f8d70e3023fc7caf04842c96c97304d8571f6bc6fc41eae33ed344ae88d45136

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
Size

214KB
MD5

0847242d5082ba07fc27da686d5e8760
SHA1

de38e61831f1ff34740fb4d9fc04b348b6341dda
SHA256

f8d70e3023fc7caf04842c96c97304d8571f6bc6fc41eae33ed344ae88d45136
SHA512

8043c4617848e8039b29c776e02becfe4915fc0745824f7e36f3caac8e0c94ea48daed78e73a03b0cabcbbce394e72f289ba0e9d3f323f014fdd3c690dff95e9
SSDEEP

3072:3jYiWMgAlv0CWEM6eHLBx0i4SenAnDlmbGcGFDeaqIsKEYWyPVBweyFve3CFdagy:3ji2HlULr+peC9a6HYW0VBLyFviCqgBk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe

Executes dropped EXE 16 IoCs

pid	Process
4332	Mcnhmm32.exe
4204	Mjhqjg32.exe
1212	Mcpebmkb.exe
4048	Mnfipekh.exe
856	Mcbahlip.exe
3608	Njljefql.exe
2408	Nqfbaq32.exe
3892	Nceonl32.exe
3200	Nklfoi32.exe
4008	Nddkgonp.exe
2584	Ngcgcjnc.exe
5088	Njacpf32.exe
4832	Nnmopdep.exe
4612	Nqklmpdd.exe
2384	Ndghmo32.exe
3448	Nkcmohbg.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndghmo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1648	3448	WerFault.exe	100

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4332	4808	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe	84
PID 4808 wrote to memory of 4332	4808	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe	84
PID 4808 wrote to memory of 4332	4808	0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe	84
PID 4332 wrote to memory of 4204	4332	Mcnhmm32.exe	85
PID 4332 wrote to memory of 4204	4332	Mcnhmm32.exe	85
PID 4332 wrote to memory of 4204	4332	Mcnhmm32.exe	85
PID 4204 wrote to memory of 1212	4204	Mjhqjg32.exe	86
PID 4204 wrote to memory of 1212	4204	Mjhqjg32.exe	86
PID 4204 wrote to memory of 1212	4204	Mjhqjg32.exe	86
PID 1212 wrote to memory of 4048	1212	Mcpebmkb.exe	87
PID 1212 wrote to memory of 4048	1212	Mcpebmkb.exe	87
PID 1212 wrote to memory of 4048	1212	Mcpebmkb.exe	87
PID 4048 wrote to memory of 856	4048	Mnfipekh.exe	88
PID 4048 wrote to memory of 856	4048	Mnfipekh.exe	88
PID 4048 wrote to memory of 856	4048	Mnfipekh.exe	88
PID 856 wrote to memory of 3608	856	Mcbahlip.exe	89
PID 856 wrote to memory of 3608	856	Mcbahlip.exe	89
PID 856 wrote to memory of 3608	856	Mcbahlip.exe	89
PID 3608 wrote to memory of 2408	3608	Njljefql.exe	90
PID 3608 wrote to memory of 2408	3608	Njljefql.exe	90
PID 3608 wrote to memory of 2408	3608	Njljefql.exe	90
PID 2408 wrote to memory of 3892	2408	Nqfbaq32.exe	91
PID 2408 wrote to memory of 3892	2408	Nqfbaq32.exe	91
PID 2408 wrote to memory of 3892	2408	Nqfbaq32.exe	91
PID 3892 wrote to memory of 3200	3892	Nceonl32.exe	92
PID 3892 wrote to memory of 3200	3892	Nceonl32.exe	92
PID 3892 wrote to memory of 3200	3892	Nceonl32.exe	92
PID 3200 wrote to memory of 4008	3200	Nklfoi32.exe	93
PID 3200 wrote to memory of 4008	3200	Nklfoi32.exe	93
PID 3200 wrote to memory of 4008	3200	Nklfoi32.exe	93
PID 4008 wrote to memory of 2584	4008	Nddkgonp.exe	94
PID 4008 wrote to memory of 2584	4008	Nddkgonp.exe	94
PID 4008 wrote to memory of 2584	4008	Nddkgonp.exe	94
PID 2584 wrote to memory of 5088	2584	Ngcgcjnc.exe	96
PID 2584 wrote to memory of 5088	2584	Ngcgcjnc.exe	96
PID 2584 wrote to memory of 5088	2584	Ngcgcjnc.exe	96
PID 5088 wrote to memory of 4832	5088	Njacpf32.exe	97
PID 5088 wrote to memory of 4832	5088	Njacpf32.exe	97
PID 5088 wrote to memory of 4832	5088	Njacpf32.exe	97
PID 4832 wrote to memory of 4612	4832	Nnmopdep.exe	98
PID 4832 wrote to memory of 4612	4832	Nnmopdep.exe	98
PID 4832 wrote to memory of 4612	4832	Nnmopdep.exe	98
PID 4612 wrote to memory of 2384	4612	Nqklmpdd.exe	99
PID 4612 wrote to memory of 2384	4612	Nqklmpdd.exe	99
PID 4612 wrote to memory of 2384	4612	Nqklmpdd.exe	99
PID 2384 wrote to memory of 3448	2384	Ndghmo32.exe	100
PID 2384 wrote to memory of 3448	2384	Ndghmo32.exe	100
PID 2384 wrote to memory of 3448	2384	Ndghmo32.exe	100

C:\Users\Admin\AppData\Local\Temp\0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0847242d5082ba07fc27da686d5e8760_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\Mcnhmm32.exe
  C:\Windows\system32\Mcnhmm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\Mjhqjg32.exe
    C:\Windows\system32\Mjhqjg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\SysWOW64\Mcpebmkb.exe
      C:\Windows\system32\Mcpebmkb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
      - C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        17⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 420
        18⤵
        Program crash
        
        PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3448 -ip 3448
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lelgbkio.dll

Filesize
7KB

MD5
accdb1d99470e08d3b840e5fb2e902b2

SHA1
5a3adc977bd0503f49e590760651ebacb0ef1405

SHA256
6bfa06db70b8ae9112e8e8423eab2eba12c45804a4ed785664c63fe349a836c0

SHA512
fd74de8cb18a640043f2bbf42334ab0f4a11f559c98fa19a1fef93ca30e251b75678df3476437ce1d0d74e882b04b41f9f5b3a260ea9115d6b478fcaf7d3093b

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
214KB

MD5
3e304ebd9d93ebdd1cb08e03ddea746f

SHA1
1db66fa8df2646d88e40dcb01e436ca7c02ead34

SHA256
25ed0e1e5ef7cb6b52681e01355bcf4d52e09ca3c904fba824a0e8554ef31cee

SHA512
6745882b42d66580e4e12938952cf94b6a35504a994d202bf85f06e1d4c07ede26986a3bcefee01574259cfa1e51a114ef0108ce7ff62739cb059563f1257f5e

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
214KB

MD5
90c0f3d4a726160b6df1f03209eaa6be

SHA1
8738bc9cdd380d1ffea0207b5ec7b64aada3baec

SHA256
7d5374764ceff12176dd45ba827f4ee195f163bc1d24527d475e99429ec0b67b

SHA512
7d46a558a348cfbefde20dbdf0644eda9d70c864f4a996277799f7e5eef750e3c9cc36ca91d5ad819d991e6f46fb94065b74aba7d376209589830c4f05428ae1

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
214KB

MD5
1e8fcc64dcf893b22d9177f9cd5f3178

SHA1
3d8c1be843c964d60681b85b79074c5343173226

SHA256
231506814ad246fd9ac1d53ff8f9421bb2d618eaf247616023b3452e9d998b4e

SHA512
948cf1713942a60541f22fd3a172748bd3ab9dbde78b0d9e8dfa7026708e65db4db03db0b13d3b1f588832fde035bc13fd355ed5e1ef41d9f6703a2a9503e09d

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
214KB

MD5
a629100136f41f0d925f82e9aa6f36c8

SHA1
500fd85431d1a82ff87a313e6b8b8966b7f23857

SHA256
84a4e2f61ab3fd10ef22e1a7d2e1f4e320746e988f4b81aa30e93c6efb7fb151

SHA512
d44ea00eadc1b4a3621a9aa933e527baaf2dc0588e92e98864643a39a1555a091fb3b8dd7b241d0df9fc36e10ffb49d404e857eb9f2c54740404eb91364d19f6

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
192KB

MD5
f9402d207129d29d6042f01634a35a1e

SHA1
191949a63c9573d6e98821fdf2f0060c814b8065

SHA256
bf38eea27d06d4bf2c86b58eb7eeecf3aefb55311f35502f40a2e6edbe7e2146

SHA512
e4c2fa64d04855ea3293bb6283215c501d1c99a95ed3566723ff5acdd045a65f7e25efe7a821beb7a00fb0f807dd45c9d24eaf88b54871f5eff1f3811efaa503

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
214KB

MD5
4aae46945c1a798cd719f4122121bb21

SHA1
ccc205487f8bd741733abb60f032072c16efd205

SHA256
40cca36b802a9e32ca840f38e7773c3ac0ea62da98ea3d8a24e5d6ce6143aab3

SHA512
37abf6e68cd3f997c7acbbc187d4504b856fd796a1cba1a921b274597d8e35cf2751466339c247010ac7fa20df28a3e28eb79d7254a2e3abef53506497249830

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
214KB

MD5
eef6639e0e3a7cca0781b2c807e241c1

SHA1
cca11abfe9dce32d25b29712ab8e97d1803f7174

SHA256
02579b7f881ba1c2af3906c94d2d7e42d2530e58e13d72607ae9e7ac1113a0c9

SHA512
19cf30bdfed155579fbc7a7b4fb1607915dddf3354a31e74a3b1dad07bc916883c02cf3969d0244058135028bd39d7a0443d1383ac055c4f8291243ebefd9801

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
214KB

MD5
30e2a53ebba99f4bb0a7bdf757005ffd

SHA1
6d82df624ab3fa89a56333fe74b3fd7e7358f330

SHA256
92e8df3be76a66d04871a13333db81c1f2cb2ee1c25e12c0223ee78c608a94c7

SHA512
c3e2d4080e38b7a6cef4a19b597ef5ba38e236f426d29a799ad113c3d5c278aabcaec2672fbf2427184c57478424312054c81f09313ba858ec536ac489fe0cd5

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
214KB

MD5
f93557d00d3fe23766887a9f95afe332

SHA1
6f179a79b513d5a3aec57a85262813cb8b9eca33

SHA256
05b10c0cdc4b1da8023a4a078f2b8b273e3c045a36d4989a63ce420c788aefc6

SHA512
3a9453317948c8c7a6d53b98ad197f55ad49e91a0597f5b5439a365af76ae531c25a3bcf3a24f6486a0a438687bff5854e9337b6ed1b8fc519ca4b834e7ff154

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
214KB

MD5
1ed9f9585bef59ae6b731fad06973232

SHA1
69826ba6bda6754a053c9de734aac468005c9184

SHA256
e187cb531ffcac03fa1901c9d27714a55385ae1814f9435d08571f0e1e3e130c

SHA512
7b9216a8b3068a96b4d7b5350ff571cd8a4e1d9106d35661e5482ece09e8392867d173551a107f6d79b99dbbf8c31fb290be9dad12a53c982886d0fe4caec0e4

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
214KB

MD5
1bced0a8e2f41e68d1ef6cddfe42a17a

SHA1
9d212c5bd7f1fbaac680a35939199bfcef7b1d51

SHA256
770e175211e90b2355b455489667519607cbb44e6ec4e594b46391b410f62d41

SHA512
1dc686bbbde9775ec7bb48036447b4838c6e1c157e9cd24189bba0935dba7cf644c7f4e3730dc85b70e61362c569b78564c182966bc240f57c8c7dad01fa7be5

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
214KB

MD5
bdc1eecfb3fc4b71a61e0ec31aaa149e

SHA1
77defd4c46ae68352b0aacea6809c746cfe0037d

SHA256
7bca7b1b65cc920160cea0fe937478351f65952f5d8dbcd33f726a2c150c4f8a

SHA512
aeff854850fce0c616258b7339327ed59206ee05f2dfe0dc09bdb7733325df41703729c0799eff0bc6ce60dd2a705f000cc761fc18b1b5f53a32b498afc181a5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
214KB

MD5
cc0d0e31f91f3d627584edd618d8ca4b

SHA1
bf8223a4a3cf1979f654911cebb7689b9384a6d6

SHA256
97f2994e9c39dbbe0d88862ac9af08c43a82d2474b5829b036f374aa07a9a47c

SHA512
e187edb43acf4af48ba308b13f1c618991f05a8154273b047ec03159b34713a089cf7b06e7817869825baa417d64b121a39015d1ecf38d8d73a2a3bab4c1a099

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
214KB

MD5
e4f3030555f3d86b828a876d1b5afd3e

SHA1
7e8a456bfb47360b077db624fb5eaa8b8a9896f2

SHA256
ab469e2a0c9d3073b946febcb572ef511e352cb52b4b8c5ccb3bae9d3d336086

SHA512
160c5f996d71d208bcec3e0b4baa8fa5dce0b6a6c7223d9defa19abefe2ca28090e130c760deb038122c99db0eb15aaebc5a610e8551d8e73eca47dbd69d30ca

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
214KB

MD5
0e9c6cd96f9ed921568021654d84c16b

SHA1
7a5e81c8ef0d73a2eb74c969368541b23c4da819

SHA256
1c2e7ed0fc5ed0901ca342d8aad1e5299c5aad626abf8949797da3089f76657c

SHA512
a605305717b70756708cb813c0cd8babb35344eefa175bcee7301e9497d640dd0a2f5c92490db661de72cc837984a250fafecdacabecdca54a2b3f867c027500

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
214KB

MD5
386e6da1313677c12e0736a770ded1f9

SHA1
2ce2361912694dbd080159e51a8373f5778345fb

SHA256
e5df2fd5e59de66e2ce34c140048582ecde3354d6d0b387ebb005dbc1ef7685f

SHA512
53d78bdc203ffe52686f06d9cfb5bcbfa0d2abb4ecc45c4e59b1cf9abeb54da1ba374fc47c66e4655d7eaac6e52ce1c5d2c66ab25d915ef91253c0b2d9bfcb01

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
214KB

MD5
bb3951fcaad7ae307695a57c2036064b

SHA1
c308460f8d17fd74bb3c490981a660300ae0ae6e

SHA256
652c2d9e7b6f8cf2c506ca6868a29eff3db8da5e611f21d3b8a33510fa2ec86e

SHA512
0a94a6eb212f126e3f78ef412d5dfce4f4d8b11d9ae64c0290f9e7a116ec02c17c4846f05fc0c71e03fb3e71893f88ae3fae4fb33ab82d2ae6ac489671e39b04

Download Submit
memory/856-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/856-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1212-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1212-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3892-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3892-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads