8f84cf4fb1e2c0acf5e59f0dceeec5dec19b23c0ea90d2a8b18587618ffa6e50

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
Size

224KB
MD5

a44667b74c7c88452e454eaf9587f470
SHA1

254f976f1a0d530f8098158acb3e2a7e8573aa6e
SHA256

8f84cf4fb1e2c0acf5e59f0dceeec5dec19b23c0ea90d2a8b18587618ffa6e50
SHA512

80faa9f0dc3ab3b050d7f2f8981720bf064638d7c270fcf6c5cf8a98bd4b39af7c829a8c360c93d0e1b147acda38a67f9a095e3f4a1ab7af013c828d9a372b65
SSDEEP

3072:s4JoCbYqJTbIuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOgtSU:s4J9pZ4s5tTDUZNSN58VU5tTtf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe

Executes dropped EXE 22 IoCs

pid	Process
3680	Mpkbebbf.exe
948	Mkpgck32.exe
3448	Mpmokb32.exe
3588	Mcklgm32.exe
804	Mgghhlhq.exe
3192	Mjeddggd.exe
2068	Mnapdf32.exe
1484	Maohkd32.exe
1184	Mglack32.exe
3436	Mjjmog32.exe
4788	Mcbahlip.exe
2200	Nacbfdao.exe
2192	Nqfbaq32.exe
1044	Njogjfoj.exe
4048	Nqiogp32.exe
1828	Nkncdifl.exe
832	Nnmopdep.exe
2028	Ncihikcg.exe
2820	Njcpee32.exe
396	Nbkhfc32.exe
2816	Ndidbn32.exe
1060	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2568	1060	WerFault.exe	105

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 3680	5080	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe	81
PID 5080 wrote to memory of 3680	5080	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe	81
PID 5080 wrote to memory of 3680	5080	a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe	81
PID 3680 wrote to memory of 948	3680	Mpkbebbf.exe	82
PID 3680 wrote to memory of 948	3680	Mpkbebbf.exe	82
PID 3680 wrote to memory of 948	3680	Mpkbebbf.exe	82
PID 948 wrote to memory of 3448	948	Mkpgck32.exe	83
PID 948 wrote to memory of 3448	948	Mkpgck32.exe	83
PID 948 wrote to memory of 3448	948	Mkpgck32.exe	83
PID 3448 wrote to memory of 3588	3448	Mpmokb32.exe	84
PID 3448 wrote to memory of 3588	3448	Mpmokb32.exe	84
PID 3448 wrote to memory of 3588	3448	Mpmokb32.exe	84
PID 3588 wrote to memory of 804	3588	Mcklgm32.exe	85
PID 3588 wrote to memory of 804	3588	Mcklgm32.exe	85
PID 3588 wrote to memory of 804	3588	Mcklgm32.exe	85
PID 804 wrote to memory of 3192	804	Mgghhlhq.exe	86
PID 804 wrote to memory of 3192	804	Mgghhlhq.exe	86
PID 804 wrote to memory of 3192	804	Mgghhlhq.exe	86
PID 3192 wrote to memory of 2068	3192	Mjeddggd.exe	87
PID 3192 wrote to memory of 2068	3192	Mjeddggd.exe	87
PID 3192 wrote to memory of 2068	3192	Mjeddggd.exe	87
PID 2068 wrote to memory of 1484	2068	Mnapdf32.exe	90
PID 2068 wrote to memory of 1484	2068	Mnapdf32.exe	90
PID 2068 wrote to memory of 1484	2068	Mnapdf32.exe	90
PID 1484 wrote to memory of 1184	1484	Maohkd32.exe	92
PID 1484 wrote to memory of 1184	1484	Maohkd32.exe	92
PID 1484 wrote to memory of 1184	1484	Maohkd32.exe	92
PID 1184 wrote to memory of 3436	1184	Mglack32.exe	93
PID 1184 wrote to memory of 3436	1184	Mglack32.exe	93
PID 1184 wrote to memory of 3436	1184	Mglack32.exe	93
PID 3436 wrote to memory of 4788	3436	Mjjmog32.exe	94
PID 3436 wrote to memory of 4788	3436	Mjjmog32.exe	94
PID 3436 wrote to memory of 4788	3436	Mjjmog32.exe	94
PID 4788 wrote to memory of 2200	4788	Mcbahlip.exe	95
PID 4788 wrote to memory of 2200	4788	Mcbahlip.exe	95
PID 4788 wrote to memory of 2200	4788	Mcbahlip.exe	95
PID 2200 wrote to memory of 2192	2200	Nacbfdao.exe	96
PID 2200 wrote to memory of 2192	2200	Nacbfdao.exe	96
PID 2200 wrote to memory of 2192	2200	Nacbfdao.exe	96
PID 2192 wrote to memory of 1044	2192	Nqfbaq32.exe	97
PID 2192 wrote to memory of 1044	2192	Nqfbaq32.exe	97
PID 2192 wrote to memory of 1044	2192	Nqfbaq32.exe	97
PID 1044 wrote to memory of 4048	1044	Njogjfoj.exe	98
PID 1044 wrote to memory of 4048	1044	Njogjfoj.exe	98
PID 1044 wrote to memory of 4048	1044	Njogjfoj.exe	98
PID 4048 wrote to memory of 1828	4048	Nqiogp32.exe	99
PID 4048 wrote to memory of 1828	4048	Nqiogp32.exe	99
PID 4048 wrote to memory of 1828	4048	Nqiogp32.exe	99
PID 1828 wrote to memory of 832	1828	Nkncdifl.exe	100
PID 1828 wrote to memory of 832	1828	Nkncdifl.exe	100
PID 1828 wrote to memory of 832	1828	Nkncdifl.exe	100
PID 832 wrote to memory of 2028	832	Nnmopdep.exe	101
PID 832 wrote to memory of 2028	832	Nnmopdep.exe	101
PID 832 wrote to memory of 2028	832	Nnmopdep.exe	101
PID 2028 wrote to memory of 2820	2028	Ncihikcg.exe	102
PID 2028 wrote to memory of 2820	2028	Ncihikcg.exe	102
PID 2028 wrote to memory of 2820	2028	Ncihikcg.exe	102
PID 2820 wrote to memory of 396	2820	Njcpee32.exe	103
PID 2820 wrote to memory of 396	2820	Njcpee32.exe	103
PID 2820 wrote to memory of 396	2820	Njcpee32.exe	103
PID 396 wrote to memory of 2816	396	Nbkhfc32.exe	104
PID 396 wrote to memory of 2816	396	Nbkhfc32.exe	104
PID 396 wrote to memory of 2816	396	Nbkhfc32.exe	104
PID 2816 wrote to memory of 1060	2816	Ndidbn32.exe	105

C:\Users\Admin\AppData\Local\Temp\a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a44667b74c7c88452e454eaf9587f470_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\Mpkbebbf.exe
  C:\Windows\system32\Mpkbebbf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\Mkpgck32.exe
    C:\Windows\system32\Mkpgck32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\Mpmokb32.exe
      C:\Windows\system32\Mpmokb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
      - C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        23⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 400
        24⤵
        Program crash
        
        PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1060 -ip 1060
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maohkd32.exe

Filesize
224KB

MD5
09e98915adbbd7c61f0ac478c368b658

SHA1
eb82b80b0e3fad41a1d992bb3bd2bb6caa47fa56

SHA256
2fc8dbf41059a2c8dbce0ea25e28db8bb1beedfa93bb039260e2f9f958625f68

SHA512
2da78a25af47618553d884d35f2a4298c033062c6e8cf58b416944239041d27904763246bb69c3d71c039ee7471e38e3cd680bbb302a18c4e61d70ab456760c5

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
224KB

MD5
2f6261e7c65cc8b6d54db88fe0d4fb31

SHA1
6d6dd671f3b77e2951c25dab3b676b948e109a31

SHA256
4a63a1f6d46c7e9a2007b9d4a1d2c7fcb69a0bc72a52786be329f0de7604c62d

SHA512
ed4f063e9462a79671d434295b01df1b5bd7ca4b3ca6a09fe23721641f465f580066a24643c3c9cec2ad5307c08cfaa0e4dbee0249f051b981152e39ccaf33d7

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
224KB

MD5
6499148513701f76503f854f5d52b3c1

SHA1
04584cef247358bb3aa6978e4866e8f5c70446b0

SHA256
a052bde7018389b39742110d04796f76dba03cd6f000634981055c04b4465a5b

SHA512
6396542781bacae5f6687f82c5348a0a4a6c169d66855c30688570f6d1a6dc3e30f0c02e7621b6eb6a5db0042aed9ceae11b65f185feb0493a71494f174a1c09

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
224KB

MD5
97804df9114eddc2de61b42536d6b8a8

SHA1
231641f8d8a05e42492c8e5c7deb3adfbab7b0df

SHA256
c3cdc0ca6cd0a0fb1950c018954274168e8fcb2205a127636d36922af67a7e8c

SHA512
d196e034b8f586c5da4bcba5bb2ee122ff46eba7cdd94b1f67cbbce66f6255a68930c1fb99c4252bd8e6235812ac31974e8ac24188e7eb4b9bc287698c58136a

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
224KB

MD5
0a25e2896082b7bd935b2cbb35704446

SHA1
36965058352267df8b3c3b6fa8264bd5f00c68c8

SHA256
19579539845c990e8d9222dcba620483c04c4404def5e1e4da01c7747fa38007

SHA512
cad3335157240cca0c3b55aa834040456eabd5736b4f257f100cda9bfc5eaa6ed1615bc39b1b53db03255cc2dda12c57b4458db87083fd453e0446e0e14ff093

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
224KB

MD5
48f71f03b5fdd23050dc98c66dfeb825

SHA1
febfafc739d4bb251b96540b2075bc184217143f

SHA256
14b7eca7539b6ba024dca41d2fa18e1b23c894a5b1abc2e327dbf5e28ba881c6

SHA512
bad79ea4b3a21ee967d6220f1331479de77ddfd707eefcb489d039c68ccc4354e06cf317a2f8c01564e164b49bd52e2716a74ef6439692f5066f18b688dd8026

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
224KB

MD5
399baa08a49f66112ccb07e21f918f1b

SHA1
f987cf6ca9fbbc4abd5028cab4aeb49b4ca6703e

SHA256
aaf9ced366aa4256407f615c433b72007844bcb2c204dc121ffb1f5f4130e799

SHA512
ef2d902fcf10aeb4aa074e0835e592e31f40146f15039e94a8a81fe9fef7156fb50bac0d5cadfb73aee312c0675cc6c5fdf76ceff9f0d2a44020fecb4baedd38

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
224KB

MD5
d5ac9458263b692d115104c36d6137a6

SHA1
de7870349459cbe5b60271bb8dfb4b49ddd3a815

SHA256
de158f264d57c8df8fc878635158df873cd29d3c5b07652d63062ff144419c5e

SHA512
0662b35aef3bbac0c862752cdc0af826887e161a5776bdfba53b11a2a3fa22a288a11bb8b2de9c40dd4f321553d104733bbb000c23d970ce0bd3e896fa4cb60f

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
224KB

MD5
15de75ceeeb9002f0644d5150be0783d

SHA1
a7368560f31998031131de8878f11547c31b6e7e

SHA256
22f9e352e2505886c2ab7c568af89aba37985997a411a3d0e7bb41aa6eed7086

SHA512
6b0beb055737b3c6fd534eba30968310151d6ff5fa32ab3d07325857a4bf42200a6567ceea48a817fdc2cdfb2c1ba476c4e68986ad26b3ce54a014230b5be882

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
224KB

MD5
4d9e4dd249a6e965c21f2366a9d243b1

SHA1
e2f97ab4faa9c2d2dbbbd76a0ee286b9e5914e62

SHA256
094a64f99211f36a52a56276eb6ecc00d4ecdc7311360d526fea34ea53e51f8e

SHA512
f3a4eae15fceb853c98ad1948c364dd6bdc7b34f7eb0ca08e553451994ca8ff858d0b3cfb0397c675c304e4ee45948a5fb8fe4fd6da4cf8c1d1d4c2a2c104cbd

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
224KB

MD5
6025b03bbadd5fc289bb6cdb6556ddac

SHA1
443f0b42f332b9551e0f71484b7e6984c2ac0544

SHA256
e680ac3b3e37045b757b7fed851acc97a0ce118c43684cc884164154fe532d25

SHA512
01049da4eaa628c3af0e5924d46ce067350cc48e49f858d7ec1d4e3a421f0e5136996a4e36fd5401f4507c727707e6a9f43c819f88ab918d47760f3ce9b159d5

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
224KB

MD5
6b38dd775b8cb95232fd0b340609950d

SHA1
f69ce10d0dc4152563e4dcb6dfaa3f9d42a7b05c

SHA256
ffcbfcf193c6887559ef0ca2495c2e986b5783cfed58e3490918bb6239638c79

SHA512
867d084319a8b14eb44612055c1da1c5f4449ffc335c83c8ef5a5a3de708db2b00c231461f36378eb8b1d7d91b36ceae1946a25918dec1fb8dd01220e339263e

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
224KB

MD5
9d4b21862ef2d206eb9b80ad171093f6

SHA1
366ac3b973d7b49c5ac5e08a7e83b5a104716794

SHA256
0289e1cb299fb695c2c7b9da9464e8ba2704216e4f599ac79b262c35d5a33cfe

SHA512
9e9d793ef1e0f5a8cbd636b26c5387987312880ff71ae2f0b2734eb8933b56cb0f9d399f2d2cac9ced780169b004a4296512336391aa09be7671458926215983

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
224KB

MD5
1699c0103b70010ad7e3acf991a5701e

SHA1
b41e73d67035170f4023166a5d14fb0e6bb127e3

SHA256
1c1fda59c9b08a104bac18d11d89e259085c2b26fce33b65f69c24983b0f31f7

SHA512
bd60007d20ae98d45240d2c528a97c248c15d0bd1f3bd497434191d5e072aa9f9cfd92fec3d222546dce878d8e94a7266c2a20270e042375814b3cec1b928df6

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
224KB

MD5
31aa963af0a411f9a6a52dfa5ffc53c1

SHA1
48efbbee3b354fdf14610be728fed201a3b0011f

SHA256
f2df83dbfee804c1dda2671ecbcd85f275e2463eb6face94e63a2bf9119d65cf

SHA512
11e1c6e77575746672992390c0143dcf0c3050a9e2d410fcfb59d88f72e9f8c999e15a5db529bfe71d23ecb91a43890df2a77301f97c89472c7f4ffac611b410

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
224KB

MD5
26aabc9a83d542f7465dc9d016013278

SHA1
d8f86a4dae5314b3cec467378b1964b84ab74874

SHA256
33572ed028176359ba6efa5a5e1e495cc909406ab51dd4345dbb866547e68ebe

SHA512
d0b7b36599b960bece0309f34950f56caf8f5e8072ed525c6484344f4a15388cb54d23f1004dde96bd8d3b0a318830ab6df67107dfe6486d970dca96c3ea9eb5

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
224KB

MD5
ebfac6d407ee7f94aeba3fe691d28c4e

SHA1
0fc85d8bd7f8deb5a59a758b6aff309d2d8a4bd1

SHA256
0ad3a5ac890d8ad8593aae74a55781e4918d61f9285e771b3c7f42ddebd22fed

SHA512
7c93a5f6a21cb844fad28818c8884fbf873bafb91b4a605a0c3aa3e332e6bdd257bc47c2ea3f5d413ce3036738480e3b56f98238de10094ebd29e19ec812eacd

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
224KB

MD5
c2d17d2550f609ad2aea36a0e676ceee

SHA1
6685e8b3f83430321506476742db39b359f8a296

SHA256
3a4ad6dbde72dd3fb28cd6707fcc473c393e831eff7ff806b123c59d9c74ed2b

SHA512
f8a3aadc9a4ed6160131014c1e7cfdc4765ebc486295085c955a1da136362771635f566d9a1c967fc716b5ac9d7c36ce123704101de8065e2016eb551e0ea999

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
224KB

MD5
0fe7eae0c6aa7e1505f740d0a9bb7316

SHA1
61ac9c0021af5f74c34f23b55eda08a175927d86

SHA256
7204146b5442d41f1449672b645404ea1e0b412611869b025243764f13cc9e85

SHA512
bde39dfda6416daa4ee34505a0d9d026c007a7a5277b74481fe89e3fefcc2050f758d48e55b2f998afa6ccf4e6924bbaf73ab04a6b8edf804de92ac544e13816

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
224KB

MD5
fc7bc0496e2972f45a312c7574c8bee6

SHA1
24a7f31d97d29639a1ec9299b9d441e2fcedf45b

SHA256
880d022b3d1c513ef18e137f014b93a4678ef271c9f3483b9031b0724bf4d6c8

SHA512
1760e56cbd1569ce1ef52b328eaa5a8ec2423d9146fa7aa8eee7a6da81bf13d30893d0d53c325fb017129bbef7f09e64d08536d17885a45c78c0a29f491d57db

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
224KB

MD5
55000f676d230895a2b123f870e62245

SHA1
0ebb89502883295b30d7d6fc30ca6bd146684814

SHA256
ceef3d036e0c1768a43951b7ceef8c3983173563fb2cde4eaa9df0fa20848dfa

SHA512
c9fd2e8c304616c9a36f8c269c5bd42e7ab44a32c0b28d6ce789e2c52316c765095923e6dbf68129cf2a2ca09cb4fd8719710959f236979daba7aa9bb55770fd

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
224KB

MD5
7d8f7e91bb4a07b16011db67e12918d2

SHA1
c2ad1c27cb7fcc1e0f97cabd50600225265dd598

SHA256
23221de6ad2b5915bc0570a0b6eb17868fd240ffe8e577c1aaa91ce5e9652e98

SHA512
741ebee8c82ee316c4e3a46edecddefd06e521e8ab3d616ff78ced867d7514b7aa7c59d12e046ea14edccc0db9fb99633983f50dfcc25a54dbbda060040ce29e

Download Submit
memory/396-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/804-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1184-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1184-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1828-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads