636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
Size

165KB
MD5

b1452a43b7c1b436d9777e2b4e6ac8e0
SHA1

f5bf30f666886aba541b6427609e6c220292d13b
SHA256

636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54
SHA512

ae8fd660c5b3046344aec1997d828cc9ed03663d04b18c3ac5a1d9827f6927a180477ae26b3b5ba229f95dfac20a5d6a42aa34180fe375191e3f6d3807052565
SSDEEP

3072:YYXt4SNWJVfg/PQcIT3vQfEdArGzHq+egM5bylnO/hZP:YmD/1IbQMdArGzHregqgnO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe

Executes dropped EXE 22 IoCs

pid	Process
1812	Mpkbebbf.exe
732	Mgekbljc.exe
2948	Mjcgohig.exe
212	Mpmokb32.exe
1656	Mdiklqhm.exe
3720	Mnapdf32.exe
3808	Mgidml32.exe
1772	Maohkd32.exe
2108	Mdmegp32.exe
1016	Mcpebmkb.exe
3216	Mnfipekh.exe
2264	Mdpalp32.exe
2696	Nkjjij32.exe
1416	Nqfbaq32.exe
4000	Nceonl32.exe
4164	Njogjfoj.exe
4256	Nnjbke32.exe
3568	Ncgkcl32.exe
1796	Nnmopdep.exe
1208	Nqklmpdd.exe
1860	Nnolfdcn.exe
2708	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4236	2708	WerFault.exe	102

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1812	1228	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe	81
PID 1228 wrote to memory of 1812	1228	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe	81
PID 1228 wrote to memory of 1812	1228	636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe	81
PID 1812 wrote to memory of 732	1812	Mpkbebbf.exe	82
PID 1812 wrote to memory of 732	1812	Mpkbebbf.exe	82
PID 1812 wrote to memory of 732	1812	Mpkbebbf.exe	82
PID 732 wrote to memory of 2948	732	Mgekbljc.exe	83
PID 732 wrote to memory of 2948	732	Mgekbljc.exe	83
PID 732 wrote to memory of 2948	732	Mgekbljc.exe	83
PID 2948 wrote to memory of 212	2948	Mjcgohig.exe	84
PID 2948 wrote to memory of 212	2948	Mjcgohig.exe	84
PID 2948 wrote to memory of 212	2948	Mjcgohig.exe	84
PID 212 wrote to memory of 1656	212	Mpmokb32.exe	85
PID 212 wrote to memory of 1656	212	Mpmokb32.exe	85
PID 212 wrote to memory of 1656	212	Mpmokb32.exe	85
PID 1656 wrote to memory of 3720	1656	Mdiklqhm.exe	86
PID 1656 wrote to memory of 3720	1656	Mdiklqhm.exe	86
PID 1656 wrote to memory of 3720	1656	Mdiklqhm.exe	86
PID 3720 wrote to memory of 3808	3720	Mnapdf32.exe	87
PID 3720 wrote to memory of 3808	3720	Mnapdf32.exe	87
PID 3720 wrote to memory of 3808	3720	Mnapdf32.exe	87
PID 3808 wrote to memory of 1772	3808	Mgidml32.exe	88
PID 3808 wrote to memory of 1772	3808	Mgidml32.exe	88
PID 3808 wrote to memory of 1772	3808	Mgidml32.exe	88
PID 1772 wrote to memory of 2108	1772	Maohkd32.exe	89
PID 1772 wrote to memory of 2108	1772	Maohkd32.exe	89
PID 1772 wrote to memory of 2108	1772	Maohkd32.exe	89
PID 2108 wrote to memory of 1016	2108	Mdmegp32.exe	90
PID 2108 wrote to memory of 1016	2108	Mdmegp32.exe	90
PID 2108 wrote to memory of 1016	2108	Mdmegp32.exe	90
PID 1016 wrote to memory of 3216	1016	Mcpebmkb.exe	91
PID 1016 wrote to memory of 3216	1016	Mcpebmkb.exe	91
PID 1016 wrote to memory of 3216	1016	Mcpebmkb.exe	91
PID 3216 wrote to memory of 2264	3216	Mnfipekh.exe	92
PID 3216 wrote to memory of 2264	3216	Mnfipekh.exe	92
PID 3216 wrote to memory of 2264	3216	Mnfipekh.exe	92
PID 2264 wrote to memory of 2696	2264	Mdpalp32.exe	93
PID 2264 wrote to memory of 2696	2264	Mdpalp32.exe	93
PID 2264 wrote to memory of 2696	2264	Mdpalp32.exe	93
PID 2696 wrote to memory of 1416	2696	Nkjjij32.exe	94
PID 2696 wrote to memory of 1416	2696	Nkjjij32.exe	94
PID 2696 wrote to memory of 1416	2696	Nkjjij32.exe	94
PID 1416 wrote to memory of 4000	1416	Nqfbaq32.exe	95
PID 1416 wrote to memory of 4000	1416	Nqfbaq32.exe	95
PID 1416 wrote to memory of 4000	1416	Nqfbaq32.exe	95
PID 4000 wrote to memory of 4164	4000	Nceonl32.exe	96
PID 4000 wrote to memory of 4164	4000	Nceonl32.exe	96
PID 4000 wrote to memory of 4164	4000	Nceonl32.exe	96
PID 4164 wrote to memory of 4256	4164	Njogjfoj.exe	97
PID 4164 wrote to memory of 4256	4164	Njogjfoj.exe	97
PID 4164 wrote to memory of 4256	4164	Njogjfoj.exe	97
PID 4256 wrote to memory of 3568	4256	Nnjbke32.exe	98
PID 4256 wrote to memory of 3568	4256	Nnjbke32.exe	98
PID 4256 wrote to memory of 3568	4256	Nnjbke32.exe	98
PID 3568 wrote to memory of 1796	3568	Ncgkcl32.exe	99
PID 3568 wrote to memory of 1796	3568	Ncgkcl32.exe	99
PID 3568 wrote to memory of 1796	3568	Ncgkcl32.exe	99
PID 1796 wrote to memory of 1208	1796	Nnmopdep.exe	100
PID 1796 wrote to memory of 1208	1796	Nnmopdep.exe	100
PID 1796 wrote to memory of 1208	1796	Nnmopdep.exe	100
PID 1208 wrote to memory of 1860	1208	Nqklmpdd.exe	101
PID 1208 wrote to memory of 1860	1208	Nqklmpdd.exe	101
PID 1208 wrote to memory of 1860	1208	Nqklmpdd.exe	101
PID 1860 wrote to memory of 2708	1860	Nnolfdcn.exe	102

C:\Users\Admin\AppData\Local\Temp\636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\636bb8df47c0971c27053e99091ca843612d4aff637845fc32d306e2cab2cc54_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\Mpkbebbf.exe
  C:\Windows\system32\Mpkbebbf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\Mgekbljc.exe
    C:\Windows\system32\Mgekbljc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\SysWOW64\Mjcgohig.exe
      C:\Windows\system32\Mjcgohig.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
      - C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        23⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 224
        24⤵
        Program crash
        
        PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2708 -ip 2708
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maohkd32.exe

Filesize
165KB

MD5
1fcde06fa5cb1cda9067ae6d24e5ad84

SHA1
e034bb92af5e03467fad5c01776eb2d683b8a93a

SHA256
7e5e07f53c08e59a75471f2a49468b7e9c29b8c555ee14162b7b8cdad6d08118

SHA512
0dbbc97a0823bb4a99e87e3c5757b658bea73eb4ff810a49953393059080814163d01df21db00451af8bb7607f90d02ce4713ccb602dfbe1686a2ae772dbb34e

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
165KB

MD5
3e7253f90990ce3f5fc2848710fab885

SHA1
c8fed1d463bc4df18eb6bde522f2ec77d58465c3

SHA256
de0d929ca3208817424d62edf20c991036724e516b682e3bc6e3e1edf4b9cc49

SHA512
e9c5c6411b94cf2ec87e645b011b0dab3e9d37764794e64c20059f210f8a207c56b589422172993d3f2ceb65d4fabe89beeac6ebf5a61cdde7ef48ee16750c52

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
165KB

MD5
28559615026b2894aafc8ca79c85e23a

SHA1
74434490b2525615e36f391f95e04e293b805674

SHA256
c32b3fdb45871f152335f7480b4e8c64ba76511778fe5fa45e536983945378b0

SHA512
6abbf34cea33afbaa193647f6e3519f944a439862f0f2afaa9f44f9d3f3dc8b70d8ad1894fb1c32177e8daad3909320575adb7745969c6d91206dbe6fc6c6089

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
165KB

MD5
951a05b6fb5c7306653f4404865cdbce

SHA1
6fa99e027cafbbc9120312e09a3fddf32accd340

SHA256
b59a0656907ab3526c5eff9fad71f75a985949abb604cb2bc266f28a3333d02a

SHA512
854fa6636584a21c3192e37f5e18aac76bce45f593f174523c5badb2687c6cfcd0e2663e036d8251a68a4af66395c26c63c3da29469602f60c1cb288e678a691

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
165KB

MD5
7cfd27ce17e0f0a1b4ebd87ca16482c3

SHA1
c7c7ae20a421b7335526cb482ab25a8b2f195ce4

SHA256
c00166cf405d9391a0a701d119dae1ab17435fd11272c40bf5d12ca4639e30c7

SHA512
eb69c77e43e27df35cff35c07e8176d1283fde93c6624e936ec0706ef6741c116b2abf2c812f1bcbceb9f37425a36aa883c1f0b88011df716720ef368b70160d

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
165KB

MD5
33d02f677dbba59a8aafa27838f818fe

SHA1
a7c2ea3926ef1594bbe8411570725bc19639f66c

SHA256
5bf304a7e1b60c98325b7f2ad79e84a83dbf1b50cc1a73cea01e68bd6147c992

SHA512
d646596a1943cc22a99e2f826fabc296b15f2911f0f9f49d089b0d19901ed196b0a3ecebef7b526657e5199da6fc0168692f6c450e00566a4c58ab7f32dc49cf

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
165KB

MD5
1b2b0ff4e2250118757921c0c6815515

SHA1
e2aebdd6e04bb8b99f8dae1dbbac89a82653540a

SHA256
0a55f91de138aae9d71a29605738c1d3cb10254841535d8fa0dd2f73ed02c0ac

SHA512
da899ecd51518a3ee3754b2e1c38b2a53fe1bf7936bf40718e3c4540205241e134b482be9e8229e405019772725b05ba3c89d3a748f3161c84d90abe69020554

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
165KB

MD5
858da5688eada9116950434fbd6cfd56

SHA1
ed48d43d8b9e85d2c36576a36f7f90c1510ecb64

SHA256
7fd228edb057eb4ab2daf63c79098cba8d09579bf239f481255668fcd487adc0

SHA512
9f3bc59921a525650c71d10250008078cc7b6ef1afd9d254fd8d20645d20176b6b3a0af9bbab57222434113755fa3568fdd9c6fea4eadf9d71daf78f9501c0f2

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
165KB

MD5
878218de0ede92961d92ee591c88c44c

SHA1
7ddb89d436b3a10c4dff455d47ac972a738160a9

SHA256
8435ca6d9bcbcd0be66ccea3f489eb1bab002a5a1c0d9fc6a2df4db815dd05a2

SHA512
af40cf3e16c2471e78bc8d48d5b42f5471e7aca03173620327f3bdc4e689f67b7c0ebca8a84cfa117c8f8b4fb550144752a3073d67c5ddf6dab56fc913ee5892

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
165KB

MD5
b16cd68055ea3ca8766fe5b762cdbb1d

SHA1
39f6bfa0a49472ff98302518cf2a78370afa4fa5

SHA256
de4c6de636e7dbd81cc4795d5040ae010496e1574b9d051d941b4f632ed40e02

SHA512
1bbb87c3932f0e909f4d3582759493464b259637f43992979234607cfdf9d8b5ea5c02668d0e64718b0f665ce72941a151266b3ff4c0aa96ba4e6bb28af537c2

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
165KB

MD5
30daace44f14f138cb19898f1d4d745a

SHA1
941791f0f657d25c51b2682a9c611ed75c171fdb

SHA256
5b5493160ed55f0937685cfc623a46b0b37d0c2cca68b63bfc85f6bb3052ca35

SHA512
c401dabc214faaffd4e2d6196c9e17e059f4a3dcb10b4f89f40b200728fb121c642db7edafa5024a1e36384af59ed3a741b730b46506bf16d4cf0086b1095712

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
165KB

MD5
9f5317eeba9a2e472ed5d243c8174998

SHA1
8ad6b0e49cecffafde86b390aa08a8b8495f619b

SHA256
851e3b6c155a02c04550fa767966d5f89cc2d72e7121bf73babe0357d0ec0991

SHA512
4d97ddb68c6cfb5dcaf8ed6f8edfbb5303c0048daebf179af441faa7dbca821b40bc7c1379d244a1cb11ea7ad837069cd7ed502bb3a200420da3399a4ef5d4ae

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
165KB

MD5
da94c636b84b55df9bba728bb451f628

SHA1
1d63e345746c97e2d50f97cb693f74e668cf1a54

SHA256
d4ffc64ad7e438457ea7eb4b10de85de5acfcd20418525d51f7810a9e43437c8

SHA512
01f92c1d2895880bca4c59c1358a877e7b0bb98b1240a5f9f2dc8dc29d4b3397b11362044a0127b099299128992293a46de045843bf001433cae4762f2039cc3

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
165KB

MD5
f05e3b0c09718262dd6666d0287c2a2e

SHA1
0809c4bc61d5d2011bc7217cf332d7ec3bbb5d7e

SHA256
7d23c915e2936e3d8ede2a881122c62a94b718362b5fb0f82211e5b3baa24cae

SHA512
7e6ce4e9cdb966cbcc8af82a7b7cb8f3263ebf4dfe756821718162cba48144aac256616e729b8e05d432c63ec43f8f9d00c48e4d72cb4f2d073c8f951866ac28

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
165KB

MD5
9caab46543f739a0444c5f84ee4b15d6

SHA1
fa88883a054d071dca00c2666491a959412ad852

SHA256
1e82fcca22cfa822996c16e3e6b19fb22522e333a593ae949fb2e9a0069f2c7a

SHA512
c82a98d492dc7a12e4142e053a7d05db1adeeb346426ed54e208c20a3d07f89be5cef2365670a8e4aa743bba135ac991226a096e7e543181474dd277b3692389

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
165KB

MD5
24ef3bc921e6ca8d0232bbb6fac43a8f

SHA1
5a05336056616a3ee906a5c122523c4091837fe0

SHA256
b179065a245b18b8205641cb7240a4bacf1698bfdab618884b4152500441363b

SHA512
e125258b72b41abbc3a3fb38f38e541f1c0fdd9305b4ccd8b72013ae9c2201a247565d55aa1c0f2bc63407cc4ae8ba4ee137f6fdbb2dc60d517401976888fd98

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
165KB

MD5
2e0d444d514616ec068eff05adb62f5e

SHA1
691694a5421a6006e0d75f4234ba8a0c0d14605c

SHA256
cca997ffa161dcfcf1f1d8ab5c538c542251c7978db7313b20863b90b79ce653

SHA512
1121358e737ec4dfdda64bcc1e61e1301c46efb19dc7fa28d6590339c90e46786c6174de25c58d171d41392eff6487a79108359aa8c0a89666bd1cf5e30b32aa

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
165KB

MD5
d52b17b6c7a9edb10efd117fc3b2073e

SHA1
0c557c6e510418419e1c783282fbe496d4a3968f

SHA256
b35b16170bf249f01d0beb84394477befe454f8f95a76e70f1ed4b3489e47a7d

SHA512
aae28bba5d1536b7c3fe612b6673b3fd40cfd288bb0f92051cff9dde8ec1c66e48337c4f51490c4040614a50744e2e8217942cbb9d11637c844d94ce13fa7e7b

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
165KB

MD5
37607308a2674c68ffbfeecf9935741b

SHA1
bfad5b2dfb2c1952ccbc02867232a1364b332975

SHA256
f28a217d668f212db9616360b9c75bf04654265879a3df852aee0b8e2d55d348

SHA512
8d76f4fac9c734fa6378b8d79bfaa396aace67a0a277613780ed3ca264a0757dc69af48ec3072f7151ed9bcc97979b311205c414f2b71696d8cac6b7f610d0cd

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
165KB

MD5
44665e061c8a8da6c84b4e02ec3a95bf

SHA1
200c102d6c52b47c049975b058cdfcb831ab96c6

SHA256
787b45083ad3ca349c3d321a4aa2891d5aca2d177db3f28870c220bc4d4fe5ab

SHA512
41229b07720bf2352a86aa34965f928eeee9d19bda317eb1f79b02274b84b2f3248137c11e6c8fc01b1d9dd2a48a328637eaff9e6fa8a6d07c39393a137e416a

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
165KB

MD5
3898ada9788c680453a7c7fcf42d4056

SHA1
235fd8223cabf00bbed9f07f7d09695c8db1607b

SHA256
24b5a697cef690f3e85679fe2626931f22bb918b1e07c863f2f33b68889e75ac

SHA512
5bb088fdd5fc54a3c0652b4e071792962f3d0b457a9847cc7de5aafd085c17e563692f31ce4297107a6dbdd51d44b69d60e2ea6ae6a3059cb53b9c6ec14cdebf

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
165KB

MD5
af79e568862710f9d93c902201e3113e

SHA1
28300c33c2621f2f47a813afefc35b0e87feaff9

SHA256
40dcaccb7611f41955f928520544d7acd74af23cc3d6daee3fb3c4faaa12bb0f

SHA512
57f602b3cbd7491d3a99664ad4a5b58ab9a7d377efd59465fd6bf593b48ca70e5a2330c7ab519b27004277c562054d1fa89a427cdca03bbe0d1a831d6c7d27a4

Download Submit
memory/212-215-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/212-33-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/732-20-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/732-219-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1016-203-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1016-81-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1208-183-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1208-160-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1228-223-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1228-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1228-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1416-195-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1416-117-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1656-213-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1656-47-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1772-65-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1772-207-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1796-185-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1796-153-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1812-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1812-221-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1860-168-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1860-181-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2108-205-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2108-73-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2264-98-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2264-199-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2696-105-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2696-197-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2708-180-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2708-176-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2948-217-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2948-24-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3216-201-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3216-89-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3568-145-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3568-187-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3720-211-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3720-49-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3808-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3808-209-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4000-121-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4000-192-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4164-129-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4164-193-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4256-137-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4256-189-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads