648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
Size

483KB
MD5

cd981d5ad54900da25e5c1e311d93c30
SHA1

5ada0dd9265736470f29457d188dee1b85b28917
SHA256

648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a
SHA512

7a017ff1fdf37507f70d8982100b642738b6c551162a58cea604a9a03c74476cbace1e137beaae1b753165500b2aa740188d4fdc6ff7abe83c8ebfeb5f3d818a
SSDEEP

6144:9JJUBxo8KtFy5v1k3RMZebBDRMZebBGzxUur/THL1k3RMZebBvG0NPhGcRPTDpLd:iXWtY5vARM0RM/3ARMSG0dhvARMoHG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfpgmdog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfpgmdog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llohjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe

Executes dropped EXE 24 IoCs

pid	Process
1460	Kocbkk32.exe
2356	Kkjcplpa.exe
2680	Kfpgmdog.exe
2724	Lanaiahq.exe
1292	Llohjo32.exe
2552	Maedhd32.exe
2460	Ndemjoae.exe
2792	Nlekia32.exe
2780	Nilhhdga.exe
2144	Ocfigjlp.exe
808	Pngphgbf.exe
1640	Pnimnfpc.exe
2752	Picnndmb.exe
1660	Piekcd32.exe
3016	Pmccjbaf.exe
2100	Qijdocfj.exe
1516	Qkkmqnck.exe
428	Akmjfn32.exe
1524	Afgkfl32.exe
1648	Ajecmj32.exe
1624	Amelne32.exe
2176	Bjdplm32.exe
2988	Baadng32.exe
1104	Cacacg32.exe

Loads dropped DLL 52 IoCs

pid	Process
2404	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
2404	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
1460	Kocbkk32.exe
1460	Kocbkk32.exe
2356	Kkjcplpa.exe
2356	Kkjcplpa.exe
2680	Kfpgmdog.exe
2680	Kfpgmdog.exe
2724	Lanaiahq.exe
2724	Lanaiahq.exe
1292	Llohjo32.exe
1292	Llohjo32.exe
2552	Maedhd32.exe
2552	Maedhd32.exe
2460	Ndemjoae.exe
2460	Ndemjoae.exe
2792	Nlekia32.exe
2792	Nlekia32.exe
2780	Nilhhdga.exe
2780	Nilhhdga.exe
2144	Ocfigjlp.exe
2144	Ocfigjlp.exe
808	Pngphgbf.exe
808	Pngphgbf.exe
1640	Pnimnfpc.exe
1640	Pnimnfpc.exe
2752	Picnndmb.exe
2752	Picnndmb.exe
1660	Piekcd32.exe
1660	Piekcd32.exe
3016	Pmccjbaf.exe
3016	Pmccjbaf.exe
2100	Qijdocfj.exe
2100	Qijdocfj.exe
1516	Qkkmqnck.exe
1516	Qkkmqnck.exe
428	Akmjfn32.exe
428	Akmjfn32.exe
1524	Afgkfl32.exe
1524	Afgkfl32.exe
1648	Ajecmj32.exe
1648	Ajecmj32.exe
1624	Amelne32.exe
1624	Amelne32.exe
2176	Bjdplm32.exe
2176	Bjdplm32.exe
2988	Baadng32.exe
2988	Baadng32.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kfpgmdog.exe	Kkjcplpa.exe
File opened for modification	C:\Windows\SysWOW64\Nilhhdga.exe	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Picnndmb.exe	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Picnndmb.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Kocbkk32.exe	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Picnndmb.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Amelne32.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Pnimnfpc.exe	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Llohjo32.exe	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Qkkmqnck.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Kkjcplpa.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Lanaiahq.exe	Kfpgmdog.exe
File opened for modification	C:\Windows\SysWOW64\Lanaiahq.exe	Kfpgmdog.exe
File created	C:\Windows\SysWOW64\Malllmgi.dll	Kfpgmdog.exe
File created	C:\Windows\SysWOW64\Macalohk.dll	Llohjo32.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Amelne32.exe
File opened for modification	C:\Windows\SysWOW64\Kkjcplpa.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Noomnjpj.dll	Maedhd32.exe
File created	C:\Windows\SysWOW64\Ocfigjlp.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Kocbkk32.exe	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Olliabba.dll	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Ocfigjlp.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Ciopcmhp.dll	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Amelne32.exe
File opened for modification	C:\Windows\SysWOW64\Ocfigjlp.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Maedhd32.exe	Llohjo32.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Ocfigjlp.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Llohjo32.exe	Lanaiahq.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Llohjo32.exe
File created	C:\Windows\SysWOW64\Ncmdic32.dll	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Jjmoilnn.dll	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Nilhhdga.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Bfenfipk.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Picnndmb.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Pbefefec.dll	Kocbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Elmnchif.dll	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Ndemjoae.exe	Maedhd32.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Pmccjbaf.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Oodajl32.dll	Piekcd32.exe
File created	C:\Windows\SysWOW64\Qkkmqnck.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Akmjfn32.exe	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Kfpgmdog.exe	Kkjcplpa.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Ndemjoae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3044	1104	WerFault.exe	51

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnaga32.dll"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjcplpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llohjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopcmhp.dll"	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maedhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbefefec.dll"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjcplpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lanaiahq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll"	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Llohjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olliabba.dll"	Lanaiahq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malllmgi.dll"	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1460	2404	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe	28
PID 2404 wrote to memory of 1460	2404	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe	28
PID 2404 wrote to memory of 1460	2404	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe	28
PID 2404 wrote to memory of 1460	2404	648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe	28
PID 1460 wrote to memory of 2356	1460	Kocbkk32.exe	29
PID 1460 wrote to memory of 2356	1460	Kocbkk32.exe	29
PID 1460 wrote to memory of 2356	1460	Kocbkk32.exe	29
PID 1460 wrote to memory of 2356	1460	Kocbkk32.exe	29
PID 2356 wrote to memory of 2680	2356	Kkjcplpa.exe	30
PID 2356 wrote to memory of 2680	2356	Kkjcplpa.exe	30
PID 2356 wrote to memory of 2680	2356	Kkjcplpa.exe	30
PID 2356 wrote to memory of 2680	2356	Kkjcplpa.exe	30
PID 2680 wrote to memory of 2724	2680	Kfpgmdog.exe	31
PID 2680 wrote to memory of 2724	2680	Kfpgmdog.exe	31
PID 2680 wrote to memory of 2724	2680	Kfpgmdog.exe	31
PID 2680 wrote to memory of 2724	2680	Kfpgmdog.exe	31
PID 2724 wrote to memory of 1292	2724	Lanaiahq.exe	32
PID 2724 wrote to memory of 1292	2724	Lanaiahq.exe	32
PID 2724 wrote to memory of 1292	2724	Lanaiahq.exe	32
PID 2724 wrote to memory of 1292	2724	Lanaiahq.exe	32
PID 1292 wrote to memory of 2552	1292	Llohjo32.exe	33
PID 1292 wrote to memory of 2552	1292	Llohjo32.exe	33
PID 1292 wrote to memory of 2552	1292	Llohjo32.exe	33
PID 1292 wrote to memory of 2552	1292	Llohjo32.exe	33
PID 2552 wrote to memory of 2460	2552	Maedhd32.exe	34
PID 2552 wrote to memory of 2460	2552	Maedhd32.exe	34
PID 2552 wrote to memory of 2460	2552	Maedhd32.exe	34
PID 2552 wrote to memory of 2460	2552	Maedhd32.exe	34
PID 2460 wrote to memory of 2792	2460	Ndemjoae.exe	35
PID 2460 wrote to memory of 2792	2460	Ndemjoae.exe	35
PID 2460 wrote to memory of 2792	2460	Ndemjoae.exe	35
PID 2460 wrote to memory of 2792	2460	Ndemjoae.exe	35
PID 2792 wrote to memory of 2780	2792	Nlekia32.exe	36
PID 2792 wrote to memory of 2780	2792	Nlekia32.exe	36
PID 2792 wrote to memory of 2780	2792	Nlekia32.exe	36
PID 2792 wrote to memory of 2780	2792	Nlekia32.exe	36
PID 2780 wrote to memory of 2144	2780	Nilhhdga.exe	37
PID 2780 wrote to memory of 2144	2780	Nilhhdga.exe	37
PID 2780 wrote to memory of 2144	2780	Nilhhdga.exe	37
PID 2780 wrote to memory of 2144	2780	Nilhhdga.exe	37
PID 2144 wrote to memory of 808	2144	Ocfigjlp.exe	38
PID 2144 wrote to memory of 808	2144	Ocfigjlp.exe	38
PID 2144 wrote to memory of 808	2144	Ocfigjlp.exe	38
PID 2144 wrote to memory of 808	2144	Ocfigjlp.exe	38
PID 808 wrote to memory of 1640	808	Pngphgbf.exe	39
PID 808 wrote to memory of 1640	808	Pngphgbf.exe	39
PID 808 wrote to memory of 1640	808	Pngphgbf.exe	39
PID 808 wrote to memory of 1640	808	Pngphgbf.exe	39
PID 1640 wrote to memory of 2752	1640	Pnimnfpc.exe	40
PID 1640 wrote to memory of 2752	1640	Pnimnfpc.exe	40
PID 1640 wrote to memory of 2752	1640	Pnimnfpc.exe	40
PID 1640 wrote to memory of 2752	1640	Pnimnfpc.exe	40
PID 2752 wrote to memory of 1660	2752	Picnndmb.exe	41
PID 2752 wrote to memory of 1660	2752	Picnndmb.exe	41
PID 2752 wrote to memory of 1660	2752	Picnndmb.exe	41
PID 2752 wrote to memory of 1660	2752	Picnndmb.exe	41
PID 1660 wrote to memory of 3016	1660	Piekcd32.exe	42
PID 1660 wrote to memory of 3016	1660	Piekcd32.exe	42
PID 1660 wrote to memory of 3016	1660	Piekcd32.exe	42
PID 1660 wrote to memory of 3016	1660	Piekcd32.exe	42
PID 3016 wrote to memory of 2100	3016	Pmccjbaf.exe	43
PID 3016 wrote to memory of 2100	3016	Pmccjbaf.exe	43
PID 3016 wrote to memory of 2100	3016	Pmccjbaf.exe	43
PID 3016 wrote to memory of 2100	3016	Pmccjbaf.exe	43

C:\Users\Admin\AppData\Local\Temp\648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\648fbfc3b3a84ef52ea618fa7ddf931a2c795116b8e91cc84482e8123ad5310a_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\Kocbkk32.exe
  C:\Windows\system32\Kocbkk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\Kkjcplpa.exe
    C:\Windows\system32\Kkjcplpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\Kfpgmdog.exe
      C:\Windows\system32\Kfpgmdog.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\Lanaiahq.exe
        
        C:\Windows\system32\Lanaiahq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Llohjo32.exe
        
        C:\Windows\system32\Llohjo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Nilhhdga.exe
        
        C:\Windows\system32\Nilhhdga.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        25⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
483KB

MD5
a7cb7df5ca50f0dad795ea6961d2f396

SHA1
ff0a3dc0a770efbf922fbd025cc10b5060fcf221

SHA256
5ba6c4a7361f45e428b6498798f7a3fd0379f2965e7092ceaf2ecd734234cd8b

SHA512
22dd8dbc69faacd7df2702ae18c2b4d7d57417ea90aa5a1db4ad7e2f82e48b4738b16d23fc75cbd09c4ee9ed5e5a2ddc6527e785f1ca2439e62c145361da1698

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
483KB

MD5
2ddde8c5bc6b7e06ecb70afc456d4731

SHA1
0a6b8a4173c82d61d8bddceaa6cee7f45755e10a

SHA256
a70ce212102929515f22d21e9978f066069d8e40f845afea4200c4b4f3ac42f5

SHA512
87604fe82ea41da1e0ed63cefb6b732aa0f62a2a1701e8015cffaebbf9693ba9f48f2949c14e22211b197ec43d3ac045c946141e0c28667bc0df9fadb5f38e61

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
483KB

MD5
0f0c800853c883904c459f072397cec1

SHA1
01cceca09c5f6d049e486ca603fe3c32c007ebee

SHA256
7c859915a04256f5f2e47cd792186185f80ed974b1080e87df7490e3814e20ee

SHA512
d7b2524aaeff61fe1db896c5c3800e2bff8f2030112b33d01aa6d74ad759872d43fd92a45bea3fa2387e18dc5c1ed43bbbaf839fd99863223a43a097f1c54a60

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
483KB

MD5
c0cfb8b6f33afdb6094ac63857dfa303

SHA1
b3f274f159a0796167537e36b20586853d8aea33

SHA256
35679de9e3f4fd5266c8227de14f85acd52411b906f957784f0193bc891608e0

SHA512
a7d2df29fb7d4e45ed442af4abc95f0efc0882f57cadf8e191eefb924844e35573f336aa5474a1cbb7659dd3c62d8b719c4441b7fe20cfd4fa8ac01f99778600

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
483KB

MD5
40ceecbee853f82e01a858d20ca0ca01

SHA1
3cf144420a8b807e7628a9a353bd0c7badb98847

SHA256
307c2bbbff9a90a6f42aa8c4d02e631a7e540997cbaa917eabf63c5498487ff5

SHA512
0b08d65001c281dfb679bbc9a2d01efde2e24020fb9239da42d31bd9c1c3389d2196ce56e81083eb5966e78f1e26b40b59fc77b76ae314b793717fb10d339da1

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
483KB

MD5
a416b98e53618d052f2ea5641a67c18c

SHA1
5404537e824fd71275690f005e159adb318335f4

SHA256
cfa63d6e24f7b2581abd50fa827367878ae83eb9e765636ea0e134f72d9ad0de

SHA512
f0f0def0ef9538b6343708c39b6d659161c3c3ce284db8d9d66a0af2632cf21c24a942c9ff1c6563a8eb7ac79cf24864446372842eaba75fc22329c6007ceab1

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
483KB

MD5
7ec59cbd709af1228989bfd18c55ef48

SHA1
5ca6b87ff6cca8ea284de7f39087dcfb83ab871f

SHA256
9767a8df928b2d2f35f58112d460fe9f16e86c55bc43b4d607600fa3fd8ad443

SHA512
6adb0965127433a0d6e3bf167e02522995686e5371fe7cf651707f7e39172bab70bd7676013f8c8662b069fdbab2a34ed5d69e4887e0fa4d037c6c0d0ec9d16f

Download Submit
C:\Windows\SysWOW64\Kfpgmdog.exe

Filesize
483KB

MD5
9301b2f08aff2847f880707971240171

SHA1
a5e32d8a6a1103812449f84597270e1137a0d2dc

SHA256
09774e59327ac5c53f1120ec30c6e901173a657951cc71006caccebc674456c8

SHA512
741c326b3838a78068074293920ec2e2e00626bac4f40e71c0542a333645176d0a4bd222f8c6cefb92921770b3091129cc274dd7923213c5c2898d397bc83bb3

Download Submit
C:\Windows\SysWOW64\Kkjcplpa.exe

Filesize
483KB

MD5
d1ce4f8fc4592598d44305a3495d7c4f

SHA1
ba854bff661147d2060259bdade152c14e7d9bbd

SHA256
0c24c355749779914192193f1b9c8d9392667cb4837b0582c0a7f48c279ae161

SHA512
ed5d68e6c2495c6f6ffa203b0eff6ab45e518278eb014a086a13e3f5764b4f4f2a1764526f26e0582050a35e4790a31b131fac86fb4563c6f509aaa2f4cba5f3

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
483KB

MD5
47c1d006cf146b40c137fee453b8ac3f

SHA1
b030c67275405a4a167fd1b01622474133fc1c9e

SHA256
231f969f2d3049cce7ebb87cf0d85d1897470712a512f739a625006c98405a3a

SHA512
93779507044463185109e71cdcbd3b8f704830460b41e5d5e7748b0159539a6797033d5493a808bce4083c9a899b7a45c50009a706e00c3ed870a36907a8abc9

Download Submit
C:\Windows\SysWOW64\Nilhhdga.exe

Filesize
483KB

MD5
be75041ada29d42bbaec175728b5ab35

SHA1
c40881ca019a40e9431f116918b1e2e483769996

SHA256
8d7876384de391b546a81ee3b176e6433f92029f0f51d7ed7c9f144683796e1f

SHA512
345c920b41fa7f7df2a7db283af87e4526e54c22df6f685d05c73ec2b2a7fcb2de2b04c283df446a58f936682ec9f6ba4c0b99c689014138650e144b62349fd6

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
483KB

MD5
2324ae069f2cd8bd320744a6514ad32c

SHA1
1fd8f336601bbb1b19ac390a47dae9dc5da051e0

SHA256
0e44c04fd8348abc47bfa78f0012b6502557f63bcc021049df8e21b8ec80341e

SHA512
2e3d37b70a0f4b377a158a06e6daaa6752dec1e76c1eb2b4e58f9257949fd494113f3ccca9ebc21e89f935313bcd0189c334000eba205ea53458bc945d5fed49

Download Submit
C:\Windows\SysWOW64\Ocfigjlp.exe

Filesize
483KB

MD5
21d5725108edaa27bb6e1be6316dfc85

SHA1
3801cf430512a0c4a334f93f3c655c4fd17df351

SHA256
0a5a0505d087857a13837c2633773ce0c4fca2788880c99354425c203e0e1d95

SHA512
0ba6f740667fd514626dcd65b5335c7c43267b1bf2ee0d0b07e6fb1e653101aba3471d5f6cf358675ce06e427548d0103e94b7a7df792ee6fa60e17bc500706d

Download Submit
C:\Windows\SysWOW64\Picnndmb.exe

Filesize
483KB

MD5
a9239b5b0086a06384a8c730bac64653

SHA1
be5ef2624195b057d83857b257f4cb93786d2473

SHA256
a78a3df5e61161e75d244376b0cb71ecdf48ec88280edbea5c81eaafcb27fedb

SHA512
0304953ff6418c91d364a7e318dea24e632c08d5c9df850b8cad953b414f9065c1709fd0e920638a044abb4886079bdad6079795ba2d0b8a1f0157768c35064e

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
483KB

MD5
80f0d0a681b7ae8909e40051e3740e8b

SHA1
4b18bec2268a16d8d985e172efdf19e2193b509b

SHA256
c2428bf0220cd72bb6006c66be8bffa9235971c8a263454ad0132c0713641e49

SHA512
e4170902e6c498bbe748952db0def0e7267f6c3cc1a186096aa8ffe2a21585909981d47b8bd2b82e4a936fcd0a353d3a925c49dea8a9269b1dedf91870735f5e

Download Submit
C:\Windows\SysWOW64\Pngphgbf.exe

Filesize
483KB

MD5
76a077e7c6e0c44f4e7db8d8ba9f4ae0

SHA1
39aa8b4c7a1e5cd50a37a6ec23628e58bb42b1a9

SHA256
24d1969a956d8779d6e87aba320d68963d1dda4edd30f61b3bba00c96ea71c3f

SHA512
4c22129a3c5e8eb32f899703036b19e28df75e5a1792812aaeb8b09f9a774950a0b03dc77b7d0af8b0af5766961751286f345d13f0ab74a848f02ca063b68fc0

Download Submit
C:\Windows\SysWOW64\Pnimnfpc.exe

Filesize
483KB

MD5
34e8588d22a5910a3d759a62007753e1

SHA1
4e841ed4b5c68af009bb6e2b4e8736f623744a7b

SHA256
57f378044b566a59e8b203dc51061eb0229ab84377bea852d9cfd7cb445dbc15

SHA512
abac7f5c16f7d340ee1f4200d4ca4dd4cdeb7c824828ea87ffcd7584fde554ee94b1e0b557d3344716e1808f2a4232a145716155c768a3f07c0e1f95b44ad692

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
483KB

MD5
2830297806450840c0cc245fa54f98a2

SHA1
2b59588208eca00f80c63e3945dbdf0b6f678dbe

SHA256
c7808447b52973a168e4f0883620f77044897f62ae3fbf3d2deedc5366007162

SHA512
67eb970fd337c5160e87d9a312b295baffe1000c39b8c0c56221a2d39e22f5ed89039d65d0e9a5e61f0abed88a211c382dd0a7da1308c806df8f1e48bd148af8

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
483KB

MD5
4d2a2564a1aacd7affde7ef323b52bdc

SHA1
aea1b6b18d5fbac4878679dfbefe1317c1892f6a

SHA256
4cb05267df566f0c83af72b610040a1ce94e72f3b9d2dd8fcb12297a919bd1ea

SHA512
d49b0c45e9c8bc2f31962cea8a6bf24b676dbdd7f84727c89970747272988105c50829ed2a7cd8bd396576ba9598bdef9e84a9e22e038fb46691a572fc05a185

Download Submit
\Windows\SysWOW64\Lanaiahq.exe

Filesize
483KB

MD5
65fc42a120bbe262b679d69788ce0985

SHA1
3a0a6d3f469b9536d0744324db702d56ba8a32b6

SHA256
35192f1df6f3e1bce5c8ed2fc6d52581f8e0a867f70cf16c802bc39770bcb80e

SHA512
58cbeb39e8a2ad2983b316aba7ab16efe063667bc266eea4f331c96f313aeb8b25f368ddf9562c53e9d1d862532c3cdd2173210dfca7c5fec87f19d44bd63d1c

Download Submit
\Windows\SysWOW64\Llohjo32.exe

Filesize
483KB

MD5
669d4b816c387f2b0ce42298a7fa6729

SHA1
57579c02dfcd3aa6a6096f4b6f3f50ccebc84718

SHA256
b8c2022d09b1dd08e81ef54b99b2a5dc38559591f17e99a69e618f9779c2a66b

SHA512
e71acaa55810afbf0d5e56b96107a6f8a7f9fb44797f382fcb7a9ce839e2b8ad0aced9c68d7aa8b918a9a9668d359cc84a39652c75fb42990380d73d133489ec

Download Submit
\Windows\SysWOW64\Maedhd32.exe

Filesize
483KB

MD5
380c16dc2e5d1c480b3216f7a8be8d34

SHA1
adc9c2017fa46a1283f358398b5cb6e8d2dd8f85

SHA256
3b73a19cc15f12f2482caac4be48e960215c4dc7184ab83c2579f04364033b8d

SHA512
fe96f5ff158fc742a150c71c4100107a367bcd454302b24e0d83f59f32484cd44bd4b7c8c514696b461d71fee4aedc3a07ee1ce8ab04c3278a93b0b62cf2c274

Download Submit
\Windows\SysWOW64\Ndemjoae.exe

Filesize
483KB

MD5
66ac5799d2ebaa829d2bb2df026db9ce

SHA1
9e4283f4779accc527b823f1ccefa4dec583742b

SHA256
3d26631faf9ae242c6bf40a36b2345634dd74351c1ae92edc06fa6a2d8e7d16d

SHA512
0d12fc8849652eff3b50222535fa55608197ce70224f092b3158795755ad522b6fd60646813aeb853035349dd3df2ec16c5cd1ceee6facbda510b0cfcb0c38f4

Download Submit
\Windows\SysWOW64\Pmccjbaf.exe

Filesize
483KB

MD5
88065e778f5a5e34f9698b2e34b732b1

SHA1
5cd71e81365a6cb9227db1cc27b6f3f3e83b173e

SHA256
c73b00083d0e3536c9c1f5f6a35adca640ceec60c126041a29c7b8517e863bdb

SHA512
5148ca6c73314cef9fbb479380d8aec3f8d7cd5ca9b6602772433051bb0670deccda1b30d2186110ce2d94d8dd4268ca5346941d65b78131291a2bc7682f22cb

Download Submit
memory/428-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/428-256-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/808-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/808-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/808-172-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1104-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1292-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1292-78-0x00000000003C0000-0x00000000003FF000-memory.dmp

Filesize
252KB

Download
memory/1292-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-250-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1516-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-248-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1516-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-266-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1524-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-290-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1624-291-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1640-173-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-183-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1640-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1648-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1648-277-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1648-276-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1648-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-210-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1660-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-235-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2144-155-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2144-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-298-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2176-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-45-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2356-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2404-12-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2404-13-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2404-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2404-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-106-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2460-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-113-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2552-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2552-85-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2552-96-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2680-46-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-62-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2680-61-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2724-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2724-69-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2752-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2780-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2780-144-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/2780-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-126-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2988-308-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2988-309-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2988-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2988-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-225-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/3016-224-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads