6f50b1a6cc0190522940b0a69122f8550910b507f0b43f8afa36313caf2ca2dc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
Size

63KB
MD5

06c089d9648231df805ae14fa98b0060
SHA1

0d28f107879162aace7c19ed98da2c7077e67f44
SHA256

6f50b1a6cc0190522940b0a69122f8550910b507f0b43f8afa36313caf2ca2dc
SHA512

dd81069250fee10be4a723017c144a6db2300267c4284ebd61057bd5b4ab53201c10046ed177e22abd13788e30bf3d3ec6c6b4e12be1e7511800e49384b67d87
SSDEEP

1536:NH081u8efxNxBG1Ccy15usfzpgJ15Ozn7AEzH1juIZo:qmu8efxNMXyy6pK1mNzH1juIZo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe

Executes dropped EXE 23 IoCs

pid	Process
232	Mnlfigcc.exe
2964	Mdfofakp.exe
1044	Mkpgck32.exe
208	Mnocof32.exe
744	Mpmokb32.exe
1176	Mgghhlhq.exe
5048	Mnapdf32.exe
4528	Mcnhmm32.exe
1540	Mjhqjg32.exe
392	Maohkd32.exe
4180	Mdmegp32.exe
1512	Mkgmcjld.exe
1036	Maaepd32.exe
2272	Mgnnhk32.exe
4168	Nacbfdao.exe
3496	Nceonl32.exe
560	Njogjfoj.exe
1212	Ncgkcl32.exe
4264	Nkncdifl.exe
1980	Nbhkac32.exe
3536	Ncihikcg.exe
4236	Nqmhbpba.exe
948	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4184	948	WerFault.exe	104

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 232	5052	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe	82
PID 5052 wrote to memory of 232	5052	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe	82
PID 5052 wrote to memory of 232	5052	06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe	82
PID 232 wrote to memory of 2964	232	Mnlfigcc.exe	83
PID 232 wrote to memory of 2964	232	Mnlfigcc.exe	83
PID 232 wrote to memory of 2964	232	Mnlfigcc.exe	83
PID 2964 wrote to memory of 1044	2964	Mdfofakp.exe	84
PID 2964 wrote to memory of 1044	2964	Mdfofakp.exe	84
PID 2964 wrote to memory of 1044	2964	Mdfofakp.exe	84
PID 1044 wrote to memory of 208	1044	Mkpgck32.exe	85
PID 1044 wrote to memory of 208	1044	Mkpgck32.exe	85
PID 1044 wrote to memory of 208	1044	Mkpgck32.exe	85
PID 208 wrote to memory of 744	208	Mnocof32.exe	86
PID 208 wrote to memory of 744	208	Mnocof32.exe	86
PID 208 wrote to memory of 744	208	Mnocof32.exe	86
PID 744 wrote to memory of 1176	744	Mpmokb32.exe	87
PID 744 wrote to memory of 1176	744	Mpmokb32.exe	87
PID 744 wrote to memory of 1176	744	Mpmokb32.exe	87
PID 1176 wrote to memory of 5048	1176	Mgghhlhq.exe	88
PID 1176 wrote to memory of 5048	1176	Mgghhlhq.exe	88
PID 1176 wrote to memory of 5048	1176	Mgghhlhq.exe	88
PID 5048 wrote to memory of 4528	5048	Mnapdf32.exe	89
PID 5048 wrote to memory of 4528	5048	Mnapdf32.exe	89
PID 5048 wrote to memory of 4528	5048	Mnapdf32.exe	89
PID 4528 wrote to memory of 1540	4528	Mcnhmm32.exe	90
PID 4528 wrote to memory of 1540	4528	Mcnhmm32.exe	90
PID 4528 wrote to memory of 1540	4528	Mcnhmm32.exe	90
PID 1540 wrote to memory of 392	1540	Mjhqjg32.exe	91
PID 1540 wrote to memory of 392	1540	Mjhqjg32.exe	91
PID 1540 wrote to memory of 392	1540	Mjhqjg32.exe	91
PID 392 wrote to memory of 4180	392	Maohkd32.exe	92
PID 392 wrote to memory of 4180	392	Maohkd32.exe	92
PID 392 wrote to memory of 4180	392	Maohkd32.exe	92
PID 4180 wrote to memory of 1512	4180	Mdmegp32.exe	93
PID 4180 wrote to memory of 1512	4180	Mdmegp32.exe	93
PID 4180 wrote to memory of 1512	4180	Mdmegp32.exe	93
PID 1512 wrote to memory of 1036	1512	Mkgmcjld.exe	94
PID 1512 wrote to memory of 1036	1512	Mkgmcjld.exe	94
PID 1512 wrote to memory of 1036	1512	Mkgmcjld.exe	94
PID 1036 wrote to memory of 2272	1036	Maaepd32.exe	95
PID 1036 wrote to memory of 2272	1036	Maaepd32.exe	95
PID 1036 wrote to memory of 2272	1036	Maaepd32.exe	95
PID 2272 wrote to memory of 4168	2272	Mgnnhk32.exe	96
PID 2272 wrote to memory of 4168	2272	Mgnnhk32.exe	96
PID 2272 wrote to memory of 4168	2272	Mgnnhk32.exe	96
PID 4168 wrote to memory of 3496	4168	Nacbfdao.exe	97
PID 4168 wrote to memory of 3496	4168	Nacbfdao.exe	97
PID 4168 wrote to memory of 3496	4168	Nacbfdao.exe	97
PID 3496 wrote to memory of 560	3496	Nceonl32.exe	98
PID 3496 wrote to memory of 560	3496	Nceonl32.exe	98
PID 3496 wrote to memory of 560	3496	Nceonl32.exe	98
PID 560 wrote to memory of 1212	560	Njogjfoj.exe	99
PID 560 wrote to memory of 1212	560	Njogjfoj.exe	99
PID 560 wrote to memory of 1212	560	Njogjfoj.exe	99
PID 1212 wrote to memory of 4264	1212	Ncgkcl32.exe	100
PID 1212 wrote to memory of 4264	1212	Ncgkcl32.exe	100
PID 1212 wrote to memory of 4264	1212	Ncgkcl32.exe	100
PID 4264 wrote to memory of 1980	4264	Nkncdifl.exe	101
PID 4264 wrote to memory of 1980	4264	Nkncdifl.exe	101
PID 4264 wrote to memory of 1980	4264	Nkncdifl.exe	101
PID 1980 wrote to memory of 3536	1980	Nbhkac32.exe	102
PID 1980 wrote to memory of 3536	1980	Nbhkac32.exe	102
PID 1980 wrote to memory of 3536	1980	Nbhkac32.exe	102
PID 3536 wrote to memory of 4236	3536	Ncihikcg.exe	103

C:\Users\Admin\AppData\Local\Temp\06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06c089d9648231df805ae14fa98b0060_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\Mnlfigcc.exe
  C:\Windows\system32\Mnlfigcc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\Mdfofakp.exe
    C:\Windows\system32\Mdfofakp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\Mkpgck32.exe
      C:\Windows\system32\Mkpgck32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
      - C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        24⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 436
        25⤵
        Program crash
        
        PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 948 -ip 948
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
63KB

MD5
db347029ad2234da6ccbe3c2f3662c64

SHA1
52a9ae48e6c279635538e2e0933ee3f9e0fd2b96

SHA256
7ff787c8f076f2aec54e19ad4c04f6c6d4ea418d7f7a882a70bf7ec77bcc36ed

SHA512
f01253b8dd088bc678cdb8ddb2e543140d74e3c66050b54f6d6708bc367c90007000ba8581e46c936f90619b5a5e3b6e3d81307263e88d86e49d08b991ad103c

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
63KB

MD5
12a9fc4ee26de69555aab6f0967025d1

SHA1
3e7aa023771a978834fc91c6f71ae150197d3cec

SHA256
cedf9c679bd4e63092d98792b7d9799a1ac64a61a997e52dd861bc20105da093

SHA512
4c2dc776bc72fa5dc48a27b03da796082036d44e7128c7410ed94449338729958e9a37120595f14e83a535e0d42f4521e664b0fc9fa1c1534a3269d8cefc7158

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
63KB

MD5
a05604f462b1e94c368e822407fe4ddf

SHA1
ccd339c8554a2e8052698d16b7a3062f6d67c3ab

SHA256
7916929968bee6220341611b90d5a04e57385142e001cb3406c3332e75587122

SHA512
d31fe83b1044bb2999a421a3073575e0f15b28b2a276d61f45c94a6f380eb124f296c674c885e6eea8dd2229decb9e4438f174c6f15866227c8d9b0bb3ce1b6d

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
63KB

MD5
25dd6a21a79ddfdaa23445f055f74dac

SHA1
12b09a3308b657503c59ba087a24d9d441a7284f

SHA256
6a3c46a9b32e488933be6320d9e878fa34a550fe686f931f128339d4213046eb

SHA512
5c779cc23e1a358fe23a25f855c5265dadac4d8cefeff3e1b73233190ae6ada5e9acc5b65ee2130986724fac292016d4e9a563ce3db869740411525a6f465cb4

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
63KB

MD5
32c90d290d0c09f13de1844fb2b586d2

SHA1
df820e27380f7ee410742afdd5340e1d0056636d

SHA256
1b1e5d45b0443f327123b31b1ea0a9eacae7d0e45a1402a79fb07cd26df99d95

SHA512
37e3bbdb9f46c4786ff142567dc5aa019630037f2d51c926af5e01e1e2bae41b792c9ddf4974e37566d17d45144f17c1708fad024afe02c13713d8acf0fb358a

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
63KB

MD5
64a2d9fb85925f3e421df014e0515724

SHA1
82138ae64a421e4cc773e061f3f3bbec5a530407

SHA256
dd8d9ff6adea5c9aa952bd51e20bbd08dfb564c089dc2a0a4e76c7daca93326f

SHA512
c797dbe3778ffc45fd95e6828b4332eddc3705cb7838b08e1575047ce701b5ca0fb4021fb510921f802a70854a2d3d2da8909f51992003a41b2152f801aa87fc

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
63KB

MD5
6322f1cc0974ae91f5753d7b5480e15c

SHA1
723f5006518e663ecd8b71a69563aec9b0a55164

SHA256
47e641b018e7e526aac3de9de16faeb6ff9635bc979c90653924775edde84cd7

SHA512
329a868ca6539e1dc71a6203b40479bb912880e741b3bb03751946fc11d0c365ca8723fa37c9def186f89b70172878c3148b6b4edbc4c840007cebafa1fb5569

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
63KB

MD5
c14c3b2a59956ff0c2a56bd014c219e8

SHA1
4a990b8ed3ff782a4c2ba3d76d9fe75d6f741cb8

SHA256
2efe4488a0d3eb5fdf13c2891bb7d73e165844c3b705fa2345889d8c48e3dd91

SHA512
c2763619d8138c045be5042f8c6f772d39962c1e4a7f70982e1c00fd3febfa8b3d8fc7fdc5f493101801ce2dee83eb7ff17d52061a1501388405808c197d3555

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
63KB

MD5
efca7be2b296c498039cdffdd4cbbcf0

SHA1
5231c4206440bcb2c565845bffab0d9d0ee7824c

SHA256
e29982547e290b03cf2d1135273f8b43bb7a32067422226c23d67fb70afe6ed3

SHA512
154c8a2ec693688936dcd3ba98a650f51226298a595662f64df4e7f44f15e499e34f42467113d8b4337c1cfba341c63f715bb4cf4af093b01be37940967e9df4

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
63KB

MD5
6c7832ea1f31b2e5f50fa450cf1db91e

SHA1
ee23f60f501cf39ac1f0dc4ecf9f806e74be1c81

SHA256
948ad5fb6c7563f9c47ddef4877d171708461cbf725f2ad192199b523b93d8c5

SHA512
49297f3bda01a954afaee006bd71f7ae6d08625f0906a70635309b5f78b12abf0dcaff4f1c0af5978e11ec9d98b1c52119fcdb2bc050e10091e4cd6d2a9e61f0

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
63KB

MD5
847cbdf70147cd7689754ea49de56b0b

SHA1
c169171808e3a534d03b0546cb0ece25b5015da7

SHA256
320b420123ead2286ccfeaec753aabacfaae90f40d30617d71f7f2051552557a

SHA512
d73afcd9619f9e411ceb9510d2a970ac047eca68123db7274a7b8b08ff9bf05bbaebfd59f51c54987072f6279aa8418f0f232308312f9993963f5ca621f4bd49

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
63KB

MD5
93ccc3f7803d5016eb84e8edca9c53b0

SHA1
b21a31ed9b1150f239753f5a64bcab4d2809c788

SHA256
7fcc4e81cbe48f60791b20cde12f18eb125b12c6042f62b8bd37d14c073257d7

SHA512
74a3d07e2daeff5c2f850731a5a956c77eafa5c3b68161b6ef72f27535a874bcee088ace5b64da39eaab9a60f0f638d219813b582e2f0aa483bdebe37c7219ee

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
63KB

MD5
5bfa3e803c1d2eb5b8c1c38e16053bee

SHA1
e03da0bbd496ccd95bd327194dc39298a77e7253

SHA256
ba357136df2ed7b029848d28bb4b6e48a5bba0499f0d165400506ac1fc5d6ae0

SHA512
74002aaabf230fd33315d01a2e75a8764627e41dabca2f813e754b67253b970f33bb7a182551e386cbe5df9102dc2b670650ee9edd0fcf0c5eca2e313bb83845

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
63KB

MD5
08bd5b94df314bc59ec026f1f381942f

SHA1
4cfbb8ee3f90e67f1a98d5f5f5fe6f9165cf3996

SHA256
5c7e3c78a714402cac0f34e63d9b3b26ad1f96277cab3cf58f0565695aa06afc

SHA512
c644ab16ed1348cc51b7bd44f95aade69fae87030f5010c91be832cded34dd15bc1620223966fad1726ee56f68015d759af776032a32966672e29a13358bf7d6

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
63KB

MD5
bbc9a92ed83a27e14b521c49f0e800ab

SHA1
c8c42bf45737b0d03e665a0ce2c1d24960cc24c9

SHA256
d19d0cb1913465454c2eafcee28bf14809a36c05a31d925cc3b3b156deb3e570

SHA512
19c0a8d70b887c8ed10a9fc18fea64c6faa4235a12d75aebeaf4d77e571977b8524be80d61632c2bb2681bf11f06eceb41c27da793530f5ce0c18c81990979eb

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
63KB

MD5
866b0084224533e62d718f0fb334d8d0

SHA1
93de6371b2c4fecc350c51f5b1b6844bdd70209e

SHA256
415eb4becf3ba68388cd36b08348372c10a36a2121f091589ebdb18d738b2d88

SHA512
eefe041d1f455e49bfd9381a35a7f107f5b1dd20f993259597b6cf8c9b60dd0a7099c31e0761c145e6585ab356c796e6d90e61872965377c1956187154a19dd6

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
63KB

MD5
da6b444cbcad802fb5c54a377b594ec1

SHA1
1790f651b6a1f6ec82d87974234be69e6cbfbe47

SHA256
f68929d64df43a317e6a0d69c34f5900800b448c9d37f6842bae37e432c0a1d8

SHA512
3830cc804f7cec99976ba67bcafb2f5fab8752fadd48a761114561e8e6b1935f68ff7c011f3bdd51ff5b800fe8a3521f61959ebdb03489ce2b3a1358a5330600

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
63KB

MD5
2ae7581d320a6a09f6b468f748d345c7

SHA1
b224a62afafb9cba54a771497fbe0c9ad176f24c

SHA256
1d4797c9ea141f9652fba670eee42b9fd1b24ec89873417743a1e5598c069a2f

SHA512
d1e779d349a6891d068cc570579ab7fdf0d9d10cc69677bf3751ff2762766a2031a0556f04d852a08ae8c28f54abafae158e99e72e75cc3f7f3f70289a57f9a1

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
63KB

MD5
7ef201dafe97fe74d6f6c7d386e2cda6

SHA1
2fd14244e0bc69febca858ef8e23e1dd52830763

SHA256
2e7ee9fd3f2472dea86eb7a04e02386b74b0f692aca7de1ec196b907ce32dafb

SHA512
30f42dee84e558636099b388c63183b84aa00ddef609704d737bb1ab732cce9c70e63409e3b24c424387efcfe1f082a4b9e87eae15da424db4974f13a710c6e7

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
63KB

MD5
6b6db43334be95caebcc118109166973

SHA1
00fdb3acaa5a400baa1ad4f41115e8e0127c70d6

SHA256
974d5470880224f55a25355165de177a7ff7dfb61f427fb3e3fed988a8474e07

SHA512
ccfa9116e66de82d4ee050312f9749fcee1004a85e8c12da58e9794d580de6de9d03d5b71591cd90cdfd959afff398752e3abf33284b06f8ba7124504cdae8a2

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
63KB

MD5
4e3c15490fcb0a3f399e451406a7fa53

SHA1
eaed5bfd8d841093c9ab3baa33d36d7e3393fef1

SHA256
e1d075990922713641649d3d714058c7caf9ed8f7c5845c5ae960c4cdaa77e88

SHA512
0c5e16af97d12c0221f8221129679280b6cc77a632eb1c38e451a02aa5d6cb9fb44390bbe6c46bd76b31cf86c539e316ad397434f4ada303cc139bac7426fdba

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
63KB

MD5
c583c3039ed3d0f0440b6ae80fae8d2a

SHA1
a601f972230f0be6c79e8cc9dc344e6ced6d21fc

SHA256
882db7b76ac147550f3ec29fa559ba3dd6635a2b27f1a73a4e713b40d31bb084

SHA512
498769bab0f67f9a655c6f6003abc47d2cbd96d38ee753266436e2264b1f6b9e64c73e0e4e14a4eb4841ec5cb3a182bab8122840901acdf670eab43c09b16cca

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
63KB

MD5
e53d17f7f406118088e67450ad196ae2

SHA1
0213a5ce6ce756ecd2fca4a3f583e0a2fca819cf

SHA256
eb08a43f729ea3c9ef075c8d627a2dfa8cf078ca8a74fd701a1f9608ec3f1a63

SHA512
2d7cf0ab51ebf707c244d1e9b3ccb80501998d005b644a903b0be54240172903feacffcd29341fca0a611be54e79677aec4fef0df52ce9072fa4b0c7653aa531

Download Submit
memory/208-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/208-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/232-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/232-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-211-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/560-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/560-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/744-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/744-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/948-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1044-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1540-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1540-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-203-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-226-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4180-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4180-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads