5d977a73338909a764bafd8f81e9e5a029cfdbc5ba24533dc96131e17a0fda1f

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe
Size

60KB
MD5

0e397b8cc4f8ad15053333875a7074c0
SHA1

b85940a38249487e84a62536a7dff3f69510a978
SHA256

5d977a73338909a764bafd8f81e9e5a029cfdbc5ba24533dc96131e17a0fda1f
SHA512

131011e84770667e80dea38240778c31d90cb54541200fa93f3093eaefe138d26cac083e1ae4200b9bf944be95b87f8bcf921dfa72be130864bf72f0b3430f3f
SSDEEP

768:DoaITC+Gxloayfcr4mG3tTLvb2ZYmKnfOmswNiL6sxqaVxnl/UD5WgWvOW5/1H5T:Dkurqm6XaMnfOmsV6iI5W64SdB86l1rs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe

Executes dropped EXE 26 IoCs

pid	Process
1100	Mjjmog32.exe
3808	Maaepd32.exe
4988	Mpdelajl.exe
5052	Mdpalp32.exe
4948	Mcbahlip.exe
2828	Mgnnhk32.exe
4504	Njljefql.exe
4652	Nnhfee32.exe
2576	Nqfbaq32.exe
4220	Ndbnboqb.exe
4704	Ngpjnkpf.exe
224	Nklfoi32.exe
3220	Nnjbke32.exe
3496	Nqiogp32.exe
3632	Ncgkcl32.exe
4936	Ngcgcjnc.exe
2804	Njacpf32.exe
2856	Nbhkac32.exe
2360	Ndghmo32.exe
1364	Ncihikcg.exe
1260	Nkqpjidj.exe
4516	Nnolfdcn.exe
800	Nbkhfc32.exe
372	Ndidbn32.exe
3592	Nggqoj32.exe
3948	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe

Program crash 1 IoCs

pid	pid_target	Process
732	3948	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 1100	3896	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe	82
PID 3896 wrote to memory of 1100	3896	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe	82
PID 3896 wrote to memory of 1100	3896	0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe	82
PID 1100 wrote to memory of 3808	1100	Mjjmog32.exe	83
PID 1100 wrote to memory of 3808	1100	Mjjmog32.exe	83
PID 1100 wrote to memory of 3808	1100	Mjjmog32.exe	83
PID 3808 wrote to memory of 4988	3808	Maaepd32.exe	84
PID 3808 wrote to memory of 4988	3808	Maaepd32.exe	84
PID 3808 wrote to memory of 4988	3808	Maaepd32.exe	84
PID 4988 wrote to memory of 5052	4988	Mpdelajl.exe	85
PID 4988 wrote to memory of 5052	4988	Mpdelajl.exe	85
PID 4988 wrote to memory of 5052	4988	Mpdelajl.exe	85
PID 5052 wrote to memory of 4948	5052	Mdpalp32.exe	86
PID 5052 wrote to memory of 4948	5052	Mdpalp32.exe	86
PID 5052 wrote to memory of 4948	5052	Mdpalp32.exe	86
PID 4948 wrote to memory of 2828	4948	Mcbahlip.exe	87
PID 4948 wrote to memory of 2828	4948	Mcbahlip.exe	87
PID 4948 wrote to memory of 2828	4948	Mcbahlip.exe	87
PID 2828 wrote to memory of 4504	2828	Mgnnhk32.exe	89
PID 2828 wrote to memory of 4504	2828	Mgnnhk32.exe	89
PID 2828 wrote to memory of 4504	2828	Mgnnhk32.exe	89
PID 4504 wrote to memory of 4652	4504	Njljefql.exe	90
PID 4504 wrote to memory of 4652	4504	Njljefql.exe	90
PID 4504 wrote to memory of 4652	4504	Njljefql.exe	90
PID 4652 wrote to memory of 2576	4652	Nnhfee32.exe	91
PID 4652 wrote to memory of 2576	4652	Nnhfee32.exe	91
PID 4652 wrote to memory of 2576	4652	Nnhfee32.exe	91
PID 2576 wrote to memory of 4220	2576	Nqfbaq32.exe	93
PID 2576 wrote to memory of 4220	2576	Nqfbaq32.exe	93
PID 2576 wrote to memory of 4220	2576	Nqfbaq32.exe	93
PID 4220 wrote to memory of 4704	4220	Ndbnboqb.exe	94
PID 4220 wrote to memory of 4704	4220	Ndbnboqb.exe	94
PID 4220 wrote to memory of 4704	4220	Ndbnboqb.exe	94
PID 4704 wrote to memory of 224	4704	Ngpjnkpf.exe	95
PID 4704 wrote to memory of 224	4704	Ngpjnkpf.exe	95
PID 4704 wrote to memory of 224	4704	Ngpjnkpf.exe	95
PID 224 wrote to memory of 3220	224	Nklfoi32.exe	96
PID 224 wrote to memory of 3220	224	Nklfoi32.exe	96
PID 224 wrote to memory of 3220	224	Nklfoi32.exe	96
PID 3220 wrote to memory of 3496	3220	Nnjbke32.exe	98
PID 3220 wrote to memory of 3496	3220	Nnjbke32.exe	98
PID 3220 wrote to memory of 3496	3220	Nnjbke32.exe	98
PID 3496 wrote to memory of 3632	3496	Nqiogp32.exe	99
PID 3496 wrote to memory of 3632	3496	Nqiogp32.exe	99
PID 3496 wrote to memory of 3632	3496	Nqiogp32.exe	99
PID 3632 wrote to memory of 4936	3632	Ncgkcl32.exe	100
PID 3632 wrote to memory of 4936	3632	Ncgkcl32.exe	100
PID 3632 wrote to memory of 4936	3632	Ncgkcl32.exe	100
PID 4936 wrote to memory of 2804	4936	Ngcgcjnc.exe	101
PID 4936 wrote to memory of 2804	4936	Ngcgcjnc.exe	101
PID 4936 wrote to memory of 2804	4936	Ngcgcjnc.exe	101
PID 2804 wrote to memory of 2856	2804	Njacpf32.exe	102
PID 2804 wrote to memory of 2856	2804	Njacpf32.exe	102
PID 2804 wrote to memory of 2856	2804	Njacpf32.exe	102
PID 2856 wrote to memory of 2360	2856	Nbhkac32.exe	103
PID 2856 wrote to memory of 2360	2856	Nbhkac32.exe	103
PID 2856 wrote to memory of 2360	2856	Nbhkac32.exe	103
PID 2360 wrote to memory of 1364	2360	Ndghmo32.exe	104
PID 2360 wrote to memory of 1364	2360	Ndghmo32.exe	104
PID 2360 wrote to memory of 1364	2360	Ndghmo32.exe	104
PID 1364 wrote to memory of 1260	1364	Ncihikcg.exe	105
PID 1364 wrote to memory of 1260	1364	Ncihikcg.exe	105
PID 1364 wrote to memory of 1260	1364	Ncihikcg.exe	105
PID 1260 wrote to memory of 4516	1260	Nkqpjidj.exe	106

C:\Users\Admin\AppData\Local\Temp\0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e397b8cc4f8ad15053333875a7074c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\SysWOW64\Mjjmog32.exe
  C:\Windows\system32\Mjjmog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\Maaepd32.exe
    C:\Windows\system32\Maaepd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\SysWOW64\Mpdelajl.exe
      C:\Windows\system32\Mpdelajl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        27⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 416
        28⤵
        Program crash
        
        PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3948 -ip 3948
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
60KB

MD5
33c0697d53ab8409360aad6bc1463d64

SHA1
b3e02d8ddf5d82997a5c91d0b22e1bb413749315

SHA256
be5fc27787c5931ed5444dfce05f1714d94091cc62f7225cd27c83d3c96c4f73

SHA512
1fc222054580034215a6908e5fec48733352d26ffeb4771b8ccc59057720bb1940d6b9306b72dbad24df584e6be94fb13dd65d7f923f251f14396a054283427e

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
60KB

MD5
96d5b15f89e1b3438a70e32817998657

SHA1
584db6e4fefefcbc2472b63d4a4e23df0206d09d

SHA256
3627c4a78949965f0d0dd42c3297d62b352e04d4f5b703d0fbec543475b4ff8d

SHA512
3e98d420e2ee186b3f3a9ad5e02c65b1865833ac80725cd92d80c3b8308e0c0cbafb85b192264ff1639e679338e3bb39ec590787d857421e382e83f0522fddeb

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
60KB

MD5
3d62bb8f380a5c2754ca7f525b71ebd3

SHA1
243d729b130cd59030f8036c66e3bdd0486b4057

SHA256
4d1feca92d7425a7cb7875886045ab5ed82c9f4376f4668e680bd1a1b2d22376

SHA512
7e1b3bc1615051576e70d322278b7f30f195f83ce8f099e985a067f8503155fdfd6d7ecd8d16332ba672516cc5fc7cf9c0b273194b1a5174a418e13ede25a994

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
60KB

MD5
5e2d4610531cb6528476025396a2e15c

SHA1
ea796b1597633178db9c03929837b149079251a8

SHA256
31b7618deae1197386cd3a5d9d5277d4d75c4b9f75ceff8d6dbb6d6938a3f06e

SHA512
2725d66e82a69491d7884483756f7c4d2e2740d45ac359ef331d4bb1c3378a49c276d7fa5573b9c13439510990246c122c4a232cee146b3760505acdb560a810

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
60KB

MD5
4cad51b3a7c440ac46a7ce524493486d

SHA1
41acd61f4c86be1c92a7f561f4b1b5e638080a9e

SHA256
dadded4cd6d098b17ade9e37c6766dde94ea6a6ebcdae6f3fdca24ae5f06d20a

SHA512
b8b0cf93076b83aa679c583d966f163752285a10b1272df04ed1347e0100c672a4a81cd94d6293f335cfdc83d30472e3b2f47ea1890649b40d6fed67ae01bb39

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
60KB

MD5
179b28aa0794462e1e02c6efd2fe551f

SHA1
76137013c513961f66aed6f5e7e54277d4317cc3

SHA256
2271bbc1fe3bfb56f354faea15ab019f79fd34e5fa262fce5bc6731d71a17fe4

SHA512
f6dc6b10465be72093fed7550f2bb2f1021748bb94f113e3039c9b6e9a585e79c0cd4aaa0e4f1f8ed6ffe44864719ae70bf080d8ef3be885d2d0122d7d9694ed

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
60KB

MD5
11d522dad399e3783c7a823ea6416903

SHA1
47f701f7556c75dcf7455e26acd9064c682d3c83

SHA256
9a8c1ba05e4c5f341af4ff82d2a9d8a67d1cf9318b6abcb02052a014192aa7be

SHA512
28c69418520182caf3bfc055b6b9f641cd58395e54c360efc31df8013490bf61e2f1e673388b7c6ef550c98de754970306d430ee42cba592ed55151d46e1d77b

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
60KB

MD5
a5439b2c3251901f9a45424bb774194d

SHA1
af00e55b051182bc4b9f195af8f21a020ee1c288

SHA256
41f132d47588438def3c739fede93d22787471bd90fd15583391aa15dab4096a

SHA512
a30c4374e5f3a431f57d50039760b27a536bec59e9bfa5c9eb252e0d95e653767a0ff02b376265f9355e5c1489f4b26159ab6334f1b1e55a1b2919db0159f67f

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
60KB

MD5
18765c7a0170f9616cb6ee33a8bace25

SHA1
46ae629c13efa7d44a9389c3c54a841bbf32171d

SHA256
9f4093517667cf1b2d434f917c47a0c7eeec4a8e84f6fb39176ac52e662f423c

SHA512
abc89441c8bc9f929a521d0d00afd39be84e268f6e678c993fe20eb5f535f9991299ee5dea42cdb0dba02a3b762747c6cf1ec3bc0b31ce277580ec9dab7bd0f3

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
60KB

MD5
90839dd302cca0818d8478f357757a13

SHA1
398a2c57774d8b80cd9a23b2a03444e6ceb495ef

SHA256
ddc21c6cfc1d4789233450512efb61eab1a3fe9e0ba436938d26c5ddb8a1709a

SHA512
5bd9fa74670fcb74059af831cd3420613aa4b9271f7b04335f1fe229090e842a85af2f3e9b8db90f695b2e80d8c5954ff974357121a65812fac6b623f2f24900

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
60KB

MD5
2826a2f417c3e251a74bc98c2160f0cb

SHA1
4bde90744ce073b320f32e026f8dd32d558280c1

SHA256
43c79ca4d0fb24fb813120c0504aea038f8ee9c34c602dce06b4c09114bb1679

SHA512
82f40a6455a34e0b1fc7f43e308c8ed4a6552094e08bd0e12c0be5094cd9248aec5275242d6fe177c5bb8af8df8145624894c35365d300d2da6977d977cb9fad

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
60KB

MD5
2845f74284f0747e60e8310ebe24aa3b

SHA1
87d920ecac42396c8f52e2271438a7e577cd4de5

SHA256
0297fb5f5939196360866e0a5c5e754c1698f323db9bf1d63b70dcbf19e8ee6e

SHA512
18d2678f5cac030b642fbe04ba1b7a713809d13da0c6a81835529c7efff93c5a50d11b6f212d4e1ec44b78f18958826b53b03ae513378f1339a5a83c77b469d6

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
60KB

MD5
6edf8fabb00c04cd1d8b42bcd513db21

SHA1
af5e5b2c756cd3305d95455c35569a227b47b11a

SHA256
269e782e15710314eb9b92cfb0599c2c15d4ea1c6454417e7d1f5a97bf49dc0b

SHA512
c7f6aa0348d59c71ece3c688dee85ee0194638689dc2390b660ec12ca29134367ccdc0058cc38b8ec0a20b8bfa364d944678b1bf695bc18ece34e9c17902523c

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
60KB

MD5
872d20e85f06dd4e46d55954b677b2dc

SHA1
203663a9ad190fb75cf9cc03032f3cbbc04db214

SHA256
a50f986c4ad54f495336e66bb96da83bcdbe018619f88507178c4d4a3585b21c

SHA512
574872fbe0da535375a935ebd707c9d421a8d2d34f7b8df16ba74b3348d5465b98eefd5aa6016d9f8faa0878c800a4f8e48ac9c91698eca2536a218b855fff97

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
60KB

MD5
8d24df6b5df7607dd69cfe98d047208d

SHA1
28b237ef21f59e46f0399e87600add77ed52f8e2

SHA256
6d6b55f7a20a482ee2657778b1ed3a4d7b7b1754c67a4cf5113d0bcac2a72f9a

SHA512
2392c8853af3383d1073b4b73bab122dd7746024ae5161e5acea3ac9ded12d50829e2876e3331b666cde40cc914d90335b65fe52876a6ec7e1cf814d503e5188

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
60KB

MD5
612d908f3bcf1194d2c20013e883247a

SHA1
cb3ff6e58eb6d5bb2512c7565114b2608921f2d8

SHA256
1a554557974075340ac45479df06bc8600bf183bccef81b79c8f49b74e3eee6c

SHA512
5f907ea4539110254dd9965c98293b552cefebb30908487ab36de9b6f95bfcfa59fae2bf494a3090e84be54aeade3555d8ac3ef34de24238e96d0b3bf51dcc90

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
60KB

MD5
553d61f26c6d3075a0912ede5d56de7a

SHA1
6371f996cef5fc5242f7bf668c829fd5dada13a2

SHA256
6ae3e1444e2aad8589da389e47a4672e00ddedfa7f2d7b1ba079ef9b4e62ebc4

SHA512
f75d56ab0455f1caf293bd44a945a931a216c5f12b9cd61cc82d5c5b47bb4b8f124a7550889d4526e5faaa98e9523bcbea060fd22cb0aa7c7263849ed8b3ebae

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
60KB

MD5
3ecb86a719658cedc2821c452e8de978

SHA1
f9b7c3ec22b2d9aa4ee143bfe85b1cb2a20f99ea

SHA256
c360b11135d0e74e81d5af1c8ca2ad340f473de852d1669b979160c95c9da9b6

SHA512
66bcfa7a0302fc808dfa903b478638c0da76a1635b633236f5bb617ffe00ef07da70c809835bfbe7f1603abe8ea02cbf72e66d826412e0fd948c9de0a8b6765a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
60KB

MD5
126715217e5d71a9ce757714132a2bcd

SHA1
cd0bd3e91b45eb49a2176efcb1abb9d3746e1169

SHA256
2ed4fac3e1689cc85ac8b42fc8d9bb8820b2469016337a6840860de7477782e2

SHA512
a9279414e3d251b03f939f0b40dc9c30647d1e85d80d8484006556f9e1beb1e81c7e000b3ca235299f9795c60b535a7d6422dfa48c2bb89a962696cdb867ed84

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
60KB

MD5
671b3f9ddf3be373ef6c38bcf8344cc6

SHA1
ef8932d82990174621e1ef8a09ea6e6085fe3f27

SHA256
b34d0c0eb2c306e893462e1db477470c3c70757fe69eabf4f5c3f7620ebcc7d8

SHA512
2804a84554248e6e1502a41b042ce9a0de8e6b8c4507304b36b9f76f4c90f37f3d6464428f132cd6dfbb3e20201e774aa25bba271e729941cd8f89780a55ef09

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
60KB

MD5
d667c80b5d2972e4b996e0bdc916d537

SHA1
b415e2e691f8d92f2077b7558a3e7e6ab2355e0e

SHA256
bbb5986d5d0da8794dfc33c1c1284a3c96f0b103c8438f00bc2c7aa9170109f2

SHA512
eee2346476b7a4fb72b19a5e6100dc78de41e402ffd41f4b4ee2e0af8413881b51db8a8e1f0638ad21c40b4456e6a64044f8bc275700bdaa06ab6bfe12fcc492

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
60KB

MD5
972804620b8f04949b669fceba35d411

SHA1
69780a53befc60d0a99fe35e065a8a573a0b1844

SHA256
74b86ae4657d12ba0e990967631a269789d2a0f03deaa733a0f12368ab17c7e7

SHA512
d72b77177a1e40c5a3fe4b991bb512fbc53af0636f5b7e310ed2b3807281e78c7526d11615d483f2802834ffc7fdcb54110a8912a181246a412263cfb2211e7c

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
60KB

MD5
4c76143ef051ff55a87ff346b467c292

SHA1
107aa1fc0aef60f4418471820e04697841e72f50

SHA256
15470479a8680dd6dccc780e658b0f7649966f38da0e1a79de456c42757b47df

SHA512
1e3dcc4c978d15e786dbc94601ee2d8a90d8c6c8596de1ac49ff63bae126aae991e55932b8924d92d157041c5c27c9eb0e09919e31c2047e941896636c690f7d

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
60KB

MD5
cc61de22140e5f8b22169ea69bc5db04

SHA1
51f042f36a3bb2efae9229d3c3ec1cf1047259f2

SHA256
54cbf8f22eacd5a4dfc3558bc61485b11498ad23433b248af5201888021d2b18

SHA512
25e888a5e71cc43c27d3af421b98579081f95d233b1f4581c036659dd56e715aee9fae43e9895d90f11f8a933f8aca61710db9187377f30b8a2f0e2f1ddec0ee

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
60KB

MD5
3fdcf0141359d2e236ec9d7259746c12

SHA1
88036061f742ec1579e56432894fdc8f0e7e73bf

SHA256
8dbaaaaed74619041d6180c68d087bd6513c3520bdfd6b0012234ed2693a992d

SHA512
59f028c5b627d66cb195298c18855960a0a6c3ceceb3d642ffc6097616f2cd0f560bb47e0bd7f0794182175ce5316636347be2168c2fc3a4ee42690d6dd323ed

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
60KB

MD5
5e357ee78812f619672067ec365f232a

SHA1
37055c4f1487001de6efbf03fd10238768440fae

SHA256
87985b7d1d920063444006f958f84f7b5a77151703b02f518f394836c5c30533

SHA512
7b42ed1344e4b2c3a12e092fbf8615708a9c40eb779c1886490383d160e5cf543d5c9db70563979742a18d831c113ea9a4a03f338f1acfca8b0c2ab4552c4143

Download Submit
memory/224-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/224-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/372-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/800-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/800-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1100-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1100-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1100-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1260-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1260-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2360-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2576-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2828-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2828-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2828-258-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-271-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3220-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3220-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3496-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3496-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3592-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3592-221-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3632-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3632-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3632-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3808-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3808-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3808-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3896-77-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3896-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3896-5-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/3896-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3948-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3948-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4220-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4220-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4220-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4504-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4504-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4504-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4516-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4516-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4652-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4652-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4652-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4936-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4936-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4936-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4948-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4948-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4948-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-106-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads