0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab

Analysis

max time kernel
51s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
Size

219KB
MD5

5031609cd7dde276ed5f8eb15b982780
SHA1

5ca37a517d9e5728961d782afeeab5807146d309
SHA256

0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab
SHA512

b6c3f1d588ba2f9c2d6843257e261fbd590ec2fa9710a55765fe258dd00363d96c665f5023e2dc8aa59c22cfe0060a4f0f8ac2fa3d6574b8000dd240b03eadf7
SSDEEP

6144:XJyXTccrzXnEzDOO0aDD4PCxdXXwSfYrwB:XJCpfXAOOdDD4PCxdXXwSfYr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe

Executes dropped EXE 23 IoCs

pid	Process
372	Lgneampk.exe
4312	Laciofpa.exe
640	Ldaeka32.exe
224	Laefdf32.exe
4088	Lgbnmm32.exe
1628	Mnlfigcc.exe
4104	Mdfofakp.exe
2656	Mkpgck32.exe
2104	Mpmokb32.exe
656	Mcklgm32.exe
3044	Mpolqa32.exe
3716	Mcnhmm32.exe
3084	Mjhqjg32.exe
2752	Mdmegp32.exe
872	Mjjmog32.exe
1740	Mdpalp32.exe
1608	Nnhfee32.exe
3284	Ngpjnkpf.exe
5068	Nafokcol.exe
3692	Njacpf32.exe
1544	Ngedij32.exe
1392	Nqmhbpba.exe
944	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ldaeka32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3760	944	WerFault.exe	103

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 372	4560	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe	81
PID 4560 wrote to memory of 372	4560	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe	81
PID 4560 wrote to memory of 372	4560	0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe	81
PID 372 wrote to memory of 4312	372	Lgneampk.exe	82
PID 372 wrote to memory of 4312	372	Lgneampk.exe	82
PID 372 wrote to memory of 4312	372	Lgneampk.exe	82
PID 4312 wrote to memory of 640	4312	Laciofpa.exe	83
PID 4312 wrote to memory of 640	4312	Laciofpa.exe	83
PID 4312 wrote to memory of 640	4312	Laciofpa.exe	83
PID 640 wrote to memory of 224	640	Ldaeka32.exe	84
PID 640 wrote to memory of 224	640	Ldaeka32.exe	84
PID 640 wrote to memory of 224	640	Ldaeka32.exe	84
PID 224 wrote to memory of 4088	224	Laefdf32.exe	85
PID 224 wrote to memory of 4088	224	Laefdf32.exe	85
PID 224 wrote to memory of 4088	224	Laefdf32.exe	85
PID 4088 wrote to memory of 1628	4088	Lgbnmm32.exe	86
PID 4088 wrote to memory of 1628	4088	Lgbnmm32.exe	86
PID 4088 wrote to memory of 1628	4088	Lgbnmm32.exe	86
PID 1628 wrote to memory of 4104	1628	Mnlfigcc.exe	87
PID 1628 wrote to memory of 4104	1628	Mnlfigcc.exe	87
PID 1628 wrote to memory of 4104	1628	Mnlfigcc.exe	87
PID 4104 wrote to memory of 2656	4104	Mdfofakp.exe	88
PID 4104 wrote to memory of 2656	4104	Mdfofakp.exe	88
PID 4104 wrote to memory of 2656	4104	Mdfofakp.exe	88
PID 2656 wrote to memory of 2104	2656	Mkpgck32.exe	89
PID 2656 wrote to memory of 2104	2656	Mkpgck32.exe	89
PID 2656 wrote to memory of 2104	2656	Mkpgck32.exe	89
PID 2104 wrote to memory of 656	2104	Mpmokb32.exe	90
PID 2104 wrote to memory of 656	2104	Mpmokb32.exe	90
PID 2104 wrote to memory of 656	2104	Mpmokb32.exe	90
PID 656 wrote to memory of 3044	656	Mcklgm32.exe	91
PID 656 wrote to memory of 3044	656	Mcklgm32.exe	91
PID 656 wrote to memory of 3044	656	Mcklgm32.exe	91
PID 3044 wrote to memory of 3716	3044	Mpolqa32.exe	92
PID 3044 wrote to memory of 3716	3044	Mpolqa32.exe	92
PID 3044 wrote to memory of 3716	3044	Mpolqa32.exe	92
PID 3716 wrote to memory of 3084	3716	Mcnhmm32.exe	93
PID 3716 wrote to memory of 3084	3716	Mcnhmm32.exe	93
PID 3716 wrote to memory of 3084	3716	Mcnhmm32.exe	93
PID 3084 wrote to memory of 2752	3084	Mjhqjg32.exe	94
PID 3084 wrote to memory of 2752	3084	Mjhqjg32.exe	94
PID 3084 wrote to memory of 2752	3084	Mjhqjg32.exe	94
PID 2752 wrote to memory of 872	2752	Mdmegp32.exe	95
PID 2752 wrote to memory of 872	2752	Mdmegp32.exe	95
PID 2752 wrote to memory of 872	2752	Mdmegp32.exe	95
PID 872 wrote to memory of 1740	872	Mjjmog32.exe	96
PID 872 wrote to memory of 1740	872	Mjjmog32.exe	96
PID 872 wrote to memory of 1740	872	Mjjmog32.exe	96
PID 1740 wrote to memory of 1608	1740	Mdpalp32.exe	97
PID 1740 wrote to memory of 1608	1740	Mdpalp32.exe	97
PID 1740 wrote to memory of 1608	1740	Mdpalp32.exe	97
PID 1608 wrote to memory of 3284	1608	Nnhfee32.exe	98
PID 1608 wrote to memory of 3284	1608	Nnhfee32.exe	98
PID 1608 wrote to memory of 3284	1608	Nnhfee32.exe	98
PID 3284 wrote to memory of 5068	3284	Ngpjnkpf.exe	99
PID 3284 wrote to memory of 5068	3284	Ngpjnkpf.exe	99
PID 3284 wrote to memory of 5068	3284	Ngpjnkpf.exe	99
PID 5068 wrote to memory of 3692	5068	Nafokcol.exe	100
PID 5068 wrote to memory of 3692	5068	Nafokcol.exe	100
PID 5068 wrote to memory of 3692	5068	Nafokcol.exe	100
PID 3692 wrote to memory of 1544	3692	Njacpf32.exe	101
PID 3692 wrote to memory of 1544	3692	Njacpf32.exe	101
PID 3692 wrote to memory of 1544	3692	Njacpf32.exe	101
PID 1544 wrote to memory of 1392	1544	Ngedij32.exe	102

C:\Users\Admin\AppData\Local\Temp\0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0631786ef4fba3134f8446d61c925cb651f7e1f4ac7bae256c4ec729901249ab_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\Lgneampk.exe
  C:\Windows\system32\Lgneampk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\Laciofpa.exe
    C:\Windows\system32\Laciofpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\Ldaeka32.exe
      C:\Windows\system32\Ldaeka32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        24⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 400
        25⤵
        Program crash
        
        PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 944 -ip 944
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
219KB

MD5
fe91abed23f9c8d838ef780db7e5dcbd

SHA1
9b9d0f76c08d836fea54c567463af60cf0ada53b

SHA256
3f850b8230f2ef9bfe4a071bd9970a00fea957241073a2596f9bb3d217f7cadd

SHA512
e720e71b91d5373301e7ca950483de75f1d79ac969079872c9920af986554f1adc654008415352dfb6b700248e3fa5018627f2983c77a100c97c4e06c316346e

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
219KB

MD5
b5db63433536e5bdf80af89d73e6d7a7

SHA1
9eae0ef348ae9ead786f832263d97cdd9c5c7bd6

SHA256
e8ae1b87d5c2cea2e57b21e2af1c27c960851dca5764f26e5e9dbe45df160411

SHA512
bf863b2379468ee381b545819b07fbefb5c015890c20a345f218fc368e680885e782a84c3b2597ef191a49f95c7b0a7d4069ca9dc85952a809a4870717fc62ce

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
219KB

MD5
bc57ba8c30e54219c60543e50e1860b7

SHA1
967ce12ca83e3fc8ea8599247c49824bef8a083d

SHA256
31f78618e798b3aa84800df070613f7a8f0973a6cb97be8d3184f803ee635613

SHA512
7aa9eaed53e78e7f9041947b6020a6982429784f23e25038437a0f0f7a29ca03ccb366f8f8774de7aca363c1c5dc4fa34e6633e1dd5fd5a07e7d4d7c38b64e8e

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
219KB

MD5
f42f9522413bdeb3f579be3efd12d4f6

SHA1
ae11c8ee4f8b2c8a983ce2c9f060eada927b6cf1

SHA256
091ed2e67bd235be508f37095b075640a3734ce74ae7c91b747d803e59445a2e

SHA512
3f75cfbdf2428b3de6a622e54165bb5de845fab0a9758a1820269d0c93831553f73f8922d39f85b1ad4a6dd232d88e8a62a63789f310f60449e59e545a4410f6

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
219KB

MD5
f0c641d7053025c50cd580e2b0881246

SHA1
1522b6aad1686207cee26b635bd202a81c1ae3f9

SHA256
339d6216ce6033fe3bf0e8dfef70f1e4c79c528e4cbc26bee68386696409c276

SHA512
70c65b67a6e98e3d77483adcedb3bb8ab611aab8d81be7d985d01c9669e0c78c5a567b12a64386f8c50d1e34b2aae9d35d9ce77f06cb6d91a9390c2e04f397a9

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
219KB

MD5
48210c76d432eb0817532856fff3adb9

SHA1
78dc1852927f374ea3b1eb6c84b27ad9e019c4aa

SHA256
782d857531a5a2cd101adef9aa03476eab89b5d7db2079b1181e042eb9c1b84f

SHA512
9cb057aaedfca07928847e6eaf0dac6eb37075589a2c6e1d8cf1b365aa0e1cc318b5ca87cf74670af4b02b8efcc67de90cc867a92778d1afc39dea97876dd536

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
219KB

MD5
272eed6441c1e2889792e21fc3bfe575

SHA1
84fe92ec79068605a4f3e9a0889421d20f3b0754

SHA256
289b3592002f30412940074ad0f97659567cac1fab78fef0dcd120a16c1f44a1

SHA512
1d434996fc28f1bffdc3ebf4955463f3874135b04c5fe31646cb4e3ce0b141b477cefda6d4d999c55b61ad5a88d2e99c0d2ecc08dec0700e3ac42bc3fcb2eece

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
219KB

MD5
addeb05f1f3cdef7926b4a04650b5482

SHA1
43d3d346efa6945a0d3a60fcd69e218761129942

SHA256
91e826e880305fee71dfd4b9fbcfee7e09c6f91a84a835be0e712721b7edc5ba

SHA512
e71508b83180e9b0a2e5f86e9287155dfec1ad7658c1486a427b0b31b9aee7b0f8d871cc3113c3fbc24b373acef840ec67cccd55990eb24d37d3ac064f7ded70

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
219KB

MD5
6fe031a6ce7d38072d87ad031891a1ac

SHA1
ab962e9f3ae34f908f971e25d87054633bda1207

SHA256
76a6cdbce0017bb403e836093cfdd33c4acb2c0b17719fc237c9a15057262538

SHA512
c5504c8ee25eff046d54191dbfa91c8cbdec17a9b26405e769c684d9870cd5015e2b4eabdf094ef8012f738a56f1407ffeff4e7e7511b600219af37393f77412

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
219KB

MD5
ca4ed1f458c9d4912df509633de981de

SHA1
1c89ddc978ae572f590a0bf45fed883b0d2ce5e1

SHA256
2a7e0d643715783e1d06dab6869ed385b170bc18776fdb81f887b0c90ee7611f

SHA512
c641db4c7dcc41a6f2280c73f3228667f1351eb6ed150f566f18d97eb6faef74ee559e1358bdba120d6ca66faa45386f69e44c64c467659ef664c1f660395868

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
219KB

MD5
08924a6defcd8c75f055ce3eb51119a6

SHA1
dee9eebbfaa39d0aa8b6ecefe13cb454ace73035

SHA256
60014bc150a52a366b5934f5faf6138239d3b749773d258853858bb6ee8e195e

SHA512
e9ea9687a11d4bacbeb03946e3a3b209dbee34a4c9532461d83ec0e7563f6fec49b57f4d0dc3202c10812c37070c716f9b648bdc974f7c1f298ad98d6059ff9d

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
219KB

MD5
7f523d4496e66542a034edcd92de0b2e

SHA1
c8e26532ce04983d885fdc3196c8125facdf1e42

SHA256
c1271620786fd407a80987b25ec7a1de98d7b27f5b47ce5b8e960483634d4228

SHA512
cc562608165b073cb0c9820ceff0767840ec037fd328c071002fcf50090a8fde31e0d93158e6c30e88ad997ef7fca546b989d8509deb8369624adaab4fd20603

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
219KB

MD5
69eca5e4d84c3216b10b4fe5f804f0eb

SHA1
d27aa5e6fbbffaea744ec09539ec910a5f360c1c

SHA256
a0c737a7e36cd7a7a1d8f9a146d2b28eae40dadf99515cb0f295a5bd5c845372

SHA512
6c9f3f8385b5db157aef4a53dc26d32cbb9f8f886ed53546bf0bc7344a4267391a5541a808bf7c1e69983907eb03e38b5cd48aaf0a97a67777c05cbbbdc0b16c

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
219KB

MD5
6b44e482e7c8ca270669a322735200ad

SHA1
6a19a738601526d6954af954223b5ebd5601c3f6

SHA256
367ae35808f149ca0b32f30820fac43dcfd635b2b5aa1247af862d616f4b9289

SHA512
5cecaf55f524acd4f837ef75e6732df16521d0a8672851f7110b6bb8a4fbeb2fa2f5621f2f035abccbe9de61a450756d1cb2d64e13da7e6087cd4ec66dad7f95

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
219KB

MD5
87c0e69926411d2c374b1c1c43f10028

SHA1
f6046371907ffce910b3978d09e4326af12a9e02

SHA256
097b8d0eb514048a78c8ec947b008c1e595043796512fc4b2fd10b7dea4140e5

SHA512
64b567b790fda766b06519ae28815ed6b4ddf13bc3851ad533957b97bee43ff5dc5bc53fe30e90054c376f7892dd24c448d4123df7db141461dbe2f4cd33468c

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
219KB

MD5
66e2cb3a66b561fa96426a2162c3ce4d

SHA1
6a5837a3dab7eb6ce308beb4ef5bfbc691b68a30

SHA256
950a726c0d31d14e3cfd0cabd35395931e92d871af8823eb69fa7feaa47cbf10

SHA512
ae603cd9dfc60c82ffdd9cb5d01ba36c6851ea424fd2f0e2d41e26b65cf623618476357a17230a9672b35637192932c4c32874479d74795022ceb8de268c1b8e

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
219KB

MD5
c938c1a804bed9d1398c4dcc6a6a8681

SHA1
8a35990f2f4a704d36ad15168505015527f3b472

SHA256
104eefa36e35df483dacb24bd265c0ccfed85bbcd27b84a56678cf8414e8f7ba

SHA512
9f1cab2290f5b384fb70d085eeec729c08924f84031a9b4d74e41de597c4369736d6e280aa113c9af11150823d303ed6ed3d6bf63fb9b15b7eeeb3c9e53c82ca

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
219KB

MD5
2f98482f92e5d1001fde5bdebebff87b

SHA1
74103a055624c61e4197c1eb82c05824f476f551

SHA256
f47388703e9e8370420a045fb987ac5d26267910a4f3cfdc93379f213299c779

SHA512
54e11d58af01bc67b6bde7ba92dc205f30fb5d2ae4df692b6c4e3b0172b92188e81b5701dac7f610bdcd501fa6499cd43aabe62e33c0ee6b5559d2b8b1f7b990

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
219KB

MD5
59fb4b39c4df6630ac3cc7d73300711d

SHA1
c5a3f39fd848aa8a0ff42e2b6cebf4188b588edb

SHA256
3a02a3659e1d032e0a529dea434f74930f901c0371eb4b6a246e42cbfa63828e

SHA512
f851112b41841d3d44f31cea04b574e971e57c1a236b3e4210361f981fb52dfa9c18c256dd3beef509235af52effa5947c1937df68bd9776f3665740b3d9bd6c

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
219KB

MD5
761f70035a091644b680dcff480faa56

SHA1
0d2f092f59e0433d2c662ccdbbae232bbfb030b5

SHA256
16596f8f6e52294b07e1e5855a27d6205a5f166c4113971497e3c785dc067722

SHA512
8a8a020596d35d92a6aa6567c8c30b3efa86ce6eb45f5b922e58b65e63ce13d6634aca0725ba92677273b072d9e0a8a75aa5ca2f704c35cc8635dd257c85bfb0

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
219KB

MD5
accd9378303af7853c08aff814c6c609

SHA1
e986c12251f8734d7ab407eb63c1d7abb18ca410

SHA256
4c084f83e28c468bba170bc9b6afcdc7861dccb0fca29f3e57d7c3b7f2aa8f01

SHA512
c4f40aa929f7585ea26d50d774c9a322fe415b6a1dcc003db7910f27ba75d3126ff1ddb92d5b75daee9ba038494d27135592a80492b13306e563aebd0c586de3

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
219KB

MD5
5e6dc1cfa7ee43adb48b7573baa28d18

SHA1
0350ae7a394b4608801a913bb32c2cee085cfc67

SHA256
fde824c9f001ec7ce6edda0eabb725bdd27285c5d1afd2471b654abb0cde848c

SHA512
3501b981aa0445002c4891b3f139924ba1d682ec3de40c5a039a6ec998bdfa26ad9bc9be37dde2c16b73ae05439c56f455fe4021d227a299149ab3030b3b78b8

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
219KB

MD5
95b9f3d67c0f1d1375431a547025f82a

SHA1
9b2da149cb04bd00acdfcbeae267effa5575f049

SHA256
e174678d8361fc0b1c853508de86a06553bf92c1611387767b5c7120ab94e7ab

SHA512
5e15f097fb0243b167cb3c4fb8e0d4918e86f15c059ec6469c40843957b573956c00e15cd66a4466afe3db30b407ca629e29568ac5432f4332c78eec2f36298e

Download Submit
memory/224-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/656-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/656-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/944-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/944-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1544-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1544-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4088-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4088-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads