010859ebe17b13d58bb31e6246dafa8aff3bf68a29a95c718546647b3214ba73

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
Size

64KB
MD5

c384c52b57f05af182d8e8df095ae680
SHA1

519b9547fd5b50343c1b8e081ea7221e782b7550
SHA256

010859ebe17b13d58bb31e6246dafa8aff3bf68a29a95c718546647b3214ba73
SHA512

7560b90b0d8b1e4389f663aa8edb75271bdd870dbe6d11ac8a144adebe3e2e5a3e22f67efc9adbfc514a505b087a01de77c9363fed8e4e8512b3bae24a6432d4
SSDEEP

1536:69XNavaEwHfHHkYy2DZ/c+j1lxvYZXUwXfzwv:mdCW/HHxZcabdYdPzwv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe

Executes dropped EXE 27 IoCs

pid	Process
392	Lcdegnep.exe
1352	Ljnnch32.exe
4816	Laefdf32.exe
3180	Lcgblncm.exe
2164	Mjqjih32.exe
2996	Mpkbebbf.exe
2424	Mciobn32.exe
4488	Mnocof32.exe
2436	Mpmokb32.exe
548	Mcklgm32.exe
3288	Mkbchk32.exe
3472	Mamleegg.exe
4796	Mdkhapfj.exe
4024	Mkepnjng.exe
3972	Mncmjfmk.exe
4960	Mdmegp32.exe
3900	Mkgmcjld.exe
1280	Mdpalp32.exe
3956	Nnhfee32.exe
1160	Ndbnboqb.exe
1172	Nnjbke32.exe
4928	Nddkgonp.exe
4168	Njacpf32.exe
428	Ncihikcg.exe
224	Njcpee32.exe
4288	Nqmhbpba.exe
1876	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1624	1876	WerFault.exe	107

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 392	2324	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe	81
PID 2324 wrote to memory of 392	2324	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe	81
PID 2324 wrote to memory of 392	2324	c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe	81
PID 392 wrote to memory of 1352	392	Lcdegnep.exe	82
PID 392 wrote to memory of 1352	392	Lcdegnep.exe	82
PID 392 wrote to memory of 1352	392	Lcdegnep.exe	82
PID 1352 wrote to memory of 4816	1352	Ljnnch32.exe	83
PID 1352 wrote to memory of 4816	1352	Ljnnch32.exe	83
PID 1352 wrote to memory of 4816	1352	Ljnnch32.exe	83
PID 4816 wrote to memory of 3180	4816	Laefdf32.exe	84
PID 4816 wrote to memory of 3180	4816	Laefdf32.exe	84
PID 4816 wrote to memory of 3180	4816	Laefdf32.exe	84
PID 3180 wrote to memory of 2164	3180	Lcgblncm.exe	85
PID 3180 wrote to memory of 2164	3180	Lcgblncm.exe	85
PID 3180 wrote to memory of 2164	3180	Lcgblncm.exe	85
PID 2164 wrote to memory of 2996	2164	Mjqjih32.exe	86
PID 2164 wrote to memory of 2996	2164	Mjqjih32.exe	86
PID 2164 wrote to memory of 2996	2164	Mjqjih32.exe	86
PID 2996 wrote to memory of 2424	2996	Mpkbebbf.exe	87
PID 2996 wrote to memory of 2424	2996	Mpkbebbf.exe	87
PID 2996 wrote to memory of 2424	2996	Mpkbebbf.exe	87
PID 2424 wrote to memory of 4488	2424	Mciobn32.exe	88
PID 2424 wrote to memory of 4488	2424	Mciobn32.exe	88
PID 2424 wrote to memory of 4488	2424	Mciobn32.exe	88
PID 4488 wrote to memory of 2436	4488	Mnocof32.exe	89
PID 4488 wrote to memory of 2436	4488	Mnocof32.exe	89
PID 4488 wrote to memory of 2436	4488	Mnocof32.exe	89
PID 2436 wrote to memory of 548	2436	Mpmokb32.exe	90
PID 2436 wrote to memory of 548	2436	Mpmokb32.exe	90
PID 2436 wrote to memory of 548	2436	Mpmokb32.exe	90
PID 548 wrote to memory of 3288	548	Mcklgm32.exe	91
PID 548 wrote to memory of 3288	548	Mcklgm32.exe	91
PID 548 wrote to memory of 3288	548	Mcklgm32.exe	91
PID 3288 wrote to memory of 3472	3288	Mkbchk32.exe	92
PID 3288 wrote to memory of 3472	3288	Mkbchk32.exe	92
PID 3288 wrote to memory of 3472	3288	Mkbchk32.exe	92
PID 3472 wrote to memory of 4796	3472	Mamleegg.exe	93
PID 3472 wrote to memory of 4796	3472	Mamleegg.exe	93
PID 3472 wrote to memory of 4796	3472	Mamleegg.exe	93
PID 4796 wrote to memory of 4024	4796	Mdkhapfj.exe	94
PID 4796 wrote to memory of 4024	4796	Mdkhapfj.exe	94
PID 4796 wrote to memory of 4024	4796	Mdkhapfj.exe	94
PID 4024 wrote to memory of 3972	4024	Mkepnjng.exe	95
PID 4024 wrote to memory of 3972	4024	Mkepnjng.exe	95
PID 4024 wrote to memory of 3972	4024	Mkepnjng.exe	95
PID 3972 wrote to memory of 4960	3972	Mncmjfmk.exe	96
PID 3972 wrote to memory of 4960	3972	Mncmjfmk.exe	96
PID 3972 wrote to memory of 4960	3972	Mncmjfmk.exe	96
PID 4960 wrote to memory of 3900	4960	Mdmegp32.exe	97
PID 4960 wrote to memory of 3900	4960	Mdmegp32.exe	97
PID 4960 wrote to memory of 3900	4960	Mdmegp32.exe	97
PID 3900 wrote to memory of 1280	3900	Mkgmcjld.exe	98
PID 3900 wrote to memory of 1280	3900	Mkgmcjld.exe	98
PID 3900 wrote to memory of 1280	3900	Mkgmcjld.exe	98
PID 1280 wrote to memory of 3956	1280	Mdpalp32.exe	99
PID 1280 wrote to memory of 3956	1280	Mdpalp32.exe	99
PID 1280 wrote to memory of 3956	1280	Mdpalp32.exe	99
PID 3956 wrote to memory of 1160	3956	Nnhfee32.exe	100
PID 3956 wrote to memory of 1160	3956	Nnhfee32.exe	100
PID 3956 wrote to memory of 1160	3956	Nnhfee32.exe	100
PID 1160 wrote to memory of 1172	1160	Ndbnboqb.exe	101
PID 1160 wrote to memory of 1172	1160	Ndbnboqb.exe	101
PID 1160 wrote to memory of 1172	1160	Ndbnboqb.exe	101
PID 1172 wrote to memory of 4928	1172	Nnjbke32.exe	102

C:\Users\Admin\AppData\Local\Temp\c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c384c52b57f05af182d8e8df095ae680_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\Lcdegnep.exe
  C:\Windows\system32\Lcdegnep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\Ljnnch32.exe
    C:\Windows\system32\Ljnnch32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\Laefdf32.exe
      C:\Windows\system32\Laefdf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        28⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 400
        29⤵
        Program crash
        
        PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
64KB

MD5
c8544c850a844f8f902af49eeb9ba7c7

SHA1
f277bdb2abcd044bda05fbd77087dcc3bba28cda

SHA256
594fd036274ffe2a0a5d23f6959f28852a58d4e419e5215435bae1833563c56c

SHA512
1f7cb7a3ae78d6c00f63a93a8cd9e9b4369fd09898450d0719d89815552a84c39956ce26af0e3b0b04de9b5bd7f9c51ed6c9601cc8f52ef148f7144646d7611e

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
64KB

MD5
58914060fff16fd2ed08a40f630d755e

SHA1
42293490a65a54f3fce6d2b447faa9fec137c464

SHA256
e92759b238e5ec8fa6f770a319fa3563db5db340ea1439c627f9bc60ae786ad8

SHA512
03aaece04457c68c117efe5bd5a8557f8dde44618d79cf245de8c61ffd97287bc840c74675847274f3e371215ae84cb6b4f0a2708d00c5450742cc0b1aca7b09

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
64KB

MD5
07c8b8b8361ec91f8faf6953522840b9

SHA1
d570fa04a2ed0bf687d8c33f9a4788f4a4d4f808

SHA256
551c39627559b6fbe031818f56801256f8d0d16d9ee1df7bcfc0d6d582f4c06a

SHA512
eb3c7a250364683257d54d82a95c2d4c5b60694a414f954ae80fd2d4fc6bc6024c0a8fe084a5679a536e4642f3ff3a0f8f73bdd63d8f5ffaa4975d25058945d3

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
64KB

MD5
7168fca274ea6df4c8273a87644570fa

SHA1
10aafb6bfc53285b2d7ca3a8767b75c540e0e0c1

SHA256
1a72dc81ba98cd90d9534037395a9a71d2d2a1a14e2dca3d5b8dc5be2609ccd6

SHA512
3f4ad599ee79194453ae8f28bb7dabc3f18bbea78d0214f9b46d0e5c67a63f97f76feca6282fd2d5562d7bd330ecfcd052c4f0dead089ad3403c4326730f75f1

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
64KB

MD5
ab1058364f6199d82da143d8bed74ec1

SHA1
050e8393fa722c59c1d9a7ca1ad60de77a670e14

SHA256
c7bbc406ba39af13df10b99fdada94ecdb0f9c1ae920abdc4cf51224843f6c8d

SHA512
04cef002e751c35ac9296370de82873c3a8314799250fa008d3b61025baa243ee2b455a2e6963b442d123ba3d45ad71c7ae9d90d2e26f90386eb238b8e7ebb49

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
64KB

MD5
864e6a3e3e613cd603782d9c739fae3a

SHA1
5302b8ffee45aea2d7935687345e0498fa79d126

SHA256
0244de3ff36d5f620e3253c9f7854ef577265ae8702637ac665d91bd1434ecd8

SHA512
16c11e0f0106ebf30a19e1a5b04fe269b1aab5983c32f40c1c4d474f25fe62fd9949a7086edefc683809f7e5fce9fedc642a73d200181465ca9bd3255ab4e959

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
64KB

MD5
dd2c738c07cc155d4c4a7fa2f61fdb7a

SHA1
8f73c5a407b6038c4835366f9a15d7c3e4fb3f99

SHA256
899ddbb802f0e50f03f7592ed216ce0021b33930b93bee06fba4373e579a8d65

SHA512
58f22c282dd1fc5d077f3acbf5d1979ef291c3e806ab3b409254626d6f1b5d9790bc0e0bf70c731308154145c64187d0c1fec3359c38469600136ccc2bcf13c9

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
64KB

MD5
b6245f5e6b99210e56308714c2d9d64d

SHA1
90f7150cb9e039aa64adb06e36eed9ec98b984b2

SHA256
3fd4f972af910e9935f407916f88938b681478d1babfb472b61b886a30f8079c

SHA512
5dcb349d9c831744bef8349cf08ccf41fd42b2381f0f3132d0512ae4d4c8dd358003be2f428e948d99c3ad0c62889af5e1c3c09652dd680578a2f45067955042

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
64KB

MD5
c93c73195f2389bce1a82813d62cbb5e

SHA1
d5ec48447482e63a3990dfe12582b032191ab773

SHA256
38d0e89971038dd9b1e885dae3dde7c3556b217087be4b72cf80b1486531aa76

SHA512
d1d7d462774cb58063bb8036326871d60ee69b2ad478a3f89f727058ab280c675b847055dd62f5e17bdebe48452ae7631817c3eeed48d53ac45c62c3dd6dcd47

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
64KB

MD5
5221714a26092ba4ef4a28848a84e42b

SHA1
003e6f68bdee0005ccdc3153dcac50464083de86

SHA256
7bcca542440873a945c5ae9f73f42af65023c0180a25da4712e4249b3b95741e

SHA512
c57b8c1405f37eaa6e850e7a09990121ea78763e6a19a5021410e6d51dce179f53c8024c6f8f2fbd14332c103c08baca109d11d63ade6e8a6b398142a84b7b8a

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
64KB

MD5
280a86d18e82d3d47bed86a3991ca587

SHA1
d2e82af7ecb37f4d1d4d2d110cc573896ae7c795

SHA256
55436d5f32d953904c32ef0bc4e785940e3ac08e139dc0c57d0da6c02240783d

SHA512
61e792bf88342662fadfb741e0f333a82a6b8906b4e6cea6eb029e3a8c0e9d4a46c9d13774a32887438f2eb4277d1924cb3af51161032019f6cea880d8d0f206

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
64KB

MD5
d0c2921f2a05ebe09cc9259e9dd69f0c

SHA1
af4560e5dd6f89cfeace9ea9fbeb0123048af446

SHA256
d43df6fee8ff39fd1835817223ec01c8913aaab32f8da88c7a9a0a40be14726a

SHA512
3686b4a6b9534164aa7926c32aca7f06ebbf047994a4c9d27f53c46ac14bde31ca4d79f32f2fae0ce0f47014bb7a5d67f8ce6f36254e3a1f2fbbddc791920c9f

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
64KB

MD5
224afc07c39f51822992ad0d9ef648c0

SHA1
5ba7634fe517f4ab341c6127faac07f23efdc6a4

SHA256
9412c3d2e8c4d8ce916f6bffeff30f742258bc74f03e38b710a27d13c53570c7

SHA512
ba6c7cfadc44c3473b7875444608ae347b182fe59d59798a25feb553d16a7db4ce84f14e4daf8e3c31afb9c78a8964fb2e6e541f042330125652b180914af295

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
64KB

MD5
a0f450887769bbd16fed380f37f77f72

SHA1
66fc3b8c38df1f4139af3e68e02acba3f600dd83

SHA256
0703ececcb1b4cb5e3236d25ca074f027e09766cca7000824ab8b37328a689d9

SHA512
822fa91a695c1bd5fc1d0186202ec49be5593e9d2cf64b3b3d7c13b58969bfe7b176447659035f945759a08c51ec5015f220ba974c93763efe52a64b19e3886d

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
64KB

MD5
5d49f5833e4e71e103eebfb89d2de746

SHA1
8d440014e7d14b4d23bce5e0a802abe5dc72d509

SHA256
109f6610c796c17f9cd913051f9cee025750935af5bf94b2d494e4468149c1cf

SHA512
dd67d57349a0997cb4cdd429b7b982130421844e6e59db5208e9eb533cc77e2124b4f64704ab0f5d597aff975364ca66be436cc28acdf98cc1dddc29016385c3

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
64KB

MD5
2ab738055542e9bcc4ac88e37b6e90b8

SHA1
6392216b459495cc8cf20e1c6b113a12e12f99d1

SHA256
c43435de717e1b56bba23bdc02b7df110c64bb6e42e019743622d8ed95206c5f

SHA512
214b226d200e5e248fb8c46553958103800a75078a908ae1f6a39ed2cb031e04778795dba40ed6796d0e57044fb7f35640fdf479fbd144ee6b8fff8332b12f97

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
64KB

MD5
9aa0f42742b600be520c141c4220d1f3

SHA1
b87c050aae202e1b9a92f41076611d4e2b7e617a

SHA256
01efc07c5af1137066ca3b317d1fc605f61b73ec496eac73fc57d812ad658471

SHA512
b88836dc55c997a2f24a89c099b2f1dad891a0173adc7d28e6e25cc283cbf2dcd68e8b266f5c91d7746e088f05586d5c4cac2080cf6efafe2200b69d5c1f86bd

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
64KB

MD5
fc611a8ba40a4352e624943f8fc23d3f

SHA1
8ee181c1c0e3be067dc37b1c7148497f55f2919e

SHA256
329e9249a36b8135a9f357a724c5f369f4a9b26fcbd5b2d4ba682492938c4e40

SHA512
55298b48284b3187aa43a0650e4c1a165f0519554686ebaf812044b217dcd3ff5c23686a13524fffab30dd81f3e58993e05abd694e0ddb891680d5381b0cb402

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
64KB

MD5
1ead55691263c77d142e337aa7cc5879

SHA1
66745af3fab129d2d2000f15ab08b7cc4cf24089

SHA256
9c29756ec0c5fe986f985bc0b0acbb14dd68ae3686edd7ed2fdf872c7c1f4194

SHA512
9a0a64c8d554354f96771df8c6d4c42070003c7ba1d12054974189fd2caacf5d4fbef8bc19a5161b025a5acf6733bdfc0ec51190295d2da9b92607afb44f60d3

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
64KB

MD5
ff54e8ce740a44237247e6db9ee0d9a7

SHA1
05b5b48e3afc973c4e219dd8da2e55a222d6c5d4

SHA256
491aa470a611621e222d75a0545c1847da0dc3a3a036028621a6e22e40d4f081

SHA512
f83c0414d06c84b2f03f52c7a2e6ee08858edccb81970c62e0792460e722518bbcdfbea1d4152320035ae391a18f0619704828ae96aff40cce2a8c79d72257c2

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
64KB

MD5
cfe6620dc51baf8d955e275e6673cdff

SHA1
fc8ce902333f069fc4e9b09be6985957ef95c480

SHA256
8827e390735c534d38a27c4ca7645ca438180282f2d031f563b4d70705940cbd

SHA512
667efde565ee47816de2561a53b2385a61a80cf57c6cc58bb2c8cb9f84501e7a7580377291b50e415f2fa7e44633550dd2e6dafb67419b7ab53818d00d2a7107

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
64KB

MD5
62980df1bc1657e010a874ce80284c3d

SHA1
b85f0aa983270ea04efed8e25eab7946153ddc0d

SHA256
ecc434dcd957846c008a7c2d296df019ae3f03b93513d8c360fda38657306bd5

SHA512
f5035d0a3fb1e5d41df3537739a67945b1c76874943bd1f46764e5573b80c247752da91be83778ed29546c79c50c5d5fb73ff5ae2a0c008b184138ce0ad7d56b

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
64KB

MD5
f2e9b4f72c3cabcd6337bd8125b1dd07

SHA1
cd0ef003c918592adf6bdccdda2abff6569def62

SHA256
effc13e5a84e0af6553d7608e6a0f15432653f091d0255aaccc639964a88fb7b

SHA512
f61147659ca17016046d8f1cc142c526df780ecfff2e4156b84b0a4d65e4575e5c63a63411dae78dc2e19aefe8339dee1e31e3ad66c552986d26c106367ea0b5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
64KB

MD5
238fea0e46006aeb4d21c6aadd2b17e8

SHA1
592298067adce790761489504b9f533d61d033ec

SHA256
bca649e968fe060d18decc7e04946099042b2b2b98c21957908abb5e30069a12

SHA512
61bcf4f4b4d97da66d26f0535b0564e58a0c6b20004986503015fcb6a2eb4e713ec06a76f178f6d4b8260ffcbecc3130ba2d19b4e532fd4968f78fb01b0901cf

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
64KB

MD5
5f745ce5eae38f628ffa0ae9b7812bba

SHA1
f55eab933ddd108cf4f5b87631bd09b24c8e8e8a

SHA256
56e036bfd06e89bb8ff03f527d2bef53271dcc14e1831a4e3821e21ee3d0e7f5

SHA512
20f1bbd8df5c452b5cac3066cab2b431eb499984178458419b64872eda91e2b1c0763a1c4de79f68b5ffec45da9785eaa99ee857acbd0fbddbcb35045ac01cbf

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
64KB

MD5
0beff26ef39e015c527d8e595b9483c5

SHA1
e775317ee452eacfb2af0edb25d6f589e5ac6771

SHA256
60297f5f8c6a6d077f6a4acccf8fe373e29034d621896cf4a601f40cb8098817

SHA512
f4a076d025d12c913823f893bb26bc3d9350fece888db776da1aaa54a4469081781fda91e4af0ccd4eeeb7a5c6f870b3ed57a4227b6a3f58d5824cb73e434256

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
64KB

MD5
c23e1752cb45d9424086ffc6c1d731c9

SHA1
c66cf36cf85a35ef05441ab98e5be0605c64db3d

SHA256
2644776a49a0e1d9c1ceb63d31a964cb130b3bc0e0c14bb9869b0da3a8ccece0

SHA512
aef3bfe34ded4603ef9ac40994093dc2b5f67fe3b2829a9f4b4914dfeee1c2eb85a9111b2ce27dea43de5cdd7ee9f620a7fa9be07e315489bebe4d2889ba0268

Download Submit
memory/224-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1280-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1280-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4168-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4168-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4488-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4488-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads