3e159fc7f3b2ec76ea6b39e1cb5161ab8913e7ca7f8f460a9ccd9ebf7fc7e4c6

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
Size

78KB
MD5

254ca2bca3eddd7824dfbad65db23380
SHA1

a5d9e616edc49d6c9b829db01e0f1afe4c7fc1ec
SHA256

3e159fc7f3b2ec76ea6b39e1cb5161ab8913e7ca7f8f460a9ccd9ebf7fc7e4c6
SHA512

3fda83b67e746b8ba405d275b10727bd8aa402806c28de808ac914f8a8761f9ee634af1826b09f74b8012ad553af95d2518d1d9a93336f322ef68fff5495fe8a
SSDEEP

1536:rQmSXXS5GhS0BFYOZF8U8bjjRFKnkpin6yf5oAnqDM+4yyF:UmCSeS0BFYnrKQinCuq4cyF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe

Executes dropped EXE 22 IoCs

pid	Process
4440	Mcnhmm32.exe
2340	Mjhqjg32.exe
4340	Mpaifalo.exe
4600	Mcpebmkb.exe
4816	Mjjmog32.exe
1312	Maaepd32.exe
4876	Mdpalp32.exe
2024	Mgnnhk32.exe
3780	Njljefql.exe
5032	Nnhfee32.exe
2240	Nqfbaq32.exe
4960	Ngpjnkpf.exe
1556	Nnjbke32.exe
4904	Nqiogp32.exe
4384	Ngcgcjnc.exe
4608	Nkncdifl.exe
3492	Nbhkac32.exe
2944	Ngedij32.exe
4196	Njcpee32.exe
2504	Nbkhfc32.exe
3464	Ncldnkae.exe
872	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3812	872	WerFault.exe	106

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 4440	1692	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe	84
PID 1692 wrote to memory of 4440	1692	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe	84
PID 1692 wrote to memory of 4440	1692	254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe	84
PID 4440 wrote to memory of 2340	4440	Mcnhmm32.exe	85
PID 4440 wrote to memory of 2340	4440	Mcnhmm32.exe	85
PID 4440 wrote to memory of 2340	4440	Mcnhmm32.exe	85
PID 2340 wrote to memory of 4340	2340	Mjhqjg32.exe	86
PID 2340 wrote to memory of 4340	2340	Mjhqjg32.exe	86
PID 2340 wrote to memory of 4340	2340	Mjhqjg32.exe	86
PID 4340 wrote to memory of 4600	4340	Mpaifalo.exe	87
PID 4340 wrote to memory of 4600	4340	Mpaifalo.exe	87
PID 4340 wrote to memory of 4600	4340	Mpaifalo.exe	87
PID 4600 wrote to memory of 4816	4600	Mcpebmkb.exe	88
PID 4600 wrote to memory of 4816	4600	Mcpebmkb.exe	88
PID 4600 wrote to memory of 4816	4600	Mcpebmkb.exe	88
PID 4816 wrote to memory of 1312	4816	Mjjmog32.exe	89
PID 4816 wrote to memory of 1312	4816	Mjjmog32.exe	89
PID 4816 wrote to memory of 1312	4816	Mjjmog32.exe	89
PID 1312 wrote to memory of 4876	1312	Maaepd32.exe	90
PID 1312 wrote to memory of 4876	1312	Maaepd32.exe	90
PID 1312 wrote to memory of 4876	1312	Maaepd32.exe	90
PID 4876 wrote to memory of 2024	4876	Mdpalp32.exe	91
PID 4876 wrote to memory of 2024	4876	Mdpalp32.exe	91
PID 4876 wrote to memory of 2024	4876	Mdpalp32.exe	91
PID 2024 wrote to memory of 3780	2024	Mgnnhk32.exe	92
PID 2024 wrote to memory of 3780	2024	Mgnnhk32.exe	92
PID 2024 wrote to memory of 3780	2024	Mgnnhk32.exe	92
PID 3780 wrote to memory of 5032	3780	Njljefql.exe	93
PID 3780 wrote to memory of 5032	3780	Njljefql.exe	93
PID 3780 wrote to memory of 5032	3780	Njljefql.exe	93
PID 5032 wrote to memory of 2240	5032	Nnhfee32.exe	94
PID 5032 wrote to memory of 2240	5032	Nnhfee32.exe	94
PID 5032 wrote to memory of 2240	5032	Nnhfee32.exe	94
PID 2240 wrote to memory of 4960	2240	Nqfbaq32.exe	95
PID 2240 wrote to memory of 4960	2240	Nqfbaq32.exe	95
PID 2240 wrote to memory of 4960	2240	Nqfbaq32.exe	95
PID 4960 wrote to memory of 1556	4960	Ngpjnkpf.exe	96
PID 4960 wrote to memory of 1556	4960	Ngpjnkpf.exe	96
PID 4960 wrote to memory of 1556	4960	Ngpjnkpf.exe	96
PID 1556 wrote to memory of 4904	1556	Nnjbke32.exe	97
PID 1556 wrote to memory of 4904	1556	Nnjbke32.exe	97
PID 1556 wrote to memory of 4904	1556	Nnjbke32.exe	97
PID 4904 wrote to memory of 4384	4904	Nqiogp32.exe	98
PID 4904 wrote to memory of 4384	4904	Nqiogp32.exe	98
PID 4904 wrote to memory of 4384	4904	Nqiogp32.exe	98
PID 4384 wrote to memory of 4608	4384	Ngcgcjnc.exe	100
PID 4384 wrote to memory of 4608	4384	Ngcgcjnc.exe	100
PID 4384 wrote to memory of 4608	4384	Ngcgcjnc.exe	100
PID 4608 wrote to memory of 3492	4608	Nkncdifl.exe	101
PID 4608 wrote to memory of 3492	4608	Nkncdifl.exe	101
PID 4608 wrote to memory of 3492	4608	Nkncdifl.exe	101
PID 3492 wrote to memory of 2944	3492	Nbhkac32.exe	102
PID 3492 wrote to memory of 2944	3492	Nbhkac32.exe	102
PID 3492 wrote to memory of 2944	3492	Nbhkac32.exe	102
PID 2944 wrote to memory of 4196	2944	Ngedij32.exe	103
PID 2944 wrote to memory of 4196	2944	Ngedij32.exe	103
PID 2944 wrote to memory of 4196	2944	Ngedij32.exe	103
PID 4196 wrote to memory of 2504	4196	Njcpee32.exe	104
PID 4196 wrote to memory of 2504	4196	Njcpee32.exe	104
PID 4196 wrote to memory of 2504	4196	Njcpee32.exe	104
PID 2504 wrote to memory of 3464	2504	Nbkhfc32.exe	105
PID 2504 wrote to memory of 3464	2504	Nbkhfc32.exe	105
PID 2504 wrote to memory of 3464	2504	Nbkhfc32.exe	105
PID 3464 wrote to memory of 872	3464	Ncldnkae.exe	106

C:\Users\Admin\AppData\Local\Temp\254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\254ca2bca3eddd7824dfbad65db23380_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\Mcnhmm32.exe
  C:\Windows\system32\Mcnhmm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\Mjhqjg32.exe
    C:\Windows\system32\Mjhqjg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\Mpaifalo.exe
      C:\Windows\system32\Mpaifalo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        23⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 408
        24⤵
        Program crash
        
        PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 872 -ip 872
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
78KB

MD5
3df323ac64fbd18edd4083f9871a6865

SHA1
fa8be45a68cda61b072b53eaf742afcf3fc8359d

SHA256
285c8da7c580f50066a6e9db405d61c6f5c7bc82114876800d94805550950667

SHA512
3c31cd3953ec0b0feec7d8c0aada12d8a9fd32eeeb85a8650bed536edd247b7c1d56d369aac96ec5dc3d34ab68905960ffac3670395938a96d9b5a7f9364f034

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
78KB

MD5
18d1c947f58e465fdb9986aaa744024c

SHA1
8a2312951bd9afbe07d7b61f191a084c9e928459

SHA256
da805f003982a1a166c74edf756b3e98e4cb39efad449e02679ce4d356ae0e3b

SHA512
87a316901d4d30f42109710d081c28cdb33a8a83b8a68ba62664692467b46c391a28ceed957849980362c4b9a12a2cb0e208592210049f2d242f61ab6fe7fb37

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
78KB

MD5
ed61a184c156dae2673ca8163ef44cbb

SHA1
40a6475f310be00636070cc249f11fa9e023d2ff

SHA256
9eebf67438dc24652838b6d068a2ea6e7f7c6960a45c5234860dbaf0df657f29

SHA512
92ef314022ef2e3438e54963a271bc894eb8dae5b31c18dd27f9f61c0c3806b8542dc2aa42343b9a7b5ac2457785da646edfb5d2ec907991ab03707dbc886fe8

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
78KB

MD5
78641faded64c37482575fbb80091b05

SHA1
1ff0901686cc416429a62bbb7d4a514e1e22de33

SHA256
5d4fa7a7b634da8fb7e3962290f20997b9d3aa588cb5c5e81597c582a947f07e

SHA512
603b378bca6b5d5cdec20900d20ba8f06eb276829765794eb351d541e05de605aef1f6a4e458e4a8cf1ee57a863eb68009f661efcc9b6d0e6f73bc6c7a3c1dcc

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
78KB

MD5
2600bf0b3b12f0cc957ca76d356759b4

SHA1
475818ecc85d05bfec4efaf3afa2270551a0b5ca

SHA256
65ed19004595b0a8222d6a34e58d85479cfe22212d7710bbea4c72433a47ea19

SHA512
b9716a0a692d8ee33caf2cf07ed11b8395c6d1bff526965dc35313acbeb0e74e4c25e24a2e5000c17a51d9ebb44919e45bb382aea88825da5d13ec6f96d9f658

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
78KB

MD5
f0fca88de3d5d02d764d7ee7145c3525

SHA1
831d383d717a4e067bcc3b3342db4dfe697bebd8

SHA256
f7890774c9ca74f630d786f0e1334ab5356719b42106b4ded24a0039e53277d2

SHA512
335e0548f99d30fe7edf32716ed162d755a7dea8c4f3ae07996609154df3abdf29871145464cad4818a907a9630975e20269fe0a036e07c32aa904ab56f85c2d

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
78KB

MD5
bb93ca80b21328227d4276390cba7ed6

SHA1
f701f6dd7c9deb414f631e2d6a123541039f862a

SHA256
a72c170b11d9309c614851b0650c49cc272696069e9e3a92bf2ddaffe3c42d75

SHA512
16b38800bb2ea03c8cd7c3786240b13302599ffb5f537acaa5d46f02d79edf32ea730a67249a04ebda2f60c234fb60a51f59df182ff47da404bea6e62eb39218

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
78KB

MD5
0b02ac1d20187fb2b09a904b73d9d3f0

SHA1
e5d3993de857931acfd1c9b36147a02c17d6a1d0

SHA256
0a5c252997a610eb904d9cdfc279aacab65a7f8c410b5bd118cbc2356d365a18

SHA512
10621b4ad563d422bb84889e2fa62c2b089cea610052cdf0b6310861fa549b175cfe8fe85faeeb212e40d869844241abd16da34718e28f5f8c8e7633e32f49bb

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
78KB

MD5
704761b472a7dafbae8c63883cabb3fc

SHA1
a686db9b5b0498423852302f870d90eb2787cd10

SHA256
f3b5375b05cb2117d3fa5c3e0ff307251a9a5ed5e27e9659830ec745d087b8b7

SHA512
ddcecdc05b6241f92875cc62641d431f839c70a119bbacf4ad1f30927b2ba41b2e9c375d29b778e732e90eb68e3c7bd0beea830ad8d31b505aa53b47a313dc5f

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
78KB

MD5
700b95db209cff00b2d8dfcd0b6771b9

SHA1
68e1efa703f16de57aed0c34a74491574dcb5533

SHA256
6a2d3a34e695261466eaa4fa6aaba415e49d848cd7a2b1eef52a555fbc988c6b

SHA512
cdf5433b097cfcae707e6c58bdcbd0a8f7f36c5291da4905beb29bb28b8890aeef9e68cca73520bd0450500ea565628b3e5b6e92d80a5fa3a7bff70f61ecd088

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
78KB

MD5
c4e0af5c9afc686daa4c7075ff30d699

SHA1
20e1b4a6136658f31bc38bd31f33c9d5d8f36b5c

SHA256
9c85b66b29c18cb9a1228f5d94f4550c87f837edf5176d182328febe9eee0138

SHA512
5a0ed2d662903131409d285ae831aed0403050c1361950e731fad7968db7db19214320ada2f3507ceae4d1377b7c4e725b8d3909bdfbda20880a683ee9e9e354

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
78KB

MD5
d12b0e8edf620a5b7e9c399cf686b187

SHA1
2c80de224f32996353d42725c984edfff97d979a

SHA256
e487a478f1787e502f75f9994ac2368eef412b6547dbe1d2fa841385b21eadbe

SHA512
d9c2d76325f17446f1fdda4bfbd78efd2acb4431edf7cbe6378fb61e54e7c7821b5fa31725ce94ba3b4a7fd4151226518b9154978cc565b3ba454fd7a270cb70

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
78KB

MD5
203a8bfe002e8896aba3beece719592b

SHA1
47134a171fd5c4d61ddec00842f281aca829f77a

SHA256
ad578e6fbf5f57e0155b8dee02627ce896c6f373bb457cd405d77cafc4534bbe

SHA512
1656504c0eff17a97eb84a477e32dfb5ef8b82a8a42b7ef37b2820f18af889cefdbabdb63f29e3ed10ce518141f99af3d2836bd7480ca35ae85ce71f748b5ac9

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
78KB

MD5
033bdec9fb79a6265f033e6fd97c5663

SHA1
7a67f82eea317e13f7dc5af729c901e2a60ad225

SHA256
31b2c7c5efc5b57ed5aa6a152594b17f1f16dba91d295447d5668c07dc45f7c9

SHA512
37df6e503bc9610350a03a0c425ecbcb8b73174fafa2983b43fcb0a855125a8a32ede398b65caa89ddb12d594c45db37f3bd416b13ad259797767486f8e1043d

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
78KB

MD5
125fe688ddec0d456bef5003474c9531

SHA1
0b754fedab424b6cd62583bb244c1331cce7f90d

SHA256
2931880af7ead0276cb29fc8e6da8287919fa56a020eff59c27da53a42567795

SHA512
b0635f4f20ae717cf6c0851ce0c56866085aee1264a6cfe1a393988b5917b6cecf0ba5f92aed3db264782f503f845d4b600be3f8cc72c8aad1251e157b8fa686

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
78KB

MD5
66e9f6129d5bfaba9a056e5cca255f69

SHA1
b7cfb161415f4bb8562991216d481c8a3fc60395

SHA256
953784f912a4cea37fbdfc664d22db2082b9220eec6a634dd6c6c2f58bf00a42

SHA512
f437f22ef1989714fc408822d95767aa706aacb409df30b950827f78c8e70b183bf7fe5e2881d23e5ced95390d05d3ff24fad0cfe066ec17d544c7f790541c3b

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
78KB

MD5
994e110e52ddebcbfee3073ba4abdf17

SHA1
9d7af5fcfd911e05dabf00efb970cbe050f0fcfc

SHA256
9ff0213e9a1ac91033b1458799396e8e9c1b1ec509e606989e925515b2a7a7fc

SHA512
31c91cce92302de4fc688e2932d03e7125ad895dd0eb215fe083667861da7d715dd0baa7acb7033dd624fa911962ca7535ca95858b4c22d87048230040ca2a2b

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
78KB

MD5
fc5a055076fa8f8bfdf3be5e1d0e213f

SHA1
654640b9ebe92110cfd533ef7c967b09fee640f7

SHA256
28d4a867ade26ed4b65697240cae549c2463b45e05edfdda2b447696fe95869c

SHA512
ab31713e482fa2f172ee3009e8b156cfd14e7213e200353e382b933a04b9ca95c013fccff32c76f19e1bd37b95166b04bf48435e9b09295c108c9fc605519503

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
78KB

MD5
11d200820ebcd949a9c8a62da5165e38

SHA1
73fd920daafdc8d991663ffceff984631a24a701

SHA256
6857e8bc58ebd98f8a83c669123be83e5a23efce7056a62773687cd39d494ff3

SHA512
4d05f034818703e4cfe263a42e8ed8c91d829a9c3a4655a1e3f75a19876eb91852059d0693ba0129cc84c3350fbc46f211f59c072b5f6b7a204edc3ee6c1bee4

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
78KB

MD5
5fc6e23541f1d071c37a8dbf80dacf97

SHA1
d24ed9d004157d259850c057e2753dff3d94cd10

SHA256
73f243fd8884983b05b8e2c4f01f510f68ae8cb4752cefb8a885acfd33f04683

SHA512
8c9050cbf02ccd4183a767ba3455e76a0487a46f82cff94507508c4e941f103ca01c90ac57098775651356593cd2e3e39c693a9d45d732efae26d86d9e7a228d

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
78KB

MD5
f4c20732c735b92374e34337eefb3120

SHA1
769688d1c685661f7dee157ef2103c17f9ac5af5

SHA256
61c78d46cabdbf3887a031ff4d5998ae3dd60347f13812189c9d4b8f315df9ed

SHA512
69d1348d1d1ae8326ec87bafbdb02affefddaf61235dcc6c413b088dc484a61e4b83ffe2c8d738a74cc826ba16f388bfe30fb7a74727796a1821a210ebe913d2

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
78KB

MD5
42fd54d77ffabdeefb93ee3cd47f5bd5

SHA1
d0620248bae7f6758625c4c4268e13d18a4e42a0

SHA256
db2b408afe363edc57fb21d5f342b7b6f910aa74ea576c464eb007d222dd9070

SHA512
7f523a4e771dfc20a1290a5797d874105d481adf24d90b492e0e22dcbd6a04cf8ca94287982d54c365209e082600735154eb1bc50d357517de635c0944c2396e

Download Submit
memory/872-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/872-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-6-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2024-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-195-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2504-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2504-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2944-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2944-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3780-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3780-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-194-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4384-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4384-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads