847c051408cc4ae340637584691366e6f75bdbb7289cd88bba8dc388d7def982

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe
Size

2.7MB
MD5

11fdeada52c781d933d23ec4cdd0dc80
SHA1

764491bf8bf1adaa3eeb812f916d85260b879ccc
SHA256

847c051408cc4ae340637584691366e6f75bdbb7289cd88bba8dc388d7def982
SHA512

acb9f397e8ad70a5c54af411c976eda885ba69ed5136434629b19c5616b1da6d4daecf2f6521b58295ff95ece65ff579e75c7a83b95962f9431bc2009b3b6eb0
SSDEEP

12288:+HevEDVqvQqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:OF5hqEfAL8WJm8MoC7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe

Executes dropped EXE 30 IoCs

pid	Process
4296	Iiibkn32.exe
1340	Jfaloa32.exe
696	Jmkdlkph.exe
716	Jpaghf32.exe
1612	Jkfkfohj.exe
2816	Kibnhjgj.exe
1996	Lkdggmlj.exe
1672	Lcbiao32.exe
2888	Lknjmkdo.exe
4064	Mkbchk32.exe
3388	Mamleegg.exe
2456	Mkepnjng.exe
2836	Maohkd32.exe
2700	Mglack32.exe
816	Mnfipekh.exe
1368	Mpdelajl.exe
3632	Mgnnhk32.exe
1836	Nnhfee32.exe
4084	Nqfbaq32.exe
3556	Nceonl32.exe
4316	Njogjfoj.exe
3588	Nafokcol.exe
4708	Nddkgonp.exe
4484	Ngcgcjnc.exe
3840	Nnmopdep.exe
5044	Ndghmo32.exe
1568	Ngedij32.exe
2436	Nnolfdcn.exe
4100	Ndidbn32.exe
4872	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmkdlkph.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lkdggmlj.exe

Program crash 1 IoCs

pid	pid_target	Process
812	4872	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4296	4112	11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe	82
PID 4112 wrote to memory of 4296	4112	11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe	82
PID 4112 wrote to memory of 4296	4112	11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe	82
PID 4296 wrote to memory of 1340	4296	Iiibkn32.exe	83
PID 4296 wrote to memory of 1340	4296	Iiibkn32.exe	83
PID 4296 wrote to memory of 1340	4296	Iiibkn32.exe	83
PID 1340 wrote to memory of 696	1340	Jfaloa32.exe	84
PID 1340 wrote to memory of 696	1340	Jfaloa32.exe	84
PID 1340 wrote to memory of 696	1340	Jfaloa32.exe	84
PID 696 wrote to memory of 716	696	Jmkdlkph.exe	87
PID 696 wrote to memory of 716	696	Jmkdlkph.exe	87
PID 696 wrote to memory of 716	696	Jmkdlkph.exe	87
PID 716 wrote to memory of 1612	716	Jpaghf32.exe	89
PID 716 wrote to memory of 1612	716	Jpaghf32.exe	89
PID 716 wrote to memory of 1612	716	Jpaghf32.exe	89
PID 1612 wrote to memory of 2816	1612	Jkfkfohj.exe	90
PID 1612 wrote to memory of 2816	1612	Jkfkfohj.exe	90
PID 1612 wrote to memory of 2816	1612	Jkfkfohj.exe	90
PID 2816 wrote to memory of 1996	2816	Kibnhjgj.exe	91
PID 2816 wrote to memory of 1996	2816	Kibnhjgj.exe	91
PID 2816 wrote to memory of 1996	2816	Kibnhjgj.exe	91
PID 1996 wrote to memory of 1672	1996	Lkdggmlj.exe	92
PID 1996 wrote to memory of 1672	1996	Lkdggmlj.exe	92
PID 1996 wrote to memory of 1672	1996	Lkdggmlj.exe	92
PID 1672 wrote to memory of 2888	1672	Lcbiao32.exe	93
PID 1672 wrote to memory of 2888	1672	Lcbiao32.exe	93
PID 1672 wrote to memory of 2888	1672	Lcbiao32.exe	93
PID 2888 wrote to memory of 4064	2888	Lknjmkdo.exe	95
PID 2888 wrote to memory of 4064	2888	Lknjmkdo.exe	95
PID 2888 wrote to memory of 4064	2888	Lknjmkdo.exe	95
PID 4064 wrote to memory of 3388	4064	Mkbchk32.exe	96
PID 4064 wrote to memory of 3388	4064	Mkbchk32.exe	96
PID 4064 wrote to memory of 3388	4064	Mkbchk32.exe	96
PID 3388 wrote to memory of 2456	3388	Mamleegg.exe	97
PID 3388 wrote to memory of 2456	3388	Mamleegg.exe	97
PID 3388 wrote to memory of 2456	3388	Mamleegg.exe	97
PID 2456 wrote to memory of 2836	2456	Mkepnjng.exe	98
PID 2456 wrote to memory of 2836	2456	Mkepnjng.exe	98
PID 2456 wrote to memory of 2836	2456	Mkepnjng.exe	98
PID 2836 wrote to memory of 2700	2836	Maohkd32.exe	99
PID 2836 wrote to memory of 2700	2836	Maohkd32.exe	99
PID 2836 wrote to memory of 2700	2836	Maohkd32.exe	99
PID 2700 wrote to memory of 816	2700	Mglack32.exe	100
PID 2700 wrote to memory of 816	2700	Mglack32.exe	100
PID 2700 wrote to memory of 816	2700	Mglack32.exe	100
PID 816 wrote to memory of 1368	816	Mnfipekh.exe	101
PID 816 wrote to memory of 1368	816	Mnfipekh.exe	101
PID 816 wrote to memory of 1368	816	Mnfipekh.exe	101
PID 1368 wrote to memory of 3632	1368	Mpdelajl.exe	102
PID 1368 wrote to memory of 3632	1368	Mpdelajl.exe	102
PID 1368 wrote to memory of 3632	1368	Mpdelajl.exe	102
PID 3632 wrote to memory of 1836	3632	Mgnnhk32.exe	103
PID 3632 wrote to memory of 1836	3632	Mgnnhk32.exe	103
PID 3632 wrote to memory of 1836	3632	Mgnnhk32.exe	103
PID 1836 wrote to memory of 4084	1836	Nnhfee32.exe	104
PID 1836 wrote to memory of 4084	1836	Nnhfee32.exe	104
PID 1836 wrote to memory of 4084	1836	Nnhfee32.exe	104
PID 4084 wrote to memory of 3556	4084	Nqfbaq32.exe	105
PID 4084 wrote to memory of 3556	4084	Nqfbaq32.exe	105
PID 4084 wrote to memory of 3556	4084	Nqfbaq32.exe	105
PID 3556 wrote to memory of 4316	3556	Nceonl32.exe	106
PID 3556 wrote to memory of 4316	3556	Nceonl32.exe	106
PID 3556 wrote to memory of 4316	3556	Nceonl32.exe	106
PID 4316 wrote to memory of 3588	4316	Njogjfoj.exe	107

C:\Users\Admin\AppData\Local\Temp\11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\11fdeada52c781d933d23ec4cdd0dc80_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\SysWOW64\Iiibkn32.exe
  C:\Windows\system32\Iiibkn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\Jfaloa32.exe
    C:\Windows\system32\Jfaloa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\Jmkdlkph.exe
      C:\Windows\system32\Jmkdlkph.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
      - C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        31⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 400
        32⤵
        Program crash
        
        PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4872 -ip 4872
1⤵
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
2.7MB

MD5
d97c5055d644d6ecd9e0ca9fa921e37a

SHA1
ce14fcd9e840c5b167a1a799a23f8f8afdbba383

SHA256
0ab73099b1a81aecc85c33ab3ad352fa4351c32792fdbd74bf5ad8c7dfcd3daa

SHA512
6aa1685686e41e9e31bdda1a28f4fe62c8778683b6fe6970f882267763d90fb1c627b3e603d94500e359d6bf3c80085a253353ea9c438dd8cc925afc1e631433

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
2.7MB

MD5
3752791cd23db4c13e8e42270c43b09f

SHA1
b9f85a297b2aa1b91e6c6f5b8a72f6a7155e9393

SHA256
374de03cb61df870a48eb7c604eaed4544e07c2c32f9760577fc6a7e3f2aca4c

SHA512
3ee3341afeae90e153d7a93c190a9e5c7dcfcfe552558108e2c81befb79857982e171d30c725fc5b131614d04254b4bbf6892b978fe63d5d64c8e667e8f4fdea

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
2.7MB

MD5
047b4e559c24ae0a5b2b9052fc3cd445

SHA1
bdefe289114730f87079ccae28f60c3ac1a9e35c

SHA256
894ce3da56bcfba98f5eb1fc8c4993535712f67630dfdca9f0addfb6390c1f1a

SHA512
ece5d2d6f8adb42fcca34e320dbdf4f2a46f005002d37f4dc6f7e076b3ca893c93ccee50104837fab6d75556a5495ba81778610d69eb96c7d27311b47448f3e5

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
2.7MB

MD5
bbda6488fe9bd25153f89b64f67894c4

SHA1
0e9cc751ee4b8616f00b6d6dcdc86619c3920932

SHA256
6d51f560984c904298801e6f2dc4f769221b7df315073f4e2d3dc693d158f010

SHA512
54c93f878c3c2b75c702011c45afb11fb667cdd163fe680d0b55f5aa6d93758d60c34538412874e305441c8c1e35032c1059cd6095a42db3ecdbbcc539e55607

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
2.7MB

MD5
5583a9e79a3d67c2dd2d4645388156ef

SHA1
644ab1a2da30a5baaab6f9852de3418652ca6e87

SHA256
d41b1d0de0d3f629498654d536a4a815be654beb24b448c88a28d52552bb45b0

SHA512
347f74dc3b8c7d2d0d5500712b856b85e5eb3dadcbd312756555661a0041c4f0a8717b761f030eec7d1299b9fc7b102181ea5e5a6ec91e9c9bb75a453add7664

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
2.7MB

MD5
0fdcacc00b84d07fd7ab255399dfeed7

SHA1
8c4eaf6b6a1395e204f0f165f95e3e199cdc3797

SHA256
916f91fb96908bc65eaddac4c200a4540b246e69630f4c7b02c8d87147268fc3

SHA512
5192d8518b3a34ab6e4e06ebf9c36e06aa63b16e51764b55c893db0c83dd808ce5534ee103ec37d477ae00b41ff8b5b4d9133ea1660972b2cba49523af5f3f0a

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
2.7MB

MD5
57b6dd93adca8465457a33ce5051624f

SHA1
da3f9c761e1a3f241baefd1b585de8b3c87321c8

SHA256
0b166a7ab325ac3c078850d46a2025d566aee1df114ae73e279e49de9657d1a3

SHA512
b663690da0322e502f48c03e858640a33b3f9961c686068caf9ee5b9d6ea881a172b4a20e50d04d7e9748e0841bcc2d57f0c38a9991295912101a8f617e1409f

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
2.7MB

MD5
45a22eb6eb5bf84724dba6b0d3821dc5

SHA1
54fbe998e86da1ff65980731de87fa822b3cb2d8

SHA256
ba496ffd8d107a5791ce3a8e777919b55c91a4d9700bc125dba624606fb89e59

SHA512
e50d302bd8e0ab154a7f16595a328854c53a79be9d299b3a26784f470eed3be5a41dac79196e94ecaf27dfcbf5ec0b94f0dfec8000d3c786470c95b2731d7622

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
2.7MB

MD5
acad1f45611b3743dc357fc505f1759b

SHA1
df0fba340efdf3c69951264c43d6be2a21df829c

SHA256
d748d237a2f7c07cb59ce363b02f58ef0ad3c1236d4af38721e25fa2c73bdcf5

SHA512
ab423d8c529e771a683b2afef1f6df508b8bc1fd2246023de129972becd5a1d0a3afda6c616c76f7e0d8c8c6ad690eb2dd21a38afbdec3d0214a4c862cdea877

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
2.7MB

MD5
7ffa85e6b743200f01f05240caa7867e

SHA1
28e7cab78e80fb19bfe6d2750b898d1bdc46204f

SHA256
3d980547c44701b8774432862b1d3e2844abbc196dc44565bc778ed7581df07d

SHA512
2bb8b946c7155128f3e3d570fc6ba4fd33b9396696bbefd140f30c64bba8ae52e9ba70ecf6433f8ed4950f815f4475cc875099e5d0a2009ded74c0017f14642b

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
2.7MB

MD5
10f00a0239f7b4b1d665e7f012862436

SHA1
850b6c8b9b7cbe41e724b765ec9258e65396ee6f

SHA256
34929a77c00c3d4e23ef28252a92c50c9b62e7a868e2c714e68cc17159cc889a

SHA512
ca0cd207d687b7d0b3b80c5c3c8ff5737492343d1522c1472903ac0d53939177302b1338981bd3337c4ca11449549f0c42f20d457b14f4e7191609cdfb246812

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
2.7MB

MD5
999437c6c6d5d03208c95b4e113cb89c

SHA1
9fce2c280c29ca27012cf8e5b1a122215affa60d

SHA256
49cd14c731442cfa04aa364137e741cde7154e707c51fe3ec204a87ce653d89f

SHA512
8066c4b00a951fa97f127dfd6ac1f940894a5e7e9fda0d0ee3026337f2be9051fa95e6434c18d1c5c0c7e7842f9bdf10ef161ff291aa3d5911725d8acb56a79e

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
2.7MB

MD5
8e3079aef4fedf2ae54a43c909d8b1a7

SHA1
af337e49673e57204d80855dce9b6f2fffd5b75e

SHA256
7d64732f01fb2f8d7aa10a057a05870200890ac29b09cb065f0e1ddaaf7c582c

SHA512
8d715ef3a8d9e354bb6cea1e7841f3415cfadfcc80bbb52b278b97eb5fb37103a6d9ab64c073a1a439ab0345e8a697d463251ea70943d3d270400275bdbc46ea

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
2.7MB

MD5
765e53d5ae367375456625fb48d6b941

SHA1
93590007cf7639bbc3f566e8e869521e3603282a

SHA256
1e9d5a67f7eee3d259ae563264a519debffb463564b9800b3ec72e8d29b53af1

SHA512
a205ee8ca80049361a91115e73f34c9bbeadbb96a785b9bcbc260fc304e532e9fb93a7bba0b19a93e4679f4d0f087555586ba71de45bf03611a6cb2ec1dc10c2

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
2.7MB

MD5
4fa833ce5679c9210ef61daaa45bf481

SHA1
b52ce06c5d8ee63cb1a18b3e1c9c0137e70f0597

SHA256
37479ee8855a98efe387e72fa89df293bb84d63ebb59d5505347358f36d4dab8

SHA512
61e64e66b9f92285c8319fe8a2eb6d63678e4eca21a86bc27335095ef72f2fe183700957901bad6c58d614436b899d2148f1479ecc5a376c4d7f3f09353c4f84

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
2.7MB

MD5
a11381731361dbf4de556469e4a8da83

SHA1
a7a5d1887171646d96bcb0d14825a2cff31f4d71

SHA256
ff1e6a47cc3c5737f6bf5c6d61185ca85955958c7509b01cb22abff40d57dcee

SHA512
8ce2615396cdcaab7de1d85375e653945d5a093ecafd6c9775145b05280307d9ee9ff887bd151a127b820caa36e8dd6e103f0b7bd027e142ed57fdb299eccfaa

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
2.7MB

MD5
6f5f6602f9888b43677d81bc7fcc1be1

SHA1
4353afb66c7cda36ee46e8a9dcad9f13a187471e

SHA256
d52addd92635a70ee7998c7da33469008924d3bc93441fad252793d598b2e920

SHA512
202aabed819955397aa3b5becb05778d064390d715cd127ea774cf9a793dd9a194f87ea4200f5a2fb7357f793e67bbc5aa3c15fe47559ac0d75dd529cf4e874d

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
2.7MB

MD5
3e9c66fd9ad3b01877d5487bbcc7e1ae

SHA1
4fd38213d524021d162e23718890945c89ca3a98

SHA256
dfe63b1fd912792215471a6df9f256e80f3a35fc98e45f548aa33246b030c911

SHA512
103bdbbb49e5bfe56742b85761e608e7bf8a9000470a6cd7207052f1441fae0ea9cdbc2dd693a56bdce9ff67031c4bf6f7f5c6dde22c2e811e8026b1d37e86ca

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
2.7MB

MD5
036e8fd31c0413f0ecbc112ac88763bd

SHA1
d3f2fdba4d31f8ef832ad34e2ba5430db60dffde

SHA256
a62fd0d6e20a8babe297c87b6d94d71ac73e9124e16162d902d3e0c6ecbd7b6b

SHA512
9c36a500a868829fe34ffb3ed0da0f3867aecc2444813d3971e971cccd5180403e9b01c447b534951239b2ba6bd63b72004f727f055f78fec70725394126d052

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
2.7MB

MD5
65b3d6afb530c5f0f23021d8ea78ca01

SHA1
dd2ecf865a6812e34c362af8cb9c03f03b82d3a7

SHA256
061cde43ef438eb445ef41285b29d79d27990724e3ed5deccd7560cc1efd7d5b

SHA512
f6ade3714b5cf66016d69d93287e7819158d95e81ee4b1fd081aafcb3f223663c14451a3e35325957218aad0035211eec1d8a0fa9281bc9788bea273e39529c2

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
2.7MB

MD5
954302d93feaafddcbbed004abc2664d

SHA1
99d3cbd39fbbd445769c240726c479505f10d457

SHA256
7c35d9637c517183451c991463f840b5d0699cfa25911399d3c4ca0bfe4af516

SHA512
d215b1b6845f4e46b103d56c128eb79879de26428f6ae929e7d94b4940159583bee7084a95a32c43acaccc3879990cdfc7daac23791da17018b70d55becd93d2

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
2.7MB

MD5
2b41991c8a94528492e9da9de191a287

SHA1
07bd3b4ed37dc2d326f1dc72e9f97d75a1078cdb

SHA256
57e7719008e81d5216a213bfffd7e496590de2a157ecf87c01196034844fbd79

SHA512
7e0256570652a074c9b261a46cbf4b97208b16a9651af0e782790299d6e299977af1371a28b65fed4b47cee617bd529679ed87b97928c915333a97aeb0591938

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
2.7MB

MD5
424664dfb84d9e9942ce7e51df5de9b9

SHA1
b16c8dfaa1c0b0afcb03b4fdae6d10ae086ae600

SHA256
713072c29539a8a6b5ae7c611b4ccc411207d034252d033eb3e283e9885d83e4

SHA512
59c2bbd376786b58cff06087f36fb51ea0e2729a124278dc78764a530b004ff5c6f7cd33aa50074d8d56518be263a48b5c90be03f032d0563d32a017cb419aa8

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
2.7MB

MD5
c35a94e6ea4c6ec4dcf4e826ac4c9a3a

SHA1
f0016b6c5ecc2aadbeb4c29a8b49b8080e78a0c3

SHA256
659c1f5e2abb4a874ca303af2d2c2334cbce1c7c70c01ac3b1f398cda0ae4e7e

SHA512
63f6d1cce855625c4fe4e337c29035258ff3f2d61a51013d9ac8da1cd8233e6a118d4f70d2987b466bc0a33d672cf717ec809420710f8ea5826cda93a9d5eeba

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
2.7MB

MD5
cc3bf19f7c0fa01745b7a270fdd10e9d

SHA1
ccfde723bf384d1974732709bd99e7e972fe1bf0

SHA256
c4cc9b18c23c541e45be99601dce96d3b3e70931120a2946f73a270f4042bed9

SHA512
9fdd9e56d014fce43e4a94e6ff5cfd3498e7cc17568cef30cc3005ba79d22931ef1d1fd632e3a7693c6081cbe3c2777ab8865235badf9fcd9e5bbd0385c2a7fe

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
2.7MB

MD5
7f80a15748b941f4115db529a6fdaa20

SHA1
69672556151c5ed50d96e7fede17fb8f1b116138

SHA256
fb77cf0efc9cdd232f59ebee20793247d179af8e424d02e57515627051841bef

SHA512
62aca6ff156e10759d52dc17496d6b6dfb9246bcf5b9883b14e2441eddf0d7d3d2778e438dcbb3280fe483b8fe96fe6faf6e79a5d31f6fe7dec49ba1b4b95369

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
2.7MB

MD5
9628d0b09b5ddb61640f4c2262d5b15e

SHA1
9227de312764d49b1084df926a8c6c77de1ea668

SHA256
2c5ce9be87b5f7822ba35aa169d2e5db597646e50b5ad3e2c5647b1f5fc7f904

SHA512
97f6014336c8bcc04b8de1d25fe97d6caed592b292b0177f547f5bfefe350eb0d1a6063e0460c62d8c5483afb01e085bce373ac68926d977a7d1c343b6970713

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
2.7MB

MD5
de7735777e374713bfcf58237bddd7b6

SHA1
e14a91c2629c16efcb5519e14bb7f0cf68a860af

SHA256
2fa043ed07a4b6febdeb99d7031fb8030e7227f49cb95438c1391ed4acf8bb7f

SHA512
471dd60874623bcf647d60230264052733a58dbf6b70d4d69ebbe558113d3b94747c3a7ad74f9a621bd60237367da9e635b54beb0c7c0aff061e1dd9ee5a0097

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
2.7MB

MD5
eaa8b726b6805d822b68303797c568c6

SHA1
93d9b0c95816bed6401ac786bfa780d63868c6c2

SHA256
7f420a4b5b80d7d79f061695cd382e0b5a6eda9428c492ef324153c39c9c6170

SHA512
83804995b2a971ac8a49ba1d93bc64475ed0c3ae49b130f3270830507c115d8d22551a94d664a487184a0b35c5de42cb10194b25fcbf3d1d3d27d71862803a42

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
2.7MB

MD5
b44c4c175b2603532311b5b66e6143aa

SHA1
9f26ecb6e869b728a74c6c1a8e5895805d7507db

SHA256
25dcbd493f292774746327476056b6257bd29f645a0ee05dacb7de192a477d1a

SHA512
41f254d246b73898dcc29ecbcd051b3035e825ddf4e674f92dffa4ba1b3ddecd4d82a3330142e577cc659e11f3bde721d3bb4a8be4f3f176fc10bbf854af35be

Download Submit
memory/696-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4112-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads