9ad90bd640415321963ef07bdb90d341ed4fd1dcb1aa08bd8d137c24826cbeb3

Analysis

max time kernel
132s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
Size

256KB
MD5

03f86aa68679a615ac0d04333ccbb040
SHA1

41bd042722f64ff56a067a9164f2e64b56dbb8b5
SHA256

9ad90bd640415321963ef07bdb90d341ed4fd1dcb1aa08bd8d137c24826cbeb3
SHA512

780180c5d2e6c8f960c632a71df61dc6ca02ac54a04c68c612281465837ffe42deae093b7400f704c66fb3e67292659cd75771f60747773861254c413a73f520
SSDEEP

3072:AEBEVtOt25STWqAhELy1MTT6e5f7N+Awrogsw+STWqAhELy1MTT6e5fAKkVyerze:AEBQ5STYaT15f7o+STYaT15fAK8yL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe

Executes dropped EXE 28 IoCs

pid	Process
232	Lkiqbl32.exe
4348	Lnhmng32.exe
3556	Lklnhlfb.exe
3844	Lddbqa32.exe
3528	Lgbnmm32.exe
3604	Mdfofakp.exe
3128	Mjcgohig.exe
1224	Mnocof32.exe
2412	Mkbchk32.exe
3392	Mdkhapfj.exe
1196	Mgidml32.exe
964	Mdmegp32.exe
4952	Mkgmcjld.exe
2536	Mpdelajl.exe
1376	Mcbahlip.exe
1780	Nacbfdao.exe
2340	Ngpjnkpf.exe
2372	Nqiogp32.exe
3600	Ngcgcjnc.exe
1864	Njacpf32.exe
1756	Nnmopdep.exe
2520	Ndghmo32.exe
716	Ngedij32.exe
1944	Nkqpjidj.exe
4904	Ndidbn32.exe
4760	Ncldnkae.exe
3164	Nggqoj32.exe
4204	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1384	4204	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 232	2276	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe	83
PID 2276 wrote to memory of 232	2276	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe	83
PID 2276 wrote to memory of 232	2276	03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe	83
PID 232 wrote to memory of 4348	232	Lkiqbl32.exe	84
PID 232 wrote to memory of 4348	232	Lkiqbl32.exe	84
PID 232 wrote to memory of 4348	232	Lkiqbl32.exe	84
PID 4348 wrote to memory of 3556	4348	Lnhmng32.exe	85
PID 4348 wrote to memory of 3556	4348	Lnhmng32.exe	85
PID 4348 wrote to memory of 3556	4348	Lnhmng32.exe	85
PID 3556 wrote to memory of 3844	3556	Lklnhlfb.exe	86
PID 3556 wrote to memory of 3844	3556	Lklnhlfb.exe	86
PID 3556 wrote to memory of 3844	3556	Lklnhlfb.exe	86
PID 3844 wrote to memory of 3528	3844	Lddbqa32.exe	87
PID 3844 wrote to memory of 3528	3844	Lddbqa32.exe	87
PID 3844 wrote to memory of 3528	3844	Lddbqa32.exe	87
PID 3528 wrote to memory of 3604	3528	Lgbnmm32.exe	89
PID 3528 wrote to memory of 3604	3528	Lgbnmm32.exe	89
PID 3528 wrote to memory of 3604	3528	Lgbnmm32.exe	89
PID 3604 wrote to memory of 3128	3604	Mdfofakp.exe	90
PID 3604 wrote to memory of 3128	3604	Mdfofakp.exe	90
PID 3604 wrote to memory of 3128	3604	Mdfofakp.exe	90
PID 3128 wrote to memory of 1224	3128	Mjcgohig.exe	92
PID 3128 wrote to memory of 1224	3128	Mjcgohig.exe	92
PID 3128 wrote to memory of 1224	3128	Mjcgohig.exe	92
PID 1224 wrote to memory of 2412	1224	Mnocof32.exe	93
PID 1224 wrote to memory of 2412	1224	Mnocof32.exe	93
PID 1224 wrote to memory of 2412	1224	Mnocof32.exe	93
PID 2412 wrote to memory of 3392	2412	Mkbchk32.exe	94
PID 2412 wrote to memory of 3392	2412	Mkbchk32.exe	94
PID 2412 wrote to memory of 3392	2412	Mkbchk32.exe	94
PID 3392 wrote to memory of 1196	3392	Mdkhapfj.exe	95
PID 3392 wrote to memory of 1196	3392	Mdkhapfj.exe	95
PID 3392 wrote to memory of 1196	3392	Mdkhapfj.exe	95
PID 1196 wrote to memory of 964	1196	Mgidml32.exe	96
PID 1196 wrote to memory of 964	1196	Mgidml32.exe	96
PID 1196 wrote to memory of 964	1196	Mgidml32.exe	96
PID 964 wrote to memory of 4952	964	Mdmegp32.exe	98
PID 964 wrote to memory of 4952	964	Mdmegp32.exe	98
PID 964 wrote to memory of 4952	964	Mdmegp32.exe	98
PID 4952 wrote to memory of 2536	4952	Mkgmcjld.exe	99
PID 4952 wrote to memory of 2536	4952	Mkgmcjld.exe	99
PID 4952 wrote to memory of 2536	4952	Mkgmcjld.exe	99
PID 2536 wrote to memory of 1376	2536	Mpdelajl.exe	100
PID 2536 wrote to memory of 1376	2536	Mpdelajl.exe	100
PID 2536 wrote to memory of 1376	2536	Mpdelajl.exe	100
PID 1376 wrote to memory of 1780	1376	Mcbahlip.exe	101
PID 1376 wrote to memory of 1780	1376	Mcbahlip.exe	101
PID 1376 wrote to memory of 1780	1376	Mcbahlip.exe	101
PID 1780 wrote to memory of 2340	1780	Nacbfdao.exe	102
PID 1780 wrote to memory of 2340	1780	Nacbfdao.exe	102
PID 1780 wrote to memory of 2340	1780	Nacbfdao.exe	102
PID 2340 wrote to memory of 2372	2340	Ngpjnkpf.exe	103
PID 2340 wrote to memory of 2372	2340	Ngpjnkpf.exe	103
PID 2340 wrote to memory of 2372	2340	Ngpjnkpf.exe	103
PID 2372 wrote to memory of 3600	2372	Nqiogp32.exe	104
PID 2372 wrote to memory of 3600	2372	Nqiogp32.exe	104
PID 2372 wrote to memory of 3600	2372	Nqiogp32.exe	104
PID 3600 wrote to memory of 1864	3600	Ngcgcjnc.exe	105
PID 3600 wrote to memory of 1864	3600	Ngcgcjnc.exe	105
PID 3600 wrote to memory of 1864	3600	Ngcgcjnc.exe	105
PID 1864 wrote to memory of 1756	1864	Njacpf32.exe	106
PID 1864 wrote to memory of 1756	1864	Njacpf32.exe	106
PID 1864 wrote to memory of 1756	1864	Njacpf32.exe	106
PID 1756 wrote to memory of 2520	1756	Nnmopdep.exe	107

C:\Users\Admin\AppData\Local\Temp\03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\03f86aa68679a615ac0d04333ccbb040_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\Lkiqbl32.exe
  C:\Windows\system32\Lkiqbl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\Lnhmng32.exe
    C:\Windows\system32\Lnhmng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\Lklnhlfb.exe
      C:\Windows\system32\Lklnhlfb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
      - C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        29⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 400
        30⤵
        Program crash
        
        PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
256KB

MD5
73b0e36a9e2d70375b7046aae6762291

SHA1
1b9c21eb2349d317406f12e95bef00ba49771ce6

SHA256
83e35c1badeea7c9be3949606516e9194024818f81c706eb590920e44c56fd49

SHA512
3ae322d73deff50f2ad3e13c1b56c818a54d97d085fb5b98b0d544acb92e35ba86890be84a2861ead3e612de4f1129b46302902e756c9b916287182b1884751b

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
256KB

MD5
b30c69bbfb9c4080845b32a1dd80486f

SHA1
df098d7494c42d9e8ee6842f3406626add6629a8

SHA256
a2ff4f61f72320775f1017ff03e7e044c219821e1ae8e756a7d072ec3b8c679f

SHA512
3237c4a2325da71bda6e2ddc2c25631f3e2c3eeaef2ca41dc354f7b9920ea501494e14a1249f22bf8a0c92ae2970d0e5ebc9ccfb79d02faee4cbffdaa8002785

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
256KB

MD5
c0c7260751e5c9587cf1f1b4dba07e9a

SHA1
000f5dc0961db60af547f8085028a596a007abf7

SHA256
4a63f562689c73ccd79187efae6c95b07ff467b00ece1ff82b65f8380edbc9ea

SHA512
14ba86720e43895f28cfb6b75f1f3cc3fb2fcb5568093501c8b6e472c4750b55620d4d026c3fff08aca97487fe8f5d567b88bed344a2e5722591e6071052dada

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
256KB

MD5
9c3f73a8f549850b5ecd5d4e0c15d738

SHA1
7f904bd698b4858f902fc7acd5732dfd343aae06

SHA256
491704cc4d95d26d9c0a5fb333aed1859e9f489aa683d58ad4611a6a5912b78d

SHA512
bfc399b7db0252011786aab5c1df8794d3dfa5a3ca48bbe2ffa3914a795db19f26155538dcb9cf06157900b124e4b2cac1be3e381e428729274150c6c7720e2e

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
256KB

MD5
4d665e35ef7554883cefac06f8714e8e

SHA1
2cb1e6cf20e5bf71307c3b26cf44a83003324510

SHA256
15f6ebfb52fe45396ad2b0e2ccaf962f0443e88ed50bfc641e60e0b0229cb131

SHA512
98df5dd94dc815d1770c12fc5df1d8dc62579948f4694f716a41f39d7da74e6bb66a5d9ee70a7f67c4b8c101527f389ec7317b2111b06e70e87d11d9293a2f30

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
256KB

MD5
d5036ace3d2f0a049cfb3297fcbab8c9

SHA1
d1cb23d42630701a3ac66cf437e566efdf3aa7a3

SHA256
65292928a8dc986b5784ab1ef421928f9a68c714ff8e447bbab4bcee8a0f1666

SHA512
c61b515c1c040a23f56cc54ab36a130b2babde679ba9f59a8d842bc7ee0db58c32fb9ab9a6d7c41e8a2fd2b6ed383a95ecb626cf064b557ba0a503221f707602

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
256KB

MD5
6d49544720047b5869c7d7b023f04d26

SHA1
9ae5fc927fc8fa72ad1cc39fa4b0bde7019765ee

SHA256
e959bd4c332f95df895a069becf0b854d9d2ff0b497238fe45e57c3e5ad123b9

SHA512
e0f24d89126fafc950b196d0c98dc3a6c21df0ca4d4e13384de4398518da99d6376e5ab5e1b642601a6f2cbae0aef55ceb3bc42e6a7d1c5ab60ed43f9ccab4eb

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
256KB

MD5
b24a21a66f03b96d290825db9b9e0fae

SHA1
8fdd90a3a534217ed441f1d954e3c8fe6505bd3c

SHA256
5c90918cdf46f393387f3932ca0fb14d2f97324d90019e365c3205872d4d785f

SHA512
e6e4d178f7e446ccaac98d776cac7532cecf7133d6154a630caf209ad61905c070109ac01e9cc56236acd7554d979fc24bc688829efc33617ede793bafa85f9e

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
256KB

MD5
3afb12557beafa6ccd54a80d61b5dd07

SHA1
9b10300ac43ce701cb4d375abad204e8f5beb3f0

SHA256
4a09827f04611ae883fd564158c15b2fddca45130121eb5c3d762133d33c7fb2

SHA512
1d5490faee7727ad10587caf9aa843c59897c862b46178914a0ca029514490285c7bc7b15a70e5401ed5335c5b93d12ac63a9f59d25bf9585d93ead70903f46f

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
256KB

MD5
af06063d8d406d8dcc422fdf0e9ce561

SHA1
9fcdeb9a21edada09d6da6e0908617c271032e1d

SHA256
6eac691d37a1213513aec2281bd57c56c9dbd915a5a14959893009a6798a8b6d

SHA512
6f669ca6029a81000b6d71424ca4ad88f220747ce51480f800257025ea8865b0f780da80b62f2cce6e1ca6e000117077381de1649f9723f5c19e97128a6e2d7f

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
256KB

MD5
fb248a05d11879007f848ce622aa827b

SHA1
e35e3ff5a8c5b2029a726fe5be7a067179e782bf

SHA256
80ece9784d1ab9139ea116a1947b12068ef10c3f8be2be9c7326cbd125adbab5

SHA512
c4a39ae219a734e4a4c6a54906a4e8566fb51282e2a395be905622693268964674df4f75111ad0f098ba3a989bacd64046bacb577cfc6e36cb7462d27ecf1be4

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
256KB

MD5
f07d832ee990844fbd0a189eb632b4bf

SHA1
d49e55b05e5aaac9b5dde86cfc7cf06f5909739a

SHA256
cecf884b31cb1f82882c501e14a72057a345ef9d27ea6854c97508e189b964ef

SHA512
10f3775252b820816f78e64fdb189939746d954d23e7de4c52b7fd1a09bdae566629d297e8c98b83ef6128535d319c156f63a89f8e2bdf9c1ad35dc4bf386edd

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
256KB

MD5
a57399f36a21c8f760ed2ef5d1c09b51

SHA1
3fc6237e8622cdf9d4f92f456eb44c37767e7f04

SHA256
25818380e8638dff18194575ae2eae1b3c49485fb212f4fec94f37b692e447f0

SHA512
ed5a100945613cb9fdc6716be5a4f02c10333aab85f810ff82d60c7459abedb69b04f03c08991be9604d8898a424727342ba76578c9010e5e56b9575aa920217

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
256KB

MD5
228b58c7918c92202967b40fd31c5aff

SHA1
a684d812a28baf43a7dca2e7a0d91384a545e0d3

SHA256
a59f95da4c8234d7a1b16aa82bdd02f3a24d65f492f6d889017fb48343cf357c

SHA512
ccecadd1011b39241da53c6451bc89fe0e963b74260f118c9b3454972c52f220bf05676e46b6bd7962390f1cdad0d7f80da32ea4cb35b0df6ee0494344fcaf20

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
256KB

MD5
935979b654f7fcc7a95a21a992abb587

SHA1
9013b8667f80a826f2f73c7448c4f47d00206482

SHA256
572e2b3b519bd6e7dc176d4bb6a0a5635accbdb2409adb5ad5e765cb3d2cca7d

SHA512
6204a969a13b5c0b225443ef2f07bd6696175f0ecbc6908c669b639d1c9b04dc2c84e729556d2c0fc751152f79b8ead8e30ed9f7a41377d7331ddc16d8474334

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
256KB

MD5
3a0f3458f38eb1f89965b65a1cf0d174

SHA1
b0316dd20d58b1182af0296829a48756808d3442

SHA256
ae13646f0f0ccd6cf0681308b472c6296b2bff1627ff4dcc1f527342a48120d8

SHA512
eb912d7f1194cae81d8c4a0bd569fe860f48bdfe87c525bfd09809100cf6a2b23d70f5da04fe7f36d8e4b1ed20f470500f36aeaa9f9a1a3aaf3bdb5cf850f4a4

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
256KB

MD5
5a2a5b5548d944452595e5c1689c1d22

SHA1
dfca4456ecd0e6fb71a8f5f79599be24c6a819be

SHA256
934c4e1be2fdf322aa5525e0898379ec15bc5afe852be8e06f23af88e780226d

SHA512
7622d337eefc587f698769bee694353d8ba05eee5841da16cb624343c6d993b8c804b8b74729487173ab2399c46d1b3eca84ca42820ede4b48f65c03436b0a81

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
256KB

MD5
8d37bad81cb3425d6b15b8dde5c6c2fc

SHA1
89dc90dbd414671c41ca044fc5c6e8eee0f9d6cf

SHA256
667ab905f5a228b8e9d06e980747ae49c05f8fccf576ac6aa792f58e1170f191

SHA512
473132d9847c4aff82ce274d081ce19fd4a4f4b9cf76d4977c308447ac2aee9bebf82501f251ed81d5c4ecd7e7b3327a68bbdca673960d1dcd103ef20ff0a7c5

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
256KB

MD5
6bd4d924bfa65cba8a52dc70dcf74a4e

SHA1
e387846e905b8fa67d704fe18458c7ddda809d89

SHA256
be788a8b856ce0ad5879eb84590367dbc3f1e6b942e4b7146b06c8265c6c0de6

SHA512
af5357667264bb84e116bc0d8d174ea9be0cb9dca75482a6396ce2028224fc4b457253472869c610069966212e1aa4937c088b3e7185fcf92ced1f7385aa46b3

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
256KB

MD5
6d3f738488635c1673c0f681fa7e449b

SHA1
f0baf251475ecfb9f53e052702f43c83b5bb00e2

SHA256
ebd94d32397c19347f0af5702434e5b899b8dfb7bed63b66b167b3f5ba590e31

SHA512
6e4920d6deaf8dae03803500acbde561b09114447bb4e801eb8892df0ed5a805d575df065efeee9b533f27662b472f51c843c132426fc56ffe21b68a88324fa2

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
256KB

MD5
5714937c4820b435c7aa70c89839d3cc

SHA1
6d0f0d5c3330f793bdcc73cad510ba57e3f5e0f2

SHA256
9a891a58a34b50161a76c6b86b83bf5bada1ddfb425729063c8afc64374119f8

SHA512
e038eef8c22cbcf2dcbfb509f5c2ab24395dbf933cc99ffaddb1352aeeff4504b3add98b777f897da113899dfa27725465d286306592e7363a4ee492cc8c5ea3

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
256KB

MD5
25c76ed565a391bd2aec06cc5a927e0e

SHA1
a19c3ff836cbe2a877d24d9423d0583bce0239aa

SHA256
6a24647a4182de7693deae6a91162c29c1060d49041029e75542860f045aafb8

SHA512
feedb2d953d3c2307f67e9ae8489c10b61f5d13f494fe27d078726ea4a37796e9699b28b6124d275bdb0fc287e0799373015057e3dd3c205170c3ec5954da409

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
256KB

MD5
3cc12367f814cd5f424cd396b6834dbe

SHA1
b37dbfb36a7ccd08c384838f06e25c2fcbd013f7

SHA256
146c03b8019983efb80b0000c7615e26e221d0b292745d28cf02b2309c390647

SHA512
e62bda36d45911decfe4979129cc96c34615c4b1322360fd445d78e500aa1649a4402612223e1f1311b712923ef12bff778632e9a920df832856b6f1657b247e

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
256KB

MD5
b489fe1eaae9289bd5473a8b191583bc

SHA1
155c84a08c6b088459497cca6c291803d7bbf3a2

SHA256
8a6dbfb1ef6c10e83501a73266660ac452787a562d795904bd8576bf5a8f1a5f

SHA512
d8f9a0bd0b7b7df92c69842100fb99271019228d8b8ab5107b1d4e1081ca975cab4e4dddf2c53401171cfa47bb3e7bdedb0feb1322b6bd891328c40cb6f77248

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
256KB

MD5
1de9ff1c6714ae3c9d2f4516cc49c3f9

SHA1
2dd2291f49a35537fd0da3988ecb5c537781c748

SHA256
1ae77391c36637f88aee5d23e5190b2630358825c3225b17ed2b4c0e304de3bf

SHA512
c49157d149906ba8c9c6396363de6cad5dd29ece6bb83e7f09844ba3e640644c394286587d5f3873b351113f5ccca29b4e5a1e5ddf63b15bfd4024164665fdf2

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
256KB

MD5
25fa1ad78dad4aeef0c3c8341fbc3f34

SHA1
bd3d44c3052b9539b24d8cf367ae879ce861954c

SHA256
3ee142660576b9dcc4031bd825efed7aa908e1bc359592bca7655597e0e06061

SHA512
11ec8b9e75f27ab6e340eff550c14ba82d789c389cc0a440d0b77c06f66581cc0f62ea226cbb980be73bea2bb00cadccc0a742bbf83336e7783d034f252caf83

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
256KB

MD5
ed3ef0812555f71e1d9774ecd7d8c7c6

SHA1
0e7c6d6b6a8d7135fedda507c00f9032396711e5

SHA256
162734fa321666d833ee49b2ed4e0e7ba8c0c92720ae02a33a14c56d0ccac8ba

SHA512
5a412c1445a75565f13896b9e89d6ad127427105001f9afd9b51bb97ee1832586459dffe88aee6696247e3aa562d104c6bd34b162957eae098a2a0611401d874

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
256KB

MD5
27ad28c002e51a7a07e9926ee16c057b

SHA1
18e261841289f0c2d59d8b267176add180e9b188

SHA256
ae0ea87cd1c9aa3e2413eac13569fb31d2e7b35f2e50c0f24236c72e4c75b1f4

SHA512
ff6dd3cbb7d775306ea95e0efd104dd3ddff78042bbda24b3ff080f9a70c2520ce2292879c4539aaedfbf4117d16615bf02a0b14556f85b7c312ba34290f8d0c

Download Submit
memory/232-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2340-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads