7836ba7bd91846871897d806e24fa11693c38abf294ed7e5ba8d6baf83790f59

Analysis

max time kernel
93s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
Size

192KB
MD5

a2c22dc4ddef8a5bc22208300c151490
SHA1

6627919319846d004cad6c8dbed28b483b53f361
SHA256

7836ba7bd91846871897d806e24fa11693c38abf294ed7e5ba8d6baf83790f59
SHA512

4697cc6b983639225f3f2c5fb906e0a85e5b2910d26b6ed17b38ee45306cdf9407653ee8ab7113e3123fddb211851f18027c4b884d0ac13989de94cc64ca0177
SSDEEP

3072:AQZCS4E0M5/CGJztMDvhHhDn5C9o3kremwc/gHq/Wp+YmKfxgQdxvzSTsXXoT2z:A095/dp+vhRn0o3/fc/UmKyIxLDXXoqz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe

Executes dropped EXE 25 IoCs

pid	Process
1952	Lddbqa32.exe
2012	Lgbnmm32.exe
3128	Mnlfigcc.exe
1652	Mkpgck32.exe
1500	Majopeii.exe
4048	Mdiklqhm.exe
1404	Mkbchk32.exe
4816	Mpolqa32.exe
5004	Mcnhmm32.exe
2328	Mjhqjg32.exe
4536	Mdmegp32.exe
1412	Mkgmcjld.exe
3528	Mpdelajl.exe
4984	Mgnnhk32.exe
4416	Nnhfee32.exe
5076	Ndbnboqb.exe
3780	Nklfoi32.exe
1932	Nafokcol.exe
984	Nddkgonp.exe
648	Ngcgcjnc.exe
4808	Nnmopdep.exe
4620	Ngedij32.exe
4576	Nnolfdcn.exe
744	Nqmhbpba.exe
1852	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3620	1852	WerFault.exe	109

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 1952	3700	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe	82
PID 3700 wrote to memory of 1952	3700	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe	82
PID 3700 wrote to memory of 1952	3700	a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe	82
PID 1952 wrote to memory of 2012	1952	Lddbqa32.exe	83
PID 1952 wrote to memory of 2012	1952	Lddbqa32.exe	83
PID 1952 wrote to memory of 2012	1952	Lddbqa32.exe	83
PID 2012 wrote to memory of 3128	2012	Lgbnmm32.exe	84
PID 2012 wrote to memory of 3128	2012	Lgbnmm32.exe	84
PID 2012 wrote to memory of 3128	2012	Lgbnmm32.exe	84
PID 3128 wrote to memory of 1652	3128	Mnlfigcc.exe	85
PID 3128 wrote to memory of 1652	3128	Mnlfigcc.exe	85
PID 3128 wrote to memory of 1652	3128	Mnlfigcc.exe	85
PID 1652 wrote to memory of 1500	1652	Mkpgck32.exe	86
PID 1652 wrote to memory of 1500	1652	Mkpgck32.exe	86
PID 1652 wrote to memory of 1500	1652	Mkpgck32.exe	86
PID 1500 wrote to memory of 4048	1500	Majopeii.exe	87
PID 1500 wrote to memory of 4048	1500	Majopeii.exe	87
PID 1500 wrote to memory of 4048	1500	Majopeii.exe	87
PID 4048 wrote to memory of 1404	4048	Mdiklqhm.exe	89
PID 4048 wrote to memory of 1404	4048	Mdiklqhm.exe	89
PID 4048 wrote to memory of 1404	4048	Mdiklqhm.exe	89
PID 1404 wrote to memory of 4816	1404	Mkbchk32.exe	90
PID 1404 wrote to memory of 4816	1404	Mkbchk32.exe	90
PID 1404 wrote to memory of 4816	1404	Mkbchk32.exe	90
PID 4816 wrote to memory of 5004	4816	Mpolqa32.exe	92
PID 4816 wrote to memory of 5004	4816	Mpolqa32.exe	92
PID 4816 wrote to memory of 5004	4816	Mpolqa32.exe	92
PID 5004 wrote to memory of 2328	5004	Mcnhmm32.exe	93
PID 5004 wrote to memory of 2328	5004	Mcnhmm32.exe	93
PID 5004 wrote to memory of 2328	5004	Mcnhmm32.exe	93
PID 2328 wrote to memory of 4536	2328	Mjhqjg32.exe	94
PID 2328 wrote to memory of 4536	2328	Mjhqjg32.exe	94
PID 2328 wrote to memory of 4536	2328	Mjhqjg32.exe	94
PID 4536 wrote to memory of 1412	4536	Mdmegp32.exe	95
PID 4536 wrote to memory of 1412	4536	Mdmegp32.exe	95
PID 4536 wrote to memory of 1412	4536	Mdmegp32.exe	95
PID 1412 wrote to memory of 3528	1412	Mkgmcjld.exe	96
PID 1412 wrote to memory of 3528	1412	Mkgmcjld.exe	96
PID 1412 wrote to memory of 3528	1412	Mkgmcjld.exe	96
PID 3528 wrote to memory of 4984	3528	Mpdelajl.exe	97
PID 3528 wrote to memory of 4984	3528	Mpdelajl.exe	97
PID 3528 wrote to memory of 4984	3528	Mpdelajl.exe	97
PID 4984 wrote to memory of 4416	4984	Mgnnhk32.exe	99
PID 4984 wrote to memory of 4416	4984	Mgnnhk32.exe	99
PID 4984 wrote to memory of 4416	4984	Mgnnhk32.exe	99
PID 4416 wrote to memory of 5076	4416	Nnhfee32.exe	100
PID 4416 wrote to memory of 5076	4416	Nnhfee32.exe	100
PID 4416 wrote to memory of 5076	4416	Nnhfee32.exe	100
PID 5076 wrote to memory of 3780	5076	Ndbnboqb.exe	101
PID 5076 wrote to memory of 3780	5076	Ndbnboqb.exe	101
PID 5076 wrote to memory of 3780	5076	Ndbnboqb.exe	101
PID 3780 wrote to memory of 1932	3780	Nklfoi32.exe	102
PID 3780 wrote to memory of 1932	3780	Nklfoi32.exe	102
PID 3780 wrote to memory of 1932	3780	Nklfoi32.exe	102
PID 1932 wrote to memory of 984	1932	Nafokcol.exe	103
PID 1932 wrote to memory of 984	1932	Nafokcol.exe	103
PID 1932 wrote to memory of 984	1932	Nafokcol.exe	103
PID 984 wrote to memory of 648	984	Nddkgonp.exe	104
PID 984 wrote to memory of 648	984	Nddkgonp.exe	104
PID 984 wrote to memory of 648	984	Nddkgonp.exe	104
PID 648 wrote to memory of 4808	648	Ngcgcjnc.exe	105
PID 648 wrote to memory of 4808	648	Ngcgcjnc.exe	105
PID 648 wrote to memory of 4808	648	Ngcgcjnc.exe	105
PID 4808 wrote to memory of 4620	4808	Nnmopdep.exe	106

C:\Users\Admin\AppData\Local\Temp\a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a2c22dc4ddef8a5bc22208300c151490_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\Lddbqa32.exe
  C:\Windows\system32\Lddbqa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\Lgbnmm32.exe
    C:\Windows\system32\Lgbnmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\Mnlfigcc.exe
      C:\Windows\system32\Mnlfigcc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        26⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 412
        27⤵
        Program crash
        
        PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1852 -ip 1852
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
192KB

MD5
40f8142ac9649dc223bbaf85f6edf1b7

SHA1
34d7043f192f6ac3454b3f9c9e2f1945446f0e04

SHA256
ee1841b779fc07c2031b44d6b96d8e08a24420a9e9f36fb717a1262fa2442386

SHA512
2e17248dcc5d3aec93d1b016c36321f06b7af26a69cfee880954c385c6515d63b466702c16d4e3d3af674df770f7a429ca1ced78694ac150bfec1d610c5360e5

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
192KB

MD5
0bc2c1050bec7686e1359874ec4e6cb4

SHA1
94e7242de9700bbc03c2ae213944119b640c67a0

SHA256
4e395e47234f7bb9b90ff22afb0b517a3f225006789cfaa616eb685c7e498b05

SHA512
53fb6b5a674d68a36b65614291face03e4a4244b4f74adaf8c372a2fd01c47e54e6745ae71373f8c09ff933bf7967bc8fd7c002410aa3c501368df19cd8fe77e

Download Submit
C:\Windows\SysWOW64\Lnohlokp.dll

Filesize
7KB

MD5
9404721dd4235cb3a2804c7206ac0f16

SHA1
77a11452cef7b599c41031c81a945c78e1ff3e67

SHA256
7dd926eb37845dd732ea361ab066bfb3e41d58868c45cdfa6a1f0cb1d9ea5a3b

SHA512
4a133551728f0f21b3b8424426fbe4fa5829fcc6083c6066fe63286cf26ce1512789e32ccf92c63f33de6773885bc12ba9af15f7efc836eb53b206b9068066e7

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
192KB

MD5
c7a4402a088ab26f56f89e830a7fe928

SHA1
aa503684c2a513f696eae63f0677ac077a53d196

SHA256
9e27b3aab844a1c063d0fc52480b80aada0b846b81a49e6a84187c1891e4753d

SHA512
a9872a2057cc081efd428ecc9d1ed6757c18b1de483050d5f94dd31313fe6233bf22c392201f0c249b3a57a11594eab31035a574b87428da2e0ebe59f0fbd6ed

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
192KB

MD5
d4add009aa6562e74bcf054f2f20e1d6

SHA1
c039c37765170e02f3233875b9fa0f9f2e9eaa45

SHA256
e696fad775d0cb3ccc03d95f041b1fa148a10ff9188c065659015af0f5b02547

SHA512
69ba7e300cf3ff93bbfe22cbf4e5dd62a2dd81e461ebb82e90d21904c51e4c7e2103e71878502e7bd04d5f6c0931a7b3c7190875dd2aa4bc1a238c36e6cddc5f

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
192KB

MD5
aa13da9d0fcecdba444d5b22ed46c843

SHA1
af179e5b9a6e776f50f9a17bda0a052323ee625f

SHA256
6f84fe6e4695af0189650b8ce889fa8d641d4088e1989464fa4ec7cac8a7fa41

SHA512
bb5e86aa0d5e3217ad23342a2799ba46fe45c4b52610bae3885ffd4b2423bd6bbf5fa4675ce59937d3dc10275f5688a67a2ef57d67deb93cb7212182632dfe37

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
192KB

MD5
0fec30dc57eabbbf2371df0ba8fe886f

SHA1
74af7584202990fb8b4693457ff59f6d04d42575

SHA256
a52dd0385547092cb3e321da2f4dba62c0f988a00cea48aafb6623bdc478cfea

SHA512
2a2a1a322b970887e4ed34073c33f4749b6441580070ce2d1ab267c28a391ddfdf6f8617225b3002252b9de470e71268be1cfab0a78d9f7d276a7101a31de190

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
192KB

MD5
ec5a80d5ea00519e8177b8d212a4c456

SHA1
3be0691c8292a17ad94313b4e4e508961a531f11

SHA256
a3d92031b71dc2b0a56f05c1e661c5adced4421aecb7f76205a73f99d20b2564

SHA512
84c9c75f31869b9257ba79e11c6b10564b1a5f4630b2d28ece8f42c7fba43edf81e5f5cd0fbb4f70d228c2a853b8924c6d73bb0de3fa1625ccaeadee14fbbae8

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
192KB

MD5
9486af719de85bf108ddfb6b15ec7348

SHA1
0d41e3a3ad875978cd52a126a9272de2111f7fe8

SHA256
a842ad683761c8c5c5365708eb74854bf1af5c9e85bbfcb38c40e1f46d5c1290

SHA512
db7ac72839f132a40a887c7b2361094d91e3dc2b0960d96aa590228a752d8441994e1b5810e0d24b97eb2779d7af0a0b511f4311c8dfdb68113c288609d6525b

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
192KB

MD5
af7eb3f0780f944ad207b7cba9292535

SHA1
7c626dcb40affca5fb1b93a4864cd70467732bde

SHA256
c9d89f8b288e0ab42ff8a13efd63e278e094349d14176c3b3fcfa0b616757a1d

SHA512
54a8e3797f82084f66278dd317a2151f3e578277ae53ae2da1663448df0ed6388858bd70c4f568dda5c3c2fc1a9092ba4152253ebda5cd4b9392136f28f6b757

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
192KB

MD5
386fcfccbdb003a4425d9d789505748d

SHA1
a4dc6be0257460cc81bdea964a09023e5d1f59ed

SHA256
ab8faf28a54d76841b123bb359e9c37ff0d3fdd73eba5e915c90233f5edc3dce

SHA512
6d4d570ebc7c2a4df3a589c1c5cc6f9ce388855757d0ac9e5a8717724c17753639a0784e231664eb27117497e345a6f22265611fadc6966b1480e9299e88a717

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
192KB

MD5
860e3b82bb44d456718dff55d7384be2

SHA1
ea328a4ddbb99d76f20d6534b5064982683d62e2

SHA256
d1ba2056c26bc024bba8a9961a64dfb9be2d49daeccfcc2e3c9a8e98c7e6a593

SHA512
f8ccdb41c72eb29f043580350bd9a98b7f5dbb5bcf36aa463419e7c2f73336679390edee2ff80ff06b9f46992455304221eb70ddb2b7385f0c0b04de5f0c66c9

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
192KB

MD5
886e52fe2e0316a616987feb697466dc

SHA1
57704ee42dcf1403c430f77335c5e1b9303892cb

SHA256
e39dca273e533588f8b1c878e447183345d6b61ad378d9485ef0af4aeee166c6

SHA512
98fded58edbcd64b7e8e566c561fc39414d863414352d68a356120c7f9e0c5f7420474d171f69b697dbe268d209162bd3cc1b92ed33d03c6d6acb11b846aa516

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
192KB

MD5
93c6ac4197ed0c8ee3188ccd338c4bc4

SHA1
4a7f0ba37b9fe4d14d1653f84732b7824ed80856

SHA256
1746d7a37c90efc7101aca6095b60d8a18d82ef8f74ad4b103305a3a2fbc4047

SHA512
09b9f58e1700c2319ccca1fdd08ce3543050598afeb31a2d0483a22e3aab88cb2671ad7857ff67544c757be4b8faff35caa10a0bbc3e776d94f64ca302f72ffc

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
192KB

MD5
a465dbaed69a281a455682feeaaeb7af

SHA1
6d962ae5fc530df179c2fc470fb44e4d34f3432f

SHA256
af9de485264b96a7d3f39cefd9f7440351353ed402c284afbb1ff96d87f88e45

SHA512
49f3f4e15aebd1f829e2772e281a6a2f075a41bd09196ae145b5567b705575442b65f0872b9372cb0af68b91e3c7c362e783dfa8998fe722b29184bb788c7f0f

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
192KB

MD5
bebe2637a59982e9fae1324a256fa453

SHA1
6f4e53ddca08e068d145181edcc5daf3ca032f4b

SHA256
065fe131121f57fe6d72fb9d708dad103d03c8aacb8496749d0df8126913af81

SHA512
27d0309f203e32edaec76fa46672d8384ea2ec952f645ed7fbd2af3d786e26a2ac2ed2c058b73be96573b36380e97df9583410c45430fd23ac3fbf1deddddd7a

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
192KB

MD5
62519f55e37c1272b0d778ed09d40d13

SHA1
1af13872e2d9820b861ad06e1cb44b3d5e43584a

SHA256
d159179375f3c148acb6de5db2d34b441d59f46d2c6c80e3fd86009e148801b3

SHA512
ca607bd7479762e18c04400e639ae0fc633c35081352aef8d5bc4f656ad723c0c68f97d68eb6da6fc9fe26e8e863d61f5ce1c6cf1b3ab9888bce32047b8a7647

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
192KB

MD5
a71734419f32fbf1bce2afeb04667735

SHA1
da251d7c11a796d561804a577c3929a2e5815731

SHA256
5bce223b195e38c131d8b1cb1fe897cd391b078a1fd1c8fa0f5006c5e896e3de

SHA512
12adcf89199bec64b09fd43fc82172acac0eada19a26e65830ab34d7e050344970ef83218e7fc72c160b62ea7b769df3357b75855bfb225483b1c220ecfee21c

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
192KB

MD5
d5c18adfe51fb5cab35f6e7a1f557e1e

SHA1
750d03681e5aad0fd6e4eefca75411e0020095f3

SHA256
110083d54e5b5737d29553aa735316d528927e1fdda614814ad252fde7b47942

SHA512
43d6fc8e9121e02b56687620fc9b9a3c40719eb11f47c572f613b341d8f3d63565ca4384916cc658969b03a9c296b2e6f504582552afb2250d095928ad6dd720

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
192KB

MD5
ec6c0a3061acd3c43a77ceb6a35c13d1

SHA1
a2ec566eeed727889665cce0b64860d5b957ad40

SHA256
c2dc1543b1d82987fe9ff133b9b1a1d2e37e4a0914465539a1f9a65a9ae809f1

SHA512
ba3d79fab84f514f5b81c42603f217aefe35e577091d0e9f1e47e272f4529383317e58b70f1a9a9da4e8d466e02f919d924f30057e15a849f0e522462e285ce4

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
192KB

MD5
24e76ab286b678d71db94402bdc40b4f

SHA1
36313b20a58ff8b52c43352a406bbd7f4b4c2448

SHA256
534c2ed6a803932f6cf19b8354fee1f6555257a0a32766dd1299ce48479dc784

SHA512
c086c2741eab550a4e62ebb9fdc70490cc5270edf7db11239330551c5a9b59cf2146763381f3d993952c91c5e490d33f871712005d98abe3f1bf210dabfc9728

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
192KB

MD5
94e767974d979f4694f9a6db05cb90cc

SHA1
6b322ff61d20442951fc2e2da8a8368ed0ffce92

SHA256
a2b9e2d293c458d6630e6c88b25a266c2c97b4532d4caab26a8304820c4a5197

SHA512
887d69dc3e3be8212fa80f3488f8e0a424575e7f5d530d89eee1e0af6902093d788c9f9c32802a2e24cbe0ccea8df764fd72f7f00c7ca619402af0f1f2d3766f

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
192KB

MD5
c5f36a07a055f48da65c5b9519f97cd5

SHA1
686261bc281b409f7857d63a069e76a01204ff70

SHA256
4d88b3254354660b61c7420a67aa21155904cfc37ab424e003f7573bad17d541

SHA512
9875b240b5350f50e1daf828b8e045cbc0f11ff13f78c1b754f66ad6a8a43d1f8bf7a5488b38528ff711b215e1c8840e112f387d9cab11e97bdcbb3a6e830a2b

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
192KB

MD5
5477d8de98bdee8a737c6bfbbb6d15c7

SHA1
9fa2eb981215fe9933793b414da7d7ae3b7d49be

SHA256
f43b12f405b1a7ccd4d217b16b2dc85ff3bcbb3d5fe57775fc6a15ee0aae9175

SHA512
96742278314fe383e4c73f0c4d93403f22fbdb61ae75050510b40d9fd0cd4657b76d99fda508950395ad6bd5e95bd56c929a6c41643e044672ed028d83f43931

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
192KB

MD5
a12e278390403f7c197fe527d059f26c

SHA1
0fcd57404f53aa5233d673eaffa2914d92b8b2c5

SHA256
8e81b6c534eddea7c76fe0c59fa21e55818414bdc10998d03df29cd0583e419a

SHA512
8b053ff781b8581c46f6adc690511e53ecc46d8c80c113ae362caacc5730fa14f38726afcd7e58d763572a8bb522752bd34d047d73d81e5c7f58c42c63f092ff

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
192KB

MD5
43b70f2032ffeaea363028d236a71d98

SHA1
6a6b5985f14c4a56dd34385038dd4a602af4be73

SHA256
a5c783e4fc3d80d7ac985f8fbbe7fef8bb8ee297d45bda68333bcf6fc9f629c6

SHA512
65e559925f02bf13d3e4064a28f8cb6d6a4cfdba97bd9b495094336666b41be226360a12c4ff1e6474debaf2b4af82bafa767fe7a19a3e66524ec8541c97ecbd

Download Submit
memory/648-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/648-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/744-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/744-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/984-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1404-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1404-218-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1412-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1412-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-36-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1852-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1852-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1932-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1932-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1952-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3528-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3528-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3700-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3700-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3780-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3780-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4048-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4048-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4416-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4416-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4620-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4620-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4808-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4808-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4984-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4984-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5076-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5076-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads