79e47a1a331886ca158167e27a2c98ac266d9fc85b47f0cc366d347ddfd5b43d

Analysis

max time kernel
132s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 06:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
Size

136KB
MD5

5fef3b10fae04aa14a25d13685cf98a0
SHA1

caf7fe7b9c234720a34eecfaca0b46ef64286c10
SHA256

79e47a1a331886ca158167e27a2c98ac266d9fc85b47f0cc366d347ddfd5b43d
SHA512

a16480b2cd2588c19f355eed10d293cacee9ea60817de3958c07853c2e33cd3580c7fa021580735d1caa7556a1598dc2c1e6f3dd6b4493a3817b2202992f5313
SSDEEP

3072:8EvghIg5adv/sohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:rYhsv/sohxd2Quohdbd0zscj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe

Executes dropped EXE 23 IoCs

pid	Process
3300	Mgghhlhq.exe
4152	Mjeddggd.exe
1056	Mdkhapfj.exe
556	Mkepnjng.exe
452	Mjhqjg32.exe
4500	Mncmjfmk.exe
4160	Mglack32.exe
4700	Mnfipekh.exe
1536	Mpdelajl.exe
2508	Mcbahlip.exe
3840	Njljefql.exe
1484	Nacbfdao.exe
3620	Ndbnboqb.exe
3952	Nklfoi32.exe
4808	Njogjfoj.exe
4608	Nafokcol.exe
4708	Nddkgonp.exe
4040	Njacpf32.exe
380	Nbhkac32.exe
1220	Ncihikcg.exe
2944	Nnolfdcn.exe
2484	Nbkhfc32.exe
5000	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
644	5000	WerFault.exe	106

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3300	2372	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe	82
PID 2372 wrote to memory of 3300	2372	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe	82
PID 2372 wrote to memory of 3300	2372	5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe	82
PID 3300 wrote to memory of 4152	3300	Mgghhlhq.exe	83
PID 3300 wrote to memory of 4152	3300	Mgghhlhq.exe	83
PID 3300 wrote to memory of 4152	3300	Mgghhlhq.exe	83
PID 4152 wrote to memory of 1056	4152	Mjeddggd.exe	84
PID 4152 wrote to memory of 1056	4152	Mjeddggd.exe	84
PID 4152 wrote to memory of 1056	4152	Mjeddggd.exe	84
PID 1056 wrote to memory of 556	1056	Mdkhapfj.exe	85
PID 1056 wrote to memory of 556	1056	Mdkhapfj.exe	85
PID 1056 wrote to memory of 556	1056	Mdkhapfj.exe	85
PID 556 wrote to memory of 452	556	Mkepnjng.exe	86
PID 556 wrote to memory of 452	556	Mkepnjng.exe	86
PID 556 wrote to memory of 452	556	Mkepnjng.exe	86
PID 452 wrote to memory of 4500	452	Mjhqjg32.exe	87
PID 452 wrote to memory of 4500	452	Mjhqjg32.exe	87
PID 452 wrote to memory of 4500	452	Mjhqjg32.exe	87
PID 4500 wrote to memory of 4160	4500	Mncmjfmk.exe	88
PID 4500 wrote to memory of 4160	4500	Mncmjfmk.exe	88
PID 4500 wrote to memory of 4160	4500	Mncmjfmk.exe	88
PID 4160 wrote to memory of 4700	4160	Mglack32.exe	89
PID 4160 wrote to memory of 4700	4160	Mglack32.exe	89
PID 4160 wrote to memory of 4700	4160	Mglack32.exe	89
PID 4700 wrote to memory of 1536	4700	Mnfipekh.exe	90
PID 4700 wrote to memory of 1536	4700	Mnfipekh.exe	90
PID 4700 wrote to memory of 1536	4700	Mnfipekh.exe	90
PID 1536 wrote to memory of 2508	1536	Mpdelajl.exe	91
PID 1536 wrote to memory of 2508	1536	Mpdelajl.exe	91
PID 1536 wrote to memory of 2508	1536	Mpdelajl.exe	91
PID 2508 wrote to memory of 3840	2508	Mcbahlip.exe	92
PID 2508 wrote to memory of 3840	2508	Mcbahlip.exe	92
PID 2508 wrote to memory of 3840	2508	Mcbahlip.exe	92
PID 3840 wrote to memory of 1484	3840	Njljefql.exe	93
PID 3840 wrote to memory of 1484	3840	Njljefql.exe	93
PID 3840 wrote to memory of 1484	3840	Njljefql.exe	93
PID 1484 wrote to memory of 3620	1484	Nacbfdao.exe	94
PID 1484 wrote to memory of 3620	1484	Nacbfdao.exe	94
PID 1484 wrote to memory of 3620	1484	Nacbfdao.exe	94
PID 3620 wrote to memory of 3952	3620	Ndbnboqb.exe	95
PID 3620 wrote to memory of 3952	3620	Ndbnboqb.exe	95
PID 3620 wrote to memory of 3952	3620	Ndbnboqb.exe	95
PID 3952 wrote to memory of 4808	3952	Nklfoi32.exe	96
PID 3952 wrote to memory of 4808	3952	Nklfoi32.exe	96
PID 3952 wrote to memory of 4808	3952	Nklfoi32.exe	96
PID 4808 wrote to memory of 4608	4808	Njogjfoj.exe	97
PID 4808 wrote to memory of 4608	4808	Njogjfoj.exe	97
PID 4808 wrote to memory of 4608	4808	Njogjfoj.exe	97
PID 4608 wrote to memory of 4708	4608	Nafokcol.exe	99
PID 4608 wrote to memory of 4708	4608	Nafokcol.exe	99
PID 4608 wrote to memory of 4708	4608	Nafokcol.exe	99
PID 4708 wrote to memory of 4040	4708	Nddkgonp.exe	100
PID 4708 wrote to memory of 4040	4708	Nddkgonp.exe	100
PID 4708 wrote to memory of 4040	4708	Nddkgonp.exe	100
PID 4040 wrote to memory of 380	4040	Njacpf32.exe	101
PID 4040 wrote to memory of 380	4040	Njacpf32.exe	101
PID 4040 wrote to memory of 380	4040	Njacpf32.exe	101
PID 380 wrote to memory of 1220	380	Nbhkac32.exe	102
PID 380 wrote to memory of 1220	380	Nbhkac32.exe	102
PID 380 wrote to memory of 1220	380	Nbhkac32.exe	102
PID 1220 wrote to memory of 2944	1220	Ncihikcg.exe	103
PID 1220 wrote to memory of 2944	1220	Ncihikcg.exe	103
PID 1220 wrote to memory of 2944	1220	Ncihikcg.exe	103
PID 2944 wrote to memory of 2484	2944	Nnolfdcn.exe	104

C:\Users\Admin\AppData\Local\Temp\5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5fef3b10fae04aa14a25d13685cf98a0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\Mgghhlhq.exe
  C:\Windows\system32\Mgghhlhq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\Mjeddggd.exe
    C:\Windows\system32\Mjeddggd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Windows\SysWOW64\Mdkhapfj.exe
      C:\Windows\system32\Mdkhapfj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        24⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 400
        25⤵
        Program crash
        
        PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5000 -ip 5000
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
136KB

MD5
6e2bfcce79a059dd19c1872a1607c4b8

SHA1
8ea0473ceb3e3a1c878d7aa03d03d1aad17325f4

SHA256
7230c0bece06105976135d8b16cf1b95854f613df177ce926fc827fc25e13d99

SHA512
0ad5403020ccbf1d76aa7dd981dd6f534d6ac116b0a09d39f8e9cc9f36a3c5cfd922ff68a2a6ca11f5be6dc73484105fa0425ba2434153a587bfa1d6c2eaefc5

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
136KB

MD5
9db20715cadd7be941dca4cef31ab411

SHA1
479dfabf55c8922443224d27958bfbce0a62bfdf

SHA256
b83eb3501ad463d4d385833236f27ac1fcd4a0e16f0b354ec853715ed9abdc71

SHA512
e13d63d21f251ccfe0f1e36ed71d53cb672c01f7cced62bc6de9e7220a49a20c0f24921eb2e15df326546c4e32de577877bdb4b7e8a771caade775e8f6aa8d52

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
136KB

MD5
e400a0ae3f8444962dcbd8f0a904770d

SHA1
9294e951a41adb38c4239fcdbab4cf8ee4bc5b82

SHA256
727f1eae90e9b18f42fa3ab418b91ad91ccec692efcb57112fa4997757492c3c

SHA512
686cdd6424894cb3bb49c375eb10dd35d1d44d0cc06933dd53c177eca76b0f2ca18bc650224134ae435b0ed24dac81ae11a5bbb8ecc16dfdb40cd7f8b5cdfba3

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
136KB

MD5
1484157f428c87abe8add970a924d99c

SHA1
e19e37a9aa48ce5385664655a8beccb3b2c7b4e3

SHA256
2b182dd49334cbd85b897bde5344ac6b25d6537cf79a17e016434cfcfd3863a2

SHA512
3ff3f8d43375e6348df826a4217adebc6f2e3a6effe741b0e1c25b7b171173a28818a059d3ca7cec510d68268950a9b46879d4b3c14435b7e30f70129dfddc40

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
136KB

MD5
0f5672c8f9626d2c0f79b01329413f2f

SHA1
0aa26ae39f0a02339385fa842fb329509a10a580

SHA256
d5293b14cc14dc35781905b954d8db6cc9ffd3a1fa2c117938fdfc553abd8fa1

SHA512
60e56d7a2090a5e9521381753d5d2822491170806bb6496e4b5fa0d4a5e6f38db7bf709c0fe70ade6a861ee083561a1a481c7bd94e3d8ea5e0ed6f4d986ada8d

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
136KB

MD5
0967f95fd6fc03e3f0ece0b68a57fa02

SHA1
bd5abb512a11d303a99362d51fa7cebe5e096044

SHA256
635704e13381a239321cfe2bee121b45e206fa03dd166f195131046a248e27d0

SHA512
458d821cb5fafb38075c37c3fca8aaa7dc47196fc74d5d331bb32dfc917bd98787713a68c95dccf2b73b020364991fc8ae21f55530ff7c8bd19fdd65c3305066

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
136KB

MD5
8eb270c50e296bcedc7e56ae0d5f380b

SHA1
4e2b1bac398a1e9f3ea02acf3c20ab13731323d1

SHA256
4d8a69ab2bb2e8333bffa136f861a183fa06164a103b16bad60ec4ee3353c7f1

SHA512
425208e6f348b585193a2de6cac3eb4be4e4e3194d061ac0b3c2c6a7f2a8dc3756960707b6a46d7998dc0e03036262ec358df14542cc43ceeaa440248167710b

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
136KB

MD5
01db40f655ae49de860d6eb1d17b25f9

SHA1
37c9532acff18ae21c009dbd518b8a3a97c2106f

SHA256
0530fb80bacc191b675315a5575961070867090493ed496ecb0cabba622f3e29

SHA512
3e0eb1cdd91f093efc9d627a25982a27872809df6f31ce72db0c1163bdaa2368b71693ee7f8ed12affe4bdaecbf46b395577d0b11163b8340abb5c53043be37a

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
136KB

MD5
01a18c8432f9b409503b54d83ae2aa71

SHA1
b4152a5fd847df1b724789b2e54486f47a412171

SHA256
f335f8b702ee3b61e1b223a6d981eefc8b3833b85dda8cea90b5757b36d9d04e

SHA512
f2d4f5831568f5339b4930cbd967c4d5d3d1c032d3d40693ced6349d62d265f60bee24e69bc9ff4cc826b3b802f67129f94710bdf03dcca443b03a5e88f687ec

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
136KB

MD5
325aaa3af58118b913b3edaafe3d28fc

SHA1
81c5746f302d4bec2999d31af3506d2e34d6b0d3

SHA256
4ea40f561ea5cbc65ed8f569d023eab9498f737a6ea30081bcbed7c201302d2c

SHA512
3f089142986f08fc02659ebde2beba2e30acceb20b1260f1ef83192a20d8cbdcb47d805a8b9d31e71605c1c48c4fed557057c267897d9c32b098b88afad704d4

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
136KB

MD5
25c20cf6d88cc495c41adbe785ea181f

SHA1
55e47c3e50f1cc64fce74e4174c288010f2a65fa

SHA256
217fc2587026743433900f5a619c69a50f0ef1e42f6c31214634c0975a1a6462

SHA512
d457f53f4c3a45733ac534557dca6af923476da6f1a00f1016306cfb4bc441f845ab9d60ca8dc5166ca67a71994059498ecbc6caa7f0ca21b9a4935bcbdc53e7

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
136KB

MD5
5149aa44305a83909949d5b5e1929d44

SHA1
d98d212caf91fef80e1a0055702b919bb868f7fd

SHA256
4fef7440e9a5c1e0d9d5bf33e8ad73bb12b139dc84df5eb2e68dc08b42bde75a

SHA512
491bb23f47aac0927c9bfc2d5349c57eb17315c358cda4a58be9a3fe369d9313fd83f71708e3e28652edba5b57f3e1594f5b78252219e392e5832fe345139363

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
136KB

MD5
e368e5a7bbf9007b25cbccb9a9d3d210

SHA1
56dd4891faf8eaae4061b8d4544741d69bccc49a

SHA256
4bcf55c354f23c23cfa0dcbe3bdbc1c4ef08369702244d63a715f5db2db55349

SHA512
229d4df929f03bbeb89be160a5e10fa518319d5fc9b694ba5074d56d0b6d6006e876343d8cdea8cfaba97fd13d836ef5d651c95a7cb9f21a2b21e0c2f200db3b

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
136KB

MD5
df15ecef35a6b09173cea44fdfcd8df8

SHA1
1222325937826e8c5e4751a9c7c2acbaccf6331c

SHA256
cc3ebddfc27f4f29b8b2a63159edbf8aff7a72fcb482ecb33cd44e93a31b28b2

SHA512
aa64705b9e0ead1b50790c68329750afbed13f6d501666f75a1a3417c9fb70f38ece97e8e7d2f7ddd763ea6eacf870f75eae618814aee5d9881e32b1a438521c

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
136KB

MD5
6a20cdc49a266f79fe753c16575d4bfd

SHA1
beb51b1977fbd6d215e606e103e339f58b1d1741

SHA256
c6c74ac6955e9a4838814e4e45fc7dcbc6f05da306b4a24bc4a002ccd75bc9ea

SHA512
62b29d0c5be639a8f57d6848b82c633522a932b830567bbeaa80e297118379738949206dfbe3f9950da1e2e4aa64970c606ea87d4800e12acbb37e570bc0e84e

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
136KB

MD5
33f358560bd27952bf24a1dc63570ebf

SHA1
a9b1639bac16842bcafec6c63bf490d0dc72d618

SHA256
7c7d8e08231dca3fcc2ec4d855d6fab108189337d05b5f22ca83e48efbecf860

SHA512
c2db2d1ae519faee0e6553461685f050808af629daa0b133e411a9dcafdd2e6c5c428fa60556ab9a62f174b5972412ef6df9b1d69acdcd9180c7bd6bdc65e0a7

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
136KB

MD5
f7f13da24a7f8a0d29148a242238d074

SHA1
481fb3214859c102a6e165d54be60f25fa72fba6

SHA256
60e54f0365b1b720713da387e7e7b24751bbe63b4d70b332db36e691575a895c

SHA512
a4112fe02260237164f7b7f27f667366ffcf096fbb030f38897af8a5247c3bef738346dbab5e28f23afb87a6c2c245040e812157764cee1fe60dfab14eacf60f

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
136KB

MD5
3d3539a60233785ecbdd07ec364d6f95

SHA1
78ba5b4fcea55b55fdcf5c6df3c96fd21eab19b6

SHA256
a62428bca92f549201aa875caa0c52b7fd51910b484f584e0dfde11612a2f40f

SHA512
cce6e4861b148b31d5ba623664b4f39e98ae1b1e57aac1cd4c0c64aede7ceb7d09c2ff40b57647a971d9e2b668cad318bb6f3c0d318f5f3f15932c3317fa8cdb

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
136KB

MD5
2b989c468caa54beb0409951dd652cb7

SHA1
f5d04e777d9f9dc5f69b1606a152f4441b3416d3

SHA256
bd8a141f29af7e484dd564c0e9426ce781d1d827ab8b0456f36955c06f7b3d7f

SHA512
19ca507f026728e3ae372f7481b95780a83b85d6471bd63819b26acba469ca3620cbee9d0dacdd9cd71c6841f33aaf86c06874c803744f924ce7a30bd8850502

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
136KB

MD5
577a0df8d09b80dd7568ddffbe057ce3

SHA1
f3a9bd384249b1d2bb9b104db0d985a353b68295

SHA256
3289a7cfc77f8d8229b08e0496210c258d97c435bbcb32ec735eb850ae23b52a

SHA512
fb1967844e4130fa54ff070876a8b42a7c9988e5df0ac894166ffd6e911e48079e2d9745a72dffeec16f6af7b86ac2058eef1a148ca821a553ab0ea772cf32f1

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
136KB

MD5
41a81a6917da8d1a38fd3eba15f701c7

SHA1
01d3315f347c7e90bdc59bee9910904520e485fb

SHA256
f216ed82660a80a5583f0745692cf7457c97fcfb540cb83c19bd1b61cdf1fd43

SHA512
f1517498882a8b81c3557817202baaf2676cb40a59eb3edd6b0d955f3556709d6cf60e6ff892c5153f0d992bcc746348670a2b45c22de3609eca5434cfc30bf4

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
136KB

MD5
ee870780f095c8363e2de2ac1e5ba58b

SHA1
c9782d703a573c20578baee4cc0d293b66e291f4

SHA256
9bcb2285f35d807510cdff23446c223ed5bd80ebb2697a8112019948e0a050d4

SHA512
75f3a54d51ce37e102ee9c46e8512e0e1d5b86fed5a8550a257ff030839e4f06d3fb569f3390e210f795c7c2e155f9f9537516c1c359e9dfcc88d0ec02eb7009

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
136KB

MD5
081a02fed54d1902b0f9a7d93dbace13

SHA1
864577782f207894e5c75b29de6a63787d2796fc

SHA256
3f813b57f7c57cf3f856b49c9517456832fbc7e5fbfe33327a06ae22a00ef47f

SHA512
39f6db7b71de0379d60a437d0bf5ed059f8aaf7afc315612bad338a77d14e60dbbfa2deb5e3dea3fa8bc3fbc9f7b8c161f7b4c40dd47826b88eb232559d9bc83

Download Submit
memory/380-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2372-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads