1ad56847c9e57d967b73a12ba74719675274d2b7002d530b4d19e8282e2e7be8

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 04:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
Size

74KB
MD5

8af0773d409cc0d78849939e99df5540
SHA1

591b7a63827bf5d460a7f23a355128176d9e9c94
SHA256

1ad56847c9e57d967b73a12ba74719675274d2b7002d530b4d19e8282e2e7be8
SHA512

5ca7d9ae66c5ea3a3f604686971b095cfdb1dae561c9be588533c91027a6fc7eaac4812c5f6aa4369b9f9d8cfb74b4ccdf7e60971e8f83d7b51e0f74966d668e
SSDEEP

1536:kmadmBlU+RhJC4ataZLPEmV/eFfdgfa7R3/0Abz0zdGz:FKm3PatxWy7R3vidG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Executes dropped EXE 29 IoCs

pid	Process
3812	Mnlfigcc.exe
2132	Mpkbebbf.exe
2544	Mgekbljc.exe
3352	Mjcgohig.exe
4016	Majopeii.exe
2192	Mdiklqhm.exe
2800	Mnapdf32.exe
3168	Mdkhapfj.exe
3348	Mkepnjng.exe
4836	Mncmjfmk.exe
4844	Mdmegp32.exe
4324	Mglack32.exe
4368	Mnfipekh.exe
4252	Mdpalp32.exe
4588	Mgnnhk32.exe
3400	Nnhfee32.exe
1600	Ndbnboqb.exe
3712	Ngpjnkpf.exe
3516	Njogjfoj.exe
4236	Nafokcol.exe
736	Nqiogp32.exe
4652	Nkncdifl.exe
4856	Njacpf32.exe
3524	Ndghmo32.exe
3020	Nkqpjidj.exe
3508	Nnolfdcn.exe
628	Ndidbn32.exe
3956	Ncldnkae.exe
3272	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3224	3272	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 3812	992	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe	82
PID 992 wrote to memory of 3812	992	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe	82
PID 992 wrote to memory of 3812	992	8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe	82
PID 3812 wrote to memory of 2132	3812	Mnlfigcc.exe	83
PID 3812 wrote to memory of 2132	3812	Mnlfigcc.exe	83
PID 3812 wrote to memory of 2132	3812	Mnlfigcc.exe	83
PID 2132 wrote to memory of 2544	2132	Mpkbebbf.exe	84
PID 2132 wrote to memory of 2544	2132	Mpkbebbf.exe	84
PID 2132 wrote to memory of 2544	2132	Mpkbebbf.exe	84
PID 2544 wrote to memory of 3352	2544	Mgekbljc.exe	85
PID 2544 wrote to memory of 3352	2544	Mgekbljc.exe	85
PID 2544 wrote to memory of 3352	2544	Mgekbljc.exe	85
PID 3352 wrote to memory of 4016	3352	Mjcgohig.exe	86
PID 3352 wrote to memory of 4016	3352	Mjcgohig.exe	86
PID 3352 wrote to memory of 4016	3352	Mjcgohig.exe	86
PID 4016 wrote to memory of 2192	4016	Majopeii.exe	87
PID 4016 wrote to memory of 2192	4016	Majopeii.exe	87
PID 4016 wrote to memory of 2192	4016	Majopeii.exe	87
PID 2192 wrote to memory of 2800	2192	Mdiklqhm.exe	88
PID 2192 wrote to memory of 2800	2192	Mdiklqhm.exe	88
PID 2192 wrote to memory of 2800	2192	Mdiklqhm.exe	88
PID 2800 wrote to memory of 3168	2800	Mnapdf32.exe	89
PID 2800 wrote to memory of 3168	2800	Mnapdf32.exe	89
PID 2800 wrote to memory of 3168	2800	Mnapdf32.exe	89
PID 3168 wrote to memory of 3348	3168	Mdkhapfj.exe	90
PID 3168 wrote to memory of 3348	3168	Mdkhapfj.exe	90
PID 3168 wrote to memory of 3348	3168	Mdkhapfj.exe	90
PID 3348 wrote to memory of 4836	3348	Mkepnjng.exe	91
PID 3348 wrote to memory of 4836	3348	Mkepnjng.exe	91
PID 3348 wrote to memory of 4836	3348	Mkepnjng.exe	91
PID 4836 wrote to memory of 4844	4836	Mncmjfmk.exe	93
PID 4836 wrote to memory of 4844	4836	Mncmjfmk.exe	93
PID 4836 wrote to memory of 4844	4836	Mncmjfmk.exe	93
PID 4844 wrote to memory of 4324	4844	Mdmegp32.exe	94
PID 4844 wrote to memory of 4324	4844	Mdmegp32.exe	94
PID 4844 wrote to memory of 4324	4844	Mdmegp32.exe	94
PID 4324 wrote to memory of 4368	4324	Mglack32.exe	95
PID 4324 wrote to memory of 4368	4324	Mglack32.exe	95
PID 4324 wrote to memory of 4368	4324	Mglack32.exe	95
PID 4368 wrote to memory of 4252	4368	Mnfipekh.exe	96
PID 4368 wrote to memory of 4252	4368	Mnfipekh.exe	96
PID 4368 wrote to memory of 4252	4368	Mnfipekh.exe	96
PID 4252 wrote to memory of 4588	4252	Mdpalp32.exe	97
PID 4252 wrote to memory of 4588	4252	Mdpalp32.exe	97
PID 4252 wrote to memory of 4588	4252	Mdpalp32.exe	97
PID 4588 wrote to memory of 3400	4588	Mgnnhk32.exe	98
PID 4588 wrote to memory of 3400	4588	Mgnnhk32.exe	98
PID 4588 wrote to memory of 3400	4588	Mgnnhk32.exe	98
PID 3400 wrote to memory of 1600	3400	Nnhfee32.exe	99
PID 3400 wrote to memory of 1600	3400	Nnhfee32.exe	99
PID 3400 wrote to memory of 1600	3400	Nnhfee32.exe	99
PID 1600 wrote to memory of 3712	1600	Ndbnboqb.exe	100
PID 1600 wrote to memory of 3712	1600	Ndbnboqb.exe	100
PID 1600 wrote to memory of 3712	1600	Ndbnboqb.exe	100
PID 3712 wrote to memory of 3516	3712	Ngpjnkpf.exe	102
PID 3712 wrote to memory of 3516	3712	Ngpjnkpf.exe	102
PID 3712 wrote to memory of 3516	3712	Ngpjnkpf.exe	102
PID 3516 wrote to memory of 4236	3516	Njogjfoj.exe	103
PID 3516 wrote to memory of 4236	3516	Njogjfoj.exe	103
PID 3516 wrote to memory of 4236	3516	Njogjfoj.exe	103
PID 4236 wrote to memory of 736	4236	Nafokcol.exe	104
PID 4236 wrote to memory of 736	4236	Nafokcol.exe	104
PID 4236 wrote to memory of 736	4236	Nafokcol.exe	104
PID 736 wrote to memory of 4652	736	Nqiogp32.exe	105

C:\Users\Admin\AppData\Local\Temp\8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8af0773d409cc0d78849939e99df5540_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\SysWOW64\Mnlfigcc.exe
  C:\Windows\system32\Mnlfigcc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\SysWOW64\Mpkbebbf.exe
    C:\Windows\system32\Mpkbebbf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Mgekbljc.exe
      C:\Windows\system32\Mgekbljc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3352
      - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        30⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 420
        31⤵
        Program crash
        
        PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3272 -ip 3272
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lnohlokp.dll

Filesize
7KB

MD5
9404721dd4235cb3a2804c7206ac0f16

SHA1
77a11452cef7b599c41031c81a945c78e1ff3e67

SHA256
7dd926eb37845dd732ea361ab066bfb3e41d58868c45cdfa6a1f0cb1d9ea5a3b

SHA512
4a133551728f0f21b3b8424426fbe4fa5829fcc6083c6066fe63286cf26ce1512789e32ccf92c63f33de6773885bc12ba9af15f7efc836eb53b206b9068066e7

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
74KB

MD5
2a7ac2e6aaea5fa198cbcf8947d2b2c6

SHA1
263c91482e4a5214d7e231a3247c02764f854a8f

SHA256
ae565227ef21536a6df2ed120d75d00d81d4a49ea5b531a39a043640ca000a2c

SHA512
673a24d237f0432aa155024f1507daea9bf7e656bd483408f6bb676eb13abb1b1d34b05144ded3737ed91782a8b4cd728362ae88609c1897e1d7eb1b6241237f

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
74KB

MD5
293a7cfec217589335cdbf5e8e813333

SHA1
36d817901b16335663863304e3dee171aa82d585

SHA256
1411506ed160649f1e1ab827e3e077c7b404212993f091c75298ff69679e2ce8

SHA512
009fc8c61fba961f7f44fb9d08ca0474b29b169ae7b44272efa8253d41c5e5cc9adac0fd08017646c9badc5d375ea90cb775506a870b86a9c23f36d717831f1b

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
74KB

MD5
a4671e7249326ced852d266b04cfd6b4

SHA1
4490e5380ee9205ef7ff33a9bd61c05172e73aaa

SHA256
64c1dc5d86d4966787a88a66ed315ebc2d743745e2d9284aa2d183e2aa0d35be

SHA512
049199adb6ce6da269992a549366705dc43e3a7c2866a329a10dee6dec5a018a38742b6d00c3e92b41f5918b5d664af487ce6a569a7dd141188daffad4945aa6

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
74KB

MD5
7f1c7a89582b4646a6bbecb4daa93cd0

SHA1
2285f8ffe110a197ffc3910c3638faa43451446f

SHA256
a085c1f91c89e478ad5f29029e547baae229ca63c4fd194c5d0284746254ff09

SHA512
6db26816952cca9f0d8c36ab84a8b8ace7df7c6eead812c4bfaf80050f8bf8db40c9af7ecf30cde0102c8e90b7e83318acb1cf061ae9ec6ccb86945fffbd4200

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
74KB

MD5
e4a424546d0351c541260144daf2afd6

SHA1
935653db905cabd536664c1c83342223e1d8775a

SHA256
ea2db16c02d6f13d8664b3ddab557727e0ad3ca8063b10b62d6d7d6aae49c75d

SHA512
2c7897f0289f7ef72a88be3a25c40076ec78fd920f4ffbadc2600ca1b1839b20832008ef4d8ee7404659d3fe5385dae843e6bea09daf3575122d90aa4dc0c020

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
74KB

MD5
d0cf8c339bb24afec24fe882eb79b841

SHA1
0c440c6a2d59da727ed75fd140d85b2651e2664b

SHA256
94b930773505b92345fff383eb379fd1f311cbd169874fe1fa7bb1ab9fed2a9d

SHA512
e477aea0e65bf1869c834a0c41011f8a9e3c93f382ab98855cabedda8271f79a5fa661aa9b09fba565464c611c17d9832c4deee13329a95e186c57a4f82cea08

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
74KB

MD5
8d62cd23e02d5e6fcd7accb75e473627

SHA1
46a87df0f7fad148c740f65c4eac036235a4b2ee

SHA256
8d05f048dfdd3c4c17a05ed0d67efb8530819f9d1e9a3b2a00ff8e7f13fefe9a

SHA512
3b96161acdb0ec1dbf3ce811bafc2cf63a9c59cf05e80aa1e0583b8a05c16149a65170bbca06a61bd1e1baaa8dbea6a26a0ce684d6c3bbc35f224006ffb9e6ed

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
74KB

MD5
fe0b503f35967dc14a6983836a5120b6

SHA1
d47694be42d162a087a8ac22f4c84f54ed597fdb

SHA256
9bfdf085ce93c358ca045c2ac1387c9ec0c87be6cd2990c58e692ca7d7c01eaa

SHA512
eff3bd9b4cbb8c7866262bb3a00da3d4a93b3fd2a13624d874c6b17132ad6f7d1d9802c35b213feedcd05f323f1d0fa3ff412b4557a64e842faa98d1b85a7ed3

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
74KB

MD5
344800a4ab93bcfbc14d9c15e577cf27

SHA1
febb6b473eaca95054ad42f010497e7190966fa8

SHA256
6e8ee1831c28a95c51cfaa635a8906e163002093399795a399ffe15ac84b0d1f

SHA512
5babdb24ad5093bb9328b4976db41a301f94478f4e889bfcc83d708f848ab8b5ed6b8fbdf58f900acfc488dec4d0bcf2ec8bac29b319da5e8c4a2dd954ba0af2

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
74KB

MD5
c895311574af6bbef019d8fd1b27c21e

SHA1
50523776203b29e0f7e484e8ac708e70e35978e3

SHA256
f38d34ead48b29124835af44dae2cc3407031c4929a96480bb4579bc5be18a66

SHA512
8ea08187b1af897061b65e798834fda7348459d406e0aa88b877df25f31d4ac366e95413de80efb4d64f88828f850f3c53e3074a452deb014fad15594d7380e8

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
74KB

MD5
63c80747a51e10bf0d3c819531151b9a

SHA1
5e3b47cacdb82cb133143988575725844ac384a8

SHA256
a11e08f9acfaaaeffb64c536f66b31d23f8d1f02171aec1fe5d75cfa2d5b0633

SHA512
65f460f0c7a57fed2de3e6eda34340d6bbd093da4ddf84ef1ab802d7c227c09a48c1d7e413bc52b3b533816431dc0d1aa90aea8a79b6bb935904ecf37758b4f8

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
74KB

MD5
997f65c95b47df8a682b664cf91ff5ea

SHA1
8b14dae9854ae0ed15fa1bc7ec67f17d5e0a0b2e

SHA256
fb58faf52a418e006addb199b8c1541858287def4e0321fff1d7bfe417397e32

SHA512
9369a6e4a8c20f7eb97ced0f3daa471945c812b0e2226da062575956ed50397722dd7c3fc2ce8f2419eb6a75f9389b7a109c34011f41de60dd122a98a2584282

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
74KB

MD5
63ade10af3967a5596dd0adee177237d

SHA1
bde0d6b4a176da86ffbce6dd31365df6a762627e

SHA256
6a2f0a1bbb6e204826c9d0e726cfbc8f5522d5ffd0904f9b047eae0402b18bac

SHA512
490eaf095b65fbbf11474f743e9b03a62dc661ecdb0a65340cf59aa4df4630255c109bf751668b81cd572038721d17109c349ede29febf596e967afa1e756190

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
74KB

MD5
d8e5c68c38957bc4db1b3516588b0b60

SHA1
db28c9e0d30757b7f740b72672b450a4428fe1a2

SHA256
92e283efc32edfed21759db1512ca0ee7ab10478c632af3319472ba8112e08dd

SHA512
4084ea7daffb2a31e93b19cb5d95912b221f2c1cfa07905216a32d1794d93d7cd223e8ce81e37f63b68a7a9831c440fc15a9efbba359dfb35b89c9d60e4fcf5e

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
74KB

MD5
b2576bfbbe6234930815c065b0584325

SHA1
0cd2816de3c2f3d5b4442e2c50232e12c393cf0e

SHA256
d179f99eca82778354b2347ca6d3e27fb4b7fff7f8482132074763158e8a0cc4

SHA512
c53ad44a09019ba900f7c0db2ac1117e5ab099f2fe535b79da849896402a935b1e5695e30d219a5c5b067e8f715fd30ae1e77f2618689eb61c82117348830380

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
74KB

MD5
05d22962f0db78ecc7489736b7c1a5f4

SHA1
bfc51a313167dbcdfebdf9f404320ba65545c79e

SHA256
b2cba40112155cb678548cc9ca421ab2c4ec47e1394812c9f663a8b62675ddcf

SHA512
1a193c0a8b5c4696b54bf7c313cce7703d8f4c5b6580b15857524cf0ebed96071153577a29680af7b81db0d5933f22f2a4cf53db08b8d401dd945ae55879baa7

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
74KB

MD5
44ff68d3878aa9286f7dcd77e23f637b

SHA1
4e9abbf84ddd936d6dd3d20723a19f8f8211b355

SHA256
17f50c2027324b2cfb8d37c1643f217c21bf07d862ca6fab177ff96ba34864c8

SHA512
2fa52bc3dd7bee21e72398ef99dcd253f7cfd8d2f404f1fb3c55ebc5b001ca433f207afa2275f1ee9b5c8e1de999895de974efc8cfcf0effe30593aca556ff48

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
74KB

MD5
cce849c4d54c05531e916001ac2e2ed7

SHA1
fda1c0197b2cf89f1c31ce1feab1df12a76720d0

SHA256
09b514434605fbeb01971840ccc1ecd8815d5a30986e9b51de2439a682becb3d

SHA512
e627594cb115294514c2b2ea623e9a78707d04c3da79ab9901a3c8cc68b7b1127d2cb60e8cac746c6e4b6706064aa839430a905a709440a61ae339fe725132f2

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
74KB

MD5
68019fb5184103a533ecba749ab361c3

SHA1
7f4f86808a09b93092b7bdb4a4e836e4661f8cb4

SHA256
e24ce64d4509fb6471cf26c49b3c3d15a04c659f72bf547bac1614674ff76265

SHA512
21869b86d713b2650a2bce5490126dbccad59f7e7f0a717d89a2f7006b6180469f572e7ab669aa673dfdc35a8006ff8154d8ad2f8d9cf1158d46a55650d74b87

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
74KB

MD5
5e2646c8a91313ed8e7a1ee3744b88ed

SHA1
a76b43730d59c40895ac7fb1ad0465a7b1d7873c

SHA256
b84ee40633d3174b31b4b6d080c5d5da8820558face680fc9e94087fdad36578

SHA512
582d0409b2f8d3020f2af36392b579cd5d370d65cd987116e39a142ee153bc9cc8fa1df0e8410e06b809eb8ba7b3aa41df9fd51f37eec2915ab03de46d73182b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
74KB

MD5
7f5e95bda26176d2fc4a285ca7c095c5

SHA1
3fb75696e6e520f5ae4465366979e0f1c4a9d970

SHA256
b43e5fcca79a0302f400555d45f7f5fc60110ef520c4d664dd7c3a7ec370e28a

SHA512
35a6a128e9a47c091c4db4e34d5e5191b7fae2b8bc6816d6d110ec59fe73d2323463eb995383ec1977f78870e0a99312df7065b7e1a09f5dc6f794b1e9edf43e

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
74KB

MD5
5b9699958b2c9693c3c11e477f108590

SHA1
64266cf20d05fdc6772a563205f338d4eb7f8b7a

SHA256
21ccfe03fbff60a370b8fb5ab0fe3deeb7cd4ae236ef40a802346f6a5d679388

SHA512
373bfd47f2ad4080868eea2d16e65947a5a224f55ca09f6a7d567e1244993e368712066ca94ea6954d174fd4cd4199c29e77fb0ec8bc5cc87a3b5b53ed842de1

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
74KB

MD5
77ff7964ad01d5ad6c3d26dfc61d1f3c

SHA1
3301c726a8311be157c87401159c4436c9113dc2

SHA256
f3ed5251e1128e108278a15ef3a4fba18c14e4bfc9f1a7428879d96826b8f3ae

SHA512
10b0a21e879559e2d561794c7e9f75d34201962994888548458c7a56f8f20f7a4d4972471354f1e66b73915c126bdebf53df7c4e4b55be79fb5894d34a748654

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
74KB

MD5
b1c498464f12babce00b3922024feda6

SHA1
3bdbc04c82cad090170060a0ec6710aee3c5f036

SHA256
38b835d5db2084633eb2b41a1b577febf5f906c98c4ce74d525443656715823a

SHA512
43a287424e812ba51319bb55ced49a91dbaa5a0169ed3b908f5a3ddd60180b087baa84e42a559fe2fe882d6d29b7cd1ae0270d1d9dbb61f4be56fcdbb50c0bc4

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
74KB

MD5
fb6579ba2f8d07496449d63bbaeb7272

SHA1
4afb11226373da769445b445e6f99bfd29d97287

SHA256
c82de1b7fc873b1985f7b6f9a8ff83011d7eac0f7002efe6b601bf947766a560

SHA512
a6024544930dd014d75369205cd170832a7ef32f958478fe3bf8d20cfd542c71faa28a805d7bcd6baa1fc7f3f793b9b0491607767a83efd6b8a9ee7bfdb26551

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
74KB

MD5
fa1366ec778d4e06444ba51b01d12948

SHA1
5d537ca54acc6d2a27ffb31e705a9cb0861c181e

SHA256
1436656144c19fb6219f335de146eae1c6ce9e9f085d20195fffc9b07ca04a41

SHA512
63aebf5d3c7d252659004f3eea538d98271564271a03d79900f6fba58a29b354d0079ee063987fb647ca36d1d63890a6e78e3a06abe7ff177d336899f4f824f4

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
74KB

MD5
339f9621d3d11f1419ea8dc8d64cf993

SHA1
99747a4ca1d0f04726c4cd9cd434f7e6fe3626ca

SHA256
031654fa81eb45c6047cb33cb0267934c4274161bec35cad5970dd97f85528d8

SHA512
9a8dd43d8c7d313743d306e6c1e245fdd8f63b556a2abfa8b2a457be08e9691f64f789b7dffca1cc26a2cd34efb6c27de3f721c87fa8499d5a6daaa9edc20434

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
74KB

MD5
c28f2208cc42cf9ca01080d855a8240e

SHA1
1ac10974f5d7de34a7ab7831d2d1d0e1b61a2363

SHA256
cc63ee9fc9d1a6e58336d9ef8b1e35a54962e30195f2bcd4b2942cc2bf362259

SHA512
5af09f27dd1aa52adab842199132d8569ad8b538cae87517a982daa637a09557253fa4a3ed76c6df145f0b5c7fe433dcc690f2b56903f33f1698f73478d758d4

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
74KB

MD5
5b318158445d9cd9b402bd4a0b93b3e1

SHA1
9dd11f046400757583b40b7fc106b9a7dfa2f7f7

SHA256
f283e8198ef4d6dae8fb97f526140930c69e9e598cd273db2f372733c7847958

SHA512
3717a6f2063509423ee3e9b9f66f09416dfc1fa562c097b7b93db720bd788de7a9f12a5b891dd1d030f7e1bb241d10cafdc7ea15bafae6062eab81f610a0f9fd

Download Submit
memory/628-221-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/736-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/736-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/992-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/992-257-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1600-241-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1600-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2132-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2132-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2192-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2192-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2544-254-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2544-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2800-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2800-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3020-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3020-200-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3168-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3168-250-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3272-233-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3272-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3348-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3348-249-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3352-36-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3352-253-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3400-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3400-242-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3508-235-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3508-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3516-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3516-258-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3524-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3524-237-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3712-150-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3812-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3812-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3956-234-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3956-228-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4016-45-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4236-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4236-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4252-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4252-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4324-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4324-246-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4368-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4368-245-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4588-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4588-243-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4652-180-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4836-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4836-84-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4844-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4844-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4856-238-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4856-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads