78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Size

275KB
MD5

ece550966133138854a4b24679844c60
SHA1

293bf606cacb8486e48a82c936adfbc1ff09e4c4
SHA256

78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a
SHA512

964e17ca5cb2f2b61066dc7390d93aa481927c108597c2676800375950641db4e33380fcd09fb16c8765b8049240f8b8b87a25275bf845a96394917e26c98744
SSDEEP

6144:tkuliPEgzL2V4cpC0L4AY7YWT63cpC0L4f:tJliZL2/p9i7drp9S

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okoafmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okoafmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odhfob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjnmlk32.exe

Executes dropped EXE 23 IoCs

pid	Process
1948	Magqncba.exe
2588	Ndjfeo32.exe
2652	Npagjpcd.exe
2696	Ngkogj32.exe
2632	Okoafmkm.exe
2500	Odhfob32.exe
592	Onbgmg32.exe
1120	Ocalkn32.exe
2836	Pokieo32.exe
2544	Picnndmb.exe
2812	Pbnoliap.exe
2028	Qeohnd32.exe
1992	Qbbhgi32.exe
1944	Qjnmlk32.exe
2964	Aaloddnn.exe
2220	Acmhepko.exe
396	Afnagk32.exe
2820	Bphbeplm.exe
1360	Blobjaba.exe
2204	Bjdplm32.exe
1640	Bejdiffp.exe
2164	Bobhal32.exe
2416	Cacacg32.exe

Loads dropped DLL 50 IoCs

pid	Process
2000	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
2000	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
1948	Magqncba.exe
1948	Magqncba.exe
2588	Ndjfeo32.exe
2588	Ndjfeo32.exe
2652	Npagjpcd.exe
2652	Npagjpcd.exe
2696	Ngkogj32.exe
2696	Ngkogj32.exe
2632	Okoafmkm.exe
2632	Okoafmkm.exe
2500	Odhfob32.exe
2500	Odhfob32.exe
592	Onbgmg32.exe
592	Onbgmg32.exe
1120	Ocalkn32.exe
1120	Ocalkn32.exe
2836	Pokieo32.exe
2836	Pokieo32.exe
2544	Picnndmb.exe
2544	Picnndmb.exe
2812	Pbnoliap.exe
2812	Pbnoliap.exe
2028	Qeohnd32.exe
2028	Qeohnd32.exe
1992	Qbbhgi32.exe
1992	Qbbhgi32.exe
1944	Qjnmlk32.exe
1944	Qjnmlk32.exe
2964	Aaloddnn.exe
2964	Aaloddnn.exe
2220	Acmhepko.exe
2220	Acmhepko.exe
396	Afnagk32.exe
396	Afnagk32.exe
2820	Bphbeplm.exe
2820	Bphbeplm.exe
1360	Blobjaba.exe
1360	Blobjaba.exe
2204	Bjdplm32.exe
2204	Bjdplm32.exe
1640	Bejdiffp.exe
1640	Bejdiffp.exe
2164	Bobhal32.exe
2164	Bobhal32.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Onbgmg32.exe	Odhfob32.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Picnndmb.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Lclclfdi.dll	Picnndmb.exe
File opened for modification	C:\Windows\SysWOW64\Okoafmkm.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Kganqf32.dll	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Picnndmb.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Dcnilecc.dll	Odhfob32.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Pokieo32.exe	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Odhfob32.exe	Okoafmkm.exe
File created	C:\Windows\SysWOW64\Pnalpimd.dll	Okoafmkm.exe
File created	C:\Windows\SysWOW64\Oepbgcpb.dll	Onbgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Okoafmkm.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Kjbgng32.dll	Magqncba.exe
File created	C:\Windows\SysWOW64\Ocalkn32.exe	Onbgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Qjnmlk32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Mfbnoibb.dll	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Ngkogj32.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Onbgmg32.exe	Odhfob32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Afnagk32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Ndjfeo32.exe	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Ocalkn32.exe	Onbgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Odhfob32.exe	Okoafmkm.exe
File created	C:\Windows\SysWOW64\Jjmoilnn.dll	Pokieo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Picnndmb.exe

Program crash 1 IoCs

pid	pid_target	Process
2168	2416	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okoafmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odhfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okoafmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbgcpb.dll"	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmomkh32.dll"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalpimd.dll"	Okoafmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1948	2000	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe	28
PID 2000 wrote to memory of 1948	2000	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe	28
PID 2000 wrote to memory of 1948	2000	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe	28
PID 2000 wrote to memory of 1948	2000	78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2588	1948	Magqncba.exe	29
PID 1948 wrote to memory of 2588	1948	Magqncba.exe	29
PID 1948 wrote to memory of 2588	1948	Magqncba.exe	29
PID 1948 wrote to memory of 2588	1948	Magqncba.exe	29
PID 2588 wrote to memory of 2652	2588	Ndjfeo32.exe	30
PID 2588 wrote to memory of 2652	2588	Ndjfeo32.exe	30
PID 2588 wrote to memory of 2652	2588	Ndjfeo32.exe	30
PID 2588 wrote to memory of 2652	2588	Ndjfeo32.exe	30
PID 2652 wrote to memory of 2696	2652	Npagjpcd.exe	31
PID 2652 wrote to memory of 2696	2652	Npagjpcd.exe	31
PID 2652 wrote to memory of 2696	2652	Npagjpcd.exe	31
PID 2652 wrote to memory of 2696	2652	Npagjpcd.exe	31
PID 2696 wrote to memory of 2632	2696	Ngkogj32.exe	32
PID 2696 wrote to memory of 2632	2696	Ngkogj32.exe	32
PID 2696 wrote to memory of 2632	2696	Ngkogj32.exe	32
PID 2696 wrote to memory of 2632	2696	Ngkogj32.exe	32
PID 2632 wrote to memory of 2500	2632	Okoafmkm.exe	33
PID 2632 wrote to memory of 2500	2632	Okoafmkm.exe	33
PID 2632 wrote to memory of 2500	2632	Okoafmkm.exe	33
PID 2632 wrote to memory of 2500	2632	Okoafmkm.exe	33
PID 2500 wrote to memory of 592	2500	Odhfob32.exe	34
PID 2500 wrote to memory of 592	2500	Odhfob32.exe	34
PID 2500 wrote to memory of 592	2500	Odhfob32.exe	34
PID 2500 wrote to memory of 592	2500	Odhfob32.exe	34
PID 592 wrote to memory of 1120	592	Onbgmg32.exe	35
PID 592 wrote to memory of 1120	592	Onbgmg32.exe	35
PID 592 wrote to memory of 1120	592	Onbgmg32.exe	35
PID 592 wrote to memory of 1120	592	Onbgmg32.exe	35
PID 1120 wrote to memory of 2836	1120	Ocalkn32.exe	36
PID 1120 wrote to memory of 2836	1120	Ocalkn32.exe	36
PID 1120 wrote to memory of 2836	1120	Ocalkn32.exe	36
PID 1120 wrote to memory of 2836	1120	Ocalkn32.exe	36
PID 2836 wrote to memory of 2544	2836	Pokieo32.exe	37
PID 2836 wrote to memory of 2544	2836	Pokieo32.exe	37
PID 2836 wrote to memory of 2544	2836	Pokieo32.exe	37
PID 2836 wrote to memory of 2544	2836	Pokieo32.exe	37
PID 2544 wrote to memory of 2812	2544	Picnndmb.exe	38
PID 2544 wrote to memory of 2812	2544	Picnndmb.exe	38
PID 2544 wrote to memory of 2812	2544	Picnndmb.exe	38
PID 2544 wrote to memory of 2812	2544	Picnndmb.exe	38
PID 2812 wrote to memory of 2028	2812	Pbnoliap.exe	39
PID 2812 wrote to memory of 2028	2812	Pbnoliap.exe	39
PID 2812 wrote to memory of 2028	2812	Pbnoliap.exe	39
PID 2812 wrote to memory of 2028	2812	Pbnoliap.exe	39
PID 2028 wrote to memory of 1992	2028	Qeohnd32.exe	40
PID 2028 wrote to memory of 1992	2028	Qeohnd32.exe	40
PID 2028 wrote to memory of 1992	2028	Qeohnd32.exe	40
PID 2028 wrote to memory of 1992	2028	Qeohnd32.exe	40
PID 1992 wrote to memory of 1944	1992	Qbbhgi32.exe	41
PID 1992 wrote to memory of 1944	1992	Qbbhgi32.exe	41
PID 1992 wrote to memory of 1944	1992	Qbbhgi32.exe	41
PID 1992 wrote to memory of 1944	1992	Qbbhgi32.exe	41
PID 1944 wrote to memory of 2964	1944	Qjnmlk32.exe	42
PID 1944 wrote to memory of 2964	1944	Qjnmlk32.exe	42
PID 1944 wrote to memory of 2964	1944	Qjnmlk32.exe	42
PID 1944 wrote to memory of 2964	1944	Qjnmlk32.exe	42
PID 2964 wrote to memory of 2220	2964	Aaloddnn.exe	43
PID 2964 wrote to memory of 2220	2964	Aaloddnn.exe	43
PID 2964 wrote to memory of 2220	2964	Aaloddnn.exe	43
PID 2964 wrote to memory of 2220	2964	Aaloddnn.exe	43

C:\Users\Admin\AppData\Local\Temp\78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78a820e83caa39af1c8f481b273d6572dea6fc1456bf9125deb19cf3886ecd5a_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\Magqncba.exe
  C:\Windows\system32\Magqncba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\Ndjfeo32.exe
    C:\Windows\system32\Ndjfeo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\Npagjpcd.exe
      C:\Windows\system32\Npagjpcd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Okoafmkm.exe
        
        C:\Windows\system32\Okoafmkm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Odhfob32.exe
        
        C:\Windows\system32\Odhfob32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        24⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afnagk32.exe

Filesize
275KB

MD5
153d2d5c8f422e7d29919a36ad1ebc73

SHA1
32beef619f0aa407f9613422bacf22a2471213b7

SHA256
ce2593398a6894872346f7def559ecf965f814c56bff1fcc8654b8de050f49fb

SHA512
1fd13bdd5e3cbfbf55275c23dfaa344631cb1a7ba3722112bf9921d5abc737562ded19b468f5413b46e6311f624166b0a10fc15b2ec413f4f8e43fd88a5685fb

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
275KB

MD5
c9dcae3c3e86ab54e355e7fd9579556a

SHA1
cb9aef1addb48449614dad1feb85ddc1b3d25dfa

SHA256
fbee310771d7e02a0ba514c83b4f237355eb3b89ee29c749ec511a4a05cbfd6d

SHA512
7f77dc08d2abee0818042bd924fac5b18300d7359ca6238ff8c4b662e5cd723539aca8befc00d8afba158232b737db82514e15256e9ddbdad210a8025f33e670

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
275KB

MD5
5ac837f85bb6c03d349cd84d8f8b0577

SHA1
691d7bbcdd66ae5fa417155d783ac8212c7d4190

SHA256
1e73347886439a64f0ef0c7f05c949fbe43317bfd97051e1688da2c8f5fe39b0

SHA512
6c961c0e123a51fa1a331a348796560cb425221e2cbdb4b191a4376c559b876844e03f662661baa5309c780b7563322239e8f5e5c5afc32b78aac282af177d28

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
275KB

MD5
9ca056de6446370db697a8ef5b3f1e8f

SHA1
a35449f5493e38bf9b63fc1315e68d6508bb4577

SHA256
979488b829512e56b629f4eb2a24dd839d1c6cacfb599132f093564dfb0f4c29

SHA512
e578e2d53a50f2c1a139156ba3592ab0789aea59ba585679cf3e790209162936ee7991bc1cb060717b48ccfe2693a8fbecd177dd737f249ed171333ddd3a50ac

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
275KB

MD5
3293fc6fa7fdb5f72329492bc8e411a1

SHA1
6cc75a9fb69abdc194ac8245be530fb24cee3006

SHA256
c5b71b4f9c34b5f0c168876f5d8391d79ed6631e8ef004a8b79deeba338656ce

SHA512
a95ee2d6d26a84d1baa996b44e8e5e281230b95c20ebef75803d327ec899cb9b97698307af16ab7b6ec7760f2eba58e5c767c637d2c0fa01e362bff19ac45b18

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
275KB

MD5
51c9d6b557c934f193aafab456551b39

SHA1
ea1c66ce44daeeaa681379c404fc29fb3eb82e4d

SHA256
05d9213b3ebca713722b97e5e22335c3c2841f8ee2b6b9a4a3e6b2737c6b1606

SHA512
3835f60619c153bb6e5ca77f93de9828036c4bf1d0bcd8483fd85438eb5828eb41257ef78b2759d36e54967e68d32577f47800e0d2d48bdfa38ca98e77b28df1

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
275KB

MD5
d459b17346a9cd21e8c7ad84f45779f0

SHA1
7f75375914070ca73f6fac4b166d61624bc09361

SHA256
3bf39716d0156d8c816b76ae7dd4371301092fdea3b116b93a015054c0399593

SHA512
93b65afe774c366b45eb039b83e92d09b71fec300818bea2ef4c5fb035a2d4e2dd8ea8c906b804059f00aba6e39e4d810d472dd74851490cfcf681488f30209e

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
275KB

MD5
ae0b77fdcf4c45695fe8f816fcd3b9e1

SHA1
aeb01f0fb5c03dd799ad2ed760fd41c4f6404798

SHA256
f2e556b98a708c6fabccbbc072af23f3c3e078b5171ad930b7156f3c52fe0e45

SHA512
e533e7f1c08b40d83003dbcf62b010931bfed710b5aea95ca14a27a263dbf3cd9a7fa105a581b1c89fc74d00bb2b6ded05925ad5961f128bfef7290a160ad66d

Download Submit
C:\Windows\SysWOW64\Ocalkn32.exe

Filesize
275KB

MD5
79ce9687a6a22aa049aeed1af533d2c7

SHA1
88c440c384df4274f48f0b3a86770d8c17247262

SHA256
302f8d26c995d19b4571bc06c3799df7d95b1c29df5c34c81543771b9584bdd2

SHA512
223d2f0620edeae9581e3b9d2844277a82f05004b0770bb75bf998fe77d4d9402f9b3dd4624f67a614d557821d44c1b9118ffcc868adc1bd17e6e5e52fb871af

Download Submit
C:\Windows\SysWOW64\Odhfob32.exe

Filesize
275KB

MD5
2a5f6153fd4bb94735984e09b2229671

SHA1
879bfb19da04c2887538908da283b79a0c2a2a50

SHA256
826a3c64038308eae5da46f17fcfed8b7edfe046696faf355b30eae971509c3a

SHA512
05eef3b60658fda553a9e86e42c1d323ed735ed98e796542f9f080c427fd0cff5ee7fdded0f40c4a3ca4d2c8704087390ef346c374e1f568df984b0db24f3782

Download Submit
C:\Windows\SysWOW64\Okoafmkm.exe

Filesize
275KB

MD5
12c6c32027e67db7b6833f28683b0a8f

SHA1
f62e003a09626454c03f33593866137832c12ad4

SHA256
9adee3803ff2809c3bba4931462d37cfaffe7fbaf37515586ab918135dcb95b4

SHA512
af3a8487e5ba69edacc69f0f9cf2621f57330dd8a3d4a4e731782f1d152e142062e4b2613600dd0c99f025eb19d33adf6129bcad4cdfefd720a41cab217c4676

Download Submit
C:\Windows\SysWOW64\Pokieo32.exe

Filesize
275KB

MD5
3cbca8bd3e997eacf8d789fb2527caa9

SHA1
25bb8b15318f2edb5ed5d418868f788490e376e7

SHA256
1bf7ba27a5cf329403e9fb08fb8fd1f6e64a7520ebf34322af0c3970992e182d

SHA512
11938655bcbeb482655ec39e420528f4c2a5f1642ed4812d3b50a0ae5daa47327b1cbc5b9f03e83f72a03573286ee751e76685163749c0f5b84855b8b2c6275f

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
275KB

MD5
25fdf1e5d38160ec37f813f3e6ae958a

SHA1
1a9a35c527bf3a7f6d03291619135a5b6fe0b97e

SHA256
4f1ca40a27e08f82be96dbc366889b5e459246671f6adb50b47ad2fd2e5758c7

SHA512
835c29a7876676ad0b10b5e6d546601eaee418c64a665224ef9f5e0361f5db3ca820780b464e87953acd32b614b6d02a5dde062e13bb4c43372ba3127709a87b

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
275KB

MD5
27c8a294f092b88299beb808b50b48c5

SHA1
7d5f093ed62f7a40e7193c70eaefe0faab184def

SHA256
c8277d4ada8a00d2803128814d8dd2b39f3e7503b38a33d2d25e486107579605

SHA512
e84a76288ba6737596f3615bf8b8444be2af00480102597f13c01b1c4919a523589f28a68ba42555ac779ac1800b44dbc7d795cae80b3a76c07db8f11d16927b

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
275KB

MD5
bbe8d3e66308b032659ac250aef0b5dc

SHA1
44cdd0852a9133c3400173234f8764c32441eeca

SHA256
2df7b952314494eff5647928c642b7ec40c4f1c1d2c3371d47e7ee5606e1210b

SHA512
ea3a8df1effdb83f92b77dc741fc47da3c4d8175e3b9992ea203ccf9e723923d277f5ca5b1fd8cfc46fd4817bfa2b5bde351ff4d83b193a7afa6862b54ca1e1f

Download Submit
\Windows\SysWOW64\Acmhepko.exe

Filesize
275KB

MD5
fd83745d130656c44c60149d63689e00

SHA1
968de39c670374e51aea36dc9dd36d522ef29a8b

SHA256
aba3644bef69efc87ee3ec9ae572a0df2adace5e76825beab3f16d8e485bd927

SHA512
fe929b25b223e68a226178048718a5f479e4574742ceda38a0ac7d5488a0561e4f6dafe4497d5ef413ef13bc94b602cef8c685c124de0dfd87647f06e4848117

Download Submit
\Windows\SysWOW64\Magqncba.exe

Filesize
275KB

MD5
04291d0b51ad0b3832422b53b33192cf

SHA1
cf3b9c0b9c2ed9aa1c899ca1dd25c63d498259b0

SHA256
8d5667b3195f1cf25dbfa0eb0643056f467350649defed5e734790635e7fff16

SHA512
02848e94d4cb165f0ca85f12d9872f564d89ed5e374d203c77c475f1c926e26a86622b8cc43b550cf7e2ba3477ce5a042709a250ca7bcf5d2ad5d9e37757ab73

Download Submit
\Windows\SysWOW64\Ndjfeo32.exe

Filesize
275KB

MD5
93f765c52ef73e198d54dd14e92d6a5a

SHA1
666aa6c65ff55b6ade606439c9920f0fc1b98c2e

SHA256
c3b265cf13f2f8012ebf787e4f51b9b878078a231e53a9a198c8d27588c66d1f

SHA512
b133052c35a10eebd005a46307e1cbf7e5f0ca4cf6bc99bcabb81f782c3e4eadab39b2048a68fe6876bd88bed621b33c0253940a771c03c899b8c7e30a49e139

Download Submit
\Windows\SysWOW64\Npagjpcd.exe

Filesize
275KB

MD5
9e9827df62625395c1beaa7fe48ed348

SHA1
5dd921994e548a1fcfbf7a49ebadcee67f5d5e65

SHA256
9612408bf75b233726d33e12002d168bbca6292b4c073eebb24618082c8e4e1e

SHA512
25b2aa64e1c587c8d2187b1b2d9a9b34f89ceed5dd54b4f814cdf3def86c567623b8a2706cce809c358f2bee51ff59666076678552904afb285bbb5e972a197f

Download Submit
\Windows\SysWOW64\Onbgmg32.exe

Filesize
275KB

MD5
80b084a02922179a183617d58332ce19

SHA1
e3903116b8e920156312feef5bc1384275795942

SHA256
1780b17c6af9b81707584932e93743c661224ba9eb2eb4af647af7da4bf01347

SHA512
89140dc710636fad1f9e1a90e13634f3f15e5508a3c8f1e8abc4e3ca73e4b649d10c34a92e97342deafccaacde9ab035cf325eecad6511e93948b088f498db6b

Download Submit
\Windows\SysWOW64\Pbnoliap.exe

Filesize
275KB

MD5
6865be67dccd48925912b0939f0343eb

SHA1
17e8e1bbcfc4047ec88d5a5695c2a110ee106078

SHA256
299878eaff46dad656637b33861e433d61634f7907ee0fb2f2ed2137ae8607a9

SHA512
be4513cd315d5d3f698f39b7b89470cf42efa276daa0aa51793f3b5e7b0088f4492b09fa8a0faec8d4e9e117e7ccad463dbefed52e5bbb82cac4dece4da94046

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
275KB

MD5
d8d7e99708aa81f4131ae5c5b5c1520a

SHA1
ab427fd680689ded97abbd2a6f52bc205c421290

SHA256
c401385bebed4f99f5c53514d1aab48c74d22662769848df7679f2a421757945

SHA512
9da16d2dccbeb0e06cba515f3e6e6c9aa390ffe4842049d524939543de345eff39708e87154af3f27e5f447be1afe8dbb4a5c7a19020f5195777b9e2813e09a2

Download Submit
\Windows\SysWOW64\Qjnmlk32.exe

Filesize
275KB

MD5
78a20fce07741ba541a8a06d2897a57f

SHA1
085e122047c99471bc5402e4aade5980b1a8aea6

SHA256
7b79cc8bdab430630f1fdf0d7aba90e57bd8d1022cf4b594c7dad78a79b88428

SHA512
73416d69e31bef815d0764823c2076a1bbb721af0f933a5e8a660a158dbe3709d3344d7b9b288c935ad33a5ee0302dadb84b0899d8c83407117013f0583f59fd

Download Submit
memory/396-255-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/396-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/396-318-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/396-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/592-109-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/592-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/592-182-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1120-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1120-184-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1120-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1120-123-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1360-280-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1360-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1360-325-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1640-329-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1640-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-305-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1640-307-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1944-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-24-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1992-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-198-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1992-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-254-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2000-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-75-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-6-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2028-244-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2028-185-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2028-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-246-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2164-321-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2164-320-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2164-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-327-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2204-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-299-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2204-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-300-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2204-328-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2220-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2220-243-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2220-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2220-297-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2220-247-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2220-306-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2416-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-89-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/2544-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-210-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2632-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2632-138-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2652-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-65-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2696-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-137-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2696-67-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2812-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2812-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-323-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2820-266-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2820-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-139-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2836-201-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2836-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-230-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2964-229-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2964-287-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2964-285-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads