9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe
Size

67KB
MD5

edf3699a880c553e8db5ca4923531e80
SHA1

46d330c0b89c320fc6954ad8dfd9d682ce98472d
SHA256

9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe
SHA512

03b1a480e487d837c5f63e24542a4ddc19a95731ed7e77dfa30c05dd7c84b0a3a9255d020ca7597fe147d86160c28f9ac06235a0a211f4cb0e32d315758ac29c
SSDEEP

1536:CzTSul4ChTrGAYarrXOeaT+/y7CPQxRxMy5yXA351cgCe8uC:cTziKaTLhxM3AJugCe8uC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe

Executes dropped EXE 30 IoCs

pid	Process
724	Gbldaffp.exe
3140	Hmdedo32.exe
4804	Hfljmdjc.exe
4088	Hjjbcbqj.exe
3568	Hccglh32.exe
1448	Icgqggce.exe
4312	Ijdeiaio.exe
1696	Iapjlk32.exe
4336	Ibccic32.exe
4516	Jdcpcf32.exe
3572	Jjpeepnb.exe
1432	Jjbako32.exe
4984	Jmbklj32.exe
640	Jiikak32.exe
3268	Kmgdgjek.exe
4832	Kphmie32.exe
1100	Kdffocib.exe
1988	Liekmj32.exe
2180	Lpappc32.exe
3712	Lilanioo.exe
1940	Lphfpbdi.exe
316	Mgekbljc.exe
4860	Mpolqa32.exe
3280	Mpaifalo.exe
3444	Mpdelajl.exe
2436	Nqfbaq32.exe
5000	Nnjbke32.exe
4148	Nbhkac32.exe
1276	Nbkhfc32.exe
3356	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmgdgjek.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3452	3356	WerFault.exe	111

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 724	1692	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe	82
PID 1692 wrote to memory of 724	1692	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe	82
PID 1692 wrote to memory of 724	1692	9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe	82
PID 724 wrote to memory of 3140	724	Gbldaffp.exe	83
PID 724 wrote to memory of 3140	724	Gbldaffp.exe	83
PID 724 wrote to memory of 3140	724	Gbldaffp.exe	83
PID 3140 wrote to memory of 4804	3140	Hmdedo32.exe	84
PID 3140 wrote to memory of 4804	3140	Hmdedo32.exe	84
PID 3140 wrote to memory of 4804	3140	Hmdedo32.exe	84
PID 4804 wrote to memory of 4088	4804	Hfljmdjc.exe	85
PID 4804 wrote to memory of 4088	4804	Hfljmdjc.exe	85
PID 4804 wrote to memory of 4088	4804	Hfljmdjc.exe	85
PID 4088 wrote to memory of 3568	4088	Hjjbcbqj.exe	86
PID 4088 wrote to memory of 3568	4088	Hjjbcbqj.exe	86
PID 4088 wrote to memory of 3568	4088	Hjjbcbqj.exe	86
PID 3568 wrote to memory of 1448	3568	Hccglh32.exe	87
PID 3568 wrote to memory of 1448	3568	Hccglh32.exe	87
PID 3568 wrote to memory of 1448	3568	Hccglh32.exe	87
PID 1448 wrote to memory of 4312	1448	Icgqggce.exe	88
PID 1448 wrote to memory of 4312	1448	Icgqggce.exe	88
PID 1448 wrote to memory of 4312	1448	Icgqggce.exe	88
PID 4312 wrote to memory of 1696	4312	Ijdeiaio.exe	89
PID 4312 wrote to memory of 1696	4312	Ijdeiaio.exe	89
PID 4312 wrote to memory of 1696	4312	Ijdeiaio.exe	89
PID 1696 wrote to memory of 4336	1696	Iapjlk32.exe	90
PID 1696 wrote to memory of 4336	1696	Iapjlk32.exe	90
PID 1696 wrote to memory of 4336	1696	Iapjlk32.exe	90
PID 4336 wrote to memory of 4516	4336	Ibccic32.exe	91
PID 4336 wrote to memory of 4516	4336	Ibccic32.exe	91
PID 4336 wrote to memory of 4516	4336	Ibccic32.exe	91
PID 4516 wrote to memory of 3572	4516	Jdcpcf32.exe	92
PID 4516 wrote to memory of 3572	4516	Jdcpcf32.exe	92
PID 4516 wrote to memory of 3572	4516	Jdcpcf32.exe	92
PID 3572 wrote to memory of 1432	3572	Jjpeepnb.exe	93
PID 3572 wrote to memory of 1432	3572	Jjpeepnb.exe	93
PID 3572 wrote to memory of 1432	3572	Jjpeepnb.exe	93
PID 1432 wrote to memory of 4984	1432	Jjbako32.exe	94
PID 1432 wrote to memory of 4984	1432	Jjbako32.exe	94
PID 1432 wrote to memory of 4984	1432	Jjbako32.exe	94
PID 4984 wrote to memory of 640	4984	Jmbklj32.exe	95
PID 4984 wrote to memory of 640	4984	Jmbklj32.exe	95
PID 4984 wrote to memory of 640	4984	Jmbklj32.exe	95
PID 640 wrote to memory of 3268	640	Jiikak32.exe	96
PID 640 wrote to memory of 3268	640	Jiikak32.exe	96
PID 640 wrote to memory of 3268	640	Jiikak32.exe	96
PID 3268 wrote to memory of 4832	3268	Kmgdgjek.exe	97
PID 3268 wrote to memory of 4832	3268	Kmgdgjek.exe	97
PID 3268 wrote to memory of 4832	3268	Kmgdgjek.exe	97
PID 4832 wrote to memory of 1100	4832	Kphmie32.exe	98
PID 4832 wrote to memory of 1100	4832	Kphmie32.exe	98
PID 4832 wrote to memory of 1100	4832	Kphmie32.exe	98
PID 1100 wrote to memory of 1988	1100	Kdffocib.exe	99
PID 1100 wrote to memory of 1988	1100	Kdffocib.exe	99
PID 1100 wrote to memory of 1988	1100	Kdffocib.exe	99
PID 1988 wrote to memory of 2180	1988	Liekmj32.exe	100
PID 1988 wrote to memory of 2180	1988	Liekmj32.exe	100
PID 1988 wrote to memory of 2180	1988	Liekmj32.exe	100
PID 2180 wrote to memory of 3712	2180	Lpappc32.exe	101
PID 2180 wrote to memory of 3712	2180	Lpappc32.exe	101
PID 2180 wrote to memory of 3712	2180	Lpappc32.exe	101
PID 3712 wrote to memory of 1940	3712	Lilanioo.exe	102
PID 3712 wrote to memory of 1940	3712	Lilanioo.exe	102
PID 3712 wrote to memory of 1940	3712	Lilanioo.exe	102
PID 1940 wrote to memory of 316	1940	Lphfpbdi.exe	103

C:\Users\Admin\AppData\Local\Temp\9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9056dc4e3ede0d8ba77e7dd6a153c8aca4e15304af92956adcbba6adf0dd4fbe_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\Gbldaffp.exe
  C:\Windows\system32\Gbldaffp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\SysWOW64\Hmdedo32.exe
    C:\Windows\system32\Hmdedo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\SysWOW64\Hfljmdjc.exe
      C:\Windows\system32\Hfljmdjc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        31⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 400
        32⤵
        Program crash
        
        PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3356 -ip 3356
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
67KB

MD5
64dabe166c21aa483acbe36c0819ba35

SHA1
a1fc7e5b677a6faf8de23a8bde9adbaeeb0c2898

SHA256
af2335c3beea4d65956e661f095444cae8320079ef19bfbacaf3826522800734

SHA512
0b59aad7a89031975d792297f44c7b2bf8a78d4f18f9e486cbc72c1ea121062a7559fdd45448cc3d170fd8b56ab4e5e69b2e49ff3adb532df707d30029860754

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
67KB

MD5
6fd2bd44da3e8b2435de691ed7a3c3a1

SHA1
b37971e19dd7414d9ed5a818d42f23ceddbd9489

SHA256
4854db5287f2abac7a2245ee3604e4bbf43376a7e795fb8ac16a264d56db4c1e

SHA512
03a21e860a7fe584822ef383370b420cd67fd8f1db91b8aeca90cc05bc1e018b04366a02c99679cb978e8c4710b5c4f88c7d9f21285cee14d52c8f36e6e11c95

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
67KB

MD5
fc11fcdd49ae7a335c38ec6d6f513a6b

SHA1
048334a70c605ac0cf0a9cdc9fce89bddfc3fd57

SHA256
832c3993e63ed2b68b9a6324d0362a981db7a4bd00021a8f2d7f3f2ac5a8db39

SHA512
a5e4c98ab86f7fd94a5a22651c776fac3f52d37182c92d57ea6918037b86879572febbe6a870879bc0be01bdbe47cdbe98c95240f1423bc66df7c311378adf10

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
67KB

MD5
dad26279614dd6bdd6f35815beded8c4

SHA1
4e27c2d6116052d37cc588e3a57e9aed9dc02eeb

SHA256
eae99a19382ca9f1be9ccb23152aad7ab2a245b8fa901d6ddca3c846a65c87b7

SHA512
2eee6294d652408304f38857e9b6020a16bf25c31248c04350f6df3df8cfead463b1bbf002c057b63e39a89403d6a29863eb99f0f56ceb1e5aec857b0f147902

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
67KB

MD5
c6e8567390483ca8883f5191cc666309

SHA1
61b228a222ea0e086f69504e7a18515e88ab3849

SHA256
94d7931c881d7b3995cad050c935804e0b5a4c6e34c66e0f5f134663296ef2a1

SHA512
8d46bf86712b7dd8aea91e671b10bb86235fecb588cf6d29a48e7e0b8896e7e928d0cd1ac6945f395c33e648f109b30839286cbf9146aeaca397ffecb801efb6

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
67KB

MD5
50df968d84464cb2ed1332d60e0396a7

SHA1
eae9ca5cc758b84df0e10720e4700964f408c61c

SHA256
779b3c5494815aa6cb2177d75f389c80331c236985ed8744e627e0bedc029811

SHA512
4abad4bd3582e6829d291a7c8ba63833143e1c969464c8a1bfe74d6cfad57156a1d03bc65d1d1cd7adbd304ff6d09bc0ae30cb5e16cd655eaac2d7accd158ac1

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
67KB

MD5
80e499a99dddda8bcc1d72f353f065e4

SHA1
34a4e904a9ed5bcec94ee43b460fc91ab9e7d290

SHA256
ab41426abdf2366b6020d148bbf1788c1f5071a01f3666bdef230fba223e6550

SHA512
213ca13f522b125e503ec71c07c3c7b0fc7dbd12e3bd54ee67289769bbd86bd6ca61b66800a0218f5566b7b498b4f6c615fd2ae5e2505b71d6219ed242ca301b

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
67KB

MD5
ae6164fe7c0d3bb3295c72a2d2a36433

SHA1
6f7fac6f11c51b4275a0dd476f6ed5e43f4e1d91

SHA256
fab2595263d41d615732c5ea4d00b2537972af9b945b707c365b269c0c3f72c8

SHA512
231622c67c84a93e2b24406ae434b861370a784130bdcf5365907554b604e5b5355a193b4e2f902d12fce6f1a6ffb695e3b916ae9c86aef2dc76cafe60a5f474

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
67KB

MD5
51d4c98d1119546645528c44fc7d3de5

SHA1
d66877510267174bd63f22865ea408e072f92c30

SHA256
032104888f55a18750e5639d632b822a32800cc7ee383837696754daa5597c90

SHA512
42467c8e6965a8fc15c759bb7280ecaa1734888a1fb29ecc41b56012c386b81da56246f261dbb25b8b4d8d9757df8c8ffce163b8ea5862e87b3bfd31fadaf552

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
67KB

MD5
4a8d6a154d8215b15a4b8d8d5934eeb2

SHA1
8f7b329a645cf043ad16bd2d064ec7f325d9e8ec

SHA256
4110b9fd92353a948efec9eb31ffe8a39feb22db0cecc2a6cd12758d79faa7ea

SHA512
7efb18dff4521f6a7f4991cc04db496287f6e19cc7e6f90af24706bf8a468206e834099f8b559e942b7738c333fdf458ff62b1a2092c026a45311486ffc645aa

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
67KB

MD5
8225e348c092b42545d2bd2e915d4b37

SHA1
b1c7a593dd513a1ebfeaef8c54b353e4a7534c6f

SHA256
984c172be77a3be1a1b19fb6425288a11b4a3567d4328f5283c51381f1a482d1

SHA512
bdeaa40a5034439dcf046ecb438e90eadf3ad96e0830cd180f328b440ddc8d77dc82fba7ac5546d2f0f3b9c85e52676349e7172c974b127469488c3ab0ac0e60

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
67KB

MD5
596b61ecbd6056f0add2499c92e91716

SHA1
04be1f229225dab0de5da9f6ec55b111001b5e6b

SHA256
ac755c726fc98b5a3fc4517a567fa6137a43818b89f5d4eff60b447502e680b6

SHA512
27590abf295e8409ae83c8363a01fc981e092836872416844d51fbe43138aa99883ed69adcc28f07c25a6b8c6ca00685524669c8da63f1517eca10aa7bb11c7e

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
67KB

MD5
2e5dc1750f3eea1e24e14ba96484d895

SHA1
bb049ca81d68e686054d8720081d8767f67945ee

SHA256
1e0558f0f98d59c8e8c12cba7326a27271faea538efbc9203b151ef1ce943a4a

SHA512
1c4a2ed490e2630d7862ede877a9d678dbf0795a8bbdafd9ca6623e66fb0e18fd60c9cded098f870a932496fccd0db97a048b92ca16a93a0487cedd2757da9c4

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
67KB

MD5
6f154a66b2840b3e3af02bc0a208ddf2

SHA1
b99fcc0fd8cb2fd3da18c2fa20fd31ff434027ff

SHA256
0e2748e571d049e9e6402bce5f15ad323c23f5885486257d1834daff700e93cf

SHA512
ae560aa3b6e1de3201a70aa2f263723ea5775c0e0efe809bfcf476b472da734b31ca2c5c884af1defde8000f00d12b6726bf680df311c7d4b47be82bc0b51a30

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
67KB

MD5
17af830b085ac7877782fe099858a110

SHA1
b346230490c4fe88560bebaf3af5167eeceab053

SHA256
2af7ca4a32874991d83c8ec726ee2f492328aad5633c971aefee2b7f88ba2b66

SHA512
adc54720a84279e5e2f60072493048a2a0bb5978a4790172e0af77c020a94a1ad11f75e4aaea867699c5b6169719c33212c7cf3278ac2aed03c6e79cf21c7796

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
67KB

MD5
7a31324004baad35d703f4d508b8bf3a

SHA1
85e368dc8d057aff225e59fc111020008cba8418

SHA256
8d58abe6126dd3cd0869fccfadce323cbf028943d492b82a31df97ca29024df9

SHA512
6ca25738bba41afc31d31d45a8f168305e840891df10a8c3c8448ba1b705c38631b679abe8408d713b84297c0e5b3466d506100c2637894f8af260536c4003e3

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
67KB

MD5
2524c71d3bb9871b0ca7345b4f335d8b

SHA1
0cb4e928d859a327e158fc5e80658744ce34423f

SHA256
de3d5b0bc3aac26a4dc6d21162cf0860610e0fa2616b48f3c27e22fb4cfda999

SHA512
3faab901fee37c76f0a7a1bee75322249bbf3e09096b53f90044695d645211c390876a4fd925fad766aadfef654ffc02ddce19b4cf06a1ab522336159b17b37c

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
67KB

MD5
d3423c10c8034ddaddd25a603299f0a2

SHA1
0e3538290e7282a964b67d61747c200a8aadcbc5

SHA256
941315c18959234d8a30d7c6930507d4792868958fa22584a9196af81f82e11d

SHA512
da5aa024df54d0bf3e69acca1a6c5a3b025dfd17064fdc521b9967f95b8e593d0ad0868272a279e4d560be0095e8a8b8e321777f89b599500f2c45b338bb6287

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
67KB

MD5
7c69bc9f00b7e91269dbafba3bf4cd1b

SHA1
7ccf54a682b80acdad5a769d6ca9d725f4a62e3a

SHA256
54864e11bd6b0a33b12eed12be860fb3b94827df29991bd42544baf8e7ba11db

SHA512
a659907ea44ba16f549205cb4a2d4900f20eb10231d190a500a23d3dbcb98be15773e7ca8b58ff6f12383dfd2e1bbc09f182f7d5a3c767de1819fce7fac96433

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
67KB

MD5
0d541432e166ffe5564b5b463e963ca0

SHA1
a5aca6335c16df947d363958dda2c3ec6dce6c55

SHA256
b9c737d1ef970b1f0cc1b9f6ea0ebe443c2d4d39fff7f0d375634dc715a1fc04

SHA512
8a55ff3dbc43e0d201ecc9ded0c4b3377145e38e82a361cfe1596237fb47a8d0ba876e35d119d83dcc85061b35c25502ea9ad9dd33ae8e32a9058f418406155b

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
67KB

MD5
ab7e774579bd3f716a8054bbe2b9ccc6

SHA1
2135b886ab0cc9eabc9730082ac0588cd42cac9f

SHA256
0b1dd8af9a0884ad52153ba7ad5a714744ab3cccd6ef3317cd73de33b9f3b6fc

SHA512
94c8452556632cf146c9562c4e8bad639e771cf71ce6dc59a05f46b9ca67e2c4df1dfb67ea93d638d1ed215b6e84b2589cf26f11ee84a35b38c5b0a2ac4febe2

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
67KB

MD5
05e4cadda94e22ce92d0ae2c0eaffc80

SHA1
16b7ba8aa9d267c27e41feb01c8163ca9b483f4e

SHA256
4ec298e2bfb087801be3eeb02fa1f2c1e614d47af384d826ce846407f6734f4c

SHA512
767c137d8055c4cba127dc95537a3c86e0f0a6d11e4b25df38515e9e2e09b423a87c08cb222688b6f5965e334d0473be01a337ff2edfb092069a1aead5fe304d

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
67KB

MD5
b1b51114b3439387055fb52a7ad07f8e

SHA1
eb53312b2305d149c2a0b943ac2a71d6201da367

SHA256
e8549e962219ba8d9cb071329c4e23f34d4beca1726b5242ba22bdf3fdf2d518

SHA512
7d1c1b89925bcf20e78e4ecf2f90f20d38ecc294823b83a9e304b7e84e77d37546c3159623b66c0e78687d90090860be901adabc70174a9fcd2280ac2a5ee308

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
67KB

MD5
bde8abd5fae4a3dc9bce64bf21a2f064

SHA1
a76c22d327223f02714357a19b89991aebb7fd2b

SHA256
3c8ac5c7b4f77625af4b8eeb04ecd429780ad5bfab91d2940da937649f15ed3f

SHA512
a0738f7f213492aca087cbc1b3f80addd0105052f39f40831cb98cdfa898a6ee12d9aa099835b2e5c07c8be788ecbffde4b90f1753db4f81d4d7dcb6564930ee

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
67KB

MD5
2c9bb7f99cfa639d9a9b45c3d69b3371

SHA1
641afc4a71ba0355fee0f5460a572efe0da1332c

SHA256
078a9528bc1e732ec846a8fc7f90a9c26ae530b32419002cccfbd15772c7dda1

SHA512
9246e20e6372197f96ebd34d6982abc585ac084137392d3232faee3068c4ea7eb1def8bfd3287fb42fdd427ebba2621f561ff33c6ffe8c2217427f5fb7f8422e

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
67KB

MD5
ece79fe720a85df327d201183963c1d7

SHA1
083f534e10b650bc3a118d60417d01c3e818cdaa

SHA256
1ea0d1190685a1dddc9fa9c658c9aad7bd32ef2cb4557dc20ce87a9345a39c32

SHA512
34e59208bddb48bcb7ca125b070f2bb766851ce97df795365f7805ff34826a69f3bfe82bdc8a8ea1a1cebd2818a3b9d89dd21cc9af115134595089687c910e9f

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
67KB

MD5
65fc27a40e2b5b6ad8ec3447ce2e6cb3

SHA1
22790db9c34488ecdcce149cb8054b042390b7d0

SHA256
02b07b643363e006eed89d710716a53d6bb3479066ba895be8daf1df72c7884f

SHA512
67578e175e92dadcae938d5e9b728a85a4f94abb4a8a32fbc89191422f6983a79671615dd4a3b823b034fe70f280f5228b39d9e0b93497bd00dfe0da6e05c1c1

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
67KB

MD5
11cd73edfde2772485e08c96fc6bc6c7

SHA1
47aee905876b56338e7378eaf577471cc8d60486

SHA256
5ffde53d5ce39b3fa1f482127611bf3df7b33cc3678b437f130b2be23d134b66

SHA512
2d1529be3eda3f003e68ed27e8e584e169deb8832f00b2670c023e7c0b4c1efc78bbb7a9db8fed36ec5f2fa33eb154281bebd5c159ccb72263868fe231b2767a

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
67KB

MD5
5a024c8231d058cfddfc226c2d239122

SHA1
c308e20aa42ad155d02df415a5dedfbefd45f1ea

SHA256
1e558b6e9f3e998ac6c5e3163cc36b979cd4febe364dfc1b46d7893d1549fa69

SHA512
db27228bf9011d210d34ba80c548d4d8b8f20719b2408507dbf6371e3da6824a7581574cc55e90cdeeb35d5e1aba51ff58f9e972dfba61a192aee0b006da884d

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
67KB

MD5
db58578d843eb03b5a49fbefe5307eb6

SHA1
9b94194b1505c29bd73d80740ef093f4c3abe7c0

SHA256
d0d0217247d9e7696cd8e4544172dc2871148abe1109978a048ec8247f99b96f

SHA512
06dcbdd2a523d6a9c753238c17d01ad6416896c94811b731881c52569fbbad8a25cd7f1b358e8d84af1352f4aa45d4d26f06f4a813852d7339b65a7ea55d36ba

Download Submit
memory/316-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/316-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/724-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/724-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1100-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1100-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1276-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1276-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1448-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1448-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1692-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1940-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1940-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2180-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-209-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3140-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3140-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3280-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3280-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3356-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3356-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3444-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3444-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3568-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3568-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3572-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3572-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3712-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3712-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4088-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4088-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4148-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4148-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4336-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4336-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4860-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4860-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4984-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4984-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5000-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5000-245-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads