10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
Size

224KB
MD5

f8e5890b2eb34dda8baf8e944f34c310
SHA1

7d164e703b13ff2d6c3ca000d0f75424e51b935c
SHA256

10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e
SHA512

3a55252dd12cddf4c67ed5679332527975c826e779305999b758de4f4a270b73757bd9d1dda040c183dd1176c5efdc75d957e7587ceba089c04ae36bb2006119
SSDEEP

6144:D0xT/JE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:oTOaAD6RrI1+lDML

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jqnejn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqnejn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnbbbffj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlekia32.exe

Executes dropped EXE 15 IoCs

pid	Process
3012	Jjbpgd32.exe
2748	Jqnejn32.exe
1304	Kilfcpqm.exe
2416	Kbidgeci.exe
2516	Kbkameaf.exe
1236	Lnbbbffj.exe
1052	Laegiq32.exe
2824	Lfdmggnm.exe
2288	Mpmapm32.exe
2040	Modkfi32.exe
1924	Mlhkpm32.exe
1368	Ngdifkpi.exe
924	Nckjkl32.exe
2100	Nlekia32.exe
1928	Nlhgoqhh.exe

Loads dropped DLL 34 IoCs

pid	Process
2140	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
2140	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
3012	Jjbpgd32.exe
3012	Jjbpgd32.exe
2748	Jqnejn32.exe
2748	Jqnejn32.exe
1304	Kilfcpqm.exe
1304	Kilfcpqm.exe
2416	Kbidgeci.exe
2416	Kbidgeci.exe
2516	Kbkameaf.exe
2516	Kbkameaf.exe
1236	Lnbbbffj.exe
1236	Lnbbbffj.exe
1052	Laegiq32.exe
1052	Laegiq32.exe
2824	Lfdmggnm.exe
2824	Lfdmggnm.exe
2288	Mpmapm32.exe
2288	Mpmapm32.exe
2040	Modkfi32.exe
2040	Modkfi32.exe
1924	Mlhkpm32.exe
1924	Mlhkpm32.exe
1368	Ngdifkpi.exe
1368	Ngdifkpi.exe
924	Nckjkl32.exe
924	Nckjkl32.exe
2100	Nlekia32.exe
2100	Nlekia32.exe
2660	WerFault.exe
2660	WerFault.exe
2660	WerFault.exe
2660	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Pelggd32.dll	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Lnbbbffj.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Kbidgeci.exe	Kilfcpqm.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Aadlcdpk.dll	Lnbbbffj.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Jqnejn32.exe	Jjbpgd32.exe
File opened for modification	C:\Windows\SysWOW64\Jqnejn32.exe	Jjbpgd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbpgd32.exe	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kbidgeci.exe	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Lfdmggnm.exe	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Lfdmggnm.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Fhhmapcq.dll	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Kbkameaf.exe	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Kbidgeci.exe
File created	C:\Windows\SysWOW64\Laegiq32.exe	Lnbbbffj.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Lnbbbffj.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Akbipbbd.dll	Jjbpgd32.exe
File opened for modification	C:\Windows\SysWOW64\Kilfcpqm.exe	Jqnejn32.exe
File created	C:\Windows\SysWOW64\Hfjiem32.dll	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Jjbpgd32.exe	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kilfcpqm.exe	Jqnejn32.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Kmcipd32.dll	Jqnejn32.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Qkhgoi32.dll	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lnbbbffj.exe	Kbkameaf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	1928	WerFault.exe	42

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"	Lnbbbffj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhgoi32.dll"	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcipd32.dll"	Jqnejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnbbbffj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akbipbbd.dll"	Jjbpgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll"	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jqnejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilfcpqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jqnejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelggd32.dll"	Kilfcpqm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3012	2140	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 3012	2140	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 3012	2140	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 3012	2140	10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2748	3012	Jjbpgd32.exe	29
PID 3012 wrote to memory of 2748	3012	Jjbpgd32.exe	29
PID 3012 wrote to memory of 2748	3012	Jjbpgd32.exe	29
PID 3012 wrote to memory of 2748	3012	Jjbpgd32.exe	29
PID 2748 wrote to memory of 1304	2748	Jqnejn32.exe	30
PID 2748 wrote to memory of 1304	2748	Jqnejn32.exe	30
PID 2748 wrote to memory of 1304	2748	Jqnejn32.exe	30
PID 2748 wrote to memory of 1304	2748	Jqnejn32.exe	30
PID 1304 wrote to memory of 2416	1304	Kilfcpqm.exe	31
PID 1304 wrote to memory of 2416	1304	Kilfcpqm.exe	31
PID 1304 wrote to memory of 2416	1304	Kilfcpqm.exe	31
PID 1304 wrote to memory of 2416	1304	Kilfcpqm.exe	31
PID 2416 wrote to memory of 2516	2416	Kbidgeci.exe	32
PID 2416 wrote to memory of 2516	2416	Kbidgeci.exe	32
PID 2416 wrote to memory of 2516	2416	Kbidgeci.exe	32
PID 2416 wrote to memory of 2516	2416	Kbidgeci.exe	32
PID 2516 wrote to memory of 1236	2516	Kbkameaf.exe	33
PID 2516 wrote to memory of 1236	2516	Kbkameaf.exe	33
PID 2516 wrote to memory of 1236	2516	Kbkameaf.exe	33
PID 2516 wrote to memory of 1236	2516	Kbkameaf.exe	33
PID 1236 wrote to memory of 1052	1236	Lnbbbffj.exe	34
PID 1236 wrote to memory of 1052	1236	Lnbbbffj.exe	34
PID 1236 wrote to memory of 1052	1236	Lnbbbffj.exe	34
PID 1236 wrote to memory of 1052	1236	Lnbbbffj.exe	34
PID 1052 wrote to memory of 2824	1052	Laegiq32.exe	35
PID 1052 wrote to memory of 2824	1052	Laegiq32.exe	35
PID 1052 wrote to memory of 2824	1052	Laegiq32.exe	35
PID 1052 wrote to memory of 2824	1052	Laegiq32.exe	35
PID 2824 wrote to memory of 2288	2824	Lfdmggnm.exe	36
PID 2824 wrote to memory of 2288	2824	Lfdmggnm.exe	36
PID 2824 wrote to memory of 2288	2824	Lfdmggnm.exe	36
PID 2824 wrote to memory of 2288	2824	Lfdmggnm.exe	36
PID 2288 wrote to memory of 2040	2288	Mpmapm32.exe	37
PID 2288 wrote to memory of 2040	2288	Mpmapm32.exe	37
PID 2288 wrote to memory of 2040	2288	Mpmapm32.exe	37
PID 2288 wrote to memory of 2040	2288	Mpmapm32.exe	37
PID 2040 wrote to memory of 1924	2040	Modkfi32.exe	38
PID 2040 wrote to memory of 1924	2040	Modkfi32.exe	38
PID 2040 wrote to memory of 1924	2040	Modkfi32.exe	38
PID 2040 wrote to memory of 1924	2040	Modkfi32.exe	38
PID 1924 wrote to memory of 1368	1924	Mlhkpm32.exe	39
PID 1924 wrote to memory of 1368	1924	Mlhkpm32.exe	39
PID 1924 wrote to memory of 1368	1924	Mlhkpm32.exe	39
PID 1924 wrote to memory of 1368	1924	Mlhkpm32.exe	39
PID 1368 wrote to memory of 924	1368	Ngdifkpi.exe	40
PID 1368 wrote to memory of 924	1368	Ngdifkpi.exe	40
PID 1368 wrote to memory of 924	1368	Ngdifkpi.exe	40
PID 1368 wrote to memory of 924	1368	Ngdifkpi.exe	40
PID 924 wrote to memory of 2100	924	Nckjkl32.exe	41
PID 924 wrote to memory of 2100	924	Nckjkl32.exe	41
PID 924 wrote to memory of 2100	924	Nckjkl32.exe	41
PID 924 wrote to memory of 2100	924	Nckjkl32.exe	41
PID 2100 wrote to memory of 1928	2100	Nlekia32.exe	42
PID 2100 wrote to memory of 1928	2100	Nlekia32.exe	42
PID 2100 wrote to memory of 1928	2100	Nlekia32.exe	42
PID 2100 wrote to memory of 1928	2100	Nlekia32.exe	42
PID 1928 wrote to memory of 2660	1928	Nlhgoqhh.exe	43
PID 1928 wrote to memory of 2660	1928	Nlhgoqhh.exe	43
PID 1928 wrote to memory of 2660	1928	Nlhgoqhh.exe	43
PID 1928 wrote to memory of 2660	1928	Nlhgoqhh.exe	43

C:\Users\Admin\AppData\Local\Temp\10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10a2de1d5518536d40392bce1fc86ea3982aef4ff1771ecb67007f07285b7f9e_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\Jjbpgd32.exe
  C:\Windows\system32\Jjbpgd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\Jqnejn32.exe
    C:\Windows\system32\Jqnejn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\Kilfcpqm.exe
      C:\Windows\system32\Kilfcpqm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Windows\SysWOW64\Kbidgeci.exe
        
        C:\Windows\system32\Kbidgeci.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Lnbbbffj.exe
        
        C:\Windows\system32\Lnbbbffj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Lfdmggnm.exe
        
        C:\Windows\system32\Lfdmggnm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hoaebk32.dll

Filesize
7KB

MD5
7e268ffee038960d1ed0d59defc606b7

SHA1
54145d0e8a9cbee22994ef90f079ca566de12771

SHA256
3d3929ae3accaa16c7fa8394e1e6548b735ad18f922510d197d8c57af4bccec3

SHA512
f626bdbfca17f25b28557ecb38e97107a9c2282aae734c110bca026587c973fe0edd5bb0b4d4fdab945e985f2e82559d838ff4b7dd2d62ee75811b4b1f07d2af

Download Submit
C:\Windows\SysWOW64\Jqnejn32.exe

Filesize
224KB

MD5
5f8b5c39c8585b38dc902317bd22e412

SHA1
4be0ddc9ad626cb3dbd4347e82693554a74a7a4d

SHA256
8cedd531253e6051abf8d2a5b65b2d8ca552b06b45d4ccfd0a2d02b9f816562d

SHA512
4d55c8d152acd11ae45cf1f090ddbff8d1ee2a5864dc59feaf1d721bfd6a3d9deb4bf00a92abf9fbbea4d8ad2c8483252b0ac0cc280fdddd49b2f5c51197ef00

Download Submit
C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
224KB

MD5
01aa988a5c6889866302611fdb6da47e

SHA1
253f8a00f6930ac659ac6ddc34ca18fc2770b098

SHA256
2265931fb44b218503b2e949af4abd202fcc06c54dc9b9bb74c7b31f745ae90a

SHA512
37933bf7f4dfdba54a7dac9aca463c51f0ee94ef5ae5789d9ea99874e015ac0e1538e3355b513073af49c6fb44216effe3ebd8ab2b12f86dc4293dbb1c3a81f8

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
224KB

MD5
2788a29399eeba024c4daea8b35eb621

SHA1
01274e3f367d0b40972365e955a55a0835e7ce64

SHA256
9596cd922623a308c65772b30297918811896a0450ec362b967944eb7f31deb8

SHA512
368b87f0a1bdc82d6ed3c471db9d2ac70b11fd108aad3f2185703b884b7cc202793f31b7d49c543a321f48f709f553bce0ecdd610207e1dc02dc665589df1d45

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
224KB

MD5
7ec486a34a30f4ec4e4b36d53952d3f6

SHA1
e27accfc02ed60ff8f0166c3d181acdc1d76164c

SHA256
ed7f9bdfd1e5fce619d9c4ed301da47fcd91e94d5241010d7329de74e292a5aa

SHA512
5d6ac46bf19023f28002e04f9e57e76d1aeae44632de173e4007c92d20f3efbf49cbd0dde55cb14488810714a6af2828bcba86b80e79a05629103610156b0d3a

Download Submit
\Windows\SysWOW64\Jjbpgd32.exe

Filesize
224KB

MD5
c45a9a868f437a42c30fbfcdca9dedf2

SHA1
520ed0379912706a9b3bfac130ea9f609c128c80

SHA256
db2b38167da30434ab71dc90d10f1d3ad89874a4efc721d67bb05122c8e7b3ff

SHA512
8bade1feba95270a33b7a6dc535f5246a9ff4d9c4e1ddc8db6c1de5a7a583247419777daf8eb6a7416063fe98de1048e5f2f1ab30239c4f7e06fe03232bd57c2

Download Submit
\Windows\SysWOW64\Kbidgeci.exe

Filesize
224KB

MD5
ff38a24ee032ccd8ed00b83bf0b47448

SHA1
18fd2876d1bebec33911d0967ae565419d3167bf

SHA256
c69725c74efb15dbc67840dd6f22bc487cf251482163d76d0e78a59f9b0f8c67

SHA512
a91d27d4770f2e4385169d48038942cb71fdaf1eb3155ef82712c6a4779b10775a693c5972fcd0b56a0ecddacac3034c601a12847ee6921803a4752f90bbfd48

Download Submit
\Windows\SysWOW64\Kilfcpqm.exe

Filesize
224KB

MD5
1e37869d95eac03a51dbb157c351a21a

SHA1
34b33aa950dcd833c9190ef1140a61635a1ebd57

SHA256
7a0810592000be548e605fe2d51cd2c846d9f78b1c32af78459de01a09f10061

SHA512
d9711259957d47fd2c886f9432386ea492cb8bac569c14b84b4aa01fa402eee263b340ce5cef5ad2890d076c96732a3ff4275e877336fd8a75f82acecb0b1800

Download Submit
\Windows\SysWOW64\Laegiq32.exe

Filesize
224KB

MD5
9d1df7c530edb3af626b1da413032aa9

SHA1
baa03d8fcadceb78cc089b400adf6352d9f61ade

SHA256
6b3d7ccf394100989e5fbd653c78fa475dd29e88e8654644733f9626d142074f

SHA512
f710ed19683bbb3d625c85084cef94854650ffe22232981a73f74ed7455b2cadc6834a30b9004fecd4553f72171bdf893071c53ab00a1ef3f2cf05d6e4a4b588

Download Submit
\Windows\SysWOW64\Lfdmggnm.exe

Filesize
224KB

MD5
8bbaadc2c8499b8c3d84815549fb5a76

SHA1
b91f6b9cb1a4d80418b19f6536ccf94a8dfd9acf

SHA256
f9593d2afbe26902a236fa98140c093b15db5f1a3a73492fd37e11b2669c5719

SHA512
19c00c73353f901f9ae18aab9c8b2ed4ac881a842a5cc5ce3f1d2fbf53b104bc6b6c4fecb9a0166c49dbe7865ceacfd889d998b13be1f42d02fd36552d8071d0

Download Submit
\Windows\SysWOW64\Lnbbbffj.exe

Filesize
224KB

MD5
120ab2a1585d17bf35e19dd2669c68c4

SHA1
a6d63cc290391c0ef91508679f2e001aca10a62a

SHA256
c8979f363f3d3c2a14d730f1321cccf628c472298fc8d50b2d1225c25a3dcaaa

SHA512
7614e805be04fd1fa510b3c0a66cd4f10e3ffafbcd27637553d9f915d24195878e0a8ec3acc9fc161f1ae020e46106061fc03bcacc7189612b1eceb7e163aef2

Download Submit
\Windows\SysWOW64\Mlhkpm32.exe

Filesize
224KB

MD5
813b9cbbf4734182c6884e546acfb81e

SHA1
7f4be41b4a74cef59df1caf6decedbe9ce574f1b

SHA256
da2cc1609750c49d86a0129d5176b2d79d5bd3091775f8107266c77e1264c8ea

SHA512
ca223f61c641069c71fb66b63f6fa25fa0107c41d7df1569a1ae4c907def284260af7c472a4768faa1db6f1011fbdf6ab53fcd0913f45294de13f24e94d02d16

Download Submit
\Windows\SysWOW64\Modkfi32.exe

Filesize
224KB

MD5
29187f19b02aa48e86a42baa06057196

SHA1
9aa7485d19cf91e7fd0c6df6ae10b2425539f0de

SHA256
e0a96162312ac6424c95faddd1875ca7f9c04da8965270679696ea148493a6e8

SHA512
d2f1400ca76940ba4923aee0b60e64fc00f09465dde51b43f2f66e9b4ab54ea26f9b5f428821b29a3c1b5e61adc39a70a69f00cbfc70e07807a85baed2bae27a

Download Submit
\Windows\SysWOW64\Mpmapm32.exe

Filesize
224KB

MD5
7ee8e21aef2e123ff8a8024fd01e953f

SHA1
04c902b2d26fc3f0f4e15d85c4a487a96e0d4ddb

SHA256
9a1df6ef99c23e80e03d46e6c689ad09c4953fa4fe20924f0e70888524d9496c

SHA512
1e6e98220d00f397acbd57d3d1123bac7b5a623fe9d43c1a19476f116d888aab5f0d0a7c1c10f6eae6b53a07c3c7393abe4d8f118e52a5260874920f6fc4041d

Download Submit
\Windows\SysWOW64\Ngdifkpi.exe

Filesize
224KB

MD5
25f04422af12585d5f2c1b17bd1294eb

SHA1
1b3935a4f380de1bde032ea6c8bd3ff6c9af9b71

SHA256
450185a6a56d75b8408fd49b7ac7bdd1a753b9801fb9426723c89709725a0f39

SHA512
e4d9df038117d5d5408484993c442bb07a264ccf9c34c6b0363e053073ca1f6c49c08e46306a8f6abe5db5cf652bf4c2321463d306ab63535c1fcc55d6dd8ec9

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
224KB

MD5
282c5483b115d82efd207c01ce78f639

SHA1
0f8ca98a3bad35a6661c4b3fa739e32547010fb4

SHA256
fedecd42901ebbed2370131f575fbbebd81831508c5641b95a102c8322832357

SHA512
fd2fbbef7bb6e6a1c62529fd5c71b943babd6988d0cebf329583ecaa3d60f959ec5d624edde4c851387ce00da08b1b6076cd5a4deaf1235584d6f28a03826ec4

Download Submit
memory/924-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/924-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-115-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1052-97-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-219-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1236-218-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1304-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1304-50-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1304-42-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1368-183-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1368-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1368-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1924-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1924-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1924-164-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1928-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-221-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-151-0x00000000002C0000-0x00000000002F9000-memory.dmp

Filesize
228KB

Download
memory/2100-201-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2100-198-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2100-207-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2140-213-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2140-13-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2140-6-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2140-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2288-220-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2288-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2288-137-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2416-74-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/2416-217-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2416-73-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2516-78-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2516-83-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2516-75-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2748-39-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2748-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2748-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2748-40-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2824-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2824-119-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/3012-26-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/3012-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads