8028d6a8789bc06ce21f108da144d8336de1f12cdfeada9a4322b4ccfe2e3e29

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 02:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
Size

96KB
MD5

3619a61bff10023767e546d024bb39b0
SHA1

ad6a7b42947bb8f1d5cecc04a1437b8e22091550
SHA256

8028d6a8789bc06ce21f108da144d8336de1f12cdfeada9a4322b4ccfe2e3e29
SHA512

cd596576560d0d8ec9d0d56c12b7a681dd1b816a19df486e2588bdea8a60e6075658a0df4513a46dba94fdddd2254d81d2a23d98c9010e70c2d6394943ac6284
SSDEEP

1536:tPCKCYIv52BiTzwI21oCgbf36AC8k2LrZS/FCb4noaJSNzJO/:xCKmn+6CwhD9rZSs4noakXO/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe

Executes dropped EXE 22 IoCs

pid	Process
3272	Mkepnjng.exe
228	Mncmjfmk.exe
4340	Mdmegp32.exe
4064	Mcpebmkb.exe
1168	Mkgmcjld.exe
1312	Mpdelajl.exe
1432	Mcbahlip.exe
2024	Nkjjij32.exe
3780	Nnhfee32.exe
2344	Nqfbaq32.exe
3672	Ngpjnkpf.exe
4848	Njogjfoj.exe
4908	Nafokcol.exe
4304	Nddkgonp.exe
3744	Ngcgcjnc.exe
3068	Nnmopdep.exe
3800	Nbhkac32.exe
4272	Ncihikcg.exe
1720	Ngedij32.exe
4056	Nnolfdcn.exe
1988	Ndidbn32.exe
1960	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1624	1960	WerFault.exe	106

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 3272	3104	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe	84
PID 3104 wrote to memory of 3272	3104	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe	84
PID 3104 wrote to memory of 3272	3104	3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe	84
PID 3272 wrote to memory of 228	3272	Mkepnjng.exe	85
PID 3272 wrote to memory of 228	3272	Mkepnjng.exe	85
PID 3272 wrote to memory of 228	3272	Mkepnjng.exe	85
PID 228 wrote to memory of 4340	228	Mncmjfmk.exe	86
PID 228 wrote to memory of 4340	228	Mncmjfmk.exe	86
PID 228 wrote to memory of 4340	228	Mncmjfmk.exe	86
PID 4340 wrote to memory of 4064	4340	Mdmegp32.exe	87
PID 4340 wrote to memory of 4064	4340	Mdmegp32.exe	87
PID 4340 wrote to memory of 4064	4340	Mdmegp32.exe	87
PID 4064 wrote to memory of 1168	4064	Mcpebmkb.exe	88
PID 4064 wrote to memory of 1168	4064	Mcpebmkb.exe	88
PID 4064 wrote to memory of 1168	4064	Mcpebmkb.exe	88
PID 1168 wrote to memory of 1312	1168	Mkgmcjld.exe	89
PID 1168 wrote to memory of 1312	1168	Mkgmcjld.exe	89
PID 1168 wrote to memory of 1312	1168	Mkgmcjld.exe	89
PID 1312 wrote to memory of 1432	1312	Mpdelajl.exe	90
PID 1312 wrote to memory of 1432	1312	Mpdelajl.exe	90
PID 1312 wrote to memory of 1432	1312	Mpdelajl.exe	90
PID 1432 wrote to memory of 2024	1432	Mcbahlip.exe	91
PID 1432 wrote to memory of 2024	1432	Mcbahlip.exe	91
PID 1432 wrote to memory of 2024	1432	Mcbahlip.exe	91
PID 2024 wrote to memory of 3780	2024	Nkjjij32.exe	92
PID 2024 wrote to memory of 3780	2024	Nkjjij32.exe	92
PID 2024 wrote to memory of 3780	2024	Nkjjij32.exe	92
PID 3780 wrote to memory of 2344	3780	Nnhfee32.exe	93
PID 3780 wrote to memory of 2344	3780	Nnhfee32.exe	93
PID 3780 wrote to memory of 2344	3780	Nnhfee32.exe	93
PID 2344 wrote to memory of 3672	2344	Nqfbaq32.exe	95
PID 2344 wrote to memory of 3672	2344	Nqfbaq32.exe	95
PID 2344 wrote to memory of 3672	2344	Nqfbaq32.exe	95
PID 3672 wrote to memory of 4848	3672	Ngpjnkpf.exe	96
PID 3672 wrote to memory of 4848	3672	Ngpjnkpf.exe	96
PID 3672 wrote to memory of 4848	3672	Ngpjnkpf.exe	96
PID 4848 wrote to memory of 4908	4848	Njogjfoj.exe	97
PID 4848 wrote to memory of 4908	4848	Njogjfoj.exe	97
PID 4848 wrote to memory of 4908	4848	Njogjfoj.exe	97
PID 4908 wrote to memory of 4304	4908	Nafokcol.exe	98
PID 4908 wrote to memory of 4304	4908	Nafokcol.exe	98
PID 4908 wrote to memory of 4304	4908	Nafokcol.exe	98
PID 4304 wrote to memory of 3744	4304	Nddkgonp.exe	99
PID 4304 wrote to memory of 3744	4304	Nddkgonp.exe	99
PID 4304 wrote to memory of 3744	4304	Nddkgonp.exe	99
PID 3744 wrote to memory of 3068	3744	Ngcgcjnc.exe	100
PID 3744 wrote to memory of 3068	3744	Ngcgcjnc.exe	100
PID 3744 wrote to memory of 3068	3744	Ngcgcjnc.exe	100
PID 3068 wrote to memory of 3800	3068	Nnmopdep.exe	101
PID 3068 wrote to memory of 3800	3068	Nnmopdep.exe	101
PID 3068 wrote to memory of 3800	3068	Nnmopdep.exe	101
PID 3800 wrote to memory of 4272	3800	Nbhkac32.exe	102
PID 3800 wrote to memory of 4272	3800	Nbhkac32.exe	102
PID 3800 wrote to memory of 4272	3800	Nbhkac32.exe	102
PID 4272 wrote to memory of 1720	4272	Ncihikcg.exe	103
PID 4272 wrote to memory of 1720	4272	Ncihikcg.exe	103
PID 4272 wrote to memory of 1720	4272	Ncihikcg.exe	103
PID 1720 wrote to memory of 4056	1720	Ngedij32.exe	104
PID 1720 wrote to memory of 4056	1720	Ngedij32.exe	104
PID 1720 wrote to memory of 4056	1720	Ngedij32.exe	104
PID 4056 wrote to memory of 1988	4056	Nnolfdcn.exe	105
PID 4056 wrote to memory of 1988	4056	Nnolfdcn.exe	105
PID 4056 wrote to memory of 1988	4056	Nnolfdcn.exe	105
PID 1988 wrote to memory of 1960	1988	Ndidbn32.exe	106

C:\Users\Admin\AppData\Local\Temp\3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3619a61bff10023767e546d024bb39b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\Mkepnjng.exe
  C:\Windows\system32\Mkepnjng.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\SysWOW64\Mncmjfmk.exe
    C:\Windows\system32\Mncmjfmk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\Mdmegp32.exe
      C:\Windows\system32\Mdmegp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        23⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 400
        24⤵
        Program crash
        
        PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1960 -ip 1960
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
96KB

MD5
c0fd1a95852335801a0dc254a4f91b6a

SHA1
072570afb26ace512adb933495ac77cb47253c3f

SHA256
75da284e16520ebf6ed99386f46af8966662e94b243da9ef1d24e3149fa9d6a6

SHA512
f60fde712e3ec25b17a4c090d4c910b8904cf388918f8f41814c17e62e10520c9bf3d3f8061000974b7a7a1ff09f0d5d547273fc2d5d744f6e41b008a51ac209

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
96KB

MD5
ad01092fb952936ec94c818aa5affb01

SHA1
8e138763dd3fb3d3732336afddcbe8eb4919f951

SHA256
aeac08e8d3e246c56b08be94b04c43267d6ef91f30001e1e4870975e43cbbec4

SHA512
73ed93f518b2888025aa77f4476f01e442503dca71cf01587f19f61ee44ee26368dbca27bd8d0f0f6a796413c2af1a13851a83e9e3a98b3f321b8fbba9bef82f

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
96KB

MD5
f6ab7e6ce5abe8179c21000ced024f76

SHA1
c639dc29f2bb1c3963846e0e3bfb1bc1cd23af7a

SHA256
34e9ebb02dee9b1dfb37b842b105acbb397b47423c22a9605275990050c9bc04

SHA512
9cbb1a889e16a088f33889709fbd17db23c09b08f1b041a14ff10875bfac0a8bd535d0d2e7feaaa9b3274a942bc36b9245833fa5c4747e7a0c392bd3e143260f

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
96KB

MD5
d78bb1ba25adad497d78e9a86f9565d0

SHA1
22a1ce40e45a2f1e9a937cf3ae67d8f7d643a964

SHA256
2b018eed49a60278ab3f6d8ee072a2150c0da8fea77a720e69658aea74d4db21

SHA512
de9c1a92a4dd0a51e04e78b40d3fd590d431f6e946923207e97dbc51e4c5ce819b7ab2451c54da350d4840b5f5eb43a0f018e3e9a256c6b129669bbbfea15c37

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
96KB

MD5
91cc411c5db407a4794aaf13c7c56e8e

SHA1
34a67d5f3f385f92a2c554ebb2dcac4e95a4730e

SHA256
b191cf3e3412cfc195ee7b92be036de99263e94f80a5a9d21d1f1e60ced5ddff

SHA512
b121ea33ef2856070925c07ce258b525f6026d30f1baf7b2438830697845ccc573386667d65873c40e071307e555cc632361372b603fc22845929cee67f99c69

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
96KB

MD5
958232daeaa5f86efd91fe74aa8028d8

SHA1
b609e7e4c5d2a9773070e0911485c7dda8540f75

SHA256
8cc41a79db014671df094bb5405b7b26c953e99ae5efd8c99aad1c2988323aee

SHA512
55de51dcbbfef5596054a0f7b4b382ab2698451b515f515cd1864e945eefc10f2f48a2f0454912e4d1923d067f5b427a6e4ada0082aad7ace568f8e2e6348342

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
96KB

MD5
ada9f2469069a368b4578285a27f18a8

SHA1
49a37e2ffdb80467b6677762688a21c8e7cbb290

SHA256
51799f5a19b7c4f9f5474b2b8fdbaa4767de2a8eecbc9c96fd020cf2012bc1f2

SHA512
3919b82a5850a403b71617a1a8b72e7e098082a628e77b7bdb8c049611dd48d5ffdf1fc760331a2e6576f58da07ec9ce552fcb7fce1922d5217b3bb29d7be4f6

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
96KB

MD5
9a184d4f6f0a4088f459e540cafeacbb

SHA1
2936febc77e341956a7c88b987abafa301b092a4

SHA256
528de9fbc9d29fb6eb58b3379a2cbad6beba46de1ad03485b5262213a1339b33

SHA512
6d957dfe88cd16242c3bb8563122b544617c0758b8d3c4ef93cc3f6bb9bd5f3d4ea2bcb8489c473a53a2b634c9dde05d3f8db92b2a09208f6f5a4c1c5fcac3d7

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
96KB

MD5
b35454cdf5116b752de1fc9eb80cbf77

SHA1
482757cacf676fa5c38d4a15cc65b1a5c8c7ae06

SHA256
1a2b35f911ac0a88286bab8be9ebb046c2ad85749859455bf18cd94db2d147f6

SHA512
46531ce6bd9d85a55ead28c5c6aaefb241050bef697b232e818462dd334c262fa848c4ff1c16ceac364d0e9f2ab9ce22f1d193d3e827e11f4cf716d7aca824f5

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
96KB

MD5
b895eea5777437448d689866183604cd

SHA1
d6d072b1af0b654c1b9c9c573964d833bcf7b9e0

SHA256
89c113588ad62ac6a7197b05bda33ad20d5d69eb37fa7259a2bdd52e590f26b2

SHA512
ac4e5a7351439b60806689e3d4b3d39b529955aa57ef29b21018315aeeb39e9d39ca688f325cf6fcd5b943d0cc0056633c4f257c3f998efa0cb81a33f27a9be5

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
96KB

MD5
80ff12be73b4c39c8aaf29463aef5881

SHA1
0d9f39d213d1963beb606d4d0a81c256d8bbe823

SHA256
b4eb833ff1138e3d52eb758d1a6cd7ade587154ad969e3b2dfca11f6c908466d

SHA512
e24c120efb88851d9c651ad1caca9eb3a93d4137e6fb5512ecf0e1c2b1b6e18ba11eac5e638b9a14273198c80dd1e1b664620552a9963abf59399b7a998f46e4

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
96KB

MD5
14acb8bcbbc99d70548c9b09d85772c6

SHA1
6ab32e4e2e41d25f4ae313e8eb408dc585443b60

SHA256
f1ee98a2499eacc273cbbbcda5d20d39ba252c6af57df69359cc9f8921f5da24

SHA512
9edad19d7b4ab6d96b93c22644163a8736d430989b4b3155ad0ac2615734a4f237f9802478a7f96758487fc378088bc961a164ce63ad19cf381da833e8654681

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
96KB

MD5
ef4808587c3f0cca4cc09c0c1d423ce2

SHA1
76608816664d4d2044eff3c222d56d7916096d97

SHA256
5c11d946330d7a5977c0a43e0c16038839f23f30eba041511cea47cdf7c234b3

SHA512
0c9452073bef10686d8ef5e585dca3a6798607bd23df69e4fcd2a614009fc2e4d6e7c23b06d8664a484c3cf4b459965fceeb2c4889639686cce648b5a548e85b

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
96KB

MD5
af111c5156f564c226adede14e96a17b

SHA1
b2dc1c874bd0333057732f4f7df01ba0e40bb170

SHA256
14680f300410316b4709e7eb3759ebe2f5161f2a5707f21bd6ab637138844d03

SHA512
d4a59cdc5f33a9f0e4ef5bc8d08fd7685bd21839bc29dfd27af92d80f7a53ab809dd1affc0e8f6e076410bac1aec9a6e861886cc09d83aac3c28b0c5cc0f4964

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
96KB

MD5
eb0ae6555fa64000b44c43582e82ae33

SHA1
8d3cc6f2d246e16cdba7f010b6d59f524d3c96d5

SHA256
efd991d2aea8b8c8e5952809100208b817e86dfd12c9b0a60b1beec393a05257

SHA512
0ad6056d78ba38dbe7b121fae97f428b8220e0888a8d7d08d1531a1789d0e6e19b6543b9d05019d497466379591f2803b78801d54375fa1a33b30529697be426

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
96KB

MD5
408e3cdc75a36da3d9eb2d4b509c3311

SHA1
7434c1feb010ec5de613101b7fe5c209c64cbacc

SHA256
16f8d6df6c916f95ce4f12e06c4bf1b2152f4d4615058e641c6cd1402ea4c0f4

SHA512
9e2a120689135c9f057ab8108d51fe2c53a2700c5dde7058d3c5faba931c817ed7ffe510cd3afa153612ada13f93fcf519d0927d620fabae65cd781bab27b2d6

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
96KB

MD5
3c04b295eb4a2bdc08995b102a198c06

SHA1
8c144978404febe9822cc1746ac68d5cd54b8d5c

SHA256
9ef87e277af9e3a65978398ec30b434855b7229b4e8cb79390cf48069b1a3d14

SHA512
e780ce05025801a41c21e1c572a5a0db25476044ee2c409a8f6880bb5d441efb1c79a5e759aa58e5c38d4f48422375d43f3e5c710e3e355e2ced8154f86b7517

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
96KB

MD5
f70f3d068827a174f3977cb62b56d90b

SHA1
ce4ce92fd899c2392eb3ad718e8010d9e52b2b2c

SHA256
88eeea1b5dda77b1d0c0d016d11fbe1985e6505b40d4c0423328b433a060275b

SHA512
0c107968ad6e203808f8de15a7b4cc332fac0cac1540ae913a9ae20adc9c382d001e72f6cbae7e3d07b6218b2d9b963f37626d89e157aa6779ccc978ef4fae60

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
96KB

MD5
0d29ad587c283434baabe5c3681f7ea6

SHA1
19223f664b1926aeaa311da7ba640db504898b40

SHA256
eae2aa8b4fdabbd2dcede93cf1bd6309a7b3f141ab32ae2c98f3dd9a591262ac

SHA512
72eea85bcad0a68d2c5e8be5ca5cf7e3881bdb1a0abcd3e68cca1ab276d202ffcaabc0195787e969a19a52f3ddcc915d402ed6c4568ace632b44369457f43a53

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
96KB

MD5
44874e7935bf094625dc0df181836af6

SHA1
f9aafb49c64364f8eaa1d7ca8f5d08efa7af70ce

SHA256
93bc3b99029d219123c9fb64c087040a79211865cda156ed4ffcd77534cc3081

SHA512
3c81aef0a8003acddaad783e0e2d28457f35de6b557c99db019ab3535516b2af8bf8f35bcb900261cba23439f6e2d55865f2626c9cc3ff497e6282e9ce10ae0a

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
96KB

MD5
8420a3eb8f3e6d48b30e9c53eed02cff

SHA1
3b6ed2346454488239d11d57db62f3eeac2d6c13

SHA256
b0c931f5b1a7f5c26fc827b6ba8af2ffe2ee7d4f02668756761c40ed14701bc4

SHA512
610f20d5be1c0f173bff65b2034a6190b10a98f3223c16a50941a262087f62f072b0768fafe7ef787c759d34fe488fb0e87c92418dacbeb13ad79a22082aa136

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
96KB

MD5
5440fa362506d50df364435d382d49ab

SHA1
4cb2128017fc59b53bd825529496e9c600aad523

SHA256
64cb7966c98ce5a0e973b1c35b14d54426e02f333b35953fea0f51a67c6edcee

SHA512
4596e7c31575e166e879c4cd806f46b154fcb1818cb22d9f3042a32d230ba767f53be40dd199b16d30e8a9f9dfdda6e6c3c0ab7bd81c55e6824e07bb3e793fc4

Download Submit
memory/228-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3104-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads