5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
Size

320KB
MD5

d40fd3561263c63d38588a460220c220
SHA1

5305bd11dc7bc49e479a8bfed5f4e4fbc20103b4
SHA256

5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908
SHA512

474414ba627e30022f5eed1a756f0b9c428e6466f9d63a59a2f77007971f0ed585fac746b3f1b154ebffb67f4b7ddbaf1528702e00d1341ee43cec7ce0c808a5
SSDEEP

6144:+w9uBnPBw6/eKxSlKKZ74ueKxff0qjwszeX9z6/ojwx:KxMlr54ujjgj8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kqqboncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leljop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmlhnagm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgfqaiod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgfqaiod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odhfob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mponel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe

Executes dropped EXE 25 IoCs

pid	Process
2592	Jgfqaiod.exe
2780	Kqqboncb.exe
2636	Kbidgeci.exe
2724	Leljop32.exe
2500	Lccdel32.exe
2948	Lmlhnagm.exe
1944	Mponel32.exe
784	Mhjbjopf.exe
756	Mlhkpm32.exe
2000	Mgalqkbk.exe
2028	Niikceid.exe
1572	Nilhhdga.exe
1676	Odhfob32.exe
2384	Pqemdbaj.exe
2880	Pcibkm32.exe
1976	Qqeicede.exe
3012	Aniimjbo.exe
1920	Aaolidlk.exe
1820	Ajgpbj32.exe
1324	Biojif32.exe
2468	Boplllob.exe
2844	Bhhpeafc.exe
1524	Cfnmfn32.exe
2248	Cphndc32.exe
896	Ceegmj32.exe

Loads dropped DLL 54 IoCs

pid	Process
1992	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
1992	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
2592	Jgfqaiod.exe
2592	Jgfqaiod.exe
2780	Kqqboncb.exe
2780	Kqqboncb.exe
2636	Kbidgeci.exe
2636	Kbidgeci.exe
2724	Leljop32.exe
2724	Leljop32.exe
2500	Lccdel32.exe
2500	Lccdel32.exe
2948	Lmlhnagm.exe
2948	Lmlhnagm.exe
1944	Mponel32.exe
1944	Mponel32.exe
784	Mhjbjopf.exe
784	Mhjbjopf.exe
756	Mlhkpm32.exe
756	Mlhkpm32.exe
2000	Mgalqkbk.exe
2000	Mgalqkbk.exe
2028	Niikceid.exe
2028	Niikceid.exe
1572	Nilhhdga.exe
1572	Nilhhdga.exe
1676	Odhfob32.exe
1676	Odhfob32.exe
2384	Pqemdbaj.exe
2384	Pqemdbaj.exe
2880	Pcibkm32.exe
2880	Pcibkm32.exe
1976	Qqeicede.exe
1976	Qqeicede.exe
3012	Aniimjbo.exe
3012	Aniimjbo.exe
1920	Aaolidlk.exe
1920	Aaolidlk.exe
1820	Ajgpbj32.exe
1820	Ajgpbj32.exe
1324	Biojif32.exe
1324	Biojif32.exe
2468	Boplllob.exe
2468	Boplllob.exe
2844	Bhhpeafc.exe
2844	Bhhpeafc.exe
1524	Cfnmfn32.exe
1524	Cfnmfn32.exe
2248	Cphndc32.exe
2248	Cphndc32.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Niikceid.exe	Mgalqkbk.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Mgalqkbk.exe
File opened for modification	C:\Windows\SysWOW64\Nilhhdga.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Pnalpimd.dll	Nilhhdga.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Gcopbn32.dll	Kbidgeci.exe
File opened for modification	C:\Windows\SysWOW64\Mponel32.exe	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mhjbjopf.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Mponel32.exe	Lmlhnagm.exe
File opened for modification	C:\Windows\SysWOW64\Mhjbjopf.exe	Mponel32.exe
File created	C:\Windows\SysWOW64\Bfenfipk.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Ipjcbn32.dll	Lccdel32.exe
File created	C:\Windows\SysWOW64\Mhjbjopf.exe	Mponel32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mhjbjopf.exe
File created	C:\Windows\SysWOW64\Pqemdbaj.exe	Odhfob32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Badffggh.dll	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qocjhb32.dll	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Kbidgeci.exe	Kqqboncb.exe
File created	C:\Windows\SysWOW64\Leljop32.exe	Kbidgeci.exe
File opened for modification	C:\Windows\SysWOW64\Lccdel32.exe	Leljop32.exe
File created	C:\Windows\SysWOW64\Odhfob32.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Aaolidlk.exe
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	Leljop32.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	Leljop32.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Pcibkm32.exe	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Jmogdj32.dll	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Kbidgeci.exe	Kqqboncb.exe
File opened for modification	C:\Windows\SysWOW64\Jgfqaiod.exe	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Imbiaa32.dll	Mponel32.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Effqclic.dll	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mhjbjopf.exe
File created	C:\Windows\SysWOW64\Mgalqkbk.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Nilhhdga.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Pqemdbaj.exe	Odhfob32.exe
File created	C:\Windows\SysWOW64\Jcbemfmf.dll	Odhfob32.exe
File created	C:\Windows\SysWOW64\Jgfqaiod.exe	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Pelggd32.dll	Kqqboncb.exe
File opened for modification	C:\Windows\SysWOW64\Mgalqkbk.exe	Mlhkpm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	896	WerFault.exe	52

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcopbn32.dll"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qocjhb32.dll"	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll"	Mponel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalpimd.dll"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelggd32.dll"	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmlhnagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjcbn32.dll"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll"	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll"	Pqemdbaj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2592	1992	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2592	1992	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2592	1992	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2592	1992	5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe	28
PID 2592 wrote to memory of 2780	2592	Jgfqaiod.exe	29
PID 2592 wrote to memory of 2780	2592	Jgfqaiod.exe	29
PID 2592 wrote to memory of 2780	2592	Jgfqaiod.exe	29
PID 2592 wrote to memory of 2780	2592	Jgfqaiod.exe	29
PID 2780 wrote to memory of 2636	2780	Kqqboncb.exe	30
PID 2780 wrote to memory of 2636	2780	Kqqboncb.exe	30
PID 2780 wrote to memory of 2636	2780	Kqqboncb.exe	30
PID 2780 wrote to memory of 2636	2780	Kqqboncb.exe	30
PID 2636 wrote to memory of 2724	2636	Kbidgeci.exe	31
PID 2636 wrote to memory of 2724	2636	Kbidgeci.exe	31
PID 2636 wrote to memory of 2724	2636	Kbidgeci.exe	31
PID 2636 wrote to memory of 2724	2636	Kbidgeci.exe	31
PID 2724 wrote to memory of 2500	2724	Leljop32.exe	32
PID 2724 wrote to memory of 2500	2724	Leljop32.exe	32
PID 2724 wrote to memory of 2500	2724	Leljop32.exe	32
PID 2724 wrote to memory of 2500	2724	Leljop32.exe	32
PID 2500 wrote to memory of 2948	2500	Lccdel32.exe	33
PID 2500 wrote to memory of 2948	2500	Lccdel32.exe	33
PID 2500 wrote to memory of 2948	2500	Lccdel32.exe	33
PID 2500 wrote to memory of 2948	2500	Lccdel32.exe	33
PID 2948 wrote to memory of 1944	2948	Lmlhnagm.exe	34
PID 2948 wrote to memory of 1944	2948	Lmlhnagm.exe	34
PID 2948 wrote to memory of 1944	2948	Lmlhnagm.exe	34
PID 2948 wrote to memory of 1944	2948	Lmlhnagm.exe	34
PID 1944 wrote to memory of 784	1944	Mponel32.exe	35
PID 1944 wrote to memory of 784	1944	Mponel32.exe	35
PID 1944 wrote to memory of 784	1944	Mponel32.exe	35
PID 1944 wrote to memory of 784	1944	Mponel32.exe	35
PID 784 wrote to memory of 756	784	Mhjbjopf.exe	36
PID 784 wrote to memory of 756	784	Mhjbjopf.exe	36
PID 784 wrote to memory of 756	784	Mhjbjopf.exe	36
PID 784 wrote to memory of 756	784	Mhjbjopf.exe	36
PID 756 wrote to memory of 2000	756	Mlhkpm32.exe	37
PID 756 wrote to memory of 2000	756	Mlhkpm32.exe	37
PID 756 wrote to memory of 2000	756	Mlhkpm32.exe	37
PID 756 wrote to memory of 2000	756	Mlhkpm32.exe	37
PID 2000 wrote to memory of 2028	2000	Mgalqkbk.exe	38
PID 2000 wrote to memory of 2028	2000	Mgalqkbk.exe	38
PID 2000 wrote to memory of 2028	2000	Mgalqkbk.exe	38
PID 2000 wrote to memory of 2028	2000	Mgalqkbk.exe	38
PID 2028 wrote to memory of 1572	2028	Niikceid.exe	39
PID 2028 wrote to memory of 1572	2028	Niikceid.exe	39
PID 2028 wrote to memory of 1572	2028	Niikceid.exe	39
PID 2028 wrote to memory of 1572	2028	Niikceid.exe	39
PID 1572 wrote to memory of 1676	1572	Nilhhdga.exe	40
PID 1572 wrote to memory of 1676	1572	Nilhhdga.exe	40
PID 1572 wrote to memory of 1676	1572	Nilhhdga.exe	40
PID 1572 wrote to memory of 1676	1572	Nilhhdga.exe	40
PID 1676 wrote to memory of 2384	1676	Odhfob32.exe	41
PID 1676 wrote to memory of 2384	1676	Odhfob32.exe	41
PID 1676 wrote to memory of 2384	1676	Odhfob32.exe	41
PID 1676 wrote to memory of 2384	1676	Odhfob32.exe	41
PID 2384 wrote to memory of 2880	2384	Pqemdbaj.exe	42
PID 2384 wrote to memory of 2880	2384	Pqemdbaj.exe	42
PID 2384 wrote to memory of 2880	2384	Pqemdbaj.exe	42
PID 2384 wrote to memory of 2880	2384	Pqemdbaj.exe	42
PID 2880 wrote to memory of 1976	2880	Pcibkm32.exe	43
PID 2880 wrote to memory of 1976	2880	Pcibkm32.exe	43
PID 2880 wrote to memory of 1976	2880	Pcibkm32.exe	43
PID 2880 wrote to memory of 1976	2880	Pcibkm32.exe	43

C:\Users\Admin\AppData\Local\Temp\5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f8e42eab1f54ba64165f989f5bad517fbd71fa0faa2b028cbc1f55c275d8908_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\Jgfqaiod.exe
  C:\Windows\system32\Jgfqaiod.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\Kqqboncb.exe
    C:\Windows\system32\Kqqboncb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Kbidgeci.exe
      C:\Windows\system32\Kbidgeci.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Leljop32.exe
        
        C:\Windows\system32\Leljop32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Lmlhnagm.exe
        
        C:\Windows\system32\Lmlhnagm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Mponel32.exe
        
        C:\Windows\system32\Mponel32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Nilhhdga.exe
        
        C:\Windows\system32\Nilhhdga.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Odhfob32.exe
        
        C:\Windows\system32\Odhfob32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        26⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
320KB

MD5
a3c6ff15ae389d537d13cda00e1f42be

SHA1
686d834d7b5f39812fc74879315bf2e93b4509e3

SHA256
86e00d5f699b51991d4fd055e22e03383c85f5977708658b9fcd2a2d16265922

SHA512
16a1998f4905ba38f799d5fff4af13e83f63c43b047c98cb89c7c56d16f6e70365e0baf7d36c90cfa2643bc0923cfd499f0f0033d4ad97effb7f10346638b805

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
320KB

MD5
f07e2ce4d9e3758f8d9d7e4e2423eceb

SHA1
5bee85cf94a6328d22221b04bbd6292e85495ad3

SHA256
9ab14c2c854ab4813cf96786135f8c18a00f6c9147e5274964a474d5e4a648cc

SHA512
d29543b10e6b220f20510721183900fd4fb055e8e040a9ff40a24d8bd7c152b227955c606cc2630361ae40b429b8e5e156603a8ab3165603c98b78ce5fa722c3

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
320KB

MD5
a2272173336f80342cc6326413fbbdce

SHA1
e56d183c1504fda33500fe7e52d72ce43284461f

SHA256
584d3e5a38915e9393c87ea4e0f43d1d4945c121a8f7a3ea2a9c8b1629e22b36

SHA512
355c40272ba2edad4cee80ba6ff0e3b74d4bfb176f3c818642a0ad8eeffeb123c9f0d1b17473ccf2392085ca93733ca7b750f6a9476161e152502d6198b42881

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
320KB

MD5
923a9b5ed46a57926cf0508cb9c3a718

SHA1
cebeebc67e3ec499859401a71afb1ed8bf63a7af

SHA256
6b20b9dd61600d867daf39e66624cf12e24dedfb29b9750f371bb1b0bd998cce

SHA512
858d2abb8f1293ea14294171803815c57e0ddc5c734d34efe08cfef39c0b4ed83d902bd9e444257754f1e05313998feece1d3f70067aa8bdaa10f93585995e56

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
320KB

MD5
0bb61962e28c47ffb02ef4dcb08da71c

SHA1
0ec9b25437eb45c6770a3d8d4970c315b78cbead

SHA256
adc276900e98bdc0bff2c46d068bdedb522a7b24374de019b515c46f34d81a84

SHA512
71feedf4da9985c8bd3167b918877976b50789e365fd048d9fea54b4827f57fb4ea209db5e70180a96f40ee34d88dcfb489b04040257106707bedda30b48d4d6

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
320KB

MD5
f7733b1f2600180c54bc4611a3dfe515

SHA1
bbec236bd30debbfd308afc858cf7e755113b2ec

SHA256
ac43e302434a12ee3625182a29de5b2209d50f8ce5efdff06bb3e520339480e9

SHA512
da8ce5a020f43d1d4762c2848310ae61cb5c19f37423c83783b7b196680f1424f10d540bcb945c51e206ed9432bb700067364c1932f23a96a037a208af92d929

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
320KB

MD5
8e6e7342f516c159b5ff2ad628128dd4

SHA1
10b60bfca9b86781202da71eac2140cbafc004d8

SHA256
1c8f595470e1c94a61bb22f9383c9724db8a1e2d361e6093181d69f601ed1ba9

SHA512
69f5e58b6f0908b7505b4ea64bca2f3859874de6c6a07c7982f9a7eb9e8abc4e39d2b54b63ccaa3bf5479b2cec9ae66d74088f73a1656dc7ea73823b0a2687ff

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
320KB

MD5
ae39a6c605749e8e9399f88f788496d5

SHA1
6d21cb92998e559d92d53172f02119c10874c1fa

SHA256
4deaba8a0d65237d9ecd5bd8856442deef1f7a666ca2f9ba4bee9985e7b86983

SHA512
45258f43a2c9da6c04c26a06c84e9cd7406bfce324e8ee480f01cb6db94bea9f7cb2659cef6162a4c1fba128a15d8633d77eee32f7f408d5fb17f00919633989

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
320KB

MD5
d64b7ad35e46b90824d57421a303fdc7

SHA1
81e323e9a393bc501ad77d293101307586e526d5

SHA256
b96cd29078a5b4fb815093f772e7581743d74e2105a2059181a0d36dd78d8ac1

SHA512
b8ddfdf1a0c302d22a728f508ffb0ed1b0835f7518c6001d3933668149e2b16be81eb6952985ff490541361683ab58de2700ea6e7a5317189f4234dd3aa5339e

Download Submit
C:\Windows\SysWOW64\Lmlhnagm.exe

Filesize
320KB

MD5
7ee3a058769679a40176009b11ba02a5

SHA1
1bb7a72ee1054868d740157dfd392c65866683ec

SHA256
f579c89d65dd2508a57cfe791122ba62286a95ed1a451abc4df1499585dfbd5e

SHA512
ff408bdb9088b8e675df5130be8d58e461d3626d5e7a49edfcdbbbe5b9ea960a9fcb8d943cd5c45d77ed9b92fd189b45aec70d1f802d50b5818a47261ba8c6e1

Download Submit
C:\Windows\SysWOW64\Nilhhdga.exe

Filesize
320KB

MD5
fd9806b0289bef011b9bdb0980458969

SHA1
47850292907215b957cb13bc4aa61a5751fc9a5f

SHA256
b72bf0b3d5ee3cfbd147d30f8ff83f05ac9f097a3c09886dba4fef7c569f8ce2

SHA512
a2e30059e506e6f980b7d7d8fbf78bf564ef4c339d2ac4b0cfd542b645ca20054a66ae88cd8ae8e0dbeb122054343b3895b50fca4be353b3e78046e08094f2dc

Download Submit
\Windows\SysWOW64\Jgfqaiod.exe

Filesize
320KB

MD5
f089fc70293468c6be6adc6a63250648

SHA1
35b241487471ec1901fc747724df0670b6101b22

SHA256
7cf1244db70301a2a2a4233be9bab1fcbf09a55675896b06f4b3b7930ac047c4

SHA512
264217bfb9f1b1106bd351c9502a33f6d5f8ad332ac9ab4115a022b276d417c10c579ab304f4c68b0083a441030835018114f49932a6568e1163b1d41df4a39d

Download Submit
\Windows\SysWOW64\Kbidgeci.exe

Filesize
320KB

MD5
9376be6b8644bfcff0a89a3e7f804f32

SHA1
3517df4b7ca2c477265cb98c77784e9975c347c1

SHA256
bfc28c905a3e34b54f9235543d07c9fe101bcd4811ecef384ff248d8057c4c7d

SHA512
1ce5f4afc6dd0fbf169dca8069777d6d36be0f717de08d222ec3133e65446845cd1bf4b3c8e3b896b0b4a6b4f99c9356afd67c48f1a4033cf21b864ff6188b12

Download Submit
\Windows\SysWOW64\Kqqboncb.exe

Filesize
320KB

MD5
8f44d347849f07d2940f59f73801c67d

SHA1
13bf0655ed71745e6012d70d3deacbe7781a0b55

SHA256
202e8edf9ad2b153f9e1e542bb16746d43731e7ae34226b34b60bed8f58749fc

SHA512
71d0ddd96097c1a79f0133ef0e7ec5211893e5dece631372609837932158214426174e627fa9015ef94c7d2b321aa0fde3944232ecc0315e4cf7bcc854d60683

Download Submit
\Windows\SysWOW64\Lccdel32.exe

Filesize
320KB

MD5
53ec217e632c6105184b7c92c2b70306

SHA1
3ec64bb9ad1ef3b249657d9a617be5570827d683

SHA256
a90e47979160e0c177c202a136cb0498f07ef7e6ca818f4e7f3e476ed4143956

SHA512
bc13d3aeade628b72b5980e39ec99475f97f09fe7e230fd0494c59c4633ef06883b11f025f07f33931563e98e75b4aab58de97d3193cde8b072d3d28438d2406

Download Submit
\Windows\SysWOW64\Leljop32.exe

Filesize
320KB

MD5
2a0f82e522a5dfc0dd3912b38b795a20

SHA1
6c1d31b099b2934f9a89899cc813796f299c2864

SHA256
309a07eed65f56256925b738af7edd0d3c7f73d9348f89093c227a1738c34b36

SHA512
4028aa290698c79ef27bf5b5600699f98f1786efaee260786631529ffaa642e7c06fd2eb62fd03a8c41c7661419548f2b1aa1718d55dadc92702bc882056fb5a

Download Submit
\Windows\SysWOW64\Mgalqkbk.exe

Filesize
320KB

MD5
7707c76e17d0388e35d70af8ee6f5a64

SHA1
dfb7b7ba5774931b88a3c82f63514f7f51df0732

SHA256
e4d60625b0ebdf90ef9ed2f67fe0472d7d02fdb9f6596a946e8c8622f7c8d0de

SHA512
62d8e16a4f745d8772c9f120e40cbdccb05af9cea1893060242a3e32107d78424f397f7918ff28c2e27a81302a128894802fb8a5164d87eedcf04808cea14602

Download Submit
\Windows\SysWOW64\Mhjbjopf.exe

Filesize
320KB

MD5
0680fd3c5be15a2852dfae73a356769f

SHA1
6506c5b5e32531526f7c8dfd903eb74c75ba72e4

SHA256
80dfdceb4e5083d4c0d29883c49a004b19183b14090b53c63ca8c113fd120350

SHA512
0097d42b0f09d870c5a283418a0d1168fcbd49c581260e608acf31fdb3ebf4c19c5cf7ceacfa29c611350de2c4eceb98fd98e10930d0df680bbca18123e7c517

Download Submit
\Windows\SysWOW64\Mlhkpm32.exe

Filesize
320KB

MD5
83f00ac07c3d0530e3446d2db8d64785

SHA1
73df4536f09321e988e510e9213cefbd7d2d945f

SHA256
304d4cb5f150f4fea8b39fda11a5b4378cfa1671b3cb9a2f824c6b442aeb082b

SHA512
f572f461f3e0c050c22e9b2ef9ce4b3c8b8400a40421305c764f6387b4b28cc2fea2ea559d6a0f7567d93efb7330e6bae733bbf94b23498ea1564a2b2678900e

Download Submit
\Windows\SysWOW64\Mponel32.exe

Filesize
320KB

MD5
d96ccbd23973f4b0c6bd677ed485e7c6

SHA1
241f5a8fd863c2bfe387768ac528ff0de4cbeaff

SHA256
54a8be722f58967baf7f25c9ab2884b8502276bf25cf475b73a56c5972567bb9

SHA512
9582b8feee8e94ed1085c0cd29c49eab1850c59f66227a9b5c2d905ab2eda89416d96e1aff761fce9aeef9012d6bc02adc04693c708a85fc33aa79ffcc4543fb

Download Submit
\Windows\SysWOW64\Niikceid.exe

Filesize
320KB

MD5
6cf0c4317026e2fdcf4cb2ec8fb912a8

SHA1
ae6e02d9be2a0989d69e4f93ab85bdb0cbe4c2c4

SHA256
f4fb7cd77c8cdc9ba0fbda2d8492b14b1da521c58b81f56e1e90c4fe73bc1ece

SHA512
0d7a90776ed54684f67d4d19419bf68f267943a3a264bcc456c0e2451e5ebfae3f5c6b473f6b8d33a8e5421f8ab40f9ce1373efa89bcc0d40bd34b73fa106ca3

Download Submit
\Windows\SysWOW64\Odhfob32.exe

Filesize
320KB

MD5
660e2df9cc3e317b253be1540da1b409

SHA1
488d0959b2e896e236d12d8927510547bbec5661

SHA256
9f0d6a07c1c070b5d86f5d97d9fed91f813d4ce5c1a41d6f5fb3086dfaa90aae

SHA512
c7945c72a59528f05a27c813c47730b44e65bb0cc59a5785f2291b8e6c76abf614740f34c31de16335e936e4dbe7aeedc62df2682c4372357f96eef1e9b01868

Download Submit
\Windows\SysWOW64\Pcibkm32.exe

Filesize
320KB

MD5
806adcb8f7cc449b1527d653d93b0775

SHA1
f8175198f0b36f5f7254878925e9e7f1976dbb83

SHA256
c7eb8a07ab73b0642e0ab2b1f62bccc53d5b0f54d69a08594ea1d74690476ed2

SHA512
3edb99544b02449d6564b5cd6d281874d6ecd70f91f5c2bc68bc7846d0f2e6de75169a86a9becc8e16d6953f790cccc8471c99dfcd0f1bb1397eeefa7e01f772

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
320KB

MD5
9d14afa727b930e79906a5b3ed6c17f8

SHA1
346db3bddaf0bf154a3e2d238c953d072d2353bf

SHA256
e3c14219f73d67c909c6c1a9ac32416617ebaa0f4480c5246fd4f6e33004d2d5

SHA512
fb57b155b0923659dfba474ee3a4e55fe3b408b930143ec2cb224ac9098ec1b6f781ac2110c9cc8ab3806f9dc4ae87a9f3397df706f94ba2aa74b6fc704e6247

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
320KB

MD5
34d997bfe0014f06807bf890cfbde0e9

SHA1
5097274b40f8f15648a50fff040e3ffcf1906090

SHA256
527af7bf8da1a7031c280e84ea7b5e4f70141d36885281780279bc6baaf990c0

SHA512
25ed650136c539fa299da5f6cc073e992086a53c87276e57449e89b0dec74b59928d0b7df6f89c329d70ba782de6b60f6c36391a369d4d3fa4ae05683a12a1f8

Download Submit
memory/756-394-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/756-129-0x0000000000290000-0x0000000000305000-memory.dmp

Filesize
468KB

Download
memory/784-392-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/784-105-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/896-317-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1324-274-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1324-273-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1324-419-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1324-264-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1524-425-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1524-305-0x0000000000260000-0x00000000002D5000-memory.dmp

Filesize
468KB

Download
memory/1572-172-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1572-163-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1572-171-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1572-400-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1676-187-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1676-174-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1676-402-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1676-186-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1820-417-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1820-262-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1820-263-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1820-257-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1920-242-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1920-252-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/1920-415-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1920-251-0x0000000000310000-0x0000000000385000-memory.dmp

Filesize
468KB

Download
memory/1944-92-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1944-390-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1976-229-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1976-234-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/1976-217-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1976-411-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1992-371-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1992-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1992-6-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2000-131-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2000-396-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2000-157-0x00000000002D0000-0x0000000000345000-memory.dmp

Filesize
468KB

Download
memory/2028-164-0x0000000001C20000-0x0000000001C95000-memory.dmp

Filesize
468KB

Download
memory/2028-162-0x0000000001C20000-0x0000000001C95000-memory.dmp

Filesize
468KB

Download
memory/2028-398-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2248-309-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2248-427-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2248-316-0x0000000000290000-0x0000000000305000-memory.dmp

Filesize
468KB

Download
memory/2248-315-0x0000000000290000-0x0000000000305000-memory.dmp

Filesize
468KB

Download
memory/2384-407-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2384-190-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2384-215-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2384-202-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2468-421-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2468-287-0x0000000001C10000-0x0000000001C85000-memory.dmp

Filesize
468KB

Download
memory/2468-289-0x0000000001C10000-0x0000000001C85000-memory.dmp

Filesize
468KB

Download
memory/2468-283-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2500-382-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2500-67-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2592-25-0x0000000000260000-0x00000000002D5000-memory.dmp

Filesize
468KB

Download
memory/2592-373-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2592-20-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2636-377-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2724-379-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2724-53-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2780-375-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2780-27-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2780-35-0x0000000001BA0000-0x0000000001C15000-memory.dmp

Filesize
468KB

Download
memory/2844-288-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2844-423-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2844-303-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2844-304-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2880-216-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2880-409-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2880-224-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2880-222-0x0000000000220000-0x0000000000295000-memory.dmp

Filesize
468KB

Download
memory/2948-79-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2948-388-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3012-413-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3012-241-0x00000000006F0000-0x0000000000765000-memory.dmp

Filesize
468KB

Download
memory/3012-240-0x00000000006F0000-0x0000000000765000-memory.dmp

Filesize
468KB

Download
memory/3012-236-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads