52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
Size

304KB
MD5

1b98e7acbdb84656ca79d5fc465610d0
SHA1

fb28857409afc911ad3a340de67b0417f4b840d8
SHA256

52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad
SHA512

2469745be4e8cbaaf7dbed75380ea5d31ae8369e9d4f2bfaa7eaeb8b7a9916612349390aae0bf85c117c5da3bd1a63e937aed3740a9b7f3dc4e378610466170a
SSDEEP

6144:KUeB/Ex50U5oB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6MxE:ZQcz0b6t3XGCByvNv54B9f01ZmHByvNE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe

Executes dropped EXE 27 IoCs

pid	Process
872	Kgbefoji.exe
4272	Kpjjod32.exe
4164	Kcifkp32.exe
4568	Kkpnlm32.exe
3960	Kckbqpnj.exe
1020	Kkbkamnl.exe
3300	Lgikfn32.exe
4324	Laopdgcg.exe
3848	Lgkhlnbn.exe
3232	Lpcmec32.exe
2760	Lgneampk.exe
4260	Lpfijcfl.exe
3168	Lgpagm32.exe
1700	Lddbqa32.exe
2932	Mjqjih32.exe
4976	Mdfofakp.exe
4024	Mkpgck32.exe
4812	Majopeii.exe
1848	Mcklgm32.exe
3144	Mjhqjg32.exe
3644	Maaepd32.exe
5052	Nceonl32.exe
668	Nddkgonp.exe
4748	Nkncdifl.exe
3268	Ngedij32.exe
4040	Nqmhbpba.exe
3684	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Maaepd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
336	3684	WerFault.exe	106

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 872	1644	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe	80
PID 1644 wrote to memory of 872	1644	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe	80
PID 1644 wrote to memory of 872	1644	52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe	80
PID 872 wrote to memory of 4272	872	Kgbefoji.exe	81
PID 872 wrote to memory of 4272	872	Kgbefoji.exe	81
PID 872 wrote to memory of 4272	872	Kgbefoji.exe	81
PID 4272 wrote to memory of 4164	4272	Kpjjod32.exe	82
PID 4272 wrote to memory of 4164	4272	Kpjjod32.exe	82
PID 4272 wrote to memory of 4164	4272	Kpjjod32.exe	82
PID 4164 wrote to memory of 4568	4164	Kcifkp32.exe	83
PID 4164 wrote to memory of 4568	4164	Kcifkp32.exe	83
PID 4164 wrote to memory of 4568	4164	Kcifkp32.exe	83
PID 4568 wrote to memory of 3960	4568	Kkpnlm32.exe	84
PID 4568 wrote to memory of 3960	4568	Kkpnlm32.exe	84
PID 4568 wrote to memory of 3960	4568	Kkpnlm32.exe	84
PID 3960 wrote to memory of 1020	3960	Kckbqpnj.exe	85
PID 3960 wrote to memory of 1020	3960	Kckbqpnj.exe	85
PID 3960 wrote to memory of 1020	3960	Kckbqpnj.exe	85
PID 1020 wrote to memory of 3300	1020	Kkbkamnl.exe	86
PID 1020 wrote to memory of 3300	1020	Kkbkamnl.exe	86
PID 1020 wrote to memory of 3300	1020	Kkbkamnl.exe	86
PID 3300 wrote to memory of 4324	3300	Lgikfn32.exe	87
PID 3300 wrote to memory of 4324	3300	Lgikfn32.exe	87
PID 3300 wrote to memory of 4324	3300	Lgikfn32.exe	87
PID 4324 wrote to memory of 3848	4324	Laopdgcg.exe	88
PID 4324 wrote to memory of 3848	4324	Laopdgcg.exe	88
PID 4324 wrote to memory of 3848	4324	Laopdgcg.exe	88
PID 3848 wrote to memory of 3232	3848	Lgkhlnbn.exe	89
PID 3848 wrote to memory of 3232	3848	Lgkhlnbn.exe	89
PID 3848 wrote to memory of 3232	3848	Lgkhlnbn.exe	89
PID 3232 wrote to memory of 2760	3232	Lpcmec32.exe	90
PID 3232 wrote to memory of 2760	3232	Lpcmec32.exe	90
PID 3232 wrote to memory of 2760	3232	Lpcmec32.exe	90
PID 2760 wrote to memory of 4260	2760	Lgneampk.exe	91
PID 2760 wrote to memory of 4260	2760	Lgneampk.exe	91
PID 2760 wrote to memory of 4260	2760	Lgneampk.exe	91
PID 4260 wrote to memory of 3168	4260	Lpfijcfl.exe	92
PID 4260 wrote to memory of 3168	4260	Lpfijcfl.exe	92
PID 4260 wrote to memory of 3168	4260	Lpfijcfl.exe	92
PID 3168 wrote to memory of 1700	3168	Lgpagm32.exe	93
PID 3168 wrote to memory of 1700	3168	Lgpagm32.exe	93
PID 3168 wrote to memory of 1700	3168	Lgpagm32.exe	93
PID 1700 wrote to memory of 2932	1700	Lddbqa32.exe	94
PID 1700 wrote to memory of 2932	1700	Lddbqa32.exe	94
PID 1700 wrote to memory of 2932	1700	Lddbqa32.exe	94
PID 2932 wrote to memory of 4976	2932	Mjqjih32.exe	95
PID 2932 wrote to memory of 4976	2932	Mjqjih32.exe	95
PID 2932 wrote to memory of 4976	2932	Mjqjih32.exe	95
PID 4976 wrote to memory of 4024	4976	Mdfofakp.exe	96
PID 4976 wrote to memory of 4024	4976	Mdfofakp.exe	96
PID 4976 wrote to memory of 4024	4976	Mdfofakp.exe	96
PID 4024 wrote to memory of 4812	4024	Mkpgck32.exe	97
PID 4024 wrote to memory of 4812	4024	Mkpgck32.exe	97
PID 4024 wrote to memory of 4812	4024	Mkpgck32.exe	97
PID 4812 wrote to memory of 1848	4812	Majopeii.exe	98
PID 4812 wrote to memory of 1848	4812	Majopeii.exe	98
PID 4812 wrote to memory of 1848	4812	Majopeii.exe	98
PID 1848 wrote to memory of 3144	1848	Mcklgm32.exe	99
PID 1848 wrote to memory of 3144	1848	Mcklgm32.exe	99
PID 1848 wrote to memory of 3144	1848	Mcklgm32.exe	99
PID 3144 wrote to memory of 3644	3144	Mjhqjg32.exe	100
PID 3144 wrote to memory of 3644	3144	Mjhqjg32.exe	100
PID 3144 wrote to memory of 3644	3144	Mjhqjg32.exe	100
PID 3644 wrote to memory of 5052	3644	Maaepd32.exe	101

C:\Users\Admin\AppData\Local\Temp\52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52bd70e8816cbf574eaea5678236dd5faeee9b7698e421c89e3cfb52017f2bad_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\Kgbefoji.exe
  C:\Windows\system32\Kgbefoji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\Kpjjod32.exe
    C:\Windows\system32\Kpjjod32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\SysWOW64\Kcifkp32.exe
      C:\Windows\system32\Kcifkp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        28⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 420
        29⤵
        Program crash
        
        PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3684 -ip 3684
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jplifcqp.dll

Filesize
7KB

MD5
8f2477b2e6d6c5ad5c003218d6ae9974

SHA1
3daae3dc04fdc5db8af070ca7202b8b8e276630e

SHA256
99d30ea0d09f5f10c765ff5a86634fc0262e14e9598eb5f9442e98263ff65c72

SHA512
4fb4b435cc4f5a3345794d3f77f447ffad491883839312df93e6ebcf523ac5e5b81a8ef0e436dae40126b86cb7b82fa78101ed6d58fded6ccced2aa2275b16c9

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
304KB

MD5
b84cf622309e7eaedaad544436f31eb2

SHA1
ccb4f005fc063d7b87ad3b6cc023a55636d31e73

SHA256
f964c81deb2f20c52da47e06743692103f5e853d8246feaecd433f4ffa1d778d

SHA512
f046998a0b1a3be7cf218ecd628bb68e61959fa366a346df54010cdbe7d70d656d43644a79d8edcf4fcbe52800f58160ad5346841f61a05545813dbaaf3345e6

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
304KB

MD5
76dd9c32f4d44ee00c4575816900c3a2

SHA1
16730f026099acacca730f306e43755a69abbe56

SHA256
9693149bb5096c9f8f0c53d044b17b006e1221a3dc0a7032684c32c150704f11

SHA512
a85d5e08d22f2e00ad593f03a99ec3cbfbd72c6910083a0b5f27ac10b472e9d7eaba52f9f336056aeebfca9caaf592876df456e9b49f19dead79f0ca757fdd7f

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
304KB

MD5
b16d363ffbcd9e3dbca98c8e276211b9

SHA1
1132ce70d6b7ba4c149b710753ad646834f7cc83

SHA256
e53ccc7e760a95c7f10eefda5c74f7e5d1d120fc03de68cc6cff7affe6507483

SHA512
4468aad78123c124db28be62229f6fc107177dbd62332a4735f8d71bd6ea2979fe5ac4caa93148f3ba9d00cfebe5a4c114c175c896c0fc5a9667234d7c11d47f

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
304KB

MD5
12f9d7c9bde4a1b15ed0906f4c496492

SHA1
82b590e24d061e3d539484027151b76468c0d14d

SHA256
2455f66a49a5e3fd8225696225021d455c0e89b71d75ff90e776e25b526736a1

SHA512
18146a8cb3eb7e25d50a6ce569f0b7392c8f7de3986cf77aebd03023636b4d8f49d3a984cee0fff33ef1231d46c01eaf1ec1cd00ffe67476b221396e5f4bc273

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
304KB

MD5
528fe8622c0f8ec51d4a8735ac12f444

SHA1
09a0885e590a2402c524b3428a84d4d1dbe824cd

SHA256
f528692bb6c934a80546b562725cb3291f3e1eeb2bf7b395ac45781f1736f674

SHA512
33d1102dd1e3de5e54837300be8a30b07fbe33dbb55efd7072767e00f7de6f9f6c85321168f5ca3f59aab94e2f6d23c09d6e7728e9800fc3fe52cbc3c42a69ba

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
304KB

MD5
29d9f37516ae3c34c72af6ffc6be83a5

SHA1
2ecafcdb3680371ebadacfeeca488c8a4eb44ee5

SHA256
a2a7362bd0e78302a568ae61e723e286170812746596c0afbb4bf0ff4ca6144b

SHA512
2faf446ea9987b9c700a0cb8d0b51942f510846df2af20f879bf7b2b039c133a6aef14fabba2fbe2dd458d5e484dde74b9a6f18d47b5f3160052e7068b398ca2

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
304KB

MD5
164df74835944b5bc2fe1ffa2b3e3db2

SHA1
b7569763bb9d21c9e79c8b7f2119c69997af2f8b

SHA256
37723907d8faa79a32fafab49056902682897737a83e6712e1456c10d8fda97b

SHA512
9cef55a28f71a09732d514e767a461b00c58e322dfa85017a1c8b4fbbb08f0104e294c5f662e4826c22c68e7e8a967f944da29db8a00a6d2941474e09f704e28

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
304KB

MD5
c23621d4aa34c15104f993b97510c911

SHA1
1f8e3d395da462bde96908d72ca85451d7110b1c

SHA256
312116233d46f01886b4fa814be63a18775e76e3630e96b4c86c948deb30c835

SHA512
20cdb6b35337bfbace6d091ed7ba547ad5c790c4d1bcbe5438acd4240fa629b8c29e68524f159741327d61b5d22f6845135e39bec2584097a1b17b3fc643d1af

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
304KB

MD5
8a8b79ea90cbdc3477dd143d54b6640a

SHA1
7adac8983da1aa148e9ad2dd0f67d400d837e817

SHA256
b1487e78c140fd03a2803ac4d3a12e8084e5e0b83d11f3740d043b6700142c67

SHA512
d4acd2c2be8c5bce337c86eab2a50df889551c824623bf22cec74b09d268dcb24ad52d6ae7fad555b68b3a3a187d7171b3976847cbf6735788f7b341d9694b04

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
304KB

MD5
46022594702281406fa0234dbd7d06e3

SHA1
e0cd8fb6a9fb87bb7f408d33bde84a0aaaa689ed

SHA256
639004412349804a8c2b91d7c2c160c16a219a988ef239ba7cb2be14a44539b6

SHA512
e56b573d79cd9f634b642bcc21076c87116ee9c26d138da848e51a636a7b65e2ee71b67dee05f6845d9fc1c4e0fa0a610b56c977ae98171ea4625b653524c4c1

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
304KB

MD5
7ee860998ff23cf2f6177f9160eb0f01

SHA1
b8251ef60cbe2fb2b21b5e0cc8533ae8420d7951

SHA256
7f148812ec40830a3c28ade6499861ef6f1629db8b2747ea181973bd232ff65a

SHA512
774fe103d367bf2b3a20fca5c36b1b84f9068e575925beba19be3f8d40ed70748f7e714d9939bb157057512dc58652e47dbe3aa3b228f409368802ea269b8a8f

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
304KB

MD5
d75ee544a7cbb419aff3467fb560030f

SHA1
18d9976596918c515f7f40fa30e665674a1a2fcf

SHA256
1b0e5ae909f26b30cc68aaccebe41496ff91db5aa07c1261c0782d72849e4983

SHA512
b69eb21799fba79eab1bb9a72f3f902e8e43a3b887cffc69941943a245b5ad0dc550f63cb2baa918ebcd7c3ffc2f2bc2b9b63c86b2aa7a969847e2957da2f34b

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
304KB

MD5
7d5952da7c5135630628176f2edc552d

SHA1
2305a93db56e0e455b68de1d78cc7e229120a456

SHA256
04be2261b9ed0d4f2eac59971d02083e3110a2439a97fcf56fcd09abfbed4772

SHA512
3bb18765c7df8c1aa5f96052ac7b52343fb87a216d0747b170a4d3f549a947611215ca50a62203a9996d88f3b188881377ff6ece4d6a3dc71c0684d0fa8f2744

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
304KB

MD5
497ec93adb8b4a8cbba8a8c5ebd188e3

SHA1
f2b260233b5937374420179ce51d56eb8ec638a8

SHA256
1126e64e202e82f294f070a9a39101ff0316537f2eef4673f6f37b547d44a08c

SHA512
522fd6c1be7aaf39beca2800477f4237273168690b08ea7a607417464c57a6c229c0650811420c8193f49068946d88c184910f88a2186081df58ee78e9b79655

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
304KB

MD5
3992e5d7556200b24aca1f453f5986f1

SHA1
3c6e8551838a8b4eedb651498443a64994467069

SHA256
c920e77a8d73c222db3e572e794c872ed2d35be43f54ee3d146c33ec107fbf99

SHA512
034f726bb24388d31d82a447d14d95d782db8c70e241ed9b54b88dac6840cfba955c97ea88c1b075fd44d6fa5eec75e36d989522b63ca90214af258593a75acd

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
304KB

MD5
663229f3ff03faa4dba4e0625b87bd17

SHA1
5fad27424e833616bee9d47a90cd218795bf9f15

SHA256
a459c961a5b15ee78246e7e01539859b756f72752ac8ff5283b13119eff6848a

SHA512
d59ba4fd34b1619edc6212c58403f3b3d9b0039fe0dd11728940d6a4d8263d0ac0967c0e96fa1f7e5a7bbf04eead8f123b89cfadcf0c301274a5d9da9f56722a

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
304KB

MD5
df4defae19672fb5b41f0a0911966ddb

SHA1
26f00fee31a177597de2cb1346358730fb8d193e

SHA256
68dd35467a5c3a6a78fd1958ad1234428dec53101083062b8ca7f5a7920cb15b

SHA512
a1c60fffb035d58d46c337564ae1bf640475dd39c449d3bca2a4f20b25b63767d94d6e29b06ac8e0111833d54fe122a5b90a47e5cf721a01409d012e896d6908

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
304KB

MD5
b754aa1da70207bc9e5676e69a8bd977

SHA1
c8cd9e94e35bb60af16aad3ebe892616bcff2291

SHA256
66d9966532b78933d27cd4d1c73acf0c4605e61285d66fb271366f76cad3c01e

SHA512
9e68a5a5ab288a4742864fb19fbb4c6da15e36c2cfa6b90faad61298276863aa39e22c1f83c0087a63b027b8d7750a69096d2c7dcec7cc14a2fb5f91e2356200

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
304KB

MD5
14ffd9aac07274f59dd300160cac650f

SHA1
974312a2cd058c4e0355582626cc4c3e6c621d87

SHA256
ae4de1d41a166c6d175adfaf1daff1b3371e72efbe30440942c6ee06c41286cb

SHA512
9aecdd3ae2f644b0325008580df667e438fa6924571631e2396d68f70e94aa8600d9efd2c37ff61e074cb393458f38afd6d38a20f763c2f6f00b54dfee9d6f48

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
304KB

MD5
11f0de1d3f35a64570d1f29993585e17

SHA1
9de69f12ba1f8fe49454dd122a4244ac005f6fe6

SHA256
7edbf9365da167568613d550df3551fb4089926084dd292a25320395d9b684c9

SHA512
1495728aa281377cd8f86dd336b0879f8db501edad23e64a4f0552e8be8e6ba4fc9bdff31de7210d6f8becd247df9f34ce160e695d6f5316858f27b7d8a95e3f

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
304KB

MD5
cbfeb47ca42e8a45c06a15ffdf9351b9

SHA1
c377306068acd56b4d1e2e536131fa1fa3642418

SHA256
dcb8b555b0c4c5cbb3ceed613b9a1904173d121df997995de378174808867b0d

SHA512
35fc7c63da39f596641a013a4e362424894f0f141bb1c2c9dde24b7b2f3d889a2a3a5fe3d89fbed703bc0b8252fba9f4eccf39f9237990163f8964236a0be9b5

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
304KB

MD5
75671fcfce67b5a77c4e5a4e46ad2a8b

SHA1
71016a9065c037fdc04b3bef339c27bf3e45eaa5

SHA256
5ef230c29ac34f5a76f3c904f2d4cb6d636cd8f8278441896699d94d33280117

SHA512
4f0e5f5b729c29288a5feded29a7be23ddbb11127689df4aff1f9e73b6163df80f4a7008e5cbd14b8dad5b6af9ae5581f8849877ae5b7a5e2a4996eaa09c30aa

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
304KB

MD5
9f9f8036444a2bd9c1fd871de67197fd

SHA1
9a717d00feeb980541fbe00b9d9e8465cf085fd1

SHA256
5a8a233dc8b3f9491e818576e48f18fda2b43142402970eee7c72201eabdd51d

SHA512
4d99de0f84b9d1a16c46f84ac2d29144c911cf4172905306b7dac1ccff3dd9f4044b9be89b7b3890b61e40815e1c8dc59a4f1f1ce583fccc1f43f04b489cab39

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
304KB

MD5
be21329a58512c8203267d4596589edf

SHA1
4e491b0dd839db5c33c7f119820a876ce28a3432

SHA256
0a9f511dacfe3dfff1b38ad0f6735054f26448aba78e972b0b01e90336d0812f

SHA512
5cf73fd3e8986709acb28c89996ba0db18f7c04d2e160f6176502670efb00d4daea41fc04a24bd2d76142ff785ff8f4d9205352784d2220ad67bbfc9aae84e9b

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
304KB

MD5
dc8527b4469b8f5ea2749a1b6d456007

SHA1
c8ee5ee24b4b8c019ff1d5fb1a58e2fd59ec2e63

SHA256
fe1ea16aceea280514d6b700bb66198c2b1d521c42795aee6ece2432509b7ec1

SHA512
234d20315ce3a722e1c83dc50e15d776f2c0e10ccaf8de75ea5568f9f0441bea3e07bb42c183f291ab9ddf5b035f3828c03704c541458a7b5ee3da030a338197

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
304KB

MD5
bab1444f10d6f65327b72b7e17cb88a9

SHA1
611f189470bfb9cd1dda7401126c0dfa5a238e89

SHA256
69d9db5caa0fc06fbf232f8da800e372b14c5850cc87f413793c6cf909400a3f

SHA512
48ce55b2c843fd250fe060cd45d58de7d0ca8ca824bdadee7eb740b228d50330b08f149c9dae2481a29123cf4a0968f2b9e29d20f3dc3b09d39ac4f968876dcb

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
304KB

MD5
26c0f46efb1cedea7501dee61a2378c7

SHA1
73b9129c2c131fe797160be3d03933fba17d73c6

SHA256
d549152081e12f7c5ae8944ee04b67d70c651b890efc4a68983cc54225fe3a97

SHA512
e96cf1fc9df5bbe9335d9468ef1b25f202795ace80dd7b17160b98385d4a745bc331e41c0f0da43d9c657d38cf04e60534ef980691f48a7b2b053c30ce50540b

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
304KB

MD5
4ed640f907171d9a4549a7a44c156bbc

SHA1
9d1426541a2f4601d01d01cea817bc998a34e1ec

SHA256
4981706ac092f474c9ce81fcb9c5c272744ddbe0340d09d2a3ddfa3bb5593de5

SHA512
e5c6d2abc1fc1c23b7a21f266705983ac341c5f312f514656fb287d2367a4bbebdc609346298ad582a9a4777238b178a1864447ec8d4f8da3d0d5609b6607aad

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
304KB

MD5
3f1c65a27cac225933fc3c9331cb5b2a

SHA1
e934d57f778f6084b916abe39599dbe36d3afdcd

SHA256
7196aabda987e54045b2365432b813ae5bf362a70dac1c03d8e31148e549f2e6

SHA512
a09150de9caed5993f26315225dc736499557e24dd43a8f34a002b34aeecdd5e9dcc2d7e9d25f69b11bf2b63b0e6636d85de865dba2aa358ddd3b39c69ed07cf

Download Submit
memory/668-184-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/668-223-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/872-7-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/872-242-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1020-238-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1020-48-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1644-243-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1644-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1700-230-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1700-112-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1848-225-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1848-151-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2760-88-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2760-233-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2932-229-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2932-120-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3144-160-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3144-224-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3168-231-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3168-103-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3232-234-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3232-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3268-199-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3268-218-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3300-237-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3300-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3644-167-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3644-222-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3684-216-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3684-219-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3848-72-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3848-235-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3960-44-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4024-227-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4024-136-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4040-217-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4040-207-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4164-240-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4164-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4260-232-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4260-96-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4272-19-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4272-241-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4324-236-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4324-64-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4568-32-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4568-239-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4748-191-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4748-220-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4812-144-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4812-226-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4976-228-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4976-128-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5052-221-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5052-175-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads