2ae910af223a48c3adfdfffd0985ff5bab024d697716a9d8d80913bc54ea54d2

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
Size

55KB
MD5

4e05c773b7893145ae81a1e963bc18a0
SHA1

faeb9041d1b99b0ea7138cc0109e0946f955d6b2
SHA256

2ae910af223a48c3adfdfffd0985ff5bab024d697716a9d8d80913bc54ea54d2
SHA512

4e4e06bffa40038dcda7d3c9f7eb21986b488f285dc3db6786bb9dc0a2ee2ea14e50a0e8412b9d332b602823bd05e04c6b8f684b13f361be13936f97296de78c
SSDEEP

1536:6wbzfTj9PbcRXC+yEASfHJ5qIz7dv02LX:lfFCC+yEAwHJ5ffX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe

Executes dropped EXE 31 IoCs

pid	Process
4484	Lgbnmm32.exe
2460	Mahbje32.exe
3252	Mciobn32.exe
2572	Mkpgck32.exe
1676	Majopeii.exe
808	Mdiklqhm.exe
636	Mgghhlhq.exe
60	Mnapdf32.exe
2360	Mpolqa32.exe
5088	Mcnhmm32.exe
1016	Mjhqjg32.exe
2340	Maohkd32.exe
3848	Mcpebmkb.exe
1636	Mkgmcjld.exe
1528	Maaepd32.exe
1312	Mcbahlip.exe
5052	Nkjjij32.exe
4044	Nnhfee32.exe
1940	Nqfbaq32.exe
2644	Ngpjnkpf.exe
8	Nnjbke32.exe
4856	Nddkgonp.exe
4972	Ngcgcjnc.exe
4372	Njacpf32.exe
3768	Nbhkac32.exe
2388	Ndghmo32.exe
4644	Nkqpjidj.exe
4520	Nnolfdcn.exe
392	Nqmhbpba.exe
1592	Ncldnkae.exe
1068	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1764	1068	WerFault.exe	115

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4484	4056	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe	82
PID 4056 wrote to memory of 4484	4056	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe	82
PID 4056 wrote to memory of 4484	4056	4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe	82
PID 4484 wrote to memory of 2460	4484	Lgbnmm32.exe	83
PID 4484 wrote to memory of 2460	4484	Lgbnmm32.exe	83
PID 4484 wrote to memory of 2460	4484	Lgbnmm32.exe	83
PID 2460 wrote to memory of 3252	2460	Mahbje32.exe	84
PID 2460 wrote to memory of 3252	2460	Mahbje32.exe	84
PID 2460 wrote to memory of 3252	2460	Mahbje32.exe	84
PID 3252 wrote to memory of 2572	3252	Mciobn32.exe	85
PID 3252 wrote to memory of 2572	3252	Mciobn32.exe	85
PID 3252 wrote to memory of 2572	3252	Mciobn32.exe	85
PID 2572 wrote to memory of 1676	2572	Mkpgck32.exe	86
PID 2572 wrote to memory of 1676	2572	Mkpgck32.exe	86
PID 2572 wrote to memory of 1676	2572	Mkpgck32.exe	86
PID 1676 wrote to memory of 808	1676	Majopeii.exe	87
PID 1676 wrote to memory of 808	1676	Majopeii.exe	87
PID 1676 wrote to memory of 808	1676	Majopeii.exe	87
PID 808 wrote to memory of 636	808	Mdiklqhm.exe	88
PID 808 wrote to memory of 636	808	Mdiklqhm.exe	88
PID 808 wrote to memory of 636	808	Mdiklqhm.exe	88
PID 636 wrote to memory of 60	636	Mgghhlhq.exe	89
PID 636 wrote to memory of 60	636	Mgghhlhq.exe	89
PID 636 wrote to memory of 60	636	Mgghhlhq.exe	89
PID 60 wrote to memory of 2360	60	Mnapdf32.exe	90
PID 60 wrote to memory of 2360	60	Mnapdf32.exe	90
PID 60 wrote to memory of 2360	60	Mnapdf32.exe	90
PID 2360 wrote to memory of 5088	2360	Mpolqa32.exe	91
PID 2360 wrote to memory of 5088	2360	Mpolqa32.exe	91
PID 2360 wrote to memory of 5088	2360	Mpolqa32.exe	91
PID 5088 wrote to memory of 1016	5088	Mcnhmm32.exe	92
PID 5088 wrote to memory of 1016	5088	Mcnhmm32.exe	92
PID 5088 wrote to memory of 1016	5088	Mcnhmm32.exe	92
PID 1016 wrote to memory of 2340	1016	Mjhqjg32.exe	93
PID 1016 wrote to memory of 2340	1016	Mjhqjg32.exe	93
PID 1016 wrote to memory of 2340	1016	Mjhqjg32.exe	93
PID 2340 wrote to memory of 3848	2340	Maohkd32.exe	95
PID 2340 wrote to memory of 3848	2340	Maohkd32.exe	95
PID 2340 wrote to memory of 3848	2340	Maohkd32.exe	95
PID 3848 wrote to memory of 1636	3848	Mcpebmkb.exe	96
PID 3848 wrote to memory of 1636	3848	Mcpebmkb.exe	96
PID 3848 wrote to memory of 1636	3848	Mcpebmkb.exe	96
PID 1636 wrote to memory of 1528	1636	Mkgmcjld.exe	97
PID 1636 wrote to memory of 1528	1636	Mkgmcjld.exe	97
PID 1636 wrote to memory of 1528	1636	Mkgmcjld.exe	97
PID 1528 wrote to memory of 1312	1528	Maaepd32.exe	98
PID 1528 wrote to memory of 1312	1528	Maaepd32.exe	98
PID 1528 wrote to memory of 1312	1528	Maaepd32.exe	98
PID 1312 wrote to memory of 5052	1312	Mcbahlip.exe	99
PID 1312 wrote to memory of 5052	1312	Mcbahlip.exe	99
PID 1312 wrote to memory of 5052	1312	Mcbahlip.exe	99
PID 5052 wrote to memory of 4044	5052	Nkjjij32.exe	101
PID 5052 wrote to memory of 4044	5052	Nkjjij32.exe	101
PID 5052 wrote to memory of 4044	5052	Nkjjij32.exe	101
PID 4044 wrote to memory of 1940	4044	Nnhfee32.exe	102
PID 4044 wrote to memory of 1940	4044	Nnhfee32.exe	102
PID 4044 wrote to memory of 1940	4044	Nnhfee32.exe	102
PID 1940 wrote to memory of 2644	1940	Nqfbaq32.exe	103
PID 1940 wrote to memory of 2644	1940	Nqfbaq32.exe	103
PID 1940 wrote to memory of 2644	1940	Nqfbaq32.exe	103
PID 2644 wrote to memory of 8	2644	Ngpjnkpf.exe	105
PID 2644 wrote to memory of 8	2644	Ngpjnkpf.exe	105
PID 2644 wrote to memory of 8	2644	Ngpjnkpf.exe	105
PID 8 wrote to memory of 4856	8	Nnjbke32.exe	106

C:\Users\Admin\AppData\Local\Temp\4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4e05c773b7893145ae81a1e963bc18a0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\SysWOW64\Lgbnmm32.exe
  C:\Windows\system32\Lgbnmm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\Mahbje32.exe
    C:\Windows\system32\Mahbje32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\Mciobn32.exe
      C:\Windows\system32\Mciobn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        32⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 400
        33⤵
        Program crash
        
        PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1068 -ip 1068
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
55KB

MD5
715872494539d258bc41dbf3836963b0

SHA1
395bd29e8befc78732718f6a4f80809db3ce9773

SHA256
f6a216797110a4b58b0c19fea442666b445ed9789c6eac6fe993b92e701c378f

SHA512
3c45e36cea558dd737c389bb03f36e0a6806fd366e70f7426d691fe9fbc0108886cc93b4a1aee0c03fded0211f5bf08f48ec815912656545314014f05b09efc7

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
55KB

MD5
41b4f79d3130defc408411cdcf5cfa6a

SHA1
d69562f783af6d5d9a063c32e209dbe4ceef4bd2

SHA256
b6b3c2196b4cb9a0e5686a3c449a56977e94b68dc446f039b66431ddb696fd59

SHA512
2f90c5274f067aef00a2f055f263d43abce1a7509341c46c693e58d0c91e4fb7c6df2d40ad2f9a37db9293e3bc967a16b2bf41134f244b6285ce91ee14281ec6

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
55KB

MD5
c1e348b57dccacb78cfec2e351249f52

SHA1
fd5012288ddfe7eb85a9ab62f3be8495fa1a69cb

SHA256
59e9667b116e20882a275e41aef7fd50c01769d0d274cf97909dbfb3f5ab7c11

SHA512
42e185216f8db1087b18d90220c42aed2eb47462cbc303faa7ebd034b65750926ed0715e10affbf7ef6e9c3f093b4c292f7133c418be5f9108c14ef77cf1354b

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
55KB

MD5
063afabf695e6c70c6499470c1543a48

SHA1
29da85552bd8fc975203369972b94ec2f856a57a

SHA256
5cec576c2f89c48da6a0ff9370e3eed89c6a4aa9473d8e1708c613e6da94da31

SHA512
fc6dfa057de3ded930f21fa96b1c6d8a7d614679164b12d4f88dea5748d52edc7fa9ba24c1c1b12053d336023426bce3b5fb7bc469655ee9093a127a01afba8e

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
55KB

MD5
9a27b0fa13100c0327a7affd092dbc27

SHA1
940dff557cde9af420fd79ca77ca801d99c5cb8a

SHA256
0271425786be7b3b020abde57fa50a766eb3fdce476513dfdb5fd8b85d70578d

SHA512
0dedbcf20e6b39fe61ebc0a721af1de5b3ac051d13b23424cdb8bb1a44f6ab2640e71b43b65d532940929db21ab1e25cd58720d97c6742d596bcb9394199300f

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
55KB

MD5
643fd59a0ecbdede9fb20a26c09c90d2

SHA1
90fc9a03f953631c48cac47b35608b7208e2f989

SHA256
f9658f3ac0289dabe5f343fdcecf422d4f1ecec868c687025c049f441cb4bf45

SHA512
8f8fd592dc3879426fcf11f1a261dcd42cab78aa473b05eaa5846b20bc51cb47224cb14bb3164eb668d1c9b40ef1111a74e11ce6f30efe68dcbe700837cfdad3

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
55KB

MD5
c36f0a396a8a236adb3ae3f970fc03c4

SHA1
cb79544e7ac6db61ccec67c89d6fb9b80c235655

SHA256
9137c95ca47f5a268bbf6b4e144d39652e84b7e178e1e4ff3bf07e36132211c2

SHA512
372a607746c871c02efbf8883a5ae2e6abc91010a74a508e2fcb8eda1cbb300cb2ebfb78ed1aeaa71d6b938ad9f4c6ceefba55087713d8055d5cb90402a64451

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
55KB

MD5
ac39c12e6dbc9cb23048d0996d0c021a

SHA1
e63c740fb28a19804876abf129d833e7c7e10f83

SHA256
4aca72ac9995f973d1fe5f9a3dad279ea110c31615be6aa13210ec16f80074f3

SHA512
573a32171dc21b0128c76d5725aba2618c9af18ac2a289ffe760bb30c5d0aa0c2c0427b971591a6fe32381e4f3f57b59c09077cab107fa374198b5eced6e8849

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
55KB

MD5
500feac8ac7d2b94dce255ca1b334ac0

SHA1
a470a771e1a2ed40e91d401e1577e4cf5dfebe60

SHA256
c0fbd1039f72d3318e86068e021bfe622b118d556c1e48fbc2ab60ceb10d758c

SHA512
7c6a400c889183a5c5312c6d94abea2dd2c747939e4ab2493fb85f053ea983a6fe67a8997ba9c8b8c19650b74f9d2f5fb6e58fd11e74d9948ea52d99a3166aaa

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
55KB

MD5
127e797851dba2aa1c8f9785439ee699

SHA1
5216ae758f916b5a5e95baa2ec51eed5ee74d4a1

SHA256
0abbc224083a707133c87cc332aadcea22e15d8d772e13a693af277de5b00731

SHA512
9c5db62fd200ff3e158fbea957782e20ce2177fc316a8a6db039be8ec3300be8c1db6dd05149ec9cfc6aa71b07e0451549a0184536cbfe02104f41bb56042937

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
55KB

MD5
7f717f55b1745dacf4ee47ec62b5248b

SHA1
a997039e9f9e21f0abda85fcbfa7d08cffe27aca

SHA256
81e294271917f5c71c462c2be517f657817d1c6fdfb6084c0104bdfde1834ee8

SHA512
4767ee8f5563c8f97a2de9757d0ee7e319caf78649ec586fd4846f6f10fb3d1f3e407dc5c6b8b1be59a0c587c6d00f44291651943163d4a4a476822028b30ebc

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
55KB

MD5
a61dde95cd543a4dd82422c2d6eed772

SHA1
7f6d59025d17957f083db4ef95bd9f8273211cf2

SHA256
758344edb67f2891e544681059aaa52af2968c1ef88a7f430c900bc15e096610

SHA512
a6e1390af3922bd7bb7adfaf5b5126003a6ec468776fe55c3397d48a6782196b747991e370b711829ae976408e4e3ad350adfd17a9b670610789058e07f5b9d4

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
55KB

MD5
2aaa38e33ead0b908fbc9965870cd309

SHA1
fa6da7d623aca27cc227a5f8bb9ea4e55795c4f6

SHA256
ef8d1572c8b13d94c619109f965b4ad3d4ead863dda1bd926a3608062fc5fef1

SHA512
946ec596a18cfbbe651f3ac9de27bcfb316df2ac9d6b1b8e92c2eae58a47234c1ecdd4132c4e9d58e197e3249d5135af58461c035d7a82454d58e2359341474f

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
55KB

MD5
fb866e513f6556c808151587a179b45e

SHA1
67e3bbbc1edff2c6c4896df740d1fff7475d519a

SHA256
efe157a5994546256b4a8e9381da07e9218c17870d26cfd065242d228725b847

SHA512
e8c5b69c31a7113b7c2668d7681b4cc6d7938b43f66ec206a1526bfd5262c98d6176dcc18f32c110981949cc4094e5151c59bb9033585ab277ab83dee2922059

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
55KB

MD5
0713594d2a87f6f5a4bc388a38990b10

SHA1
122b7c1f808ede736b3a1c5607f96a0f6c47f368

SHA256
c31c7f7b78e204f72f3bdfcd2b1ab67afe4ea932ff808eb61a8b1e513d29d2c6

SHA512
dc1f359db54f164b34d8274dc8a18223ce2d7b833c27f981642bf7b5e51c185de6d78077c8dc2a3b827f55f333f4e91ff2604a0b0c8e86572528b86ee7770df2

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
55KB

MD5
3769255e3451aa01a87a20e188e54d93

SHA1
888d4e5c0a091738abb3568aed03efc09965278c

SHA256
8f66aa9e86174f6be82271fd8709254bb932e6db5b0c33af1fd970fdeae7a795

SHA512
93c7cf05afcbf36d2134ad39aa51c33f44f8238ed07cb54a605a170ce009f01400a844a68a890ec3e14cd641fff1a5347982a37684f0f17a986c16da7507c2c7

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
55KB

MD5
61de90a55b29f712b1feba58c1617e43

SHA1
77b7637b15b528a2a4e4eacb910d7557baca8054

SHA256
d9e88ebdc22eeb289e27766ca9b4cf46026d2639eab052980fcebdc8f2939d3b

SHA512
6b2e1bd7b3937871629feb12954809b501326b6af20abbc852bffd449d6cb3ecab3dded3eecb3b444b361879a921150bcd29197462cef4305eebb1d19d78bc3a

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
55KB

MD5
260d9ecc7797472001008b4f98fe3a41

SHA1
e7bb616ea919491350a718c158890bfb9b5ff4f7

SHA256
9c1b11329db3c6c702ece91eec210ca5761d9f36d6b906697a6f4863fc6f4e38

SHA512
6281d538846e31fc43773a5235a48645986fb4eea66d8f73bd3c525553245056cdfc083753acb0105dc6d028c7e69d2784ac651632455c906d958e69aec288fc

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
55KB

MD5
59c70a982e031e473745c8bfe6379f56

SHA1
1e1822d8c5b4272ac8a1fbb5187071a64beaf0ab

SHA256
34d14febd530c3dc93ee7d14f247d7c14eee44f0797cd47c4b059aa5dbc01545

SHA512
11949a048b54a8f25c27865f4068b6824b4b108e02adf338bb602c9b453ece87de0ac7b7a78d50e034c2ef46933831b850d7447bb48e5b34fa1a4252a9592d8b

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
55KB

MD5
c88c1eec2f79ccebb430b616b35e71cc

SHA1
1f613720c74bca4093c65583c8e097dab1797460

SHA256
a375109a5d1f0f5ff6a1e1afafa3c1f63ac6beea045c60163b21c5b1d4955b93

SHA512
e5b23765d79279d0e67861fc4b0a3b7e0fcd796a455f881eb84620f29d78021aeeed3aa62a77b095759710d35d3c57cb7b26fceebd14f9d275acc095fab43728

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
55KB

MD5
0d5ee0ad33419687a13f902378a220db

SHA1
549947cb3af25b61dcac02b7df5cd4e66ed10e6a

SHA256
eb1a3b711fd27678d0545759e9dbe0bcb448f914501b17603793d57f627e99c0

SHA512
c8862dc791d83b60061d45c7843f83a4d5f9918c2a4c56ab9b93505a51c2706269a569773855562b32902ca1073a5310f9612efc81014f308bb128a2a9584b3f

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
55KB

MD5
9b3e515416ba73ab9a921212146a6801

SHA1
6bc00de7ac52e1f17332e2b1b9ef3afb60ad4a10

SHA256
e2b7e05bb7a7cf4ef2c1f018021a7e72e17ce4a70a73802093db07271296d633

SHA512
e8248795e83256dc0aa83993d3fd3aea3beea08773fc5f10af1a5d7f4673316757de7bdabd95c372b3d53c7fc22e9885975346abc7dfb6173e22b0994c305ea6

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
55KB

MD5
385f4ef1a4942a85c65bf04ff6548e9e

SHA1
07090d45f9104cac3e50d464f7132a5bedfe37c3

SHA256
95f92ac940d6d694dd4c91e436965443a827b7e9040847b7656dd28e1e67eb47

SHA512
c549b8cbd3da2e0db04b799a6b6d57934d7fc0104b030cf23615627fd8048587139db0522c9a15ffb6da81d801d67271fa5da60ec57e6b2d9a05d41a8aaa56d9

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
55KB

MD5
bc40fbeef0b14b62f78f41dd61df1cd9

SHA1
fbc325467eb9a85e3b71f2cf6458677f31bf2550

SHA256
48d408330ab3c951ab0da6ed7de0893984cf888a085d629bd3690d52eb41dec5

SHA512
94d582ce628a1fe17e4a260c908529a9d337996aadde84ebd53a00b2a6f346ea814b2a8b4aaa9120a7fd55534a2104735f8f1ce0f40201c89bc0ac5cc31ccba0

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
55KB

MD5
5be032e34ed63891f09ec11d90a840b3

SHA1
d06b9803589a1032a17b3fedde1a4148824bab6f

SHA256
0a3adfb2fdd2ceee9f129f026264c421298080071c50b0f63c8040fe308ffb77

SHA512
7ea10700fd66b617ffed1f627718f6a6b3c075f20a4314aaf55665cf42f52b75ab8dd2d6d8d9337d3f37c9843517164cdd5b9b52910826f7ab5a23b3b01704be

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
55KB

MD5
46382c5e4a45569f79703557bf0afc33

SHA1
86d76db639d0a12ecb8a1031c76575027cab616c

SHA256
d47ff2a44c12587826532669f956d3ed59944e80ded0e6a1f402ef906e1d7b05

SHA512
23fe3e3a66452e3e23b9d1ea72f25d9015e85170b693f8eeb27a916fdc1c0b93ccedc12d7ec8dec81f4fa7cbf14c73b9bf1a8ec2732e160eae98f4c3390dc672

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
55KB

MD5
b8d64023a822c0242eb9da7f0e785dd5

SHA1
b196b4c6b949c5f838a9377b493b156261b41c3d

SHA256
4e841b6e773e42dd846a6c1da3ce95c5a21453471eaabcbcb9ee1674f148b89b

SHA512
9c38f89bcb7431eff7e04ad8bd22ee0ffea2969e4ef33c84c190b2f4eeb14fb8923519fc2d8b4bae38ac322dae0bf7772c8efb4d5e051aa852754c9cec98bfee

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
55KB

MD5
d31b73c27d367f7579261721219a4eda

SHA1
960fb8155d26adce33f3a742d128bff7b6872fce

SHA256
dd997a1af564c2979b13ab76020615f9077458b3bcf152312efc5d53c8843081

SHA512
ce0275776b922994606cb927595ad9107733d2d79a0e2d9af38183cb2efbffb312beb78284b9bae694baf5c8ccc5f4f76b7ffe41818de5d1ad74b9fe41e52de4

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
55KB

MD5
e5caed2569f778bbd098628c95b5bf14

SHA1
fb243024b9876ecf5da0f595cda0b7b5c83b1c95

SHA256
a246d880b25db612cb40f60eab42e36d442ea4ca55816e6ddacdc4d942def487

SHA512
1f5a76e7bcb57b40219402401f7170e7127c756de2ce593f94cff8ff99f4333e5d219bebb06c3017e96d185b5a9ede2a2ac3b8abf057b7aec4316f6b844512a6

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
55KB

MD5
ecf006dbcae1fffe6eb4600108d0cf4d

SHA1
ef4bb6c19424c39b43931b710ca5168e50bd2d0c

SHA256
ef0cfd4d4318377cc9517fe05ac415a9b1c57308880a24d62ade365e9e074c85

SHA512
17023c8b46501068e98b479f426f9d55aa01c55622f22c99e09d356b8cedeb87912d0a2ec463bde1aadf2fbee417999981d47237285e657b356734163a6e4a7a

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
55KB

MD5
725db09c3001e20a459e454e1f147da3

SHA1
c57e5556a43b48734bdb052d83c50977bbd5936e

SHA256
d51906736bb11d9971234ddc75bbca39060644300bbe12444c9fd97888f2b565

SHA512
c24b19955591e8e6671030c4d811a82638a78feff1dc10279caf3b5097886ffe58fa512520153459913295765938db59be1d384a03947d84342014cadc5cd1f5

Download Submit
memory/8-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4056-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads