718b0a40b3607e16c16d5bd9049eb9d7ba806c87fb8e11395cdbe254cb591b05

Analysis

max time kernel
134s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
Size

844KB
MD5

c6262eaee974a39f99462714de88cbb0
SHA1

5776bb4730ad74c534fa8ac582f1f0ccad52a804
SHA256

718b0a40b3607e16c16d5bd9049eb9d7ba806c87fb8e11395cdbe254cb591b05
SHA512

6a51e7722aaa9fe7518c3b20572545c2fe2923782ffbf750e351d253abdc2eb5f5c82e88f6b336cf658665f5963a93d7e5f484829ba849c2413fcccc6c77323f
SSDEEP

24576:8w0fH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:h+H5W3TbQihw+cdX2x46uhqllMi

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe

Malware Dropper & Backdoor - Berbew 29 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000800000002342a-6.dat	family_berbew
behavioral2/files/0x0007000000023432-14.dat	family_berbew
behavioral2/files/0x0007000000023434-21.dat	family_berbew
behavioral2/files/0x0007000000023436-30.dat	family_berbew
behavioral2/files/0x0007000000023438-38.dat	family_berbew
behavioral2/files/0x000700000002343b-46.dat	family_berbew
behavioral2/files/0x000700000002343d-54.dat	family_berbew
behavioral2/files/0x000700000002343f-63.dat	family_berbew
behavioral2/files/0x0007000000023441-71.dat	family_berbew
behavioral2/files/0x0007000000023443-79.dat	family_berbew
behavioral2/files/0x0007000000023445-86.dat	family_berbew
behavioral2/files/0x000800000002342e-94.dat	family_berbew
behavioral2/files/0x0007000000023448-102.dat	family_berbew
behavioral2/files/0x000700000002344a-111.dat	family_berbew
behavioral2/files/0x000700000002344c-119.dat	family_berbew
behavioral2/files/0x000700000002344e-125.dat	family_berbew
behavioral2/files/0x0007000000023450-134.dat	family_berbew
behavioral2/files/0x0007000000023452-142.dat	family_berbew
behavioral2/files/0x0007000000023454-150.dat	family_berbew
behavioral2/files/0x0007000000023456-158.dat	family_berbew
behavioral2/files/0x0007000000023458-166.dat	family_berbew
behavioral2/files/0x000700000002345a-174.dat	family_berbew
behavioral2/files/0x000700000002345c-183.dat	family_berbew
behavioral2/files/0x000700000002345e-191.dat	family_berbew
behavioral2/files/0x0007000000023460-198.dat	family_berbew
behavioral2/files/0x0007000000023462-206.dat	family_berbew
behavioral2/files/0x0007000000023464-213.dat	family_berbew
behavioral2/files/0x0007000000023466-223.dat	family_berbew
behavioral2/files/0x0007000000023468-231.dat	family_berbew

Executes dropped EXE 29 IoCs

pid	Process
2744	Pgllfp32.exe
3668	Pdpmpdbd.exe
4100	Pjmehkqk.exe
948	Qdbiedpa.exe
2372	Qmmnjfnl.exe
2856	Aqkgpedc.exe
3112	Ageolo32.exe
3944	Aeiofcji.exe
4444	Aeklkchg.exe
4464	Afmhck32.exe
4556	Aglemn32.exe
3152	Bagflcje.exe
4900	Bfdodjhm.exe
4716	Bgcknmop.exe
1536	Bjagjhnc.exe
2524	Bmpcfdmg.exe
2260	Beglgani.exe
3136	Bgehcmmm.exe
324	Cdcoim32.exe
2216	Ceckcp32.exe
5116	Cmnpgb32.exe
664	Cjbpaf32.exe
1096	Ddjejl32.exe
3052	Dmcibama.exe
4940	Deokon32.exe
4532	Dfpgffpm.exe
4720	Deagdn32.exe
3924	Dgbdlf32.exe
2788	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4876	2788	WerFault.exe	114

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2744	1884	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe	85
PID 1884 wrote to memory of 2744	1884	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe	85
PID 1884 wrote to memory of 2744	1884	c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe	85
PID 2744 wrote to memory of 3668	2744	Pgllfp32.exe	86
PID 2744 wrote to memory of 3668	2744	Pgllfp32.exe	86
PID 2744 wrote to memory of 3668	2744	Pgllfp32.exe	86
PID 3668 wrote to memory of 4100	3668	Pdpmpdbd.exe	87
PID 3668 wrote to memory of 4100	3668	Pdpmpdbd.exe	87
PID 3668 wrote to memory of 4100	3668	Pdpmpdbd.exe	87
PID 4100 wrote to memory of 948	4100	Pjmehkqk.exe	88
PID 4100 wrote to memory of 948	4100	Pjmehkqk.exe	88
PID 4100 wrote to memory of 948	4100	Pjmehkqk.exe	88
PID 948 wrote to memory of 2372	948	Qdbiedpa.exe	89
PID 948 wrote to memory of 2372	948	Qdbiedpa.exe	89
PID 948 wrote to memory of 2372	948	Qdbiedpa.exe	89
PID 2372 wrote to memory of 2856	2372	Qmmnjfnl.exe	90
PID 2372 wrote to memory of 2856	2372	Qmmnjfnl.exe	90
PID 2372 wrote to memory of 2856	2372	Qmmnjfnl.exe	90
PID 2856 wrote to memory of 3112	2856	Aqkgpedc.exe	91
PID 2856 wrote to memory of 3112	2856	Aqkgpedc.exe	91
PID 2856 wrote to memory of 3112	2856	Aqkgpedc.exe	91
PID 3112 wrote to memory of 3944	3112	Ageolo32.exe	92
PID 3112 wrote to memory of 3944	3112	Ageolo32.exe	92
PID 3112 wrote to memory of 3944	3112	Ageolo32.exe	92
PID 3944 wrote to memory of 4444	3944	Aeiofcji.exe	93
PID 3944 wrote to memory of 4444	3944	Aeiofcji.exe	93
PID 3944 wrote to memory of 4444	3944	Aeiofcji.exe	93
PID 4444 wrote to memory of 4464	4444	Aeklkchg.exe	94
PID 4444 wrote to memory of 4464	4444	Aeklkchg.exe	94
PID 4444 wrote to memory of 4464	4444	Aeklkchg.exe	94
PID 4464 wrote to memory of 4556	4464	Afmhck32.exe	95
PID 4464 wrote to memory of 4556	4464	Afmhck32.exe	95
PID 4464 wrote to memory of 4556	4464	Afmhck32.exe	95
PID 4556 wrote to memory of 3152	4556	Aglemn32.exe	96
PID 4556 wrote to memory of 3152	4556	Aglemn32.exe	96
PID 4556 wrote to memory of 3152	4556	Aglemn32.exe	96
PID 3152 wrote to memory of 4900	3152	Bagflcje.exe	97
PID 3152 wrote to memory of 4900	3152	Bagflcje.exe	97
PID 3152 wrote to memory of 4900	3152	Bagflcje.exe	97
PID 4900 wrote to memory of 4716	4900	Bfdodjhm.exe	98
PID 4900 wrote to memory of 4716	4900	Bfdodjhm.exe	98
PID 4900 wrote to memory of 4716	4900	Bfdodjhm.exe	98
PID 4716 wrote to memory of 1536	4716	Bgcknmop.exe	99
PID 4716 wrote to memory of 1536	4716	Bgcknmop.exe	99
PID 4716 wrote to memory of 1536	4716	Bgcknmop.exe	99
PID 1536 wrote to memory of 2524	1536	Bjagjhnc.exe	100
PID 1536 wrote to memory of 2524	1536	Bjagjhnc.exe	100
PID 1536 wrote to memory of 2524	1536	Bjagjhnc.exe	100
PID 2524 wrote to memory of 2260	2524	Bmpcfdmg.exe	101
PID 2524 wrote to memory of 2260	2524	Bmpcfdmg.exe	101
PID 2524 wrote to memory of 2260	2524	Bmpcfdmg.exe	101
PID 2260 wrote to memory of 3136	2260	Beglgani.exe	102
PID 2260 wrote to memory of 3136	2260	Beglgani.exe	102
PID 2260 wrote to memory of 3136	2260	Beglgani.exe	102
PID 3136 wrote to memory of 324	3136	Bgehcmmm.exe	103
PID 3136 wrote to memory of 324	3136	Bgehcmmm.exe	103
PID 3136 wrote to memory of 324	3136	Bgehcmmm.exe	103
PID 324 wrote to memory of 2216	324	Cdcoim32.exe	104
PID 324 wrote to memory of 2216	324	Cdcoim32.exe	104
PID 324 wrote to memory of 2216	324	Cdcoim32.exe	104
PID 2216 wrote to memory of 5116	2216	Ceckcp32.exe	105
PID 2216 wrote to memory of 5116	2216	Ceckcp32.exe	105
PID 2216 wrote to memory of 5116	2216	Ceckcp32.exe	105
PID 5116 wrote to memory of 664	5116	Cmnpgb32.exe	106

C:\Users\Admin\AppData\Local\Temp\c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c6262eaee974a39f99462714de88cbb0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\Pgllfp32.exe
  C:\Windows\system32\Pgllfp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\Pdpmpdbd.exe
    C:\Windows\system32\Pdpmpdbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\SysWOW64\Pjmehkqk.exe
      C:\Windows\system32\Pjmehkqk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
      - C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        30⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 412
        31⤵
        Program crash
        
        PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2788 -ip 2788
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
844KB

MD5
0a7d39850276fe81d7c50998f39e8380

SHA1
9a3413777e3a2979f03e7b14d7cd25f6b590a137

SHA256
5b33b1822442ca239cb31dff4cc747d312dc568b9143d1430dc2f51e2addd027

SHA512
3a347c6e381dadc6d350c49a65aad92991da4e817c82d0d59808a712ad80708cb52cf15886147345ad4af0aae201fbabeadfb52ca241952fae287bbf4bdfbb10

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
844KB

MD5
043c40a367b53a484393e91aee53d80c

SHA1
2f6f8bb35eccab65db4b0b333db1bc515e8fb6cf

SHA256
d22d71d3a2b9ddf1cfdfaf56b63118652769e6056dec11cced502ac2cf5c497d

SHA512
31ed11b87c49b36c8717853671dc1e2b4c23c13b786b93c00358f8b56c1853f8aab4f94fedc37627d834a7bdb2a17d8dd7d6f289ecac99a9d4d86da5ccc22861

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
844KB

MD5
9e4b3fa9882189e98956af6b2f375307

SHA1
5dbaa7cad2acd64b79ec956bab6d58d0dd16ff3a

SHA256
c0f26db141d43249797fa45d308d38287197f9efe922bbefa390d930de0e0993

SHA512
dea8c4b69502d959f5811e207637f6b86cae7b960dbb28700f8475d583101d1638e6d9f1f20abc73f66b77530799af8dc50f5ffd1ccd8d90e694f36d64f4e747

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
844KB

MD5
517e5c1426b184c9f0068bf1a41a1ae4

SHA1
463f45efa61d129d8b45ac8d77e73b4f8c24c553

SHA256
0e4b19788c28d7be97da90936f822c431206a7a5cf2c66a4d1e9c1bda51846ce

SHA512
cb4fe034a4af6d7e6b3b9ef6a9ba6612e5cb6d49baa3e3e707303a6b107a8c58fa3bfe74e02a49e222bfdd2eafbfdad3b5b66052ca72c3d715b0a3370e40a620

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
844KB

MD5
23e6f48d3f2eae1bc7f12982b9382e29

SHA1
5bcda02555367f1481d14a96b0cf09a68e11571c

SHA256
cf2319b39eb9678f3c1f3b23782d66e92fc7bee43a5bd08868889ee515e4676c

SHA512
7ecd6080e7c78dd2dc79391e6dd9098d59a39410d7a5f734ead71f99212a7d3c9202698f7146be7b33ef5b1f07fdea07a2a5e0613c5a1d02a2248bf0d8343e42

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
844KB

MD5
f31d90e15edbca213bf807e3f71941e8

SHA1
5e4fff79ce10ee4dd0659b5ecadc1d706b31bc43

SHA256
c75fb9926f7e7824cf8588bc4584285f0bda12c4a0c868c507dc25332aa8fcf3

SHA512
94b72a0e7cc8e022c816a19addf8972c5f665aba14403e8f7e0b5542a4e82f5166ea30edc4c7e54f3d2612e39ff1ca3a2a2e8902c5e5123866f5a31e1ab1abd3

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
844KB

MD5
2277de328877cc1b703fa68d8e55a5d4

SHA1
fc8e12eb6bbca8d0b577a095ddf3e269bbbf8a93

SHA256
c0b62ab75596ed27a4ad6b4a4ccb4e93634ccda14a05e6c550234df532fa19f5

SHA512
d81a886443b94d3861eb2bd6db29accc658bdc54454eff40131546b7905ab75204652f842dbfb15d76144b040c9d3363f617d632c16c086785bc21ad390b0819

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
844KB

MD5
2eb4cabdf17b3a0c2b611c2b886c4ef9

SHA1
2d5a3c1ec1013456cb55340c718b78b39473b673

SHA256
60037733645b63b14503a39bb417941c7104ff906193cec418350ebe10641df9

SHA512
18e95bb32c0fac2d29c255597a2605b25058424ce81c9babfdaa07740d890999bba053c9c1f4064a0518b5e1c7375c0061c4e54cae452947b1d52b31bd8c9469

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
844KB

MD5
75d207eb381d6f061cd035522cab0256

SHA1
5850b76c87a7653218440bf543702f706ecaddd4

SHA256
e6289c6050c3e52fa03c2e42a08da2eb5d5e860b0635d8158f116bbdf2d8ca09

SHA512
401d32678b8a1f2c943e8d9423e2ac1388ef7798d32c2d8339ae3e345750eaaee5f702430929600074eb1cc5c63c32b04a3fb253a2366c19d607d82bff43f2c4

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
844KB

MD5
b6a6cb2b3c49fbc42d4b4cd216be6758

SHA1
0d876edfe3ac82a210d0c281e7939e73509a9820

SHA256
4059d53a2b013bd38973a19f39f28d88c86126ca9dbb20602e83f1a8df0077c2

SHA512
5b04a81e1f40fc597bf621ddf72cb1c2b48bdf5655be6086504e78a3a12b4eb51e448812ff0276398088ff72acdacd25d256dbf57fea64bad7adbf0bca91f039

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
844KB

MD5
713ea4ac2d80eebe2abd497fe4207117

SHA1
bdc612b8643e11584244ac6260484aab190fb1d8

SHA256
acfeb2c4d6c0cb927cac0251b4b8ace6cb9177556472a784b13f4dae0c495c12

SHA512
92198361a6f1cee400e4b73348322475ec84041ebbd0469fbf2e9c4f5e23b400e045096a3d7f2d80a26c98e2a156a9aae226afadd50ea3d42c367e3e673389d4

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
844KB

MD5
b3163736c11f2400845a68030427f835

SHA1
8ddfb2bcebe20bc14c3099c6c0a71d8c42ef4c77

SHA256
f658252d32232e99652d29eb11ad2f078fb3beb930493b50c3d55454d756342f

SHA512
bdb7ae30dde8a01c3db852c8ba86931a7f2951bfc79013ee27ef3b5c498a34266b220a1cbae07dadf43b56a8ee67026294607110220625a4751f61404dd12ac3

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
844KB

MD5
6b3a0c392c9a69accfb858cbff6b7200

SHA1
dca7adbba91b091ef4ae15502cd64798bef584bf

SHA256
a4c624ee50e3dc0ecd4d2b9c472f5f8151fb67c526491daf793f7ce5ef650a84

SHA512
be3b95145e335879b2f311db251b27471b31d89b3be17b5330133727775409e813168ef0e590e652d3fe5d9bdf0f6eda5819443e6666c5d83afa0432dbdd5c0e

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
844KB

MD5
3c5684260b33a1c130c961d0b422a47a

SHA1
2e402937af6d6581d8dfc497db3d1d8e020e4bac

SHA256
c1e5407d088884743fb65f8c84aaeb4f016d57ef2cf6cbd2cb2f69ac8d4de90b

SHA512
fff178bc1d279900613732195cceff0ae05d8a927ed99d6cb2c8557521e949e4e1f94fe7daa18da601b2e4593eddabb8016acc3eb755ff4e985d19e536640cd8

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
844KB

MD5
41882432b73ec1ed1801c4b030c0cfdd

SHA1
e3e7f0fc2b2bb4682f22513e85ed2bcb5853e92b

SHA256
8f816083b787f9ab73b1e21399441e158410fc8c8d6c03cf5c2635db597206b0

SHA512
1354a5160eec75ed1a617c3fb513c23ee3e7dbd406d6605917e5a2b1dd9db671d1639a4a4fdbb3a8cc13037a970f30d60a35aff20ed3d3df8aa96bd5bf39a9c8

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
844KB

MD5
ab9ae0ad16fc12f784c36cb01773b57c

SHA1
d7fe59a112d7f90966706a77c769e713c0ec00d5

SHA256
569f955b124867e24c97bf0dc2dc249b2ab930a11e4ae478a942696f74a1324f

SHA512
e5d6dd1ace63cd00d553342c7bbf218fd92c1207a814441e8fdcf3192ea09120924c2ccf7a85205cbaff9031cd250d8b3cff6bfc089ea4ce5789e53c7e2ab1b1

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
844KB

MD5
adfc522bf11a69a27a381fb888c6beea

SHA1
a0c779c246f7226b0fe20bdebcc0ccc2373aa4cf

SHA256
3ee70cebf9497ca4d96b267b574c95dd6926ba013e63c31a461682968a512109

SHA512
da2a9698056da10352d89b61dda784b4fe9388f16fbd5e1ca992ae60cda9d0f57acf336ffc2dd0d948f8932398810ad4298d1d8528585e63db18eb5eae013793

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
844KB

MD5
fe2e434fa338038b3c94f11434c088fd

SHA1
2a6a23b052b67261d832d7990d163d38c4fdfe1c

SHA256
65c0d1116800f0f48e78dc4442abeaf4b8db63cba0c50edb2e6b84e65a2ae7e9

SHA512
c155acd65011e4e2a1716f3d4c142036fcb595a0d6f6d885e8f34d932f553c57eb47d7260927b56300476d750c3c9d9da463d7ba11ab61c42f2bea90167a11e6

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
844KB

MD5
6b25193b7d3be44703e900c679408c31

SHA1
4345616d94c028f8ecb2e40d2875a8ce0484abd1

SHA256
3ac46f8689770f9968836545799fb866ae7988d17e8aac49d49d9eed8e75ba75

SHA512
d15f8edcdfb2c7c4d2597b493473d4fbde35ccb2d0794f82f6cf0bcf71cca7ccd36b2fbd822a7b30c6fd9e7b4bbd5b8e13afb4490c190e7a60047fa2461438b4

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
844KB

MD5
21ebbb649645c118a06d00df606c9aee

SHA1
01edefe3fbf1f1810093ed28f7733600027a3b0d

SHA256
471361c96dae1e32c9e78ffa9021bc17f30f2c2fe7d821059a88f29c08176be9

SHA512
7b74ca9c8f32fcf30c549912f5f0a029634a135ac17e06ad9d5248d79a20fc62db0a54f647cd52380401bbcf67da0659d308a48135016d89b8c70ff1839d86c6

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
844KB

MD5
02d93fb9c3b5264441eb5097b0712a75

SHA1
b71a610bce78051716ba5a66d8339855ee3b1a42

SHA256
55bc0421d09b727e9af7d5bea407d48b96442b3d1245758b2d123bb331d6414f

SHA512
e969e18875b0790a00157df4e4304d43a53f64d219e597174697847380a22a3565244f73d4a625f855ca7cfd19000d910557de032feefd69a19d9da0c723208e

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
844KB

MD5
586f38e1288396302d9a2de4becff86d

SHA1
541d3516b5ac0fe52d966b81e7481d41e9f122d3

SHA256
8951e9a75649c6d8d920d6ae55dcc334f38899736ac9e7744e872724ed834955

SHA512
7d81b69227748abe7bfb1105a4e9caf9d7c5d9ed6255b201ce37d9ff3bd56d113f6101abfcabc586223f1e1d526c325c521eee04517285d4f4e33084251f22d3

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
844KB

MD5
0b685cc16c66268513b6a041949772d9

SHA1
dd9ecc2713338eabc05896290600113efe624e4b

SHA256
0bb2fd95bd690a72dbab0305838fe74e12de13615f412c3307758c753ea63ce8

SHA512
6344f9f9536f307eec004f86c4ecdecdd26a8a69c7f041ca8caa928f69cd674913cd0c1d2468b6acb78f999ac7cf204cd5707ce241efa1be1bebed80b185c3f7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
844KB

MD5
0dce094a0426d645c5f8b0246c3e99da

SHA1
e9645cfb2889f99e6b6bd58c62423cabfe8f6871

SHA256
3933b0515ee4773ea0bbab515e353b5032ae45a8e0a9b2e1bb106a6a1c97f374

SHA512
00b6b32b6d7448a85c2a0e9546759b3a1aed9e5120f679a53221217a519dcc0104e815b1bb1334332ad43dc42b77520e5ae71005526dbf71be77e86f9c0a7883

Download Submit
C:\Windows\SysWOW64\Kgngca32.dll

Filesize
7KB

MD5
08da06e47e86757cdb6c67e856a68fe6

SHA1
cadaa729219388b2610a24c713d00984e948261d

SHA256
0684186ebd1ce145ea6ebf8d459ed462023261b426b7edd8b45f2172c6a34e78

SHA512
865725856b964c972a4ed4d450a63b67e953f1dffd50fdda8901909703c2de092cebd3a6a122d00eab0ee6fae4f3eff72b3c20a1b71ed59fb550b94a58e6a9da

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
844KB

MD5
c395f0c3a3b3f721d65b1700792c7695

SHA1
18415e44473b9ec57149f9c294c53343ba792fba

SHA256
017019aa9db33c7a31d67a61730615cd5d3e7dcfd4b0844d2c373127a0ea8a50

SHA512
2f8846325da8aef289898e4d1ad6b0d409226df61c76d37b2dd64d0bd6c862d98f3041274a11ecc4921db2db3815083c3680f537df3d1b0c22665a974529bd5b

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
844KB

MD5
c82691c120d95dc6ff6469fdea31ddc7

SHA1
35f4e5c994b3a6f9ace3bc2b934bea0a815a77f6

SHA256
5f2d21c17f731eea472429520f0d11617f9784348cf785dea03d626f0ba167f8

SHA512
b956cfd219de2842e2d30c356d513d31e5820d07a447384d9f84d57b7594bff8c47c773df14fd80de2273816e816f8cfdb5433a1f876dbff3b2abbcedd2a9692

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
844KB

MD5
363be36c6254207777549b053c35fc39

SHA1
4ea821670f80ad459b599d55dbfb8be8605b9141

SHA256
c97db5b5e1073ebb2c5c975270b0f91400c943ed76973c85d8fc88ae4bf03b72

SHA512
c635a7c13a01c636f04bdf6e70091b5869a6a69bf33bd82f34ee2745bd289623dcb7545266db1859ba647ae8469fbb043538c71db26356788e37fcdf9ed57056

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
844KB

MD5
6f6a2343ea6d56d8ebf16d114dc822d9

SHA1
f1610833cf282c92285a5f84b00d00f6f11c934b

SHA256
325a327a2545991a4eb04ea2b98289e2a9db9e8ae819c8d9e47ee8d8dcbe97bd

SHA512
9332a95cd5eb266c35ec3dfa25321097e50a817bfb8da7cc019b99ad3f8d221b4cb39bdefebbd536e89ea0bc344872175ff40fadbad9dbd268d35ac8b41a8559

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
844KB

MD5
06b7333d663f11593c9f06d9854e8d5e

SHA1
cc4c2a3d54841ab7dad8c21f18b3ec293f764ca5

SHA256
aac1cf0aeddaf85f34ed52999021c7099142323a74e114c84a8a7c0b851696d9

SHA512
4cd038bcf06a77bd666e437164b6211acef7291ec0804813b6afe19fd97c1620a1d781e7f8c2e5349b4cb7a9cae537e7c638faaa8888bc07a5abd4e99f65b532

Download Submit
memory/324-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/324-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/948-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/948-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1536-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2524-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2788-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3112-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3112-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3136-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3136-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3152-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4532-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4532-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4556-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4556-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4900-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads