7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Size

108KB
MD5

d4cceb855773ce51ab7b412604464c50
SHA1

31db7d14c43ab19db8a4d4f67e19a7cf22be54b8
SHA256

7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2
SHA512

6b419e9c06746d5b583594526d97fd4b2e1409a4230d5bf7f72ee502c0b06e6b0fa5d8140136aabc48cebfd106da44e36885d4dac2b7b5f8b64e30378f517c40
SSDEEP

1536:4XWA1tnkOPKSE+ZVCjk+eMwB+rjm8NiIqhn3HQ8BawTj2wQ3K:4ZnbPg9k+8UjmOiBn3w8BdTj2h3K

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe

Executes dropped EXE 22 IoCs

pid	Process
936	Mjqjih32.exe
4396	Mpkbebbf.exe
2948	Mciobn32.exe
2844	Mjcgohig.exe
2712	Mpmokb32.exe
4072	Mjeddggd.exe
4704	Mpolqa32.exe
1724	Mgidml32.exe
932	Mjhqjg32.exe
1524	Mdmegp32.exe
4448	Mkgmcjld.exe
4360	Maaepd32.exe
4088	Mdpalp32.exe
1900	Njljefql.exe
4296	Nqfbaq32.exe
1808	Ngpjnkpf.exe
4144	Njogjfoj.exe
5000	Ncgkcl32.exe
4792	Nbhkac32.exe
3152	Nkqpjidj.exe
2504	Nqmhbpba.exe
3712	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mjhqjg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3916	3712	WerFault.exe	102

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 936	5108	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe	81
PID 5108 wrote to memory of 936	5108	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe	81
PID 5108 wrote to memory of 936	5108	7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe	81
PID 936 wrote to memory of 4396	936	Mjqjih32.exe	82
PID 936 wrote to memory of 4396	936	Mjqjih32.exe	82
PID 936 wrote to memory of 4396	936	Mjqjih32.exe	82
PID 4396 wrote to memory of 2948	4396	Mpkbebbf.exe	83
PID 4396 wrote to memory of 2948	4396	Mpkbebbf.exe	83
PID 4396 wrote to memory of 2948	4396	Mpkbebbf.exe	83
PID 2948 wrote to memory of 2844	2948	Mciobn32.exe	84
PID 2948 wrote to memory of 2844	2948	Mciobn32.exe	84
PID 2948 wrote to memory of 2844	2948	Mciobn32.exe	84
PID 2844 wrote to memory of 2712	2844	Mjcgohig.exe	85
PID 2844 wrote to memory of 2712	2844	Mjcgohig.exe	85
PID 2844 wrote to memory of 2712	2844	Mjcgohig.exe	85
PID 2712 wrote to memory of 4072	2712	Mpmokb32.exe	86
PID 2712 wrote to memory of 4072	2712	Mpmokb32.exe	86
PID 2712 wrote to memory of 4072	2712	Mpmokb32.exe	86
PID 4072 wrote to memory of 4704	4072	Mjeddggd.exe	87
PID 4072 wrote to memory of 4704	4072	Mjeddggd.exe	87
PID 4072 wrote to memory of 4704	4072	Mjeddggd.exe	87
PID 4704 wrote to memory of 1724	4704	Mpolqa32.exe	88
PID 4704 wrote to memory of 1724	4704	Mpolqa32.exe	88
PID 4704 wrote to memory of 1724	4704	Mpolqa32.exe	88
PID 1724 wrote to memory of 932	1724	Mgidml32.exe	89
PID 1724 wrote to memory of 932	1724	Mgidml32.exe	89
PID 1724 wrote to memory of 932	1724	Mgidml32.exe	89
PID 932 wrote to memory of 1524	932	Mjhqjg32.exe	90
PID 932 wrote to memory of 1524	932	Mjhqjg32.exe	90
PID 932 wrote to memory of 1524	932	Mjhqjg32.exe	90
PID 1524 wrote to memory of 4448	1524	Mdmegp32.exe	91
PID 1524 wrote to memory of 4448	1524	Mdmegp32.exe	91
PID 1524 wrote to memory of 4448	1524	Mdmegp32.exe	91
PID 4448 wrote to memory of 4360	4448	Mkgmcjld.exe	92
PID 4448 wrote to memory of 4360	4448	Mkgmcjld.exe	92
PID 4448 wrote to memory of 4360	4448	Mkgmcjld.exe	92
PID 4360 wrote to memory of 4088	4360	Maaepd32.exe	93
PID 4360 wrote to memory of 4088	4360	Maaepd32.exe	93
PID 4360 wrote to memory of 4088	4360	Maaepd32.exe	93
PID 4088 wrote to memory of 1900	4088	Mdpalp32.exe	94
PID 4088 wrote to memory of 1900	4088	Mdpalp32.exe	94
PID 4088 wrote to memory of 1900	4088	Mdpalp32.exe	94
PID 1900 wrote to memory of 4296	1900	Njljefql.exe	95
PID 1900 wrote to memory of 4296	1900	Njljefql.exe	95
PID 1900 wrote to memory of 4296	1900	Njljefql.exe	95
PID 4296 wrote to memory of 1808	4296	Nqfbaq32.exe	96
PID 4296 wrote to memory of 1808	4296	Nqfbaq32.exe	96
PID 4296 wrote to memory of 1808	4296	Nqfbaq32.exe	96
PID 1808 wrote to memory of 4144	1808	Ngpjnkpf.exe	97
PID 1808 wrote to memory of 4144	1808	Ngpjnkpf.exe	97
PID 1808 wrote to memory of 4144	1808	Ngpjnkpf.exe	97
PID 4144 wrote to memory of 5000	4144	Njogjfoj.exe	98
PID 4144 wrote to memory of 5000	4144	Njogjfoj.exe	98
PID 4144 wrote to memory of 5000	4144	Njogjfoj.exe	98
PID 5000 wrote to memory of 4792	5000	Ncgkcl32.exe	99
PID 5000 wrote to memory of 4792	5000	Ncgkcl32.exe	99
PID 5000 wrote to memory of 4792	5000	Ncgkcl32.exe	99
PID 4792 wrote to memory of 3152	4792	Nbhkac32.exe	100
PID 4792 wrote to memory of 3152	4792	Nbhkac32.exe	100
PID 4792 wrote to memory of 3152	4792	Nbhkac32.exe	100
PID 3152 wrote to memory of 2504	3152	Nkqpjidj.exe	101
PID 3152 wrote to memory of 2504	3152	Nkqpjidj.exe	101
PID 3152 wrote to memory of 2504	3152	Nkqpjidj.exe	101
PID 2504 wrote to memory of 3712	2504	Nqmhbpba.exe	102

C:\Users\Admin\AppData\Local\Temp\7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a912662a9200079feee263f0d5e2e787b0cb4c3fdd788e92acab80d1977cec2_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\Mjqjih32.exe
  C:\Windows\system32\Mjqjih32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\Mpkbebbf.exe
    C:\Windows\system32\Mpkbebbf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\Mciobn32.exe
      C:\Windows\system32\Mciobn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        23⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 400
        24⤵
        Program crash
        
        PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3712 -ip 3712
1⤵
PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
108KB

MD5
0d783850bd072ffd3ba2c0136624aa7f

SHA1
c87fbaa9aa1746ce8fbdcdf778899d2f133c108d

SHA256
8e1efb6a5ef1971224172c9d0c8587fa29f681d5ddfc30b6c05e76b60c3897b3

SHA512
b6914e8c1d663535294465d0c8ed87a7dc5087be608d26c3d7c4c2f94365a17579170fef6c9d8dcf57f346f78fec0c7edee088212bd564d375a7cf20068345da

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
108KB

MD5
1820d8cbe4513e1b286e2181e8cb6e6a

SHA1
e581f6a859bca4cbac49b382558954a252578721

SHA256
8897005043a712f247d3dbbb0430ce88a4eb3d786ba5951b0521e2fea8f0dee9

SHA512
f5a88e7bcd25dc4acd886af21b727955408aad4d4b4f3b8847eb2c06d4925c4ddcc5d8f5ea60de8b08f7d11f9bf0745b863435fffdc094cc04c5c20879a435e9

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
108KB

MD5
048465cb2c2dbe3e58b6cfca6e05f691

SHA1
d6e8ac6f6b3e93ba733dce686fdb305668a6982d

SHA256
09909a622598ef0ee2096ed96ce99fbbd0cd4ba1299b2db485d43073c0aeb005

SHA512
d06bee36dd80ee53262f0a56add4e5a31a19bc34973beb740aac410f6e04faa13b029fad4a11aab52fa25fa14391907003b8d8ef51abe6ef46b42e68db55afbc

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
108KB

MD5
d2e339b995c52ac601f0eca9a787fdcc

SHA1
a8ab438ca38d5e2779a9cf3c75b670e44b316d1c

SHA256
de0d3e360777aced85e8d089f245884d1d99205c1d6dd692f946f8e11b4fc490

SHA512
990288959d3e23416aac596095040f2f35881272608921f6b8041b4cee36d2c13e902e8cec46764c294ca4cd5bf25335f66665041344dfce6b8b922fc75eca26

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
108KB

MD5
f5bd2436438d2720531f5c08e12b3b1d

SHA1
21070f9d1a2223e228616f1c73b00315035483bf

SHA256
d8ec7ec7fc1eb52d49f1394e2d947bdf384258473db15bc6dc9f9d96450c0d82

SHA512
cee9572f31170f919e62dd0508ffa00958e2e80f8c373795d5d2386745d5697c2bfbcf61eab11c7b2e76893e93db17d37f2a74df57291c2bd42c2786b5317d8f

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
108KB

MD5
33ffad14f1848b97143f94e9e0c4895a

SHA1
a520369e413d79925d3ce36667a6691735d14a68

SHA256
ee9c69b0fee58474c63d54addd559c7dfba76d97c84db2dbe0e4ce5dd36c2277

SHA512
d3ad704e42a0dd2315709964eafe7017954babf5e38f1c23854553e3bf6e1cea0cc28016fd1a3abcd4b0910cc1fc904002f3338744e22bcd0d3da5d2961c9374

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
108KB

MD5
3b73abe55b18fedeb8a456c57a00658e

SHA1
e6353c4e1053e57e8ea6f9f9acbf9b9d7056e4bf

SHA256
99237bbc70dc74fa676287314dbd79d4ece623b4a97d03d0fccfd52af0f5c6cb

SHA512
48cf79e2cd6941fdddbb073ec1daae4c5d67061e6900404edc00dfb3023f839659630e546925bf6a9828f21d47788da3b10c58cf1acf66de426460256625ced0

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
108KB

MD5
04da4d0411d8afc8a67bd4ac5a6fb554

SHA1
b4afa8f41fa61db4de10cb71de5e3a83c5da91a7

SHA256
e7ba7b6abe219673a6b361c154e920aabf7b749419caa962472bb3d9807bf430

SHA512
787df31ed2592693cc1eed591e71eaa6321c711c348e4329270b0ef9491f59576f5a8f6523682bbbe11fbdbc4b6668e184dc120e3474b6fca107e0ba89389d3c

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
108KB

MD5
399cd7a310e72523651a4942f20ed979

SHA1
feab1f5b04c4cfed16264bed138b3e02756acd63

SHA256
671fe9f45ee8bf5351a25a6a805c2b875a66d8b98c729d48e24903eb910f2a06

SHA512
fa0adde26c51432afb58988a60be4f99f55133231846c26f8c864f52c637b1887bdcfa894f775a9386a0e5f22c98eecb2af3018e336d88ac1411981e0469fb4e

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
108KB

MD5
92501b74b2433275f869b5e6674618de

SHA1
5d810b9a792e53afb966b2bb9888fdf58556c562

SHA256
4343adecebccff7b7e0d75aec46ec92afa9981194b6b692690df687b8796034d

SHA512
a5dde45b9eac32ebd6ac5afd3fcff604e2bd9d3b6f24f716b316a4f48f61571e45e9574316bce43d7eaf7aba7cad91abc8808056536326a6f15a8b81b2fd8780

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
108KB

MD5
316b10c9269735a03f06b6727287b067

SHA1
5b9bcce6737699c3c6c59f14dd9f8ec7ef48aa46

SHA256
27c79129258b3cec6307263303b98bb5dca55e35e39382036710e812096067a4

SHA512
86527f8cfd67c5386f977dc60a571558d219a26e560b45b8faf45068f3bb9405c447fbf75e10d8ec5d6a0197fe775ce64dfc080f9f580bb93265efa62c15344d

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
108KB

MD5
a07c2ed1eeb907b8f7b54b5b9db7d8b8

SHA1
d635d0a410916ac8983ea601991d884d3f3933af

SHA256
581c1ff59454089f19a49862c72e4e51198e3e045bfcba0f6cd26f17a533fa82

SHA512
8e7d0c49c0c41d122eabef5067668ff82946242db3cc8e01481ae4965089ad84d321a51013912efe51a0a7e12fd1dfc94ec0e5ed190709d0cf1d74b92d18566e

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
108KB

MD5
3e4e5098d3cc3fcf78523c3a9988ad29

SHA1
71b5c94bfa6ae4988879f83d25d2d32678c0ec81

SHA256
97cce06ac69402af4a242c8176735beeb9f16aa3b4a7198a0ce19491a7aa70c9

SHA512
24e1fa910f25b87238396b43afd8bacf88b5a838887ac20daa8865f24f199498c2b5d561cf4a3821e18bdf17b4e9bb3465e9b9ccf13e8610501c3e980ff1faa9

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
108KB

MD5
60de0a7e31491e101d004e4461dee4b9

SHA1
d886af82e24c655da7fc41bebad23dab7a57e619

SHA256
72c3a8d4cf2eb7bbab2b29127357c34c9870ef345d111d075bc5a1c156a32a07

SHA512
17680f13e90ef594daa10c44f5196ceb2650cf03c8dc475e25b9af65be2e60f6bff60d01318edb5cec033df4849595d7789d1fdcc7ed3a5404ce846e523e17a8

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
108KB

MD5
74d4fbcd7780537c29e48bdc885fa852

SHA1
ed9120cfaeb9335882d9dbcd336715e21001166a

SHA256
37ef6e6aa0e38d93cc50c4d7cb0ddb23e9dc6eaf73a02a379394d9f833aab5f3

SHA512
a388a3585f1814f50b4f2c73e6d3ed2c60296e3e2011e0cd4ddc110dcb12c056d715cda46d56ae0139cc59b7fa5477163bae941846a89dc64f9ea5e938347b97

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
108KB

MD5
5e6426f270d388a664c02d482425ef62

SHA1
3b66829fe6c2d52c3c7eab63f507da1af003cb61

SHA256
eb74dae88b521197022d9b800249acbaf5d365fff9f9dd9ba449d3d82d8ee35c

SHA512
f28de951d791ba2bb4c48623df82af8bfcb7bf9aa22b9656ce60b793dd7f66b1cf1b69702b896d716942e06e3140d2adaf66ba8b64a5976abb109ef7160031a3

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
108KB

MD5
845b2f19c14ee0361ef6fc234973ede3

SHA1
db2ad0f4545d98ccace32463d12ab76ad8945fdf

SHA256
77d82b2fa42b09b470faf501daf582426064a6bb3ecaf91177c925723b28eedb

SHA512
167e7320740d1aa38f0d8347085eea22029e4b516910128666ae7f2b04cb029dfb70e6a241ba56bd598e921877a8082a940df6f6d500268202b08491a34beab5

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
108KB

MD5
6667010c829b0349fe4da56c4586876e

SHA1
b82f60f1fa2c5fa21a5e2f5d87f2fa57bda007fe

SHA256
1c3be6c5444ce7f341030e11dac42e9449baf39648f52543904303d5efac2689

SHA512
b738a25c7d8084ab68aba19fb3c6eff6b531a29ab5b68ec538294f80f711606b7ef3047328eca7dea31b0c1d0cf5faa63321d432be577d498ff350b49b0a2a33

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
108KB

MD5
e019d004b2a045f49bf53b3da7ce108d

SHA1
209612b6b4ada8a49f03cee3fd32d3a8faea2960

SHA256
f672e1c7c53bc0fa4c33234eb157cbcf3474c42e91536823ace5e797edfac628

SHA512
c2fb48fc09b222501f7a712e62325f7a8409fc415a5b7e240b73122c9ceec5d53688df34866862360308d00d8246335984a1c5546266903c609908bfb134fdc7

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
108KB

MD5
ee5bee15d650d9df7464a42bee22f7b7

SHA1
27df75c0348155c2defc0d954d4d30b5372d7ba0

SHA256
ab7d7897a1080ae0505c79dd2c9de060c52aaea2a94ab2eeacd42aec3335086d

SHA512
2a5279352c8f5b4d5b8c281259c7d4d2e47dfff307e7ebf8a2898f668440b288124c6e6920e3bab26f9fb3daccec630ddf5195a7607d8ea3752510d8e42b6850

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
108KB

MD5
1d1e3f6b9c3e7cea86ab38008437f4de

SHA1
20f1cef2f38dc58a662340a6a7790dde276850e3

SHA256
0329a5eac392b7410af98f13b85e8af687249ab0d870754833da5ded15cb9458

SHA512
f9554ab5f0d9257b5a70df8868fc0f52c6a3a8de73eb7a04774a85e17fa0f6f4ff3c10ee7c246ab17c314014ffb00c89c1e24fec88f6c69579661a7f35314985

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
108KB

MD5
72e7a0b4a32a10d32b6e30c1dee949df

SHA1
e00ee29b3ae2d323ba15b13bc99cf47cf5c05da9

SHA256
8e06255d84e23f1eafc73766d4cc94f47dd90e245b53cf56bf4ecfa1be3cee40

SHA512
cb3457560474fbc169907ecf835cd6b56e4b5ced1afd50e5ea01be337675104de8961236dc8e214dad4634b477782792d98e9680595b1ff9917d9dbc9f66c17d

Download Submit
memory/932-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/932-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/936-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/936-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1808-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1808-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1900-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1900-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2712-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2712-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2844-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2844-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2948-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2948-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4072-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4072-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4088-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4088-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4144-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4144-182-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-181-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads