0406ec35bf527dd278c5ef987f79effd5ca0cc0c3d37ad5cc8a9e894d016e3e0

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe
Size

208KB
MD5

3d8ab7022d7f90ee7951f816311074b0
SHA1

995d17715de7e6f7b3598a752a089f8b6d172108
SHA256

0406ec35bf527dd278c5ef987f79effd5ca0cc0c3d37ad5cc8a9e894d016e3e0
SHA512

ae8ea5046ccf45060a7a24f0b41ebf890f796da45bcdff1af2930b9862775f5c9b428275fdc3eeaf418105e0225218aa5e554a7b5a21907907571b0f21323346
SSDEEP

3072:YdVYVnqXL8lyBS1fqlj6+JB8M6m9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnRz:vVnuLJBNlj6MB8MhjwszeXmr8SeNpgg

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe

Executes dropped EXE 29 IoCs

pid	Process
2604	Kmnjhioc.exe
2012	Kpmfddnf.exe
1760	Kckbqpnj.exe
4120	Kgfoan32.exe
888	Lcmofolg.exe
2412	Liggbi32.exe
564	Lmccchkn.exe
1208	Lgkhlnbn.exe
3696	Lcbiao32.exe
3704	Laciofpa.exe
64	Lklnhlfb.exe
456	Lnjjdgee.exe
384	Lcgblncm.exe
1748	Mnlfigcc.exe
1684	Mpkbebbf.exe
2376	Mjcgohig.exe
1804	Majopeii.exe
2028	Mjeddggd.exe
1592	Mdkhapfj.exe
3528	Mjhqjg32.exe
1476	Mpaifalo.exe
4016	Mcpebmkb.exe
5096	Mpdelajl.exe
4620	Njljefql.exe
3560	Nklfoi32.exe
4232	Ngcgcjnc.exe
3620	Nbhkac32.exe
1972	Nnolfdcn.exe
3220	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lmccchkn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1908	3220	WerFault.exe	108

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2604	4412	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe	80
PID 4412 wrote to memory of 2604	4412	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe	80
PID 4412 wrote to memory of 2604	4412	3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe	80
PID 2604 wrote to memory of 2012	2604	Kmnjhioc.exe	81
PID 2604 wrote to memory of 2012	2604	Kmnjhioc.exe	81
PID 2604 wrote to memory of 2012	2604	Kmnjhioc.exe	81
PID 2012 wrote to memory of 1760	2012	Kpmfddnf.exe	82
PID 2012 wrote to memory of 1760	2012	Kpmfddnf.exe	82
PID 2012 wrote to memory of 1760	2012	Kpmfddnf.exe	82
PID 1760 wrote to memory of 4120	1760	Kckbqpnj.exe	83
PID 1760 wrote to memory of 4120	1760	Kckbqpnj.exe	83
PID 1760 wrote to memory of 4120	1760	Kckbqpnj.exe	83
PID 4120 wrote to memory of 888	4120	Kgfoan32.exe	84
PID 4120 wrote to memory of 888	4120	Kgfoan32.exe	84
PID 4120 wrote to memory of 888	4120	Kgfoan32.exe	84
PID 888 wrote to memory of 2412	888	Lcmofolg.exe	85
PID 888 wrote to memory of 2412	888	Lcmofolg.exe	85
PID 888 wrote to memory of 2412	888	Lcmofolg.exe	85
PID 2412 wrote to memory of 564	2412	Liggbi32.exe	86
PID 2412 wrote to memory of 564	2412	Liggbi32.exe	86
PID 2412 wrote to memory of 564	2412	Liggbi32.exe	86
PID 564 wrote to memory of 1208	564	Lmccchkn.exe	87
PID 564 wrote to memory of 1208	564	Lmccchkn.exe	87
PID 564 wrote to memory of 1208	564	Lmccchkn.exe	87
PID 1208 wrote to memory of 3696	1208	Lgkhlnbn.exe	88
PID 1208 wrote to memory of 3696	1208	Lgkhlnbn.exe	88
PID 1208 wrote to memory of 3696	1208	Lgkhlnbn.exe	88
PID 3696 wrote to memory of 3704	3696	Lcbiao32.exe	89
PID 3696 wrote to memory of 3704	3696	Lcbiao32.exe	89
PID 3696 wrote to memory of 3704	3696	Lcbiao32.exe	89
PID 3704 wrote to memory of 64	3704	Laciofpa.exe	90
PID 3704 wrote to memory of 64	3704	Laciofpa.exe	90
PID 3704 wrote to memory of 64	3704	Laciofpa.exe	90
PID 64 wrote to memory of 456	64	Lklnhlfb.exe	91
PID 64 wrote to memory of 456	64	Lklnhlfb.exe	91
PID 64 wrote to memory of 456	64	Lklnhlfb.exe	91
PID 456 wrote to memory of 384	456	Lnjjdgee.exe	92
PID 456 wrote to memory of 384	456	Lnjjdgee.exe	92
PID 456 wrote to memory of 384	456	Lnjjdgee.exe	92
PID 384 wrote to memory of 1748	384	Lcgblncm.exe	93
PID 384 wrote to memory of 1748	384	Lcgblncm.exe	93
PID 384 wrote to memory of 1748	384	Lcgblncm.exe	93
PID 1748 wrote to memory of 1684	1748	Mnlfigcc.exe	94
PID 1748 wrote to memory of 1684	1748	Mnlfigcc.exe	94
PID 1748 wrote to memory of 1684	1748	Mnlfigcc.exe	94
PID 1684 wrote to memory of 2376	1684	Mpkbebbf.exe	95
PID 1684 wrote to memory of 2376	1684	Mpkbebbf.exe	95
PID 1684 wrote to memory of 2376	1684	Mpkbebbf.exe	95
PID 2376 wrote to memory of 1804	2376	Mjcgohig.exe	96
PID 2376 wrote to memory of 1804	2376	Mjcgohig.exe	96
PID 2376 wrote to memory of 1804	2376	Mjcgohig.exe	96
PID 1804 wrote to memory of 2028	1804	Majopeii.exe	97
PID 1804 wrote to memory of 2028	1804	Majopeii.exe	97
PID 1804 wrote to memory of 2028	1804	Majopeii.exe	97
PID 2028 wrote to memory of 1592	2028	Mjeddggd.exe	98
PID 2028 wrote to memory of 1592	2028	Mjeddggd.exe	98
PID 2028 wrote to memory of 1592	2028	Mjeddggd.exe	98
PID 1592 wrote to memory of 3528	1592	Mdkhapfj.exe	99
PID 1592 wrote to memory of 3528	1592	Mdkhapfj.exe	99
PID 1592 wrote to memory of 3528	1592	Mdkhapfj.exe	99
PID 3528 wrote to memory of 1476	3528	Mjhqjg32.exe	100
PID 3528 wrote to memory of 1476	3528	Mjhqjg32.exe	100
PID 3528 wrote to memory of 1476	3528	Mjhqjg32.exe	100
PID 1476 wrote to memory of 4016	1476	Mpaifalo.exe	101

C:\Users\Admin\AppData\Local\Temp\3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3d8ab7022d7f90ee7951f816311074b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\Kmnjhioc.exe
  C:\Windows\system32\Kmnjhioc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\Kpmfddnf.exe
    C:\Windows\system32\Kpmfddnf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\Kckbqpnj.exe
      C:\Windows\system32\Kckbqpnj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
      - C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        30⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 232
        31⤵
        Program crash
        
        PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3220 -ip 3220
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
208KB

MD5
c0885bdd2c85b5815764d95c89f7e31b

SHA1
d2c1e134e281bc1b3ace3c39e7dc6a2faa895e41

SHA256
b1e8b1ae05afced69e8552c4f96525b0c1536e832dd997e77cebc125458ebf7d

SHA512
fa0a01380df661ca440ff290b8f9db2fbc885542369f16e2b3efa8be4f5547dabb3a63c8c4233bbf0bcca6278c30712dc79fffb14d75db6502628b3640119e67

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
208KB

MD5
d6d6e286bd03b5c33f90a87adabc8e9c

SHA1
3d163d776876727f84cc280c1739decd2f758ad0

SHA256
c765831004f852c607a47d0d5b2b881b731e9ad0b91e4faf140c215c2a30d974

SHA512
8f6431f2e973cbd45b17d745057612390340cd508e917c5575c2693b4bbea7fbf73944e06d28327f9fc45024bf1ca1afb94cfc3d75e85523add9c8b3e5b96f77

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
208KB

MD5
9e590c65fe5e5bac39c6576beb6eaf1d

SHA1
b2e2bf75fa5db92d06453da9f7464aa3a686a52b

SHA256
20f6918b54e399b85960f3d53beca424eb134bedf0bf5d295ea823f06285ae89

SHA512
c3976210c37d4e990f0eb1899e61be41e3638c70598451da0fa5d206e097c663f92409db97bb8fb7d6032f924ac978dc123a0f8cbd6821409576f389bc99de46

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
208KB

MD5
464fb7fddce9e2314859bfd2607e55cf

SHA1
6583d97c1a95b12a83a69e79fe9d3d0973895348

SHA256
bc337584bb8ab0eb33eb12d69a9b1db287d7eea25c9259a6f4c5ac0007c6dfea

SHA512
b989939a86afadbb6d92b7865817b1723d9ec9acf948e7429bafebc7a57947e41109eaf81e11ec482c7c802aae1290d89af683101786462178d27cf642849236

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
208KB

MD5
a728bdf266a0cfa5440154bf437fa00e

SHA1
cd3968819907059e12bdeb6ea9f97a7df164a5a3

SHA256
11c820bf20624929ff3bd9ce387bda3f0063481e0534bd3654ede102bceeb34f

SHA512
11b7d036c47bdc6e854c62c6ff69bad2c32e1359049a71ec3662bd5a4ed6644cc74552da6995a0cd43918d6603f75ce7ea97d87e81c08e0389310e0464943c0a

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
208KB

MD5
abb89990a5294256e5c68e46f259fb84

SHA1
722b1ca78261ecc11bbd407acc17a8635e94aadf

SHA256
f0f7a53d31d1b4a87e755e0f80d8a196386c6e0b97e4fc82b136537b74f23c69

SHA512
fda578363eeaa1e31c9ceda4622f699a08128c4db7a0ee98c6cf9c1daa01cf4939922078948ed250f6f7d9472f09f38c2d9510b3ad17cf40cbf7fdfa4a6c5424

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
208KB

MD5
b4fe68f0ff087e090fd98ed03b90aeb3

SHA1
42c0743538b241a182eee63fbdc06f68a9a8af7e

SHA256
a72ffa8094f19ab7b93ac11e29728f8a78b9e4114330714c0f92d2cd4da4a955

SHA512
caf795e51bd66554821fdb883fe43159863edae27c5c1a51ae063e697cd09c29141a3d3afba3ba7b08041a9808ad426d8af49863eb3326c566595108a3062eaf

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
208KB

MD5
7cb794f4ad950b8992976919d3918437

SHA1
b90649e348e6ca0697c589edfee34d9af4541180

SHA256
7bb953729a8aa82200f79100eab854c7c08322f1a2ce438295fc0e531c6b17e1

SHA512
71353972401f8f8d3611db438f480da7e39a8e8038990d10f2f04ad8c8268e2912bc86a025f1bdabdbc4a075f2011fdba7e073405eb5d1b10077d2fb2c0ca6ca

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
208KB

MD5
28b8fd070864663e83ed2ba9e9084d69

SHA1
cd0829deec07a44cf2b9c29639b121599422b464

SHA256
87a7703f5a3cf10371dfca4288f60d3621877781faf27ef18466e1628ec576af

SHA512
8de2f6bccb315995285a7e5abb5acd4dbf4c3e1f49e356e703aac90307f235bb0613f589ca33f38c6fdfa520952e467de104cf637482e46e58e2e5664b005964

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
208KB

MD5
9790e4dd7128fa8d741a0294ee7a81b9

SHA1
a32cc26691e7363a7b034a3abe22d0b05d8ee09f

SHA256
ae46db46b0d91a72ab0c15c437b8f9f8e8cf6400bf235b640fdcdf03018387c6

SHA512
50596559e129d1a58baf0bbc46b2412d95561188a0696bc887ea406c34dedaeb798efb70443b2a8f8374d3411ed6493eea6e58d217f09c6eaa23b4097d8b4afe

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
208KB

MD5
8097ad6cee72cde500374184b1f362d9

SHA1
c047e9b2faa3dbf7032182b8fc12f29a43226e56

SHA256
71e7daa3f0f2bf81cad9f8ec04e2e10ef3c074d48149708e6b0502e448d4fc6b

SHA512
deaea26df6caf2a3284b5722feaeee721963067bf353bd9f7277b6fa5184488ab4c0f59f00e827aa0014916c9a619ae7ad9541ab0fbc3338e9f39051e7c67696

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
208KB

MD5
338b50999c5822df3dcb66cd5363fd7f

SHA1
ef6f57bb48b61f4cbeae9439afd3f0ee5133544b

SHA256
0ba6286931338b683deea8ad4cc8d85dd89c19be8beeb2357ac6b385a3fd4a28

SHA512
0bc315711d6ebed64049b79563d83d2319c45f845cf5bfcd2f91a189f63f117ef6f891f67b984d377e104b718d063bd4cfb076ce11e36d99425350ec247a2f9f

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
208KB

MD5
3c3ea58c8bec8f566af641f39aa0400c

SHA1
b2d514a95150fe5d19a9984b21372a8e7264f0cf

SHA256
1321a9b41925725f51830d6e913ad734fac692ab6c280efe68a0b7a707156269

SHA512
24a563495d72bb2e16f342c68f089849877976f50e013509007ba0f59f924df76bca82c94ac0db32dbabbbad16d2aab00c79c55d5465fbbf72519d3677a87356

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
208KB

MD5
1fd3c71fc77096311b7c6eb5d50a2ebf

SHA1
57de8ae59638423e29ed20e77f7186767b58a81b

SHA256
72ddcdf4266dd56bd94d0db4d4bf8e94c4e762f908dcaaa9651c342ecb7aa370

SHA512
bd4ff0c96280d3af0bc816a98d1355c7053ba613049d5d9608831b02bf75ac9c7b9c9fc10f7363f1d0000ecb54b64c5aa8963693159216677bb72f63da6794cc

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
208KB

MD5
f198858b735218dfd35d6b8cca1ffaf9

SHA1
eb9bf44c98566f35fbef66d5efce626211c8a3a8

SHA256
f4a9cd1debb71093b80b3c27e85eb1b26632b8ec7149368f6623962e4ad0ff78

SHA512
be0334267898f42c7057ddcb3e2a8afec9ae04416d8b20122ccf679627b3e57e2a73b8ef53f166d283a077f493984a037860df1b8a7334cd0fac450772c3346e

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
208KB

MD5
e7483deaa9c77b0a1b3e66f6e40ff977

SHA1
365ab23b4573d15284409567bfe5e2bd151d4f19

SHA256
3e3d26a87674260a7a5d4ed84ec7afd5c85e4322983f4b81f6b4391c141679c9

SHA512
799b0c61c94712fea5df66e041949f6358e5405adbbb7a82926977b629ee63a7acee84e018268d78198c373e0e59c225a92da1336255ffc668de9ae0b19a6a31

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
208KB

MD5
0c98d4eb5bdc2d56b8a12e593e31c0a8

SHA1
45bd02f89ad7b0a221ba5035cdbe24e7cb8a3261

SHA256
38e8665812a8a9835185b3e5e3ac241261252f7e3562584630d9f8d820e12e41

SHA512
c289858a2becf71cf3bde3b20ceb702e654e1dc0c4ec9490a647413fb7e737f21923bd30dbd0161d39383651f7761ef24f0b85009f18819b12ae39b5d5b8c9c4

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
208KB

MD5
a94788ec9438f90819163192d7136aea

SHA1
1c28e3f895f4223c3a30c905fef1d42add006557

SHA256
acc2c8e9df6d626119e72b03f01ad06ea756b15d646e8f1e19b933886233ae78

SHA512
4f401407a0c2bdbca6c5e8a31e8ed8a709c7ccadeba1cd9ef4972528569a8f6429a455469132d98263ecea2fe7f92b8c1a63dbcccdf77532ca6341d90d59f4ff

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
208KB

MD5
970b9a22b861f9625cd89baf83b8220f

SHA1
55f29bfeabc1e35e1eb7c8e34568b4b33c9daadd

SHA256
c5e1de5f45ae7916ff538c7476f68210bace119445630ea525b28fadf99b086d

SHA512
7c676185c3382987a1c42a7360a710a87ad47ae8370a7e2f506cfad9fd651caca4554c555426b522e821be85d9dd0a8a28336e2531e5374b95140d7a370e50d2

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
208KB

MD5
d6667df0093a3ca3b466a52b8ceb2de0

SHA1
567f83d0bd05c64a56aede71602d5cda1433bf6a

SHA256
7f054752cb3858e5e3e40607519ed21e41d1954c468921bcb9165feefe0f5408

SHA512
692eb942b0c6f0ace9813729c1bed6b8e08d7668877e6b035b0624b2d9aa60aab54281ca43a73efa4a0c34636ddf63e47b98bc4a3a66ef6b8f9650f4ba978ac1

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
208KB

MD5
4374f5a94cd7f5968755856e088a8501

SHA1
4b8099d85a8903df165790738197e93af477f3f2

SHA256
8fcf7f372018cfb900f6400af1fc8b40bba49a83c0a0a5d1391f0b4f825bf2b8

SHA512
6367afe874b2bd63d2ce395de1da66f6cf95ff12d2eab474b6ea20b8b52bb3d36e8a4e3db1a56bc205adddee7c2ac233355b4575d89892c9ab9c7bfbbf65c5ba

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
208KB

MD5
a7a8f765c4cca63ed9843b5a2d3b4436

SHA1
383f4fb0dfd653c9380815214b92f2cdc509fd3c

SHA256
cb1aeb97735c4e7d6672ae367e87a325e4cec5a673f7106eb67b307b48b185d9

SHA512
fad7612f69ed9b8e1c553740d60e3559b606b4bfcad2f85231c6fcc19da6489658010827b823c296b0f260aa4b62455608976ff9654aaf387842c49f92580fb3

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
208KB

MD5
d6869768d78b88ff4392b554f8b47f84

SHA1
349f0f10ce1694588bf98142b4cec51128d7927b

SHA256
014a6f29d50fc5921c3bfb8affb6791ee522f74603c1d220d96ade21b53080ab

SHA512
36bbbd4b2616c0c2caf56495f65211b7942e5793a24a7623883bee39d54cdb525988ac821e2b7b382f582e7586d5ea1f7912977d0a5540faf568058e9ca5a761

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
208KB

MD5
037e95e5b26251c068fb0fb5cd617a3a

SHA1
b5653e66ffe6e6d0940468cf960f3476caab9557

SHA256
03f7fccb0e81019eb58f797f9df40b38232b0aeb9066bb309796de4b43d384ad

SHA512
77ceb0460e8493066f124edc1820da6c33ff6d270bebc40bc23d2fd05a33a8b5a7ab6a79d08b75616b34feb8cc43135befefd98c162d16ee3015bdb6d9daefb7

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
208KB

MD5
083d30c7b617e243a93ddf0e6102151a

SHA1
c22c3b01ad0c28e1763a5140a25bd26737ea8775

SHA256
653caa886a4eaeb67093954e7e99aaf627a5caa99ac4f4549162f2241bbd1abd

SHA512
bf59882dfcfe20cd11f2e9876d3150b3dfc18ca576eeb3b350520207f438a70eb63a939f6cb6d01dbed4afccdc0e09e88c027b4c2a4d7516e86c745fb37aa4d3

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
208KB

MD5
a0ad6fcbe0f766e609e9fdc91740eef2

SHA1
7ff0a5f4826f3f6118fd7597e471ddea1dd15716

SHA256
087cbb67f4fb6646bc599f067a5429387d5c3aecaed24e85a5cb982b38c937f6

SHA512
a2acf971d0f29ec41ad2b84d9fdef97f084bffca0f8c399985f391c69543e25a5aee814d95a4dc7834966f46278c28a23ef9336162607525f242e4392d73e69b

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
208KB

MD5
334b966a49b3e1db8be65b716defa09e

SHA1
5a460e183740252400ebf8c0276924ce7f3648d5

SHA256
48c85be46bbb673663eb57c2af68941039fda9036e7a25389240426c42787ef7

SHA512
bff6993c5f4c0c542528e83fd51861c7e419653647ef5e35aa535b0d214f624a6c5ad2c6d1aefaeab19500ea1c171c05b25fdae5f5c8653e2c1aaeff64bffeda

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
208KB

MD5
01bb4006032d49657f5b08e1fbc5bce8

SHA1
5b1dd20145cd6aa35750a6c681b5827382259ca5

SHA256
a22e846627420296de4cfab069aea9a0d60380b6e1423026fe453eadfa2118d1

SHA512
46d8613b8734d9dcc50d2f319230b4d46545b647d084a4b801aafe24421d723457922ca0526c09fbc7216fa83164a72dd9d5f91792bf9ed48e1a7d407be2aac6

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
208KB

MD5
4ed2117a5c301cc4cfb3ead1ee1906e2

SHA1
5632924bdb3d303b8a27a2ca6a788f91fe3744af

SHA256
0435ec6205c6aa774ca3986d1e7a6010d9254c808f63d2664a36af46714ee985

SHA512
33463b48bd33ea2a53c18bf0e8a9730961e8e623b72e66c4830cb5d817a42531d68e6848e70c66221d832b16c51aa2db38768cb53533fc8eb9b4b461fd270fab

Download Submit
memory/64-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/64-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/384-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/384-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/564-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/564-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/888-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/888-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1208-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1208-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1476-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1476-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2028-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2028-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2376-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2376-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3528-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3528-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3560-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3560-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3696-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3696-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4016-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4120-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4120-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4232-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4232-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4412-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4620-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4620-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5096-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5096-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads