe
388	Ldkojb32.exe
1284	Lgkhlnbn.exe
2408	Lnepih32.exe
512	Ldohebqh.exe
2116	Lilanioo.exe
4592	Ldaeka32.exe
4440	Ljnnch32.exe
3296	Lcgblncm.exe
4732	Mjqjih32.exe
3308	Mgekbljc.exe
4648	Mgghhlhq.exe
3064	Mnapdf32.exe
3200	Mdkhapfj.exe
3292	Mncmjfmk.exe
8	Mpaifalo.exe
4548	Maaepd32.exe
1824	Nqfbaq32.exe
4996	Njogjfoj.exe
1880	Nqiogp32.exe
1648	Ncgkcl32.exe
4172	Njacpf32.exe
464	Ndghmo32.exe
1420	Njcpee32.exe
4656	Nqmhbpba.exe
4704	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe

Program crash 1 IoCs

pid	pid_target	Process
5012	4704	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 4168	3724	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe	83
PID 3724 wrote to memory of 4168	3724	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe	83
PID 3724 wrote to memory of 4168	3724	221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe	83
PID 4168 wrote to memory of 388	4168	Lmqgnhmp.exe	84
PID 4168 wrote to memory of 388	4168	Lmqgnhmp.exe	84
PID 4168 wrote to memory of 388	4168	Lmqgnhmp.exe	84
PID 388 wrote to memory of 1284	388	Ldkojb32.exe	85
PID 388 wrote to memory of 1284	388	Ldkojb32.exe	85
PID 388 wrote to memory of 1284	388	Ldkojb32.exe	85
PID 1284 wrote to memory of 2408	1284	Lgkhlnbn.exe	86
PID 1284 wrote to memory of 2408	1284	Lgkhlnbn.exe	86
PID 1284 wrote to memory of 2408	1284	Lgkhlnbn.exe	86
PID 2408 wrote to memory of 512	2408	Lnepih32.exe	87
PID 2408 wrote to memory of 512	2408	Lnepih32.exe	87
PID 2408 wrote to memory of 512	2408	Lnepih32.exe	87
PID 512 wrote to memory of 2116	512	Ldohebqh.exe	88
PID 512 wrote to memory of 2116	512	Ldohebqh.exe	88
PID 512 wrote to memory of 2116	512	Ldohebqh.exe	88
PID 2116 wrote to memory of 4592	2116	Lilanioo.exe	90
PID 2116 wrote to memory of 4592	2116	Lilanioo.exe	90
PID 2116 wrote to memory of 4592	2116	Lilanioo.exe	90
PID 4592 wrote to memory of 4440	4592	Ldaeka32.exe	91
PID 4592 wrote to memory of 4440	4592	Ldaeka32.exe	91
PID 4592 wrote to memory of 4440	4592	Ldaeka32.exe	91
PID 4440 wrote to memory of 3296	4440	Ljnnch32.exe	92
PID 4440 wrote to memory of 3296	4440	Ljnnch32.exe	92
PID 4440 wrote to memory of 3296	4440	Ljnnch32.exe	92
PID 3296 wrote to memory of 4732	3296	Lcgblncm.exe	94
PID 3296 wrote to memory of 4732	3296	Lcgblncm.exe	94
PID 3296 wrote to memory of 4732	3296	Lcgblncm.exe	94
PID 4732 wrote to memory of 3308	4732	Mjqjih32.exe	95
PID 4732 wrote to memory of 3308	4732	Mjqjih32.exe	95
PID 4732 wrote to memory of 3308	4732	Mjqjih32.exe	95
PID 3308 wrote to memory of 4648	3308	Mgekbljc.exe	96
PID 3308 wrote to memory of 4648	3308	Mgekbljc.exe	96
PID 3308 wrote to memory of 4648	3308	Mgekbljc.exe	96
PID 4648 wrote to memory of 3064	4648	Mgghhlhq.exe	97
PID 4648 wrote to memory of 3064	4648	Mgghhlhq.exe	97
PID 4648 wrote to memory of 3064	4648	Mgghhlhq.exe	97
PID 3064 wrote to memory of 3200	3064	Mnapdf32.exe	98
PID 3064 wrote to memory of 3200	3064	Mnapdf32.exe	98
PID 3064 wrote to memory of 3200	3064	Mnapdf32.exe	98
PID 3200 wrote to memory of 3292	3200	Mdkhapfj.exe	99
PID 3200 wrote to memory of 3292	3200	Mdkhapfj.exe	99
PID 3200 wrote to memory of 3292	3200	Mdkhapfj.exe	99
PID 3292 wrote to memory of 8	3292	Mncmjfmk.exe	100
PID 3292 wrote to memory of 8	3292	Mncmjfmk.exe	100
PID 3292 wrote to memory of 8	3292	Mncmjfmk.exe	100
PID 8 wrote to memory of 4548	8	Mpaifalo.exe	101
PID 8 wrote to memory of 4548	8	Mpaifalo.exe	101
PID 8 wrote to memory of 4548	8	Mpaifalo.exe	101
PID 4548 wrote to memory of 1824	4548	Maaepd32.exe	102
PID 4548 wrote to memory of 1824	4548	Maaepd32.exe	102
PID 4548 wrote to memory of 1824	4548	Maaepd32.exe	102
PID 1824 wrote to memory of 4996	1824	Nqfbaq32.exe	103
PID 1824 wrote to memory of 4996	1824	Nqfbaq32.exe	103
PID 1824 wrote to memory of 4996	1824	Nqfbaq32.exe	103
PID 4996 wrote to memory of 1880	4996	Njogjfoj.exe	104
PID 4996 wrote to memory of 1880	4996	Njogjfoj.exe	104
PID 4996 wrote to memory of 1880	4996	Njogjfoj.exe	104
PID 1880 wrote to memory of 1648	1880	Nqiogp32.exe	105
PID 1880 wrote to memory of 1648	1880	Nqiogp32.exe	105
PID 1880 wrote to memory of 1648	1880	Nqiogp32.exe	105
PID 1648 wrote to memory of 4172	1648	Ncgkcl32.exe	106

C:\Users\Admin\AppData\Local\Temp\221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\221c2b8186a59a90f1a295509a4c5a90_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\SysWOW64\Lmqgnhmp.exe
  C:\Windows\system32\Lmqgnhmp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\Ldkojb32.exe
    C:\Windows\system32\Ldkojb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\SysWOW64\Lgkhlnbn.exe
      C:\Windows\system32\Lgkhlnbn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        27⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 396
        28⤵
        Program crash
        
        PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4704 -ip 4704
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
512KB

MD5
18306913894b59606ad9c3e202b8b117

SHA1
c1ce1dd3575c4a75835dfc6ebb656bdd621d9cdb

SHA256
9fd2fefdcd054db106eccbaf7e034a8643ebc38aa6323b78f4cc194718e4e706

SHA512
713f7fbe3bc575ec60e541b0c72175b9209b2ff02c9f98523be250b53d301c8c8fd95305057377e43a74552dba5454b6d07849ffebf364fb189e6c658d809a55

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
512KB

MD5
8ae74aceea217b596eab6b9a6bfa79bc

SHA1
179085e4e61e00eb4fe8284edd6ac0cf204541e0

SHA256
09bf1d39bfb364ace02e8418ce3b697562f400825c160257a902a3c919ee4195

SHA512
2214f818c4a3ee6ffa682f5f5b285833c9978a4e65fa3d41b6264174249cb2b41ce5c1f3777103f0b212e0334b49690a7ad87243d82f19ce00c12acbd90a7493

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
512KB

MD5
2448f3b887b1b06fcd5229867366b291

SHA1
2f4a7be62bca9c0cef9fabe4ad4df6d386b7a700

SHA256
2c2f11d2a8a417b4d122dce1455dcea6a8d5fb9d7294dcc30fefb63d62a8cfac

SHA512
49869d0d7454c36be2f42342fd57cfa03c2c529cc2c18273c11c9681c9b2e1f31a09cc042335553e997791bc183147d86556cfb20a6d87fa0d86acfe407af59f

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
512KB

MD5
a465ead089a31e4499e0e1a2f114f490

SHA1
475794bf595f73c2077d609cd6fecb9cd50862c2

SHA256
fe38f1a1b204d965be096e1cad081e5ca4f58bd4ce37195edb7a79134946b2b6

SHA512
118805d7e8986db75a1c80764c70422ace59c200fc76c19580dc231c90e9cb08daa67a6b999558ec2fdde9c504f30e01b90d2c38d68b84f08fd0dd77d5231581

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
512KB

MD5
7ad59cdb23e961a234a4d23b2fe81e04

SHA1
dde6b087aaf826f6f6ad0ade3ed676cf9c35a87a

SHA256
1f0ea8e4563f2a3619e33b4aab081b60e8776935fc5747ac624f71e821a09965

SHA512
0a3ef717f846b423582c61a63088c95cb152c9713d2bc34cc69afeb8b5faed8938966d272ce66db880b4a2dae7465bd68a372a9dd19bfc54a6f6422d4c80a4d5

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
512KB

MD5
2d4e368caaf8bd60230cc7d7833180e5

SHA1
95a5048022e9b55885a0a5429d435405952fa5e9

SHA256
908cd5f258dde2c6b9f9e5a506f34b17fda8b5ebd678ab90e9b31597ba030d07

SHA512
66b0f5a03cf00910987dd0a64d8f8bb19e4cdade15f7bb310e7228e57310eca70cb12feb87be3099ba9e189863d783958bd5ea34d7fe4b7e7ed1c2ac049baa7b

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
512KB

MD5
11859256fa81514ffebc65d81f7b5765

SHA1
9a097ede622fd9aec75f9ac02f21112e26fefd0c

SHA256
32c6e1ebf136a75cc549f610ff095d283f7bea13c95b2e24abd10e8c98ac104e

SHA512
9a06922bf5e3e3dfe2ad6348284b5f2f02338cd044e61b576ae92b57d2cb8293bf1d2ee9702c6412c528bbe533f47878f68bd9b8071e7b8f59b0eef2fd6bf321

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
512KB

MD5
4facdec3d48a2480440db8a0bfd3afb1

SHA1
2503dbc00920960eb34affff3b217832e4590c2e

SHA256
13140fcf529d0221989f3dfe9d18d8ab4b8a011eaad3447830f58609c99df7de

SHA512
bd4db254ca0ca199efe5b12d1e8ab8215da8da3b09cfc7cf503d99ac2b18110fc2b029213e08dbb71e9b97274ed2b49ac6ffe3b92e692a78c4812cdd4d890daa

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
512KB

MD5
72b2075fa9afdd9865501a8c4e0a170d

SHA1
e07dd0c415baec72c4f7fe8506b379c028259028

SHA256
17f62d56cb2a46063292229e7d56b11ffa5ddcda47cae81ceb87b4fe894644ef

SHA512
d49267747c393418435e9debd43982d425ff64409d9aff1a1f7f705f29858d8293680b1b96ad10eadbe16a2dcfd5327cd4bf72b2dbe7ecf97706e5a0870cd700

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
512KB

MD5
491f1fad41d3fd953758d402a5188b95

SHA1
671e805da0439283af2109a8600fd0e6c54e18c5

SHA256
3f0dcc997555362f123009daf24aad18aea045e7981972e44dd21a33bf3e8de8

SHA512
4a5d34fb3e9449ac0e0fa3e3d34d602f0dda84160c677f64184f7536a481661fc0d41c6ca05c52b25b9fdd2fbbd3cd4a280abdf321558e8f701a193891af4508

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
512KB

MD5
d5028497c0733bf4a29fdf6ec6452a4b

SHA1
f59482882f9bfda30bf76d7a49e9e7bece0d5367

SHA256
b199df54971ea0dfb09d17ca211792bcb2d6bf91cf6ead504f8a19e0daa374e6

SHA512
8312cb489cc7c2bad18e917cb01fc5bc0ab188d8376cd541de4e2a888bfdab4ab84090f0a9fa14b81355a04ad2605a3ba36eee8124bfc7668a89a403f2c57a30

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
512KB

MD5
50b5fb0b27620b827f8c76bbe45134b7

SHA1
a458990d8674d9341b77eea6a90f961747c8a03c

SHA256
a0a21d08ceec94168ddaaaaf326bf77557068f8c75229a62e7257c4c27d6a8ca

SHA512
523f3e0293288fe4b0d777d473829d9e5a3375ce56a62dd36dee2bc1c079cefd0a9946b7aac7ec4e7efe9067742d355b6f47c29aa89de8e671938402f0e67b9a

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
512KB

MD5
cd49068c027dc75cc986728d4edba923

SHA1
c0e561e765fbbd52969a8bf312df6aa62932c9cc

SHA256
c905bba5ae8b68fe5a2856ef1b2438157f4d40c97c246ce00610381e58793689

SHA512
cfd540c6dfb9a3df904700c8ea9b78680a37d0536db1dbff84c7545b673aa53502dc10aba5e42937a46b6a914c2d10d7fe0df0a23d211330c8d529850a2b6459

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
512KB

MD5
b9291e5084bd57e35b388c2d88833236

SHA1
e68cfbf81a1e264f75ef2be23994551d7163a863

SHA256
24fb825bf45c2b8fc9c40bacf7625d136951600199f85da952e7c6c1a46d3ad9

SHA512
9dcf70999d7546737988879e502902de1451cb187bdb2672d2c6127f0e697b5261dcb74af6d703b30091645bb9783f4a83a07a2f9dbff72996f6ae87831e6727

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
512KB

MD5
edce717838abab324216c3d506a2cf78

SHA1
53f61fa0b959422f26ac6e92f2c9a920b4c9ea81

SHA256
cb6ce83b3e5a31a167dde36ab298edb07d352bded19940ec66a680215469df30

SHA512
c86dd9c0504694dda4caa0f464227469a8c87b7ef91a7f4e012dad859d13dfd85b32e215c693237e7bf795d2cb3d22a07105f9c9904ff3a1ecd774f00c94b896

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
512KB

MD5
4ecbf5dce41267149ea7ed9509d91ac4

SHA1
4d2d91dbe7ee7c12b0fda9334d034318a7b6defc

SHA256
1e01881f2914a4081a12ff07a4e2bbbaf4eceaf85545662d931c0667a69fa373

SHA512
90d718e03b55216d2993a716362b71c383917a71d3a9bebddd12dd4528fe8ae57bd72abc3715469b61af63413428c2a0532efba0b936cbb25b7e0172b49a0dfa

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
512KB

MD5
c816d8e778cf4318cdbfb77e27ebbcc2

SHA1
66733017282095e0d929510de28174726a43cf4e

SHA256
abf38a2d5f32f1a2e6a1bafe14493b60e2c49008b14e8b637a3f68adff2e8941

SHA512
7982884811a9c78a384c3d13c3f91d625d428ea05a8fae39a19e6c892df9405d3ed8ff32da81d58de2a9473dd03e984f0d0df030d7b54b52294e30447b4dec70

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
512KB

MD5
45aa27d13a3894937cb87b73d99d6bf7

SHA1
400a1682bde3d0dfa0f8807b936c1c55df92cf70

SHA256
4dc19b373df1ae90d1d48fdead4646e7f0504232fcb25ee050a0cec8cad79810

SHA512
d87dfffcfbabeacc776b054f14d0057f457c66cae600f4996862a535cf80f2dac18c96f1bf45039ba2dca9a69c49851e5393b77ce3337bb4d3e2ea308f847691

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
512KB

MD5
3deee7ddeabc9f05f9108f63883478d9

SHA1
8c2c87288b2d7daa39865ee92193c7142db6e936

SHA256
77115077f122b3ecd31dba5b3822bd340a673ae73a027bc9280145d278e94f53

SHA512
046557c19beb65e59607ac2d76fd1e24176cffefe4dfe7c23ee00aed6f40b0d240728ef032204a8ca1ff1119d769b935c2316041559dc343638c3de8cc66ca44

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
512KB

MD5
6b81730d3665f88582adc764f73b9848

SHA1
2c2575ca5f279ea81d30dfc0717460687a17d295

SHA256
c965246b94623d68aaa36ca5b05db008d3d04fd8181f69a2e2fd120cd0a824e3

SHA512
fbfc50e0e4c4d35dc2fcb919d0bd9090e3db1746f911a315fe2d776d3a19421c8689487fc1c5e3229341173c0da5906e98a0e7daad457c56fe8de99f65ef6d37

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
512KB

MD5
60d25210748f33eb01c70246c889573c

SHA1
314f07425c579853c7e1bfc05c8b4b16201d596a

SHA256
2769de6ac99435f10d2883188c5e47334ac5e4cf06aeb47b4519e87b91ff9ec5

SHA512
83456f8043ab1aa541c5f22d20cfe41a5e287f554f55a5ba0d07d58a38f2f2db9937531e345eccde68c1ad4e182cbf232b32c00f0a78b4ce38f5968580deca14

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
512KB

MD5
46766cfdfbeb8e7b46d7c5fa7291351d

SHA1
5ac0c72dad752fe6dc2d7a58151d9cc1b84c5db8

SHA256
10b33447e83d3e3efc0cb946d3b60ffa8a792b4a0b2df863eb7af3fabcfe4926

SHA512
00a127c738081f0a5832d06033d1c6f3cf17fe73498d5831227450ba722463fdc1619c439bc467e71c6cbb6249115f98ab6a7ecfe8c925f01ea8b2e987b92065

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
512KB

MD5
9a42dc098f72d5131a01b7316b0144ba

SHA1
106d3f7d4c0ac5904fe7537647ad617fcfeca697

SHA256
265badea630462522e48ba095dd446e4fd07a9a2be883c58d4138afde7d0c3bd

SHA512
4bb1b55d79a5871e3379d289cc78d57f73bdbe8d94fcd0d1db21f8eb48161f7321b81f2f18cb08bb85478d7fc0a0d3d79abaec7ffeed9aa0fe538ff70df5044a

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
512KB

MD5
fc01243d3e1b416d949a7b28c11b8de7

SHA1
52c3fdcf202f7037097be141ae0da7c3fac0fdc1

SHA256
33f1c6a5a9488583963cb04f6f2760b8097d274150fec7216cc9035157654b8f

SHA512
0c5c6445ab6b167b77951436c48db566e6068dc1e60f4672e079e3cc4b6e44b6b8bf3313ac9de79dd49f027dc29ec1b698fc40d5d742956ed8ec9fa00032082b

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
512KB

MD5
3d99ac6cc7bcb890bf99f92b65075665

SHA1
7010ee91811eeceb509e49b5de964060a2fde9ad

SHA256
8ad3251ba4d5c0cb7f0faa6d518c78fb4769deb6a93dc9a6cc03b134bf79da55

SHA512
dbf5f0ee4c8ef4d0d6cfeb6c9a928cd236b7b8c0bed14ee8fc9a22083869e4afe67bfde59906d786fa45c2d9767f2b83991e330f16cd531077809ffae5c7703c

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
512KB

MD5
27e627b016b036080ba87a07537057b7

SHA1
f2a617be06936572f5d49511e6c9bf35c50979ab

SHA256
1062507e793a7f5e629793bb225486f806e4d9049fbd1c4542de765b30b24514

SHA512
70e82ff93c5f2f7ad47376a82f225d0770b032e28642049edce8dba39e6d74e05cae6e24f7f703e874ffb282f7e8dd3ddf93f5533e806b30235b4e7e6be0dbf5

Download Submit
memory/8-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/388-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/388-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3200-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3296-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3296-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3308-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4168-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4168-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads