1ca2739ad86d167bead36e7c01620973650d63c79a3b9293a7c2a8371f7b154c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Size

448KB
MD5

2b0466e555997c6ab8455a55eadc2aa0
SHA1

9aaf824471ce9c01722adc00b423fee23c89aa6b
SHA256

1ca2739ad86d167bead36e7c01620973650d63c79a3b9293a7c2a8371f7b154c
SHA512

f36580ad675743ff37bf58878f5920758594704f4d507f9eba3982e9b3091d67fb2a423e6bd30d70aa19b5cb8d7a6375f376a50198801742c6ca4927a1d6ecd5
SSDEEP

6144:/D1k5Ngy46s21L7/s50z/Wa3/PNlP59ENQdgrb8X6SJqGaPonZh/nr0xuIKjyAHM:ZS705kWM/9J6gqGBf/sAHZHbgdhgi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe

Executes dropped EXE 26 IoCs

pid	Process
3052	Kkbkamnl.exe
3144	Lpocjdld.exe
3972	Lgikfn32.exe
5092	Lnepih32.exe
1616	Lcbiao32.exe
3344	Lilanioo.exe
3020	Ldaeka32.exe
2524	Lgbnmm32.exe
1176	Mnlfigcc.exe
3008	Mgekbljc.exe
2992	Mnapdf32.exe
2100	Mjhqjg32.exe
3952	Mkgmcjld.exe
4160	Mgnnhk32.exe
2184	Nceonl32.exe
4340	Nklfoi32.exe
964	Nafokcol.exe
3088	Ngcgcjnc.exe
1796	Nnmopdep.exe
4332	Ngedij32.exe
3756	Nkqpjidj.exe
1064	Nnolfdcn.exe
1964	Nbkhfc32.exe
4776	Ndidbn32.exe
3232	Nggqoj32.exe
4808	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mnapdf32.exe

Program crash 1 IoCs

pid	pid_target	Process
3832	4808	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3052	1976	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe	82
PID 1976 wrote to memory of 3052	1976	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe	82
PID 1976 wrote to memory of 3052	1976	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe	82
PID 3052 wrote to memory of 3144	3052	Kkbkamnl.exe	83
PID 3052 wrote to memory of 3144	3052	Kkbkamnl.exe	83
PID 3052 wrote to memory of 3144	3052	Kkbkamnl.exe	83
PID 3144 wrote to memory of 3972	3144	Lpocjdld.exe	84
PID 3144 wrote to memory of 3972	3144	Lpocjdld.exe	84
PID 3144 wrote to memory of 3972	3144	Lpocjdld.exe	84
PID 3972 wrote to memory of 5092	3972	Lgikfn32.exe	85
PID 3972 wrote to memory of 5092	3972	Lgikfn32.exe	85
PID 3972 wrote to memory of 5092	3972	Lgikfn32.exe	85
PID 5092 wrote to memory of 1616	5092	Lnepih32.exe	86
PID 5092 wrote to memory of 1616	5092	Lnepih32.exe	86
PID 5092 wrote to memory of 1616	5092	Lnepih32.exe	86
PID 1616 wrote to memory of 3344	1616	Lcbiao32.exe	87
PID 1616 wrote to memory of 3344	1616	Lcbiao32.exe	87
PID 1616 wrote to memory of 3344	1616	Lcbiao32.exe	87
PID 3344 wrote to memory of 3020	3344	Lilanioo.exe	88
PID 3344 wrote to memory of 3020	3344	Lilanioo.exe	88
PID 3344 wrote to memory of 3020	3344	Lilanioo.exe	88
PID 3020 wrote to memory of 2524	3020	Ldaeka32.exe	89
PID 3020 wrote to memory of 2524	3020	Ldaeka32.exe	89
PID 3020 wrote to memory of 2524	3020	Ldaeka32.exe	89
PID 2524 wrote to memory of 1176	2524	Lgbnmm32.exe	90
PID 2524 wrote to memory of 1176	2524	Lgbnmm32.exe	90
PID 2524 wrote to memory of 1176	2524	Lgbnmm32.exe	90
PID 1176 wrote to memory of 3008	1176	Mnlfigcc.exe	91
PID 1176 wrote to memory of 3008	1176	Mnlfigcc.exe	91
PID 1176 wrote to memory of 3008	1176	Mnlfigcc.exe	91
PID 3008 wrote to memory of 2992	3008	Mgekbljc.exe	92
PID 3008 wrote to memory of 2992	3008	Mgekbljc.exe	92
PID 3008 wrote to memory of 2992	3008	Mgekbljc.exe	92
PID 2992 wrote to memory of 2100	2992	Mnapdf32.exe	95
PID 2992 wrote to memory of 2100	2992	Mnapdf32.exe	95
PID 2992 wrote to memory of 2100	2992	Mnapdf32.exe	95
PID 2100 wrote to memory of 3952	2100	Mjhqjg32.exe	96
PID 2100 wrote to memory of 3952	2100	Mjhqjg32.exe	96
PID 2100 wrote to memory of 3952	2100	Mjhqjg32.exe	96
PID 3952 wrote to memory of 4160	3952	Mkgmcjld.exe	97
PID 3952 wrote to memory of 4160	3952	Mkgmcjld.exe	97
PID 3952 wrote to memory of 4160	3952	Mkgmcjld.exe	97
PID 4160 wrote to memory of 2184	4160	Mgnnhk32.exe	98
PID 4160 wrote to memory of 2184	4160	Mgnnhk32.exe	98
PID 4160 wrote to memory of 2184	4160	Mgnnhk32.exe	98
PID 2184 wrote to memory of 4340	2184	Nceonl32.exe	99
PID 2184 wrote to memory of 4340	2184	Nceonl32.exe	99
PID 2184 wrote to memory of 4340	2184	Nceonl32.exe	99
PID 4340 wrote to memory of 964	4340	Nklfoi32.exe	100
PID 4340 wrote to memory of 964	4340	Nklfoi32.exe	100
PID 4340 wrote to memory of 964	4340	Nklfoi32.exe	100
PID 964 wrote to memory of 3088	964	Nafokcol.exe	101
PID 964 wrote to memory of 3088	964	Nafokcol.exe	101
PID 964 wrote to memory of 3088	964	Nafokcol.exe	101
PID 3088 wrote to memory of 1796	3088	Ngcgcjnc.exe	102
PID 3088 wrote to memory of 1796	3088	Ngcgcjnc.exe	102
PID 3088 wrote to memory of 1796	3088	Ngcgcjnc.exe	102
PID 1796 wrote to memory of 4332	1796	Nnmopdep.exe	103
PID 1796 wrote to memory of 4332	1796	Nnmopdep.exe	103
PID 1796 wrote to memory of 4332	1796	Nnmopdep.exe	103
PID 4332 wrote to memory of 3756	4332	Ngedij32.exe	104
PID 4332 wrote to memory of 3756	4332	Ngedij32.exe	104
PID 4332 wrote to memory of 3756	4332	Ngedij32.exe	104
PID 3756 wrote to memory of 1064	3756	Nkqpjidj.exe	105

C:\Users\Admin\AppData\Local\Temp\2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\Lpocjdld.exe
    C:\Windows\system32\Lpocjdld.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\Lgikfn32.exe
      C:\Windows\system32\Lgikfn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
      - C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        27⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 400
        28⤵
        Program crash
        
        PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4808 -ip 4808
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
448KB

MD5
d7ec9950f1ec1d7a58a1e28da358b008

SHA1
57622be8f70b69c566841168a1aa70805003e24e

SHA256
32ea1c5c79d72a6fd24847c0d528b529617ab8cb9bee3a7b697c87f475c1fc5b

SHA512
79404c11e25d257664122ca6dfedefa04e2bc251b98b5c2daa2533b771cc14f9a402294e15f3a8fcdf26995c04351e69d987210b5ff04a0ac7301683243318af

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
448KB

MD5
784881353e0f9a6772873d3bfe4da1c9

SHA1
461b1d0218e4ec911d5c23b0df1122a632e6d5ca

SHA256
721eda813ed36dced42cde016bebee1fb32a94398e6188f89c1ab2029d5946c0

SHA512
eca9820fd475c977fa27192ae2465a1362f7f7a0be94eecee74456864c5be76c2d68a96f567abaf427892780b0e08a1a342442ee0c589a2fedac2c89a7048fa5

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
448KB

MD5
7738fb7f96f01d5df1dac611cc469b66

SHA1
914acc3b6a4c249e4da8231f752c2a8fa92a5374

SHA256
3fb25a6158c3238afe2a68becfa5615c3979b7b349c2fa69afd68db111b48985

SHA512
b5f806229b0e3b59cb6b68a032355fd5e044bdd2b966903fba44a6709b57a12e53419ab836897c5a2b8b50cc05a4e42f8ad96c3936c17b0b4ebf8c87677a676a

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
448KB

MD5
cea98fe6b93c57d7f8d98fa08c892a73

SHA1
63bf9a73d10eaaf36a14879bd1d628aa49d923ff

SHA256
ca3fcba87e1ec3798ee4c2195e38e067879b76bf2cc85a3e869b19760c123ec6

SHA512
a8d3d8f621ee6c99dbf0066b782a8f2e237907468e434cfd464d06bac8167b0d949e41c85b80bfa9745f5756c1ea211ba1b6350b3639ebe5f3e54477bec86c59

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
448KB

MD5
d7763643d0f87b813c6f47373efd1cb1

SHA1
0a27373e5433ba06a3c87b8b1d54c91f003e3b25

SHA256
85c340ef8076d15d462b060e0c4e1de2e08f1ffef7412f847e3764390f43a281

SHA512
8b91d53cd40ab0fb51433806b4a706e9e819222f40166c01801542fbfce1472eb5d3d6327e783a0e572859ce87c35f49ab35d441879dce3191211059a6f4cff9

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
448KB

MD5
1b31cbbd6061497b211bd6b362b31389

SHA1
91bbadb468c332f84c5de210fc238ba4975d1a56

SHA256
c7bde397a9e43a6e06e5c77e84b21bcc8e8f145c75990e3fd47b4f0f3f87f45a

SHA512
349939ee7d8dd5b8f2ec50bb5c4e02d4e581ad1856dc76f38b779ac5b0e7717056949dbb4d6f7c05091d7555ea85c99e79d2d51472dbb49a5690a4796308a026

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
448KB

MD5
227c159ad20e99fbcfadae901740f6f4

SHA1
43350c65c87af98f355d9fe98568079c071ceece

SHA256
db4ff7ca29a9f7788b376e9c35bf11da5c7464cca8572b74223c04135ba779c1

SHA512
15069606a7fec5c1d81960bbeb441369ce370f6209babaf167a29afaad407bda23c7338d2d9feca9c45386f2f31afde02d499a020d352e15ec391e2636598f9a

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
448KB

MD5
38f01bd3fa0f835b68b6cf157e1e13b3

SHA1
edecae7c6d45db5fa70f7957385d038174837a8b

SHA256
73f0e9f35cd692d00b6cbf9d46874337d3434aa4776487fc1fb45323a6cbb6c4

SHA512
97b34bed6f1770bce52432103766d4b633c8349731508dcc1871a451aa6315640862e9ce7c7afa728af714463178fcfd1392bd7d52cc7214454803b7eb304299

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
448KB

MD5
4875defd81021948cfeb969f8372a116

SHA1
1a84f81be93cd78e2c5c8e294a394390b5c555c1

SHA256
407b92d8ecadec8c72067a2d6f343665ed047441b3c53276ee9e5b9dc4df6bce

SHA512
3c1b99ab43992e0446a2dc01068d9d56280dfce64a1953a42b020be80cf3cf006b39ca3001670112bb658721882f38a91d0f1e2fd0d59262ec7cc194b52bd313

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
448KB

MD5
f400bf196c968567209c84a3fe1cb6a0

SHA1
16bd18947f94b608c98c129571b23f37ce126029

SHA256
60dc27dff6ace83a7a3f1f4d88ca951242b3856a4f2cb35695fc38044b05a705

SHA512
e9d5ab4414b8b433b8574918ff0c3f25e3bfc3d726889dc4587de768a8f86b9c049b4e869417e9253664b956491871f9efc1a8a1ff77780c3938b7440c6a718a

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
448KB

MD5
7bba562c35da2443804bd7f7c93d3624

SHA1
3cb6629a5d3cb5efead1fa0a5b673e970e2ee7ff

SHA256
9822eeb8ef71f94e7b6ef61d60d9d595ffc4e84198c614531a7145e59040a430

SHA512
f3ac040bbe7b851ae52699f3dfab0aa21d79ee9cc30d2ad061ee712b25ace8a14b90578adf8762204d5f23daceb383ef32d2eeef73569b4ed0489677ea0b8ee5

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
448KB

MD5
4b12d249d03299a947d79755c314268d

SHA1
eb8374b9a8cd99590d446736667ddbd296f8b33c

SHA256
f3153c3e1447b8f7f41b7821077cf4c69a4b8e1fef87fb6627c56df88040a3ea

SHA512
dd2e1eea4e25351f10d7691035e42dfe4415dd7ac8dec1d53c616c83b85335f3cadca69814a36b209d5000e8a893b3af622b11a08c10cfa1a3cb92450565c080

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
448KB

MD5
0b6cb910f10085e0d43a209ffdfd9341

SHA1
4ba2a20ddffc6073e51b51bb1744bab243334e5c

SHA256
6a9a215d9a321ec2a7e328ef7b39bfe5f4b00937a6a960f9f258522881930ca2

SHA512
2f5face5516ea58b8bb413dfc95f4a27be031bc6b9af1b1114b9008166ff1564feb82b8a4af4ca8db2e5eb6903c54231959ac0998153c18f5ad42d5bad760667

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
448KB

MD5
9cc7f6b0af6b4db332ca375eac11baf2

SHA1
8298ccfe7837b2f26a29ba967e26a5be9e1a9d6a

SHA256
da3361a27c61e5250dd50e98eda7f44acdaafc8cafba30ac54f8fc32881650c2

SHA512
3c3b6018bf40d29f87f14cacdfb6c50fada392129dae80316bf5eba349a43e703acf794a1b7b6f5997d93b6212da924b5489fb1e056c1bbcc5ea1f9170b427bf

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
448KB

MD5
e6b98a8d5324375b0a691341a1ca4f9b

SHA1
1fe493115ea48f3c1042049c459f199d1ebbd8a9

SHA256
09c073467c4fe4568d26475680e28ff33ba31bddc4c59f25dd99c842de913a56

SHA512
dc48874b3e4ac71c3bfc4f20cb9f8e17026c5cae7207505983e9fe794fc01b8f678b56e4666383cbf8e20d3dbad44d74525243b93c7bd463b2b75372ede3bd8c

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
448KB

MD5
53ae2398d556f6c2d9e72dd3f6b8c192

SHA1
be094406880e1c5d86a583bd429a2d6656236a65

SHA256
165caa546658040cdbe0a1a2042318927d03fbd306af9b939fa31e43716c764f

SHA512
d442c6abe5b7e5535830d017a06f8ccfc98829bff431029fdef446b632fbc534e7671823230be9fa10c7819867cde883dfcaf400436b461761b40e7da0141768

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
448KB

MD5
923b41a04ead4780c8b70a824019d011

SHA1
7aa8daa9561671c38fb256327fb9bc7e78b57917

SHA256
06a372868eb582943f4ad1b8131da441c2b227193045b4eb2a215c12305b3cb4

SHA512
03288d808149d15a7c2175a90166fcc6329581657bdf95b10278ae60a0f660e62e72ae8daad4b57cd5d2d5227203a99e554199e7ddd4751e750d72252ea05c38

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
448KB

MD5
8b7253053bd3801c3093e7fb56810c03

SHA1
fea583ccdf5c43e1908b6ae1f57dbb428d173f7f

SHA256
b63ca501c395106f5f18e899b3a04423b293d3d7154a7b4c61ea1cfa1bf37c8d

SHA512
065a13f28a15b25c0813f3b8ca964cbae6e2694b377da3bee871686068f61db6493134677a8b6e04a7a80d62de8b03aa733283609639d91369eafbec5c404c14

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
448KB

MD5
f38708d81a12c0ddb8e5e8bb768f1832

SHA1
f9a3f378ce86a501de55cce6d0b0710a38b55094

SHA256
4b4ac29b0c355be571b3bae236abf097391bdee3ef09fc2ece3adc2f36870732

SHA512
bdc04f179d3c0542f3002ea6fb4b300b96e62d1694b387a3112f0ddfc439a14dbae90c6829638e3f8b9716ba0be27ceb0cc925a6415e29c6efdc927f67f246f8

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
448KB

MD5
b9a7985450617e627a8d49f075321ae6

SHA1
7fe72a0fc6c64bfe77c6e5dc154f1c20ee39b92f

SHA256
462db45a3854b7964a5d8fd71eb747ba17af4943e490dedcfd66ac7efaa9b5d8

SHA512
a632611682f129f963cdb18120ba6e670754e3a0a37586aadbfd31cb30579439ca35d4c5e790f0a7a8a9af255a6da7d1df71f7f2b66fdc9bf415b90c1697eed1

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
448KB

MD5
933a401ea066bb9eaa3e9a0a5ffbeb19

SHA1
96ddc82189bc2acbf8c78af45e4e41fc31807966

SHA256
5bf011103098272cc0dee2b934abdc108190fe0d7e7371f2464b2ab496ba0bff

SHA512
1f5ff5222aab5c909ac77ee7ef60f133d83508a7cb302e34ef84e89869f4d0ee391c4e27d9922fed21ab67d962543fab9cd2b2fbb0da6eaa3686124cb897e677

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
448KB

MD5
3b3bdbc1cb034f2e9187a7b55ec717b8

SHA1
434b4368d7f1155cfbe9d6ce245e1be861d55169

SHA256
ce044fd7f5942f0e6bce1bf276fa32740a08673fa23a113fa84eba1d9d082294

SHA512
bc18fa852adf5be7266f776ffd12134b468facfd31e19fac2a8cd9b4f1ab028d73e72bac573a461efc414595ec1db7ff6cf30af19766bdc91e84e813fb3fc9c9

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
448KB

MD5
0f4d06dd0fd458de11129c8deaa63864

SHA1
53adeda4b949f51b0e21b4ddb9db1f7e21426616

SHA256
b3f3c48488116545089ba3c5f1bb9d9db5570204730a8826c661a4e7d85a3509

SHA512
725d9c3b431d60f5e0cbf1aa05df443eac272b08ca95da7852cc1fca4b879f9bd635d74ed9d09f512e6259b6acca57516fd84b0c451fcf6b0ae3abb6e2b97712

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
448KB

MD5
b8e274b5f67b4abdaa3ef74070c7dc99

SHA1
f2d568f8635b34ae4c0f06a4849c5456b5b49ef1

SHA256
1c1d106ae4d42cd4672d3c7750c6d33fc20a7535acbc5194910adbfb14a82d50

SHA512
b03f8a764620325a045be0f28e11a7d3d210514d4ca1dd4b19b4b67ad94d7d8d5f243193d614cb0cb60890e005cd31caa1948f360ea324600013c69b4bf7ffa9

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
448KB

MD5
af0d03e65c738e8b7d6e2ab0e262c4b2

SHA1
078fb442a08562f8f7bb352854e10cef5a66d990

SHA256
63489d717f9c0759c3acb4acf99e19216bffb2f38b8a14a0e3dabee7586e766e

SHA512
2aa65b4c29282e368253caf2df6a4d011b04bc9af0a8216e5e495754a24f5b08b56dc034ac4563593c504513c05249b46d3eae61ea5a6ba5f04662a8b6522e0c

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
448KB

MD5
91eb881eefd1929ccf3a897dc041c73a

SHA1
e97e621bbdefed1f1ddda82cd8a8d0356bcb9214

SHA256
5f5a70068ae38ccf36e01dd94ed22dbf71bdebd1e45af087dd30d1ddd2870b77

SHA512
987670afce0d960249d244dbb7332d77f0cdfd000c989fe067d793853b0d2ba8d44b02c6385647ce1e81e92f382ad8287e9cd5aa340f49038359fc071e609f58

Download Submit
memory/964-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/964-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3756-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads