4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd

Analysis

max time kernel
51s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Size

1.6MB
MD5

5fdae4131178537f9f3dc0c8bba37b70
SHA1

9d421361dfef355f54421399bd30eed1302c6cfe
SHA256

4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd
SHA512

cd162255fcd02bf593a21acacf97bda282b1c7b454ff294f11fdd2c75b87f797e26d4087ef36dd3eaa7af002b59916503ed94e9457a0396716352b81d124134b
SSDEEP

12288:7T7vjDVqvQ6IvYvc6IveDVqvQ6IvYPVSEv66IveDVqvQ6IvYvc6IveDV:7D5h3q5hrq5h3q5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe

Executes dropped EXE 29 IoCs

pid	Process
1480	Mgidml32.exe
3268	Mjhqjg32.exe
4744	Maohkd32.exe
1236	Mdmegp32.exe
3312	Mglack32.exe
800	Mjjmog32.exe
3196	Maaepd32.exe
828	Mpdelajl.exe
3920	Mcbahlip.exe
1244	Nkjjij32.exe
5112	Nnhfee32.exe
4696	Nacbfdao.exe
1140	Ndbnboqb.exe
1548	Ngpjnkpf.exe
4180	Nklfoi32.exe
3976	Nnjbke32.exe
2052	Nddkgonp.exe
516	Ngcgcjnc.exe
2684	Njacpf32.exe
4704	Nnmopdep.exe
3300	Nqklmpdd.exe
5024	Ndghmo32.exe
4960	Ngedij32.exe
4424	Nkqpjidj.exe
64	Nnolfdcn.exe
2844	Nqmhbpba.exe
2240	Ndidbn32.exe
2088	Nggqoj32.exe
3708	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe

Program crash 1 IoCs

pid	pid_target	Process
2344	3708	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1480	1880	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe	81
PID 1880 wrote to memory of 1480	1880	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe	81
PID 1880 wrote to memory of 1480	1880	4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe	81
PID 1480 wrote to memory of 3268	1480	Mgidml32.exe	82
PID 1480 wrote to memory of 3268	1480	Mgidml32.exe	82
PID 1480 wrote to memory of 3268	1480	Mgidml32.exe	82
PID 3268 wrote to memory of 4744	3268	Mjhqjg32.exe	83
PID 3268 wrote to memory of 4744	3268	Mjhqjg32.exe	83
PID 3268 wrote to memory of 4744	3268	Mjhqjg32.exe	83
PID 4744 wrote to memory of 1236	4744	Maohkd32.exe	84
PID 4744 wrote to memory of 1236	4744	Maohkd32.exe	84
PID 4744 wrote to memory of 1236	4744	Maohkd32.exe	84
PID 1236 wrote to memory of 3312	1236	Mdmegp32.exe	85
PID 1236 wrote to memory of 3312	1236	Mdmegp32.exe	85
PID 1236 wrote to memory of 3312	1236	Mdmegp32.exe	85
PID 3312 wrote to memory of 800	3312	Mglack32.exe	86
PID 3312 wrote to memory of 800	3312	Mglack32.exe	86
PID 3312 wrote to memory of 800	3312	Mglack32.exe	86
PID 800 wrote to memory of 3196	800	Mjjmog32.exe	87
PID 800 wrote to memory of 3196	800	Mjjmog32.exe	87
PID 800 wrote to memory of 3196	800	Mjjmog32.exe	87
PID 3196 wrote to memory of 828	3196	Maaepd32.exe	88
PID 3196 wrote to memory of 828	3196	Maaepd32.exe	88
PID 3196 wrote to memory of 828	3196	Maaepd32.exe	88
PID 828 wrote to memory of 3920	828	Mpdelajl.exe	89
PID 828 wrote to memory of 3920	828	Mpdelajl.exe	89
PID 828 wrote to memory of 3920	828	Mpdelajl.exe	89
PID 3920 wrote to memory of 1244	3920	Mcbahlip.exe	90
PID 3920 wrote to memory of 1244	3920	Mcbahlip.exe	90
PID 3920 wrote to memory of 1244	3920	Mcbahlip.exe	90
PID 1244 wrote to memory of 5112	1244	Nkjjij32.exe	91
PID 1244 wrote to memory of 5112	1244	Nkjjij32.exe	91
PID 1244 wrote to memory of 5112	1244	Nkjjij32.exe	91
PID 5112 wrote to memory of 4696	5112	Nnhfee32.exe	92
PID 5112 wrote to memory of 4696	5112	Nnhfee32.exe	92
PID 5112 wrote to memory of 4696	5112	Nnhfee32.exe	92
PID 4696 wrote to memory of 1140	4696	Nacbfdao.exe	93
PID 4696 wrote to memory of 1140	4696	Nacbfdao.exe	93
PID 4696 wrote to memory of 1140	4696	Nacbfdao.exe	93
PID 1140 wrote to memory of 1548	1140	Ndbnboqb.exe	94
PID 1140 wrote to memory of 1548	1140	Ndbnboqb.exe	94
PID 1140 wrote to memory of 1548	1140	Ndbnboqb.exe	94
PID 1548 wrote to memory of 4180	1548	Ngpjnkpf.exe	95
PID 1548 wrote to memory of 4180	1548	Ngpjnkpf.exe	95
PID 1548 wrote to memory of 4180	1548	Ngpjnkpf.exe	95
PID 4180 wrote to memory of 3976	4180	Nklfoi32.exe	96
PID 4180 wrote to memory of 3976	4180	Nklfoi32.exe	96
PID 4180 wrote to memory of 3976	4180	Nklfoi32.exe	96
PID 3976 wrote to memory of 2052	3976	Nnjbke32.exe	97
PID 3976 wrote to memory of 2052	3976	Nnjbke32.exe	97
PID 3976 wrote to memory of 2052	3976	Nnjbke32.exe	97
PID 2052 wrote to memory of 516	2052	Nddkgonp.exe	98
PID 2052 wrote to memory of 516	2052	Nddkgonp.exe	98
PID 2052 wrote to memory of 516	2052	Nddkgonp.exe	98
PID 516 wrote to memory of 2684	516	Ngcgcjnc.exe	99
PID 516 wrote to memory of 2684	516	Ngcgcjnc.exe	99
PID 516 wrote to memory of 2684	516	Ngcgcjnc.exe	99
PID 2684 wrote to memory of 4704	2684	Njacpf32.exe	100
PID 2684 wrote to memory of 4704	2684	Njacpf32.exe	100
PID 2684 wrote to memory of 4704	2684	Njacpf32.exe	100
PID 4704 wrote to memory of 3300	4704	Nnmopdep.exe	101
PID 4704 wrote to memory of 3300	4704	Nnmopdep.exe	101
PID 4704 wrote to memory of 3300	4704	Nnmopdep.exe	101
PID 3300 wrote to memory of 5024	3300	Nqklmpdd.exe	102

C:\Users\Admin\AppData\Local\Temp\4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f23484eaf0e1e87a1a61d9806fdad5cf1f48dffd39dad626e9a9bc60df1e2bd_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\Mgidml32.exe
  C:\Windows\system32\Mgidml32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\Mjhqjg32.exe
    C:\Windows\system32\Mjhqjg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\SysWOW64\Maohkd32.exe
      C:\Windows\system32\Maohkd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        30⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 400
        31⤵
        Program crash
        
        PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3708 -ip 3708
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
1.6MB

MD5
e2c33b82c9d56bfaf44bfd8e7a8287f0

SHA1
aac92705c1cd4333c19c577a1c32dc3b1ecb76f9

SHA256
8f1ce13095f1ee46ec0bfa14445b1c399dd6c62b3429ed9711cbb8b71efab602

SHA512
0e0d5029a8c03ed4d9dc194cd61513123c61aed7a54776e370d1aaa28291bc91e648ef2454a614afa98621958cb281179bb7ee7692733538419d4da7a1d29c2c

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
1.6MB

MD5
94fcdf8e0d05e9f1f90704e60f3bc1db

SHA1
f3cae77ada6421bd315f95ac0740c97b49b9b285

SHA256
06c7eeb127fde02ca331fb84fa1b108bcb5a85db2e6fa521c199930a53eefede

SHA512
eb62ede53e18a6269a44002f6dbd646c175f06ba787a0c911097157fadb94acdae8ea39072dcb1dcc072604f3e311f7e9c269723e545bffd76e2b5b3c30e8523

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
1.6MB

MD5
a19fec9e6b99a7b310791df49188e104

SHA1
114a6a2bbf55fca0d4d59a1ef11241b30152b1ea

SHA256
71c7d9559f1a374067aaf175aaa380b9a8e003f13bc9d668021d8e48d8ce5ba7

SHA512
5e2025a0942f248624604fa15040ea9fda53df278684dd8b2c324f4cb5ea4ea2e77caeb6ebea0e89ac5eca01298eff02e6ae3df5582fb3448098f5748808585f

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
1.6MB

MD5
c8226b33dcb996144a9c995d4c6d695e

SHA1
5e0b2ccbb04f714b55fb14a6c0446e72cdd8cd6b

SHA256
6134f9c1594d33233c7c65e533c83a7552786115d1bd550c3abcf3a37a6b7d15

SHA512
75d22661e6b5b6eb25683347fe54ae1fc6d7266c95a8db7c6b3a623ed41cef36bedfd7354862ecc4cdde015a278da2cc9be3e2e38431ebbbb81c0faa2c21e696

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
1.6MB

MD5
5f555cd367a8065568aeb1d4daaed9c1

SHA1
4a47c37468976db3011d94aa6c894a048dbef7f9

SHA256
af695d4d20194008da4539f42ace4aa99d1976ede79f4ea59092117662f132a5

SHA512
941d683dfc9fce65f6ddce958dfd71f5ab437aba0de8f4345d19ea8a1a3a256003d5ef0b4d788557a5b95e7dd7e5ea3b50c894dbb8a9abbf69276ff66c5d7868

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
1.6MB

MD5
47e48945c884d81914c9260940073146

SHA1
841865b9967ae4ff308a99786f381957a7423369

SHA256
8c1c52b2d05a9069afafd4cabffa8852a52cd0e837686d3137cf38aa411db7c4

SHA512
1e252121978ded98d5e15727e277c3a004d80f5f96c79fdadae63950f682c7c01095e6b1d389dcfc079375e2eda704f71385e49b776b5b4ef82f38364d87fc47

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
1.6MB

MD5
1f2f95d79d6dc02cc8f8a058f247661d

SHA1
4df0afd6688674a0d65026643f06d4f2e8202404

SHA256
b71c5cfc9140d09499091f5e8fda929ce964e58066b53b41012487a8d4a84370

SHA512
0ca1ee352f25d23d6b75cc87fb1b591fb61d01a032cf8070a2d467b38b9d3d9279ac0bd4bcaf2553411be7497841e89fb364c68ce56591d9fdb9592924c16643

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
1.6MB

MD5
c95869b6f4f5a8e8efd48bda7749ff33

SHA1
c0d82dc8fccbf7b07f75fea4ac4baeea1f1da623

SHA256
710137a267a32c35bf29bda6e9097bcdf8f122949cd792c5b063e194bea04abe

SHA512
d3cd389f45d2352d05eb98157109972bb8c0dc7c9fffe42e69388cb42250f17a3398fbac19493d8a2c9a01e7481d559c3856a3eb179c7b9b3cdd656ac7eba5e5

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
1.6MB

MD5
ccb9cd778fe77cc2c323029a881cedc2

SHA1
4a855f1b6dce50d4a17776bc46243e90558c0fc7

SHA256
e894d49cac8442e0b7f6550d87c8788b5d622371234a4bc4672419e1bdfcb7db

SHA512
7c6e3bd8c989ddf1235828fde205dab8067a0c344292f0b1f742a578e4b2c32fdaa8c5742d29c8c365f34c8705c8c29023170a5d2793b7de253decc4dd46cbb4

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
1.6MB

MD5
b3a64c04e74a049976219d3f60e09f0a

SHA1
27013ccc0a30baaf593a0e27ed320d912c042827

SHA256
be1253c413b4337bb2b949c9ae83b4b2cfce166f27cd4da5b813fafd9a7af937

SHA512
9c4b07e725d5a5fcfe2928c77b8832f0232a4ccef804c5893b30d7fdd7a69617f1263ff1023449ec28eac5a7051d47b228ab4300b1dc192118911c4a443086ea

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
1.6MB

MD5
4e766093e716f26533c2a1ec2b8eace9

SHA1
073efae3a1db4e036fb2587f433906159a72f005

SHA256
79f5cad93e2087728a7da78244d6b95236e7e48ce1f9f309366d7b8a58b4994b

SHA512
331b062ce7f0b37f7fc874f0af5a0adfbc9bbf9217add60670a7d418d3046c29bce5c09dd9259bbec98fde3359262f982241acb25a95dfb67199fb3f4f5299f5

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
1.6MB

MD5
54c95345cc4c69a004da7cefafa4023e

SHA1
2c251764e5fb2be34ea4581558fe9abc1f44b9d0

SHA256
245af356cf3467237389774763f5e5b956598fa7849d6d34dd8980c5ac6fcedc

SHA512
78bab9dd20291f6ca484ca5570cc9aa4aabfecd21ec2060361f622bf6c765c1f84011ca9cf1ff5b4408a1061774860c39275423a6672c37aa245fa86b3a0570c

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
1.6MB

MD5
5db24de7b14462a027888203e8263fd0

SHA1
b0c1886b4871580ab20691a54e5ca3f2eec67c7a

SHA256
b83dd1a89af1a5718de03a428450fb132bd4a1f009669b99ce8023ad1ddfbc60

SHA512
f9442609ffe5e3b51862490119c1608069aeaae02197b42dc7a8f0ec73f2e3986632b4412b14ff5e3ee8894d257de4bdde12bcbc2c365548608adf967344c648

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
1.6MB

MD5
d0b671f148a875e5b24f12d6ce4cc41f

SHA1
ad0326f7efd803843d40371dabbc04c5fd476691

SHA256
38fddb2d17fbd3e534a138a223577c6be9d0c6d50514a7ec21ac5cd440f0ff75

SHA512
89ed6d749f734cc2e73dc3f1dfb1270b210dfe6ebe0401fb9f318c25a55bb94b336f6ba6cb5a2a5f14ecc6b9006fe64ef171786ae46f63392475710715ea7dbc

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
1.6MB

MD5
51623d9f0d13a90133b75220cf745b02

SHA1
56d4926a3ed7b6823622ee34a133f6afef34edf5

SHA256
84d19b3ad0cf86cb88d1d5291f1243c7deed1c1128fa447aed9512a7701f86be

SHA512
e3b99f424b89757358d057875dfbc622a3c093fd43740fc9a29eee420b230ff69d90d236635170ec609f3904ea58195620c1725f29b2b4c6729d2d1b1f810ed1

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
1.6MB

MD5
e6ce6e935a33015dbd1389d05721711c

SHA1
0a050786dfcf24c1d4d576cd5de246192864e854

SHA256
83b0f872f44c8482fd6f1525826fe099cf58e33beeddec9ed3a5943f73c83eda

SHA512
67a594e2a69e5b241daca48aa5f59d8146cd4ccd39505eb9d8434f15c3a2eb017ae727146d0c7ff537d0a4ca9e6d4e06a22f4b8f33c23294ea377dd7b1205a4d

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
1.6MB

MD5
e32cbdf3b9cdf5c8e65755be110d7941

SHA1
cd1cd33b89e4a8f5c884aeb73b4f8286d11f5f75

SHA256
1a1166eb80164e0d29ed5adc4d7d9f348b8bd641d5f6be86fd861f6a6095c167

SHA512
60fef53bfd1ec0a130cc2ae3abbf7673145f30d8ba2ffb7ad1641fd19a0038ac3d63d33ac412658889ac62146e4cf092481c2dafa07234f806b34e24717f1602

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
1.6MB

MD5
ba1770e7579ae240f2fc2d9558f63d6e

SHA1
3bb22be22363e12dad06ad1ab56bc84547dd0222

SHA256
3031ab7998b96e8060ba9cf8359baf81f9a87dc454c384354f8a4063f9d2482a

SHA512
7de3ebc89d43606260cddba3392fe129506739250ae5061696e4aeb64390795a89d37ef9e311ec42e2171e83053e284ff857e2960dc210b6617b244cc6e50c12

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
1.6MB

MD5
dd7fe8de53142bfaff82ec83fa02f106

SHA1
39ccbfeec8fe83a4e0d7c8afc58217a4605b82e2

SHA256
2999be4509e63b2200b93554be734910a9e650a50c9a764c31b95bdbd19abfc9

SHA512
ba3f04295c9e2b0aec193d1e96fe74ced19ab625ff6509780570c061758cacd5186c17285bf3dccef4a1e6b35c307e8ebe7085c7d0c525d4401124e307f19e83

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.6MB

MD5
5fcfb83a59fe2c80d35055cbc72f807b

SHA1
3356c0b02c874156bd14f72fc2ce074e7c7f89af

SHA256
cfffddf4a886925175cd85ee284b6973dbd18648065eb2a7f498e870e4ffd2da

SHA512
372701ed2e04b8a8c4993f1953252a8a2af20e97f1ff83d15d29db6bb598e74f13dcbd0690ec3f91934c153280f157a94c13202594b453b985b758b491baf8bf

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
1.6MB

MD5
e0484458957edd5de13a9bb6e2aa24fa

SHA1
077947242eb3d77b18dd912c99c30a0ea59d190a

SHA256
ff94be5234239507ca259094e319f884e72c5d4cee4efc327135369f8aa7ac48

SHA512
01aa8b7eae01e975ef7c81760fc22433b54fd44b901f8f0756ee0e9d45faf210bbd16c49a7f2dbd1a8d301286e20493d56711c6a323bb38ab640dafb71ba116f

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
1.6MB

MD5
15776fc66f1adf4c7b0dc73136a2e1b5

SHA1
cd596a296019377120235a986ccc4dfab2d22d0a

SHA256
daaa39c43d0af1dd80b0d4b57c89fabd24e941c11115e9b0763809478e6456e7

SHA512
0d843fef7ab8d3524984c4a8f10e76aba5ba093fa0cbae7d5d699f737e364c108332fb716b53a052ebf83e4d7e0a977b95762a486772bcd79cd4e255588c61c4

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
1.6MB

MD5
67e2f732d56c2587085d372d5556b961

SHA1
25615fd0250dbf869dacfd2731bf9bfe1b7a2ef3

SHA256
8534870f026241d6daf9c3c8908375ce77ef9e6586967f9a34a7c51a4112add4

SHA512
ea7ce86ba8a46707095f7bc8abee48f6cdcfff104272d09460cfb8c1fae3fba72974d7f36f1ae65411ca53201bc0b81e45c89882caf81a31dccd9f049398eb07

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
1.6MB

MD5
9a2fef6a74073e201e1d6f44141f3107

SHA1
03b9d1fa5210ee5aac21effafd2d02d6f32d3829

SHA256
10981fce6ba841ff377ecfa2453c0b0db7aa779c634ce06d266a9b591528cd1a

SHA512
95e4ecdaaaf0831574d9d61c6d5500120839f275f80abb648186c14ceb15f5e81b728d0119fd147e7218eaacc284b6b9e18d5753309907a770f0ed30eb46f6a3

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
1.6MB

MD5
c1d7926e45c1ba9d3923c01705adf69f

SHA1
66f199f9a336838719f12b3a6bf3641b6dd9e68c

SHA256
5e019423d1830ae10d33fc7b9f80380b694635434b62b6e041c9159295e2197c

SHA512
bec20d3eed6ec9cfc66f068f6b0b0f76c2f7ba3ac8aa5252f1de4fb175fed51ffb2e0fa63ceef44258dd0c3d96407e5214180401655995bd0719eda4d16a183d

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
1.6MB

MD5
012003e3e5cc6dabad81df7201683058

SHA1
f862c454db531eb6594c7606daf39468efa406c3

SHA256
9552a0f3a59ff51a9e2f4207c7a0ffada5e1ae63cb72f69e4ff06e4747f903ac

SHA512
73cdfeb34e8d784408c4afce6880db0b8a846107b7ba8630eec97604c49cf85f48ff915201b9817f40b7e578418bdd6a75eb2b9ae1dd962932b6254bac739ac8

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
1.6MB

MD5
31c65846e047b81020f7bcbfd7b96724

SHA1
10ccc1bb883f0e7c6e52addef25393c71552601d

SHA256
83ae1b29143445c5e24ee1df9a53ec04abaf83c1819f7f1e056419a0d57ec47b

SHA512
d645e4b21002e67c16030d92d7543cbf294666e8fd0670ac314e230d7a951d0f11e8838889e43d01fb4b77b9d7e9e3393a6f49267005d658e660fdcebf512eb4

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
1.6MB

MD5
a4e25f8f19dd4889e12a1b6da3caddda

SHA1
9943fdbb3b0abaaa0272fa8e82c1ef199fda4f65

SHA256
13c4924e69ab7a8f0e0a6663a28f77f2a8b900b870e8d359c84b3c8b3febfd6a

SHA512
825aed8fdd67706c8c691ac7c649fc2bfb30f7e2bc0cce1d178bcb9e88b1e84d12eb87932476f94d8f60a037e33f67ac0a72c8701a23f1f87ec17fca1327a004

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
1.6MB

MD5
d04f48fc2ee032ca3df885ba3fa6bcd9

SHA1
011009bc0b2e89329de9fe63f16b637cf3de47e9

SHA256
63171ecaa9d2ba7431a7fa327fa65c1670c45098b7380f8e39c8a2102701ef29

SHA512
bec3bee454afec2156606b90866e32daa7702e35c8952e13897e8cbf1d354aa37003ff18f569eb82bef421653d40b9f1e46ad9b2bdbaacf1d6cb40a72c153776

Download Submit
memory/64-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2052-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads