3aa3d3296a7dd8f6ecd6bbe27bb38494116cc1cdc52f5003c4c7c79d6a19fbf8

Analysis

max time kernel
138s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Size

1.4MB
MD5

c6c374b4fdde220024f380301c0d2410
SHA1

65a342c0a49c27997ef17c31b6ad60f37dd90b9d
SHA256

3aa3d3296a7dd8f6ecd6bbe27bb38494116cc1cdc52f5003c4c7c79d6a19fbf8
SHA512

6a7081b12d5b0e149a53ff0b9ff8f0a1751153bb4939492f9727709c84e4b32c130492d29e2965adf9d5c8c8e09121fda047a088a96cd87ba765482dd93db307
SSDEEP

6144:QPe/L6vlRZVJYYI49O2or9tqlFAr9a2MDmaH1a/wVUWdZeBQTbsJ:Ce/GvF/vUWLSKmaH1a/XWdZeBQTy

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe

Executes dropped EXE 30 IoCs

pid	Process
452	Kgphpo32.exe
1388	Kagichjo.exe
60	Kcifkp32.exe
3916	Kkpnlm32.exe
2160	Kibnhjgj.exe
1076	Lgpagm32.exe
4988	Lnjjdgee.exe
4640	Mgghhlhq.exe
1664	Mkepnjng.exe
3204	Mncmjfmk.exe
1612	Mdmegp32.exe
3724	Mjjmog32.exe
4524	Mcbahlip.exe
5020	Nkjjij32.exe
4968	Nacbfdao.exe
1988	Ndbnboqb.exe
2092	Nklfoi32.exe
2344	Njogjfoj.exe
556	Nafokcol.exe
3588	Nddkgonp.exe
2204	Ncgkcl32.exe
4748	Nkncdifl.exe
1552	Nnmopdep.exe
1712	Nqklmpdd.exe
2900	Ncihikcg.exe
4864	Nkqpjidj.exe
836	Njcpee32.exe
2088	Nqmhbpba.exe
3608	Ncldnkae.exe
3596	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe

Program crash 1 IoCs

pid	pid_target	Process
2556	3596	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c6c374b4fdde220024f380301c0d2410_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 452	208	c6c374b4fdde220024f380301c0d2410_NEIKI.exe	83
PID 208 wrote to memory of 452	208	c6c374b4fdde220024f380301c0d2410_NEIKI.exe	83
PID 208 wrote to memory of 452	208	c6c374b4fdde220024f380301c0d2410_NEIKI.exe	83
PID 452 wrote to memory of 1388	452	Kgphpo32.exe	84
PID 452 wrote to memory of 1388	452	Kgphpo32.exe	84
PID 452 wrote to memory of 1388	452	Kgphpo32.exe	84
PID 1388 wrote to memory of 60	1388	Kagichjo.exe	85
PID 1388 wrote to memory of 60	1388	Kagichjo.exe	85
PID 1388 wrote to memory of 60	1388	Kagichjo.exe	85
PID 60 wrote to memory of 3916	60	Kcifkp32.exe	86
PID 60 wrote to memory of 3916	60	Kcifkp32.exe	86
PID 60 wrote to memory of 3916	60	Kcifkp32.exe	86
PID 3916 wrote to memory of 2160	3916	Kkpnlm32.exe	87
PID 3916 wrote to memory of 2160	3916	Kkpnlm32.exe	87
PID 3916 wrote to memory of 2160	3916	Kkpnlm32.exe	87
PID 2160 wrote to memory of 1076	2160	Kibnhjgj.exe	88
PID 2160 wrote to memory of 1076	2160	Kibnhjgj.exe	88
PID 2160 wrote to memory of 1076	2160	Kibnhjgj.exe	88
PID 1076 wrote to memory of 4988	1076	Lgpagm32.exe	89
PID 1076 wrote to memory of 4988	1076	Lgpagm32.exe	89
PID 1076 wrote to memory of 4988	1076	Lgpagm32.exe	89
PID 4988 wrote to memory of 4640	4988	Lnjjdgee.exe	90
PID 4988 wrote to memory of 4640	4988	Lnjjdgee.exe	90
PID 4988 wrote to memory of 4640	4988	Lnjjdgee.exe	90
PID 4640 wrote to memory of 1664	4640	Mgghhlhq.exe	91
PID 4640 wrote to memory of 1664	4640	Mgghhlhq.exe	91
PID 4640 wrote to memory of 1664	4640	Mgghhlhq.exe	91
PID 1664 wrote to memory of 3204	1664	Mkepnjng.exe	92
PID 1664 wrote to memory of 3204	1664	Mkepnjng.exe	92
PID 1664 wrote to memory of 3204	1664	Mkepnjng.exe	92
PID 3204 wrote to memory of 1612	3204	Mncmjfmk.exe	93
PID 3204 wrote to memory of 1612	3204	Mncmjfmk.exe	93
PID 3204 wrote to memory of 1612	3204	Mncmjfmk.exe	93
PID 1612 wrote to memory of 3724	1612	Mdmegp32.exe	94
PID 1612 wrote to memory of 3724	1612	Mdmegp32.exe	94
PID 1612 wrote to memory of 3724	1612	Mdmegp32.exe	94
PID 3724 wrote to memory of 4524	3724	Mjjmog32.exe	95
PID 3724 wrote to memory of 4524	3724	Mjjmog32.exe	95
PID 3724 wrote to memory of 4524	3724	Mjjmog32.exe	95
PID 4524 wrote to memory of 5020	4524	Mcbahlip.exe	96
PID 4524 wrote to memory of 5020	4524	Mcbahlip.exe	96
PID 4524 wrote to memory of 5020	4524	Mcbahlip.exe	96
PID 5020 wrote to memory of 4968	5020	Nkjjij32.exe	97
PID 5020 wrote to memory of 4968	5020	Nkjjij32.exe	97
PID 5020 wrote to memory of 4968	5020	Nkjjij32.exe	97
PID 4968 wrote to memory of 1988	4968	Nacbfdao.exe	98
PID 4968 wrote to memory of 1988	4968	Nacbfdao.exe	98
PID 4968 wrote to memory of 1988	4968	Nacbfdao.exe	98
PID 1988 wrote to memory of 2092	1988	Ndbnboqb.exe	99
PID 1988 wrote to memory of 2092	1988	Ndbnboqb.exe	99
PID 1988 wrote to memory of 2092	1988	Ndbnboqb.exe	99
PID 2092 wrote to memory of 2344	2092	Nklfoi32.exe	100
PID 2092 wrote to memory of 2344	2092	Nklfoi32.exe	100
PID 2092 wrote to memory of 2344	2092	Nklfoi32.exe	100
PID 2344 wrote to memory of 556	2344	Njogjfoj.exe	101
PID 2344 wrote to memory of 556	2344	Njogjfoj.exe	101
PID 2344 wrote to memory of 556	2344	Njogjfoj.exe	101
PID 556 wrote to memory of 3588	556	Nafokcol.exe	102
PID 556 wrote to memory of 3588	556	Nafokcol.exe	102
PID 556 wrote to memory of 3588	556	Nafokcol.exe	102
PID 3588 wrote to memory of 2204	3588	Nddkgonp.exe	103
PID 3588 wrote to memory of 2204	3588	Nddkgonp.exe	103
PID 3588 wrote to memory of 2204	3588	Nddkgonp.exe	103
PID 2204 wrote to memory of 4748	2204	Ncgkcl32.exe	104

C:\Users\Admin\AppData\Local\Temp\c6c374b4fdde220024f380301c0d2410_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c6c374b4fdde220024f380301c0d2410_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Kgphpo32.exe
  C:\Windows\system32\Kgphpo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\Kagichjo.exe
    C:\Windows\system32\Kagichjo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\Kcifkp32.exe
      C:\Windows\system32\Kcifkp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        31⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 400
        32⤵
        Program crash
        
        PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3596 -ip 3596
1⤵
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kagichjo.exe

Filesize
1.4MB

MD5
2761ea05e9b1b01f1db7a19d7b0f80c6

SHA1
369574d8bad098be2104cf2ceb4a46cb71029d03

SHA256
87fe066577d63ab8cfbd2326a8978b56b7a3c2b2466f4d76e23b1b74db172798

SHA512
bf554dc1322a1abea5a53c56f1f244fa56490e0caecc7c7bd886bae877ecede1f33863679eb80617911b98994e5b426851dab3fcba24aa6dbfffedd60fa133ab

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
1.4MB

MD5
9b7462f75915615eb237529a728c9607

SHA1
174bdd1d664b0c21a9998ea6b920e82788a51317

SHA256
950e8de2da65b51e06d02f9d6ed99585e4dfa7fbd14254d504c95a1bbd107469

SHA512
3820d1d38a7f039d4557040ba70bf626aefaefd47988f02748103d32c576ca27b026c88cd3905bda3f70d26e8e47d0feae6e8f96f45fbbd07b11c3d3591a8aad

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
1.4MB

MD5
286c6d5eed00ea89431eb4ff2530e0e0

SHA1
adfa723b9c1cc25c2065a9019c19dc1f31c6b5b3

SHA256
359298375dad36c554ab5b8ef2dec663bdd16ffb713f92c17c50a74fdac36a0d

SHA512
27f20427ebedf8d47ccfef86221caa1ff468c5829a925f79c042640b859a52da77c19b9cecfadd0a436c370c04cec9b57ec77f23788537b40e8705bcd965da1a

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
1.4MB

MD5
fda2f3225240812110d02538b65332a9

SHA1
06df56f4bf7bedf0bbe91bbabc2e053a7785dd65

SHA256
aefd92acd77e2a42b41fc84a161580d304079ca84b484c1b9bcdc08499cc1531

SHA512
376c50d20c382a4909bfe7c3f865730111e13151ede63a5a1dace66ec241298192ad41a7a77e73e51624793854dfac5e6647c52d8921c9a26115d99f33761695

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
1.4MB

MD5
fe4374317d42a5bf93bfd64e8daf625d

SHA1
417dd2891d53539f43c193123dab0ea394b51ebf

SHA256
43f2936538e054ec95857afff19468f76bdf027fda07615e9cbeceb250920d21

SHA512
edf4416b6f9dfb537058ce7236488c427f3cc55a5f300629cbc6cb4131fa9dcb1bbb0e1aea5f93606d07fbeec0e89358120f5dcc51a273548d2827bf22dc4d21

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
1.4MB

MD5
e99fb14f11477be67321b0d9c64ae822

SHA1
9295d075bc7cb8a28027a2a1ddabb29209036bca

SHA256
b67c469e2b4ddc20779c320ea7f8ed5101d11cc01a6fa116230500db27bb70d3

SHA512
a51c424274af83834edffd6c3f0ce356014a8f9804393d3ea1ad23e68bc79cc93c911c23db6cf321958a5119a91e61d9cef5b0b8d8b89d8729542e5d2c4896eb

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
1.4MB

MD5
c56062297a3606aef7fb7976f6609c19

SHA1
d6ba53c8d6e801953319a19a0058b32bfed7b3ca

SHA256
e2a128ebc3ace63c56dd0a827dc4503f37b0328536d871f082247908a609b25b

SHA512
b04f6e9f4eb6e7a8628dfbd899adc5234ea6053faa25458635293b2f8b8b181df8e3d44e133cc96c7fa869c14c80fe93f63de773e9cc0b47285afa0627a8bda8

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
1.4MB

MD5
1db7cf2e45792dee18b6b382a4f89080

SHA1
82a48e972c621f29f075fc2875de1fb1c6af34e0

SHA256
189476a4de046cd0c6fb64454e8425f2e7881b63bda0a61807c5c105ba4b643f

SHA512
588fd8b8993c662b3b5ba33aec148d7304456bb8396ba804743a1768b5acc88cb7e6b65af2c66c809bcec1e9109fc385f2b1bb94add3a60e5ca2c088b33740af

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
1.4MB

MD5
71353efd9246cef336a8de94d742c2e1

SHA1
307ac6ce6d2c895288f244ff203d8fcb73017764

SHA256
ad820874d45bbda56fc3d92995a0e296a42004cc5d30fb7a3aa58a0822db4e51

SHA512
3b361b9492762d9cf8f28f7608f5cd740894d7e0f7375da70763882fd34fd3d703052db7d3edbe4a23e74be302686dd653541a88850795a3fd4375687e2a426d

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
1.4MB

MD5
c4c7795c32ff81cb779b3a07ec4b1bd0

SHA1
d9fa7a8c48382a1fbc5e866cd9d1eca2b334d408

SHA256
9a314ccbee3356b6c70961bc69179fed517d112aef7e8f1b4a8f04e93570ad00

SHA512
30aa3d24f7a0e607b4ad4a3995e87379b5ac7e21754c470f578bf709d5bb8e0bd489f8de9bf79927cb3f4c39b9a76f0409ea7026f71de97ecc688151d16c62ac

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
1.4MB

MD5
5284551804a38b6ea1265ffc0ae503d8

SHA1
3f27df46f641530174bde96b24e44c1eb70f2c24

SHA256
79be4cbd7033f42d743e782f13ab54fce986431da501687641ea4d3698389360

SHA512
21f4499a8bb85c7f089429b9622cb77e68ae665aad10aeaa0445ecb1d75159b90ee0dda7a4a5fa3df31ac7d2adb7cdbd8a3185b73d2f19f94560cfebd5931580

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
1.4MB

MD5
c688ab8559807b267a20d893b551596c

SHA1
e3f7e5eed43f0135e664dae4d10ac1ec3d77e75d

SHA256
da7a0b622665afd904e11e3794cfe228907d8be5ae7124bd6e479a04e5f1aba0

SHA512
1af9016bfebf4d06f3a5b3b758795987997fbe7cb515301cf8383216be6a2f2c0d27db9d6233ebbaf990a7d77bd9e7f79b2dd2b07062189408dd85a658c80191

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
1.4MB

MD5
1816aaf5ba925b0f20a3ab7d89b6efc2

SHA1
57c1e5367ea93f5d7eda17216849317080735cde

SHA256
06a87bc6dff54d0709f9ab2d78953424c8a6c4f162434ce3e4732f5dd1087842

SHA512
65a0abd9df76fe2a2fc57252c31f185308f27b49683ba27a5a3b9efa8d2bd23f4b5883e7bf987eb76ce3c27bbcc95fb5e2fdf1a27589c73ac8d29efb930aa63b

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
1.4MB

MD5
da59ef7455dbe18881cff772b1cfd30e

SHA1
5f457e18dbd1cdc7104da6511d99062ff720887f

SHA256
af8f4fe5a3cb3bacddccbb719a771a51e9bacff7d88a6dcd88b39d4ecb9a65f6

SHA512
d8781ab487947155df71c747a502b4963f9afa53ad0629f9a450b7db5a8f7217b13a0688b5bc256abc68991ecb158b641a6eaf46b1a0dec2eb83de7e49177466

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
1.4MB

MD5
41ca25aecfe73f9864aad426543c1592

SHA1
366f940b40740e547dcd61a602b14f82036a0662

SHA256
b37785889c19402db005a55e72c5a4122d97fff99250338c9cde79777f9ceaa1

SHA512
668328bc7e2b2983fc529f8c90489425d015000319d0e50fb8a420e0df0d9f3602dd7267dbd80d9e68adcb3be4e9755e8ad36a7ae04ba2ec437fa60edd6ea7a8

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
1.4MB

MD5
038f4111d4bf1da906bf808c6dadf88b

SHA1
53d98d5ade7baed156625b170d1b4ba8d4472a35

SHA256
7dff1311eb12703f9f4ca6465207ea9d7432cdc1b9f6e3abdb94d13491c344e3

SHA512
1399d17a2f6a0183b8e8faf2d6202774a410ca9b17372fe282e3ed96097a91160a2d6ecd97b88b8063a8818cf4de6b87f0d43bb37721ae93656e5ac379bc1fbe

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
1.4MB

MD5
009d2c02ce3df989b80cd66e06714a60

SHA1
75679cf39bb4ed2e4457a4f43a5465ab6235aff2

SHA256
05f1830d8987c7245993830bf684d5350a902cb8c3c0de89a4681ea4bd2eb2b5

SHA512
9c2ceff9d367d86f841ce0d252697cf3a0ba6f15b9aa81e8f9877dcdf5e337ecf49a93c8c22bef8348273c9663c840e9901a160d20f6ae2a040fd453ccc36507

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
1.4MB

MD5
25b1f8b8666598d7fad242bc20e8c16f

SHA1
b780ca87144ec9b763ec3e275c52120e86f7690e

SHA256
101cd546a4a9aa71fe0c9556dafc24a17515d6a457df7b5c71f86b2efcfb5282

SHA512
b364c8db03fc56fdfb58ccf4c8d65b9b68d589e7f1f29626dd28d051ed8b42eeb568cfd7d2fbbcacb6578dff0527e402b1cffced028e7924849d9b0ad3fe6cb7

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
1.4MB

MD5
58f60f3a505832a472928544200555ae

SHA1
eea06c507d7ab2cc08a7bb203dfe573b4eb2a5d6

SHA256
4c040b75008bb0115b7a987e700f2545785be3614c7500ae8cc4197b581a2959

SHA512
1c3a93a3e9bf84a2661cf207dff9bb51ca3f558a9b108a47e3f00292347e38eb9b211886163234a92a50d00f56d97567b50c9cdf0098125c722b16171b9623cd

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
1.4MB

MD5
bb0d6ee022cbb4e6acd2f67d2f5afadd

SHA1
acce255f87532c81077eb7f557993c3ec0668745

SHA256
fb6a4ef152cf67b0f948693c9815e6e8db2d72d222cdc2549bc0b43a857f8fe8

SHA512
16f182f9a5d59eaca9b3a6138503250f6b0cfe0502a4a5d55f0de372617ba946cab8b5f7ec22689c8bab30f16c85213611c791df263a1afa691a940525713c08

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
1.4MB

MD5
ef0a6256c7c8099db9581d8a05992bee

SHA1
4d7b76a945f5318fd4415f4796c8c5d7d699f355

SHA256
791ac94de893f60818de1af507fe04c38f72add0105e9f12e24b963ef4409954

SHA512
da030fc8faeeed9441d36f0ac5a6254e1738296b2568bba0d4a87cb5e8fe13f4d4f12d028c2e441b2545ffe26758eaf9e434b2d5781b377b02e62164255db1b3

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
1.4MB

MD5
e1e2d090a3fb01019ade08dcd3125539

SHA1
240109ec102f058d54011f69c53cf655c2eefecb

SHA256
7058ba2b2c00279fa3bd4253c96615a158c079293162d5fc8b29e0e30b7f5ee0

SHA512
49f4f6ded85dbc73b815f86790e0959a738f048da057808e20b7e3bee87d77e3b4715f60cf4084548f1d5265274825427effb9ad44d568ab1742143baa2e55ab

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.4MB

MD5
bb18405f3b81ab17633cbb98d73b2309

SHA1
516a92a1565c41d3227e0e067a71f3e2d65d68b0

SHA256
afa4970b8851c27e65a917dbd5bf8173bf88f7f7cdcfc1b1ebc8018ec283f499

SHA512
3352d9f3b18a1f4d6dcf3a5dc368c79fbb7839a895b9c46644e18dd3dbdfc8b3b1777c0cf440ee96e61a89c7d8c8ba7afd6275d6c35a639f3e922aa947ccca0b

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
1.4MB

MD5
c930e58cb99ecdb48e8d95ba53ce8e8d

SHA1
a4acb636a8cc3c3a274164a543ba792464295e0f

SHA256
971790972f56d33a1e37055044b7283d02ad4646379b002cda3f729285eeaa0f

SHA512
61d3342ce16c077598a88d1f2b9b051d78a7318188cae69577a35428e4837562f0ab4222f491b5bf3897c004be9a5686795aedc0592cef4fe210a297f0296785

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
1.4MB

MD5
e1b91d05de4c15a23ce32e164f493652

SHA1
25f6cb31a40c614ab10f953f5427b003898cfeec

SHA256
b51add30b19d08b457367d21438dc79d3e07124ffd2a43a15684ed5dfb66a1dc

SHA512
ee0d615a1fc91819e07601c68618626f7f2f06e13c4ed7a76b01a0c36d38ece1573ccdbb589069ca3101dfbf2309f2265c804c90e26ac9fa7cacce60227f75fa

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
1.4MB

MD5
275bc5fb55067abf76b35656c3bbbed4

SHA1
121c1ce74019991b311a7356759f92cc29e41ecc

SHA256
62cc36482c84e70fa95d4e1a7ec66c5fecd8dab55816f8ac2d06b42ecf43b42d

SHA512
89b3795b1873693916a16d4642a6dc7ad7941ea09f15b37dc46bcd31ab346b6465f8f219748b56efa5af5f03c58afd0b88745c9a6d9d545b16012be880a99b75

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
1.4MB

MD5
a1bc1c6563459a2f34f9f3e1604adad0

SHA1
e47da1a62c70a2d9ff1c692882602175c960e4b9

SHA256
3869e0825138731cc615cad78e45a4d9697d26b20699f678cdd76962832ae81f

SHA512
5a9a81f0b7e5f6f80099b277269e69138a697de62ba9f6f8ea62720430017d9803f6318b1d7096d5b91caa292d4c50f672834caea818c3e83105a47fd5d21e74

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
1.4MB

MD5
0028b79181ea38e99d8b6154ddce3158

SHA1
5a499b27ea0da5670d3750524354bb6e8c4660fd

SHA256
ce5ad9493d4e6a7b9097cfd1a22fc635da566c80eca46907f28497456b9a3838

SHA512
b9399b714f288fcfd4f8435712541d4684c6f75fb2a3773362ac4bb3dac0f1d481b34e6dc1617c7a948ac4ba43353f72749d4d6867229a4c65550af0fe28a993

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
1.4MB

MD5
f353c76772a5447f7aff5db5d3ca8e7a

SHA1
389975cc27b6df374da8771a26ad8e94ed4b7a9a

SHA256
66e08809ac86e04dd4036e08c8f4399b306a90a5ab4995ec4bf608f2004676d7

SHA512
e2964f7a52018674acfaa21e798899f0224d818aed6c52d21794614ef86f1c54618c335295ca28b5e4a897676a84c088f29b247ca4c7aef5f525f8ea32b65cb2

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
1.4MB

MD5
ab26eecc587fd812340def09fdb37645

SHA1
8160e66d3210f65f9d9663861d65e959788407b3

SHA256
4eebad9eb8489b34b73a1516501b5e43b57c70f98a08b5b64fa25fa43f4c3170

SHA512
39aa7a4be8be56b4468e09169d1c28f5241d923e9b5a3fc1b61ffa03f24d7b602b11d54cc3234cd8b6bae5292118e00a3c768a085f184ea74500057db17b0c6d

Download Submit
memory/60-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/452-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads