6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805

Analysis

max time kernel
143s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
Size

60KB
MD5

2059fb9ac1de660307eafd5df35f27c0
SHA1

b7410627bf40f234be7f642f6a0c2c824937d47e
SHA256

6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805
SHA512

7aa728af72422b04f9db7c3ae4ccba2a8fc38cc4813a2a1126916c26fde1e790316f07c80089e1e4ad1b8675d81112473c6118f89fea96b9934731b87cce283e
SSDEEP

768:DoRRjPVaZP+I+o0xrElbwPYL2S5+bNzMfy2GrdYXk+woaucRrrrX6OZpl//1H5rB:DA5Gbu+S7+woWrrrXnTX+B86l1rs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knpemf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghjel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mffimglk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kklpekno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkolkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkolkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kegqdqbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegqdqbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knpemf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkhofjoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdcpdp32.exe

Executes dropped EXE 24 IoCs

pid	Process
1948	Kjifhc32.exe
2564	Kklpekno.exe
2612	Kkolkk32.exe
2736	Kegqdqbl.exe
2456	Knpemf32.exe
3016	Lghjel32.exe
580	Lcojjmea.exe
572	Lmgocb32.exe
2868	Laegiq32.exe
2784	Liplnc32.exe
2812	Lpjdjmfp.exe
2776	Libicbma.exe
624	Mffimglk.exe
1228	Moanaiie.exe
2636	Mkhofjoj.exe
1760	Mlhkpm32.exe
288	Mdcpdp32.exe
936	Ndemjoae.exe
1492	Nmnace32.exe
1324	Ndhipoob.exe
1680	Nmpnhdfc.exe
2312	Ndjfeo32.exe
1516	Ngkogj32.exe
3040	Nlhgoqhh.exe

Loads dropped DLL 52 IoCs

pid	Process
2000	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
2000	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
1948	Kjifhc32.exe
1948	Kjifhc32.exe
2564	Kklpekno.exe
2564	Kklpekno.exe
2612	Kkolkk32.exe
2612	Kkolkk32.exe
2736	Kegqdqbl.exe
2736	Kegqdqbl.exe
2456	Knpemf32.exe
2456	Knpemf32.exe
3016	Lghjel32.exe
3016	Lghjel32.exe
580	Lcojjmea.exe
580	Lcojjmea.exe
572	Lmgocb32.exe
572	Lmgocb32.exe
2868	Laegiq32.exe
2868	Laegiq32.exe
2784	Liplnc32.exe
2784	Liplnc32.exe
2812	Lpjdjmfp.exe
2812	Lpjdjmfp.exe
2776	Libicbma.exe
2776	Libicbma.exe
624	Mffimglk.exe
624	Mffimglk.exe
1228	Moanaiie.exe
1228	Moanaiie.exe
2636	Mkhofjoj.exe
2636	Mkhofjoj.exe
1760	Mlhkpm32.exe
1760	Mlhkpm32.exe
288	Mdcpdp32.exe
288	Mdcpdp32.exe
936	Ndemjoae.exe
936	Ndemjoae.exe
1492	Nmnace32.exe
1492	Nmnace32.exe
1324	Ndhipoob.exe
1324	Ndhipoob.exe
1680	Nmpnhdfc.exe
1680	Nmpnhdfc.exe
2312	Ndjfeo32.exe
2312	Ndjfeo32.exe
1516	Ngkogj32.exe
1516	Ngkogj32.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnlmhpjh.dll	Moanaiie.exe
File created	C:\Windows\SysWOW64\Ndemjoae.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgocb32.exe	Lcojjmea.exe
File opened for modification	C:\Windows\SysWOW64\Moanaiie.exe	Mffimglk.exe
File created	C:\Windows\SysWOW64\Ihlfca32.dll	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Gpbgnedh.dll	Mffimglk.exe
File created	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Kjifhc32.exe	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kegqdqbl.exe	Kkolkk32.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	Ndemjoae.exe
File opened for modification	C:\Windows\SysWOW64\Mkhofjoj.exe	Moanaiie.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Mffimglk.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Noomnjpj.dll	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Lmgocb32.exe	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Liplnc32.exe	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Lmgocb32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Aeaceffc.dll	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Eeieql32.dll	Kklpekno.exe
File created	C:\Windows\SysWOW64\Lcojjmea.exe	Lghjel32.exe
File created	C:\Windows\SysWOW64\Jjnbaf32.dll	Kjifhc32.exe
File created	C:\Windows\SysWOW64\Lghjel32.exe	Knpemf32.exe
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Liplnc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Fpcqjacl.dll	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lgpmbcmh.dll	Laegiq32.exe
File created	C:\Windows\SysWOW64\Dlfdghbq.dll	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Kkolkk32.exe	Kklpekno.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Lpjdjmfp.exe	Liplnc32.exe
File opened for modification	C:\Windows\SysWOW64\Mffimglk.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Kjbgng32.dll	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Ngkogj32.exe	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Knpemf32.exe	Kegqdqbl.exe
File created	C:\Windows\SysWOW64\Nffjeaid.dll	Lghjel32.exe
File created	C:\Windows\SysWOW64\Mpcnkg32.dll	Knpemf32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpnhdfc.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Mdcpdp32.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Nmnace32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Lghjel32.exe	Knpemf32.exe
File opened for modification	C:\Windows\SysWOW64\Liplnc32.exe	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Lcojjmea.exe	Lghjel32.exe
File opened for modification	C:\Windows\SysWOW64\Kklpekno.exe	Kjifhc32.exe
File created	C:\Windows\SysWOW64\Knpemf32.exe	Kegqdqbl.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Mffimglk.exe
File created	C:\Windows\SysWOW64\Mkhofjoj.exe	Moanaiie.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Kegqdqbl.exe	Kkolkk32.exe
File created	C:\Windows\SysWOW64\Ihclng32.dll	Kegqdqbl.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Ndhipoob.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2196	3040	WerFault.exe	51

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpmbcmh.dll"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkolkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihclng32.dll"	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbgnedh.dll"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll"	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libicbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knpemf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfdghbq.dll"	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libicbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjifhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcnkg32.dll"	Knpemf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knpemf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkolkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll"	Kkolkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Mkhofjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1948	2000	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe	28
PID 2000 wrote to memory of 1948	2000	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe	28
PID 2000 wrote to memory of 1948	2000	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe	28
PID 2000 wrote to memory of 1948	2000	6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2564	1948	Kjifhc32.exe	29
PID 1948 wrote to memory of 2564	1948	Kjifhc32.exe	29
PID 1948 wrote to memory of 2564	1948	Kjifhc32.exe	29
PID 1948 wrote to memory of 2564	1948	Kjifhc32.exe	29
PID 2564 wrote to memory of 2612	2564	Kklpekno.exe	30
PID 2564 wrote to memory of 2612	2564	Kklpekno.exe	30
PID 2564 wrote to memory of 2612	2564	Kklpekno.exe	30
PID 2564 wrote to memory of 2612	2564	Kklpekno.exe	30
PID 2612 wrote to memory of 2736	2612	Kkolkk32.exe	31
PID 2612 wrote to memory of 2736	2612	Kkolkk32.exe	31
PID 2612 wrote to memory of 2736	2612	Kkolkk32.exe	31
PID 2612 wrote to memory of 2736	2612	Kkolkk32.exe	31
PID 2736 wrote to memory of 2456	2736	Kegqdqbl.exe	32
PID 2736 wrote to memory of 2456	2736	Kegqdqbl.exe	32
PID 2736 wrote to memory of 2456	2736	Kegqdqbl.exe	32
PID 2736 wrote to memory of 2456	2736	Kegqdqbl.exe	32
PID 2456 wrote to memory of 3016	2456	Knpemf32.exe	33
PID 2456 wrote to memory of 3016	2456	Knpemf32.exe	33
PID 2456 wrote to memory of 3016	2456	Knpemf32.exe	33
PID 2456 wrote to memory of 3016	2456	Knpemf32.exe	33
PID 3016 wrote to memory of 580	3016	Lghjel32.exe	34
PID 3016 wrote to memory of 580	3016	Lghjel32.exe	34
PID 3016 wrote to memory of 580	3016	Lghjel32.exe	34
PID 3016 wrote to memory of 580	3016	Lghjel32.exe	34
PID 580 wrote to memory of 572	580	Lcojjmea.exe	35
PID 580 wrote to memory of 572	580	Lcojjmea.exe	35
PID 580 wrote to memory of 572	580	Lcojjmea.exe	35
PID 580 wrote to memory of 572	580	Lcojjmea.exe	35
PID 572 wrote to memory of 2868	572	Lmgocb32.exe	36
PID 572 wrote to memory of 2868	572	Lmgocb32.exe	36
PID 572 wrote to memory of 2868	572	Lmgocb32.exe	36
PID 572 wrote to memory of 2868	572	Lmgocb32.exe	36
PID 2868 wrote to memory of 2784	2868	Laegiq32.exe	37
PID 2868 wrote to memory of 2784	2868	Laegiq32.exe	37
PID 2868 wrote to memory of 2784	2868	Laegiq32.exe	37
PID 2868 wrote to memory of 2784	2868	Laegiq32.exe	37
PID 2784 wrote to memory of 2812	2784	Liplnc32.exe	38
PID 2784 wrote to memory of 2812	2784	Liplnc32.exe	38
PID 2784 wrote to memory of 2812	2784	Liplnc32.exe	38
PID 2784 wrote to memory of 2812	2784	Liplnc32.exe	38
PID 2812 wrote to memory of 2776	2812	Lpjdjmfp.exe	39
PID 2812 wrote to memory of 2776	2812	Lpjdjmfp.exe	39
PID 2812 wrote to memory of 2776	2812	Lpjdjmfp.exe	39
PID 2812 wrote to memory of 2776	2812	Lpjdjmfp.exe	39
PID 2776 wrote to memory of 624	2776	Libicbma.exe	40
PID 2776 wrote to memory of 624	2776	Libicbma.exe	40
PID 2776 wrote to memory of 624	2776	Libicbma.exe	40
PID 2776 wrote to memory of 624	2776	Libicbma.exe	40
PID 624 wrote to memory of 1228	624	Mffimglk.exe	41
PID 624 wrote to memory of 1228	624	Mffimglk.exe	41
PID 624 wrote to memory of 1228	624	Mffimglk.exe	41
PID 624 wrote to memory of 1228	624	Mffimglk.exe	41
PID 1228 wrote to memory of 2636	1228	Moanaiie.exe	42
PID 1228 wrote to memory of 2636	1228	Moanaiie.exe	42
PID 1228 wrote to memory of 2636	1228	Moanaiie.exe	42
PID 1228 wrote to memory of 2636	1228	Moanaiie.exe	42
PID 2636 wrote to memory of 1760	2636	Mkhofjoj.exe	43
PID 2636 wrote to memory of 1760	2636	Mkhofjoj.exe	43
PID 2636 wrote to memory of 1760	2636	Mkhofjoj.exe	43
PID 2636 wrote to memory of 1760	2636	Mkhofjoj.exe	43

C:\Users\Admin\AppData\Local\Temp\6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6763f8cb3394bb0e744ecc1462a2198a7b3ee9dfaa97afcac1e122e46cb3e805_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\Kjifhc32.exe
  C:\Windows\system32\Kjifhc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\Kklpekno.exe
    C:\Windows\system32\Kklpekno.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\Kkolkk32.exe
      C:\Windows\system32\Kkolkk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\Kegqdqbl.exe
        
        C:\Windows\system32\Kegqdqbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\Knpemf32.exe
        
        C:\Windows\system32\Knpemf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Lghjel32.exe
        
        C:\Windows\system32\Lghjel32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Lcojjmea.exe
        
        C:\Windows\system32\Lcojjmea.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Lmgocb32.exe
        
        C:\Windows\system32\Lmgocb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Mffimglk.exe
        
        C:\Windows\system32\Mffimglk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Mkhofjoj.exe
        
        C:\Windows\system32\Mkhofjoj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        25⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Knpemf32.exe

Filesize
60KB

MD5
307ce6650904351e913f6a0b25f16457

SHA1
513e9cd12bf8e3e5575abda31423d70644089da6

SHA256
7b8e79922b71aeca78a73b4743c721d508e0d6fd4af845d0645bfce107486d01

SHA512
668f7bee5997b315e2cd03d5fdb492ef45a40527e52fdf8abff20978acfcda943d214d68e734e9032f8bcd271407f32d2c5d13ba146aac3142b30bd4cfe5ae45

Download Submit
C:\Windows\SysWOW64\Lcojjmea.exe

Filesize
60KB

MD5
946234fd83a1e4d4279d1966449bac2e

SHA1
d598ef51cb2c5b1b633c81e55cbb83734823645c

SHA256
7faf61b007a4cd1f90c74bee9744d5e29ac6b93264d65893b4c45bc45eb7e051

SHA512
55a26312ddec94a489d32bd4516f10fef427631ba17a2c724bbbcdfe33b8cc759fe74c263b9f9b94ca925475654e2597d3ed8c46c37c7705f162fbb895e973c6

Download Submit
C:\Windows\SysWOW64\Lghjel32.exe

Filesize
60KB

MD5
d072588757cef27ed591cc72e31bea51

SHA1
048520ad03cca045b12d1de04965078ba3ba54d3

SHA256
10ca81fbfaa01888fa6a64c526785b199644c1b8e0c6e5cb6b24b04a3bd13413

SHA512
5c955ec32e989e3e59287cf4c121fbeae27eff4367a544415a738ba2ab096173bb8066ed511f88fafdc57383beef61aab9acd5420eb30cd5476c54b8b2b24b09

Download Submit
C:\Windows\SysWOW64\Liplnc32.exe

Filesize
60KB

MD5
416e936f499d8548b381da9f2f65a369

SHA1
186cfd95f3e46b56dc6a7c9314f02d47e5b5ae5c

SHA256
9df664031aca91fbbfeae902a198ef36d9d844bcea0e630f91fe6500b627208f

SHA512
743b6852b3c15ae164cf884ddc6b5831544339a63f5db77e06ae744df6979a3f76e32a1936b59e5b8836f09b274e47ae5b18a8eafb9a908305f7ceafbaafe73f

Download Submit
C:\Windows\SysWOW64\Lmgocb32.exe

Filesize
60KB

MD5
d0368d4f45b4d0d996324f3d35d5ec33

SHA1
344043e19f56baab7ad19bc7a36dc1ce047e08c1

SHA256
1000ba40f9d6d1853e7dc7925887d9da01afdfa73f46ec6e25c9bfb19e470bda

SHA512
60dc973a869111f267f5c881bd987d628e2f823352797225d6cffee07a45243479c1a709efc49bdf002a079f6fce9d248082450583428ca032171a09f8bd4305

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
60KB

MD5
0991c077e24e85b00b59789d6601a61d

SHA1
c0999fed403e702bb92d3ec195486dae8ef5309c

SHA256
fd51620aa709b6e715c1e75198c7a650dfee676a49d1bade904ab32e892e45aa

SHA512
288594ffd080ad8251ba372ed9128c80b6f8cec0bf5fc5f20c5e4f6d40d739ee599278cbc46ebc4779b2738f57160984c34b075ca18758110a0efd3e1a14d2a8

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
60KB

MD5
5a05888612dff6fab4e06f4a6dd52055

SHA1
a9082829a3fd4d5ed8c88960319f402bec429f8c

SHA256
9bb3c94ed6cf10b3c61392aaf8540a8625060b4f561c7eeffd18386673a73004

SHA512
62a81a437e6b7ad532f244525655beb128dbe0b5ed0ef669db770d1a2da9d022fcffb8dc0fb6fc6ba34a5e665fbe1bdce142f99d0addc86be5a4f58f4624b921

Download Submit
C:\Windows\SysWOW64\Mffimglk.exe

Filesize
60KB

MD5
0de6dbd442fd6e3ebf56def7bd26ebd0

SHA1
fcf013ccdb8a723cdcf6b256b16e1b100df4ee8e

SHA256
395bd73e17259ca826624740d5970b883e452eb1d01c3f84b0f5edf939267c6d

SHA512
7dd6bb9ca212077a78a234b07df4f5a9bf944b4d72a348e75e20cc1534edd3de9c325d5cde4bea5759b443e3b73ef5b915be94bc13beccec5e2196e03e69bf81

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
60KB

MD5
f710c89e752c4d11a969cad685863fc6

SHA1
a8444c4fc6aade8e4c7291682cff2d6cdcb99b66

SHA256
7d539e6b1b54e30869eab3681921c2cf4bd99893b8fae5585fc02f1c737907f8

SHA512
86e44ebffca7ce7bf88851a970a9c4a77c3d51d8c09ee42ff43234dfe4b9a6d3778bff584f2c96e1d0fcf5f3969bb3c0bb30ad7ad4237f2ba9a7379dae79af30

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
60KB

MD5
6294273d90f5162d3675dbc4810161df

SHA1
c6a8f3ec19d96e12e02eba37ff0d43de625cb343

SHA256
b32da02c65d9043e31f07c61af42ac56cd3a05aa8404d0fd6f92940e0ac6d3d4

SHA512
945faeb9b7e3a7cfa6283a28742cc3cf69c1d81d3e27de91e6ad36ab1fd9879a96b435fff6f89a9bffa9ab796f12048da798cf9724a287d13eb36ecd0d6b4a89

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
60KB

MD5
a9759f8e78580e29f19c6f69c8760892

SHA1
6b18b45e4cdabe1fa4ecac9fcfeb63124e6cb634

SHA256
deb017b344037921a279b28e261b768fffd7622b2c99396b0e7db4ce7fe157d2

SHA512
818759b62c3fb41d96b448f425c0d2dc705ffe371b4637812c5c7d96b8a5ea27612dc7729d2c3e0542ac5d1918c5adc1dabad8377858646c077e033fe4271cf0

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
60KB

MD5
653e1a76883bdb0e852b544c535c2389

SHA1
ec29e115f74a5f5217e3c244adbff2ed3dec74e6

SHA256
4f6a9ea17e64ca0a1bbbc263561b6a531d310c89ca47aea52ad66c64fed00f93

SHA512
4d6b7084d473c4d45ec1abae4b7a210190d8e937e14b101da912e8f91078d8a61f308e096dbafc12110630feaa67401478800c501c90192f7537a86312b88f9d

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
60KB

MD5
5e9988a5579bef058d3aa8f4051edcd2

SHA1
b92394e57b5e4cccaf52fcbf7a970a8f41e2d642

SHA256
168fa14152cc3bf3a2220b8bd0f63e3f84bcf1aa8ed81d02493972f21aaaa57b

SHA512
52a2e45ad8e894a8f7318fa447be1170176d61bbd7801cb97d582cc744b56c350758b176c38a2d98717c88021918c4843614c8c4399d058fd868a7552fa8c800

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
60KB

MD5
d85c9f2ed39e4c421afd365224ed75cc

SHA1
34a04f3ed64dbfb94e0bbc43caa9256f2ce5d3fc

SHA256
466410971ca992b10020eca392c3aec55cd6e1cdac64cabcac6a9849e8f62bae

SHA512
6cc836a66b31f8eb7b673ec190c5eba9578aebdc3ad812df806c91f426aa73ee3cdf8f996373dd1c7fb5cf1443d81f224dfc9a8f98b84496150e998693daa622

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
60KB

MD5
f79f3e92eaa9fc008120c452b63c35f9

SHA1
3dc5c4e3df6186c3b34d2de1c663a5442e1585a7

SHA256
801f2c8d495332612abe1f0157153fab2d227759d8a289d789c1e623e3ef52e9

SHA512
b269b162c0b761e3fcbbdc3d5a0218579499777e589b24653f6097db918368231f1051e31f34fba39c04bf1c5e6e7615a5b82437fcbf9673291046873200f7da

Download Submit
\Windows\SysWOW64\Kegqdqbl.exe

Filesize
60KB

MD5
d024e6d399223c4f2de6bf50b94514ca

SHA1
e3f3b2b71979da77ab9b33847f1c9ee0a8bef519

SHA256
07b5e4d6afc4597c2c636297b1bc793937f03af4a295e5b7dd75079e3d5c1be2

SHA512
8975a97bee45add2ad13244d592fed1c71f6d21501f000181c46bcdab1e9fda506a2873386d8965f069b4f4534d5fe253ac6aac71b65f30727e1310f282b169a

Download Submit
\Windows\SysWOW64\Kjifhc32.exe

Filesize
60KB

MD5
9eac5e27e2ff3ab34dc1659202f8fde4

SHA1
ea7ddfd1dcd9541c2f627239913775603757e301

SHA256
7d957e1aee837890eba076330ec40360a8766190e660417d3de00d703354cc80

SHA512
cc903ea8d9ed339455bde5f22da952ff3da48bdbdd82f871a801f168b580565673dbe78d0ba9d3ff51a290df16530e8430fefa08424488bdf08790082c6cb6e7

Download Submit
\Windows\SysWOW64\Kklpekno.exe

Filesize
60KB

MD5
787fa35b6e45350fda140bf62a15679d

SHA1
211c5c29e8570ea1214a5601b7b759359dbae60e

SHA256
5239931dfa5ddc7917970b1e9fe706220c5e954b94443f8634dc7ca5b7bf80c1

SHA512
e5daff6ccfbb61e8a7173c6c39557b2be7843e597fa29648868a843da6aed811e7c2edf8d3891e5d813b24a863abecb2a7436e4231727d603d6bdb24901b2758

Download Submit
\Windows\SysWOW64\Kkolkk32.exe

Filesize
60KB

MD5
282ad363d0987b42be5c2b5826bf3f52

SHA1
0e13256e28fdd8ca50529571afc199b9504852e1

SHA256
9b9556f2481e462278992886af5610bfe3d50fdc9450a90aa992a030f0dabd99

SHA512
2bcb48e6fa0bf59a01d9952871241caddc6a191d12960f324dde652e12b4a12e87b7fb7454913a84fc1a05f3df36ca7530e4c4e6588af3e2d8d41377ef2c62e2

Download Submit
\Windows\SysWOW64\Laegiq32.exe

Filesize
60KB

MD5
6be5650c0034f0cb1ac4d480a4784383

SHA1
2e134e349ffbb5ab20feaf6245e1bc4f6957a829

SHA256
1b61a2690587ceef553ef72064fc18c584ec12c7af6b80c56cdd882f48ea06b9

SHA512
cc50acba3e02b8452cc64c856bcafde813c246bfccb453f0848e25e5eaba4e05286b39e601e29096170e69471906b5b5d1f878b6e7af8a2b9e2614bfdaca0826

Download Submit
\Windows\SysWOW64\Libicbma.exe

Filesize
60KB

MD5
4e0703948224bf718de2e0093f1dcdfd

SHA1
ab46ffcd8663118507177e248d15683b8c7383b5

SHA256
c0922eb47d14e3f19f3e14173402f4c0698879d90a692af0402c346887c327ec

SHA512
0e7e43c9b8bd71b6587330a34aa739f09d92ef38c3545a7472ad252e1e651ea7925d5ee539443dbaf0799ba7347bd1a959aeae39019e9a5e75605cb980f609a1

Download Submit
\Windows\SysWOW64\Mkhofjoj.exe

Filesize
60KB

MD5
e558d5951851de5aeadec0142bfa0e3f

SHA1
f73596511e597c835290b03b2e58e3f1bf1d89dd

SHA256
936168398c9c530fc6b286d20146f52a08edfc4ef8509763d8db64df2d798e9d

SHA512
68532a2180bc714b91b6bd439db9aa765f510f4679a91e3439f78ed9e6022bd810f0d88d3b777bf5d84f397003197acb94b1fd64f346b0986ec3620381e7d962

Download Submit
\Windows\SysWOW64\Mlhkpm32.exe

Filesize
60KB

MD5
e0ff80a5c3ba19de728208a107cf220b

SHA1
fbbee94268fc33b9aecfadffebe30816e8f46f6d

SHA256
50e4d2357650baf46f582970814e496ae02adc69f2ceff927d8bb5d2839af7f7

SHA512
922294204c0bc48510a87047a04e19bc7648a3934f686708c19902a9e9728dd2a751bf5190bc9e0289c2c0264ccc0279f78fec4f1bc7d54955f888538f0c9a99

Download Submit
\Windows\SysWOW64\Moanaiie.exe

Filesize
60KB

MD5
12f1efedb7ecf835ea3673818ed25c92

SHA1
42d71eeb0b3e6bdf4c5a08fe8ce23b6e59c49999

SHA256
0bd426f8c5af21fc911aac6e1c2c4a6686c8d017b05aa2f59fdbff3924f0e30f

SHA512
a6d01859c8ee77ec2aebb61b03ff5309cca4f249838e8b0d3a8170e1eac4e11a5da55846c4343e46ea2a416778fd53102c721b6b59455c1de992ad1700b47d66

Download Submit
memory/288-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/288-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/288-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/572-396-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/572-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/572-120-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/580-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/580-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/580-112-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/580-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-199-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/624-254-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/624-198-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/624-185-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/936-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/936-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/936-264-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/1228-201-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1228-272-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1228-217-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1228-408-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1228-209-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1228-265-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1324-277-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1324-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1324-320-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1324-420-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1492-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1492-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-371-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/1516-318-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/1516-426-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-296-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1760-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-243-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1760-239-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1760-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-276-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1948-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-21-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/1948-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2000-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2000-69-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2000-6-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2000-83-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2000-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2000-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-306-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2312-307-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2456-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2456-75-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2456-157-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2456-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-384-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-35-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/2612-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-49-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2612-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2636-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2636-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-62-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2736-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-216-0x00000000002B0000-0x00000000002E6000-memory.dmp

Filesize
216KB

Download
memory/2812-402-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-171-0x00000000002B0000-0x00000000002E6000-memory.dmp

Filesize
216KB

Download
memory/2868-197-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2868-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2868-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2868-140-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2868-141-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/3016-93-0x00000000001C0000-0x00000000001F6000-memory.dmp

Filesize
216KB

Download
memory/3016-85-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3040-372-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3040-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads