ba0b385e11d52ee7937b432092af9096eb4e0a3129c503dea009a3f8154d6c48

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
Size

512KB
MD5

1801afd4a34fe65c7b68ed049efbd3e0
SHA1

84ad7199f917927c895fec39c311a0ce31ddc2d2
SHA256

ba0b385e11d52ee7937b432092af9096eb4e0a3129c503dea009a3f8154d6c48
SHA512

5f5fc066a02ab6c311c1151372892d8c499763a29edb2373ec03941dee7800c618daf542f4ae1a6d58909bd25431934c9e12a1027098b4506c451894b519522d
SSDEEP

6144:Ry8UqvSB279853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:PSB2pQBpnchWcZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe

Executes dropped EXE 25 IoCs

pid	Process
1592	Jdhine32.exe
3708	Jbmfoa32.exe
2300	Jfkoeppq.exe
4572	Kbapjafe.exe
116	Kkihknfg.exe
740	Kmgdgjek.exe
3772	Kmlnbi32.exe
4756	Kcifkp32.exe
692	Kgfoan32.exe
3844	Lmqgnhmp.exe
2844	Lgikfn32.exe
5020	Lmccchkn.exe
1248	Ldmlpbbj.exe
3740	Lpcmec32.exe
4904	Lphfpbdi.exe
3828	Lknjmkdo.exe
1040	Mnocof32.exe
1856	Mkbchk32.exe
896	Mjhqjg32.exe
2412	Mjjmog32.exe
4384	Ngpjnkpf.exe
4040	Ngcgcjnc.exe
2848	Ncihikcg.exe
2708	Nbkhfc32.exe
3428	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3664	3428	WerFault.exe	106

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 1592	4484	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe	82
PID 4484 wrote to memory of 1592	4484	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe	82
PID 4484 wrote to memory of 1592	4484	1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe	82
PID 1592 wrote to memory of 3708	1592	Jdhine32.exe	83
PID 1592 wrote to memory of 3708	1592	Jdhine32.exe	83
PID 1592 wrote to memory of 3708	1592	Jdhine32.exe	83
PID 3708 wrote to memory of 2300	3708	Jbmfoa32.exe	84
PID 3708 wrote to memory of 2300	3708	Jbmfoa32.exe	84
PID 3708 wrote to memory of 2300	3708	Jbmfoa32.exe	84
PID 2300 wrote to memory of 4572	2300	Jfkoeppq.exe	85
PID 2300 wrote to memory of 4572	2300	Jfkoeppq.exe	85
PID 2300 wrote to memory of 4572	2300	Jfkoeppq.exe	85
PID 4572 wrote to memory of 116	4572	Kbapjafe.exe	86
PID 4572 wrote to memory of 116	4572	Kbapjafe.exe	86
PID 4572 wrote to memory of 116	4572	Kbapjafe.exe	86
PID 116 wrote to memory of 740	116	Kkihknfg.exe	87
PID 116 wrote to memory of 740	116	Kkihknfg.exe	87
PID 116 wrote to memory of 740	116	Kkihknfg.exe	87
PID 740 wrote to memory of 3772	740	Kmgdgjek.exe	88
PID 740 wrote to memory of 3772	740	Kmgdgjek.exe	88
PID 740 wrote to memory of 3772	740	Kmgdgjek.exe	88
PID 3772 wrote to memory of 4756	3772	Kmlnbi32.exe	89
PID 3772 wrote to memory of 4756	3772	Kmlnbi32.exe	89
PID 3772 wrote to memory of 4756	3772	Kmlnbi32.exe	89
PID 4756 wrote to memory of 692	4756	Kcifkp32.exe	90
PID 4756 wrote to memory of 692	4756	Kcifkp32.exe	90
PID 4756 wrote to memory of 692	4756	Kcifkp32.exe	90
PID 692 wrote to memory of 3844	692	Kgfoan32.exe	91
PID 692 wrote to memory of 3844	692	Kgfoan32.exe	91
PID 692 wrote to memory of 3844	692	Kgfoan32.exe	91
PID 3844 wrote to memory of 2844	3844	Lmqgnhmp.exe	92
PID 3844 wrote to memory of 2844	3844	Lmqgnhmp.exe	92
PID 3844 wrote to memory of 2844	3844	Lmqgnhmp.exe	92
PID 2844 wrote to memory of 5020	2844	Lgikfn32.exe	93
PID 2844 wrote to memory of 5020	2844	Lgikfn32.exe	93
PID 2844 wrote to memory of 5020	2844	Lgikfn32.exe	93
PID 5020 wrote to memory of 1248	5020	Lmccchkn.exe	94
PID 5020 wrote to memory of 1248	5020	Lmccchkn.exe	94
PID 5020 wrote to memory of 1248	5020	Lmccchkn.exe	94
PID 1248 wrote to memory of 3740	1248	Ldmlpbbj.exe	95
PID 1248 wrote to memory of 3740	1248	Ldmlpbbj.exe	95
PID 1248 wrote to memory of 3740	1248	Ldmlpbbj.exe	95
PID 3740 wrote to memory of 4904	3740	Lpcmec32.exe	96
PID 3740 wrote to memory of 4904	3740	Lpcmec32.exe	96
PID 3740 wrote to memory of 4904	3740	Lpcmec32.exe	96
PID 4904 wrote to memory of 3828	4904	Lphfpbdi.exe	97
PID 4904 wrote to memory of 3828	4904	Lphfpbdi.exe	97
PID 4904 wrote to memory of 3828	4904	Lphfpbdi.exe	97
PID 3828 wrote to memory of 1040	3828	Lknjmkdo.exe	98
PID 3828 wrote to memory of 1040	3828	Lknjmkdo.exe	98
PID 3828 wrote to memory of 1040	3828	Lknjmkdo.exe	98
PID 1040 wrote to memory of 1856	1040	Mnocof32.exe	99
PID 1040 wrote to memory of 1856	1040	Mnocof32.exe	99
PID 1040 wrote to memory of 1856	1040	Mnocof32.exe	99
PID 1856 wrote to memory of 896	1856	Mkbchk32.exe	100
PID 1856 wrote to memory of 896	1856	Mkbchk32.exe	100
PID 1856 wrote to memory of 896	1856	Mkbchk32.exe	100
PID 896 wrote to memory of 2412	896	Mjhqjg32.exe	101
PID 896 wrote to memory of 2412	896	Mjhqjg32.exe	101
PID 896 wrote to memory of 2412	896	Mjhqjg32.exe	101
PID 2412 wrote to memory of 4384	2412	Mjjmog32.exe	102
PID 2412 wrote to memory of 4384	2412	Mjjmog32.exe	102
PID 2412 wrote to memory of 4384	2412	Mjjmog32.exe	102
PID 4384 wrote to memory of 4040	4384	Ngpjnkpf.exe	103

C:\Users\Admin\AppData\Local\Temp\1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1801afd4a34fe65c7b68ed049efbd3e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\Jdhine32.exe
  C:\Windows\system32\Jdhine32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\Jbmfoa32.exe
    C:\Windows\system32\Jbmfoa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\SysWOW64\Jfkoeppq.exe
      C:\Windows\system32\Jfkoeppq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
      - C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        26⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 404
        27⤵
        Program crash
        
        PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3428 -ip 3428
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
512KB

MD5
4e412bfbcfa393ca352d14bdd1a454ce

SHA1
b5f7908472b26a3d91d2081e762ee11501793b15

SHA256
1bc676b34d8aa208fac1485a81612c92ea1a71ce889498f3cc140d25b6144eeb

SHA512
aa99b19c71ffb212640ee39d371b7d88e5e4e919c960373d29a928c6f9a9c878940890aee4c16c34ede56b3d083fd6a7ba1ffa75307c2e21a24c78c89e8e40b7

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe

Filesize
512KB

MD5
84dbb4c2f6f133de40b5d7e7c0626872

SHA1
e334ae154ee2aba278b30eeb68e986daf94dcbe5

SHA256
69750c2589a2f18f88822c3e5ae7cddd4bbd875ef58d5516f343e4e51a3e6356

SHA512
a15bf3454c9449cede3aeced3cf2f95c689eb2adf9ac2d45238303a77aaaa8ca8d4810045233234e75f46b7bce4581ca097f0d5f03074d99771e527aceffcc9b

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
512KB

MD5
cc4e9994853f561059e1c2a19796d267

SHA1
97bde2b45833d7efef05c2c6554a656b1916f4db

SHA256
69961a0d67d769da20c4c2ca984fe5ac02ec01d859b253d49c3fe4e59c2c6920

SHA512
b475650567a7c5accc10afe9d8e87fed3ab882d1e6dfa2db93b4aa86761ebedc25fdbd502c8b591e0edaef7574a5ae18312976f6f8fa70b315c9b064d1e0aa57

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
512KB

MD5
bb9217944367602cbd48f9ff0e0c15bb

SHA1
fc19ee503ea59b6a1b5965139483ea3233407777

SHA256
95b5307eaa7dc0e72102a241cebcf6540e1e5c6b7c04c7fa36d6ce958577d517

SHA512
66ec898f001a9ab9d0314decbe84a9e56ec5304a60dd6a6c69476b3a445a12dda5b13862b5e8e9b25abcc83850b7bd96acd67c699bd87bd5b3a81543dc4d1f6e

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
512KB

MD5
8626c4a5683199add7841aa493a457a8

SHA1
fdea5037bef1ca6fb4383fce8e195bef30509c9e

SHA256
27a9918541f2a15ba7dc4bfec8a6eb2e762c7ef9c09d1ff4b0c74a64aafa941b

SHA512
42a23b43b67c089645e422fc3bbfe82d8ef7435c97978066a1302118c04524e8bb426c7cfec311033ba6d72c9fd317695cb9623fe9cd44809258f7f12d6d7b9a

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
512KB

MD5
9b93b414d3a8804defefa7d3af18446e

SHA1
cf38ef0b89cdce7f510230250967bb810a4cf6c6

SHA256
7a163b191b509b512b32b38fa90931e44c1a2b809755d8160eaabf7fce680e36

SHA512
abf975bb7d5f1b158565858a35023c891b9284797fed67ea2566ee20e08699fd8961209ed53c788180f0193236d3d547d354e0c148901d4f5ee6a259e11505d6

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
512KB

MD5
4a58a1a741af3ef8b34d387931857f8f

SHA1
8e4d0518ca8aaae4edc23bf4175dff373f32d919

SHA256
83a7e1a19ec3f7a3fa4418c1a470a6531039c750bf15ce9108acc9e44fd201de

SHA512
1c86b3e4f3d5b89a1b81e72c3a5ab41aea0eebb5fb8a0cc5878b41edb572a379ff3d904ee09ccc7c32e3970f3cb2adbbd6ff28cca90a1abccdc6b6588df05587

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
512KB

MD5
09bff5d10798cd0381a9e25fa8b6898e

SHA1
70a2b64ad91570bb062e04530553379fb12f7f81

SHA256
fedb883d6520048a6d35ebaacd73151b60bde3ac9b0b394d2aa8ad838149cd02

SHA512
fd00967120bbedeb360f717ed9fa115e582b387c31be5cae9d3c01547fe0af4774cee1276b78fcb0102a443a61fcd614e8d869650a3cc313dd989be117f716cf

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
512KB

MD5
e7f3ef26fc7b92fb37cf6faa8f409e50

SHA1
82715141d979de664de52ddd06e04b31f6602414

SHA256
85479d309fb62dcfe934e56657cecf264d2526676d84e90a58c144c18cdbd75e

SHA512
99c4c98954db0283c351034f7e32a1e02cd94366105f77bf9b945b35dd4ebef25d4a5cb074e8f92c287997a305bf3d834f829d045268f1653c083881e8bd7ae8

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
512KB

MD5
753b4801f45a9c572094765eeb3b7f6f

SHA1
0ec0dfc3ac46857839445cb81e42fbac5e5dfaa5

SHA256
67754eec18c1968b31b4092a385226491f0a2c749493575d3df7e01a78e51cef

SHA512
32c982d60d8835d87fa665a0baa2038efea70f9ee62c80684a86c493bfd66380e1022c5ddfdf32b610b741f124bd7fdb6c251dab77efa6303bbe9d3a603649a2

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
512KB

MD5
9e329b6edb9443cd5ba9a9f2fdcb0bc4

SHA1
7a28dc27072d066d9fb6eb53cb24a9bb0184762a

SHA256
fa29d977033f00b975284768a6eec5983af6acaec7ca2a420cba506462c920e6

SHA512
d31dc68ea2f9f74c9564e9202dfac9ea5852d8cf2f26b20e9f35083bebeff62ea6bb674d715edda7705818a8279f3a9bc175ee00839d4cd295c4e4b41fceed63

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
512KB

MD5
9b19e3e3a9360da4db725b7ac8ebc53c

SHA1
2a2e413537b149101a15823c75a9494d66acd5e8

SHA256
ba66fb10a700caad8c437b3f5bbacd8425caad8c29affd8622333ceb2510db0d

SHA512
b8821b8418610c6ab6faee7d1050baf2b0bb4306b9f34394ef829054d3f374a34a6897a6867a52a5439c9ba95a7c00fc2a62d67a0f49ab7bf73be54f580a95f8

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
512KB

MD5
60611ce3fcba596af4363357d5bec416

SHA1
856d4fcfc0b55cc0d3043e64353c4d15f091642e

SHA256
6a3c4bf23c4657686f196a965d0e97dbccf6ded53962aecbde81dc93e5d46319

SHA512
f92c76a0bb162f3793a339521c1a194448e4441f07971712bcd741d052c92bd87da94c8142656dec11f23153354d2b4135a64a422002317d91aed64fd02aa26a

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
512KB

MD5
28d524a7874bda8f25c7cfb2d801830e

SHA1
5f4d68182e182056ee64cefc61e5f5666c6dcb5c

SHA256
c08825c5022ea33d3932f8c3d8d7dd587b2e7e825bb8e0703023b766e5d6c431

SHA512
563282d26ec5209e82149bbd9b3b1c0de884f1e54bd069ca4a5df205f7bf812176d20a3b93cd5be026949fc4b7738f92572fd241dd3f6a80928ad4551f83c222

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
512KB

MD5
0968f13d37806268267f587e20538bb5

SHA1
564980adef18173513c2c7e384798723e9c4b2dc

SHA256
6147d9767c5426dbf2f3c86ba72ac1943827182ffa16ca98a7b76f0ebc3da5b0

SHA512
25233858ea6720066cb73c214587adf4aac5283d8fdada78e610ad5f95b923c805dc9f26e75f88575fffb0fd3d3115fbeda8959f8d1b9232d11be87bfb9fd640

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
512KB

MD5
b092dc1fd9a6ebc12c90866217fca0c7

SHA1
ee10ab227e3a560355ee83a539a8ecbb806700b5

SHA256
ed2ae621fb115224c45c2c53ca84643bde2a675513c2b38bbcbfd312fc868247

SHA512
8fdf86aa1eea8e7f542e19fe4fb2a09ce648b61332dee243224b6cfa889efdf4cd20da7513446ce10299bc2534ecc3778077a15721f7cd42a7391b1addba5afb

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
512KB

MD5
e6a2dc1adaaa6b3129e8d2d06cdd11f0

SHA1
6594df9584396737bc90beafb5ad73199699feaa

SHA256
b00f25ada59bb21c89381f66b9fc2531155543787ad09a41219834afcea3d1e6

SHA512
49f200f16fa715d96c54256a9536d2560671a960c5540f577b5be09eab66e599b8cc88dd39447d2249b3870fc0f94f6f3ce51dcd71b93752223a95afde629a34

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
512KB

MD5
6bf8fba7b859f6fb4330e8b68459f5c5

SHA1
ca6ec11c520492945b730a9f753fd6c71a3127c6

SHA256
00a4952b883826ef568c65927e2f93b20df655567575d0d2cc0c69118891471c

SHA512
870298897b6f34f91fa47f8cd1ceb8c3aa3af55a95d3441a25b76422a9d74c0907e57c1e32a713d63320c70bf840ecaca880015c72f366aaac6554eded3c8d4e

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
512KB

MD5
600acee6775624be9ae0dbcf1108bca7

SHA1
562acef6d78ff8df90df316aa33729b8a8cc2cf8

SHA256
315692cc589d75e2dc1dec481b6453154786fcc1c6d4939e2a74cc2af61c7565

SHA512
5e84466c8a07b751f143885a3eeff4c96176850ca46b08208b3a23beb89445bd2c130a9c016bcdabf693d55fe202d4f94f7e98480a8985617abdb3c8ff8ca2fa

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
512KB

MD5
c33a5140f0c0a03c14947ea286ff5c85

SHA1
a987b81de924648c0bca501604731337014bddbd

SHA256
acffb38b87e2fb8a88921f7453215ee768e59fcf64fa4f9b09b7f5ccbbc69894

SHA512
8eb0a6d5970bb84814732aae4c6407e5606001418b803aa16f77f06034e1144ee347d0bed09f531e8a497227f75adea74ea54ef9115b74837739a77dd76c4914

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
512KB

MD5
5981d4c6d90f92ce1d1dd9739f651a34

SHA1
8e223aac9b772fa6cc8fdf7d3cd4d2a62ba0da4d

SHA256
90fa1814539e70147f9bb6d14e1dd3d04ccf85828d2a0b2300c60c3f1a466c22

SHA512
0fc090492f3f71f4333ce60611e86216e46e7834843380f295967632f108a1726b0c311ce65ac6fa49785a7c680dd44f99c9541f449d234509f8051d6b8624dd

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
256KB

MD5
383a7f56af026778e696c0374d55327d

SHA1
bcf063e9e0cd8db3969fe503b6fda062826d4e8b

SHA256
b78b405beb24af06e2146d0af5c71d188e5d0dbd2f5654fca694dae7d76a92f6

SHA512
b0ba94a897532340cf78ae0d9be2ad318f37fc90e4f1f6555cd82c35cee8487ed13407e7151f603b2dce6d3ca2efc5ffab21524fa50c8ed53873379c99ef111a

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
512KB

MD5
c1df1915d807b366e3b7553b4dcc118c

SHA1
b105c344c173f7d8fee71c608e9f0f908ece42e7

SHA256
114dd101892e2e23716d75d52d8fcdb2b2578013844985e37a0818d37bd4f846

SHA512
1adad98d038d4af21acf8137eeff192b1b4e061e33c312e3af326d0fbc16b90ad146579219c6826e6737a922310a82a8d63bd0c4ef693841f92cabea5da2a413

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
512KB

MD5
7d51a31482015fefd1e23d7ba19bca39

SHA1
3e9294e33ff4e17ca08b2c020190797888307136

SHA256
64c1e8d513fa12013547a1c4179a6fb5f4372b1a3f93d53acf2d85fa99c5184e

SHA512
960cdbdaa2191239ef09e8d3f1f8d146894056dcac75de53456782bc89d98b36c97eca33e942712f5b07961399a046af7def9d197167db16540e38047cd72314

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
512KB

MD5
551689d0741a9e34e814b08f7c7dc7dd

SHA1
6dd92799536a5b086a2b66305c11d413801a8fc4

SHA256
4d3dc72fd06ecbe8e4fbe53919a7e64f664af1792aa73a4563f6af7ddd5f82db

SHA512
ca56ad138a8c299d8c8cb26ec8987b284350885fc8252c4850f345a3c5be7c122639711047b361219d372a9db7b9e8af6e507cc627cb50a0aae68a5e61a815b5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
512KB

MD5
286f531c5db5a7b62e1a6485623a22ad

SHA1
715caad9081ddc70e7c273b4ed49e7281a80a29f

SHA256
c4ab78a4cbd3f4818927fdb049c7c17ca03b395877c435cf0df1429fed1c37e0

SHA512
90a5f28d2a8fc9ec5ceafd0320d3b9cec45fea5f50247ca82fd513f8d228f87cd0e21d56634bd296c2cd6934278dcc6f3a662aad4be48df3fb44d161d6d94e5a

Download Submit
memory/116-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/896-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/896-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-193-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3828-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3828-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4040-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4040-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads