34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Size

163KB
MD5

db32c4c9a4e8e7ad2e5dcd2f9a4da490
SHA1

2057bae2e9d6bcaa93b0e7cdf3b4aed02e0b6ca2
SHA256

34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9
SHA512

f4904a97970be5c6492429d9152152ba264337c36864a1f30f30d60e4b3431dd72f6f86f218157f2a06e6964ba1be4eec1c98d1fe6303583ce326073ecbf5df5
SSDEEP

3072:gVI42/5ZOj8FxOVolbPltOrWKDBr+yJb:gu42/5wATOVebPLOf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exeHhehek32.exeHgmalg32.exeJnicmdli.exeKjfjbdle.exeLcojjmea.exeMpmapm32.exeIjbdha32.exeJdgdempa.exeKiqpop32.exeKkaiqk32.exeNdemjoae.exeNiebhf32.exeNodgel32.exeKfmjgeaj.exeLabkdack.exeIcfofg32.exeJocflgga.exeJchhkjhn.exeMkklljmg.exeNibebfpl.exeLmikibio.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgmalg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnicmdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbdha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijbdha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdgdempa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkaiqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiqpop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Labkdack.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icfofg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocflgga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkaiqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgmalg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnicmdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icfofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocflgga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdgdempa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe

Executes dropped EXE 22 IoCs

Processes:

Hhehek32.exeHgmalg32.exeIcfofg32.exeIjbdha32.exeJocflgga.exeJnicmdli.exeJchhkjhn.exeJdgdempa.exeKjfjbdle.exeKfmjgeaj.exeKiqpop32.exeKkaiqk32.exeLcojjmea.exeLabkdack.exeLmikibio.exeMpmapm32.exeMkklljmg.exeNdemjoae.exeNibebfpl.exeNiebhf32.exeNodgel32.exeNlhgoqhh.exe

pid	process
2524	Hhehek32.exe
2652	Hgmalg32.exe
2720	Icfofg32.exe
2636	Ijbdha32.exe
2664	Jocflgga.exe
2564	Jnicmdli.exe
2132	Jchhkjhn.exe
2820	Jdgdempa.exe
2484	Kjfjbdle.exe
1936	Kfmjgeaj.exe
1548	Kiqpop32.exe
2504	Kkaiqk32.exe
2004	Lcojjmea.exe
1372	Labkdack.exe
2116	Lmikibio.exe
1272	Mpmapm32.exe
2020	Mkklljmg.exe
1184	Ndemjoae.exe
2316	Nibebfpl.exe
2332	Niebhf32.exe
1104	Nodgel32.exe
1624	Nlhgoqhh.exe

Loads dropped DLL 48 IoCs

Processes:

34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exeHhehek32.exeHgmalg32.exeIcfofg32.exeIjbdha32.exeJocflgga.exeJnicmdli.exeJchhkjhn.exeJdgdempa.exeKjfjbdle.exeKfmjgeaj.exeKiqpop32.exeKkaiqk32.exeLcojjmea.exeLabkdack.exeLmikibio.exeMpmapm32.exeMkklljmg.exeNdemjoae.exeNibebfpl.exeNiebhf32.exeNodgel32.exeWerFault.exe

pid	process
2012	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
2012	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
2524	Hhehek32.exe
2524	Hhehek32.exe
2652	Hgmalg32.exe
2652	Hgmalg32.exe
2720	Icfofg32.exe
2720	Icfofg32.exe
2636	Ijbdha32.exe
2636	Ijbdha32.exe
2664	Jocflgga.exe
2664	Jocflgga.exe
2564	Jnicmdli.exe
2564	Jnicmdli.exe
2132	Jchhkjhn.exe
2132	Jchhkjhn.exe
2820	Jdgdempa.exe
2820	Jdgdempa.exe
2484	Kjfjbdle.exe
2484	Kjfjbdle.exe
1936	Kfmjgeaj.exe
1936	Kfmjgeaj.exe
1548	Kiqpop32.exe
1548	Kiqpop32.exe
2504	Kkaiqk32.exe
2504	Kkaiqk32.exe
2004	Lcojjmea.exe
2004	Lcojjmea.exe
1372	Labkdack.exe
1372	Labkdack.exe
2116	Lmikibio.exe
2116	Lmikibio.exe
1272	Mpmapm32.exe
1272	Mpmapm32.exe
2020	Mkklljmg.exe
2020	Mkklljmg.exe
1184	Ndemjoae.exe
1184	Ndemjoae.exe
2316	Nibebfpl.exe
2316	Nibebfpl.exe
2332	Niebhf32.exe
2332	Niebhf32.exe
1104	Nodgel32.exe
1104	Nodgel32.exe
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe

Drops file in System32 directory 64 IoCs

Processes:

Kiqpop32.exeNdemjoae.exeNiebhf32.exeNodgel32.exe34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exeKjfjbdle.exeMkklljmg.exeJocflgga.exeKkaiqk32.exeJdgdempa.exeLmikibio.exeHhehek32.exeIcfofg32.exeNibebfpl.exeLabkdack.exeMpmapm32.exeIjbdha32.exeJnicmdli.exeKfmjgeaj.exeHgmalg32.exeLcojjmea.exeJchhkjhn.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Deeieqod.dll	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Hhehek32.exe	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Giegfm32.dll	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Ndemjoae.exe	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Jnicmdli.exe	Jocflgga.exe
File created	C:\Windows\SysWOW64\Lcojjmea.exe	Kkaiqk32.exe
File created	C:\Windows\SysWOW64\Kjfjbdle.exe	Jdgdempa.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Lmikibio.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Lijigk32.dll	Hhehek32.exe
File created	C:\Windows\SysWOW64\Fdebncjd.dll	Icfofg32.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Biddmpnf.dll	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Hkijpd32.dll	Labkdack.exe
File opened for modification	C:\Windows\SysWOW64\Mkklljmg.exe	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Mkklljmg.exe
File opened for modification	C:\Windows\SysWOW64\Jocflgga.exe	Ijbdha32.exe
File created	C:\Windows\SysWOW64\Enlejpga.dll	Jdgdempa.exe
File opened for modification	C:\Windows\SysWOW64\Ijbdha32.exe	Icfofg32.exe
File created	C:\Windows\SysWOW64\Jchhkjhn.exe	Jnicmdli.exe
File created	C:\Windows\SysWOW64\Kiqpop32.exe	Kfmjgeaj.exe
File opened for modification	C:\Windows\SysWOW64\Lmikibio.exe	Labkdack.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Hhehek32.exe	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Icfofg32.exe	Hgmalg32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Lmikibio.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Jnicmdli.exe	Jocflgga.exe
File opened for modification	C:\Windows\SysWOW64\Lcojjmea.exe	Kkaiqk32.exe
File created	C:\Windows\SysWOW64\Labkdack.exe	Lcojjmea.exe
File opened for modification	C:\Windows\SysWOW64\Labkdack.exe	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Mkklljmg.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Cogbjdmj.dll	Ijbdha32.exe
File created	C:\Windows\SysWOW64\Indgjihl.dll	Jchhkjhn.exe
File opened for modification	C:\Windows\SysWOW64\Kfmjgeaj.exe	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Kkaiqk32.exe	Kiqpop32.exe
File opened for modification	C:\Windows\SysWOW64\Hgmalg32.exe	Hhehek32.exe
File opened for modification	C:\Windows\SysWOW64\Kjfjbdle.exe	Jdgdempa.exe
File opened for modification	C:\Windows\SysWOW64\Jdgdempa.exe	Jchhkjhn.exe
File opened for modification	C:\Windows\SysWOW64\Kkaiqk32.exe	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Nffjeaid.dll	Kkaiqk32.exe
File created	C:\Windows\SysWOW64\Hgmalg32.exe	Hhehek32.exe
File created	C:\Windows\SysWOW64\Nqdgapkm.dll	Jnicmdli.exe
File created	C:\Windows\SysWOW64\Lmikibio.exe	Labkdack.exe
File created	C:\Windows\SysWOW64\Icfofg32.exe	Hgmalg32.exe
File created	C:\Windows\SysWOW64\Jocflgga.exe	Ijbdha32.exe
File created	C:\Windows\SysWOW64\Noomnjpj.dll	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Kfmjgeaj.exe	Kjfjbdle.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Jchhkjhn.exe	Jnicmdli.exe
File created	C:\Windows\SysWOW64\Jdgdempa.exe	Jchhkjhn.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Lmikibio.exe
File created	C:\Windows\SysWOW64\Oaajloig.dll	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Ipnndn32.dll	Jocflgga.exe
File created	C:\Windows\SysWOW64\Bpmiamoh.dll	Kfmjgeaj.exe
File opened for modification	C:\Windows\SysWOW64\Kiqpop32.exe	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Aepjgc32.dll	Lcojjmea.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1112 1624 WerFault.exe Nlhgoqhh.exe

pid	pid_target	process	target process
1112	1624	WerFault.exe	Nlhgoqhh.exe

Modifies registry class 64 IoCs

Processes:

Hhehek32.exeIcfofg32.exeJdgdempa.exeLabkdack.exeNibebfpl.exeNiebhf32.exe34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exeHgmalg32.exeIjbdha32.exeJnicmdli.exeMpmapm32.exeMkklljmg.exeNdemjoae.exeKfmjgeaj.exeKiqpop32.exeNodgel32.exeKjfjbdle.exeLmikibio.exeKkaiqk32.exeLcojjmea.exeJocflgga.exeJchhkjhn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icfofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlejpga.dll"	Jdgdempa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgmalg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijbdha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnicmdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddaaf32.dll"	Hgmalg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijbdha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icfofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll"	Jnicmdli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdgdempa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giegfm32.dll"	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkijpd32.dll"	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdebncjd.dll"	Icfofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkaiqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll"	Kkaiqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgmalg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocflgga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jocflgga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaajloig.dll"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll"	Hhehek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogbjdmj.dll"	Ijbdha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdgdempa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgc32.dll"	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biddmpnf.dll"	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll"	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Indgjihl.dll"	Jchhkjhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkaiqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmikibio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnndn32.dll"	Jocflgga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnicmdli.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2012 wrote to memory of 2524	2012	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe	Hhehek32.exe
PID 2012 wrote to memory of 2524	2012	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe	Hhehek32.exe
PID 2012 wrote to memory of 2524	2012	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe	Hhehek32.exe
PID 2012 wrote to memory of 2524	2012	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe	Hhehek32.exe
PID 2524 wrote to memory of 2652	2524	Hhehek32.exe	Hgmalg32.exe
PID 2524 wrote to memory of 2652	2524	Hhehek32.exe	Hgmalg32.exe
PID 2524 wrote to memory of 2652	2524	Hhehek32.exe	Hgmalg32.exe
PID 2524 wrote to memory of 2652	2524	Hhehek32.exe	Hgmalg32.exe
PID 2652 wrote to memory of 2720	2652	Hgmalg32.exe	Icfofg32.exe
PID 2652 wrote to memory of 2720	2652	Hgmalg32.exe	Icfofg32.exe
PID 2652 wrote to memory of 2720	2652	Hgmalg32.exe	Icfofg32.exe
PID 2652 wrote to memory of 2720	2652	Hgmalg32.exe	Icfofg32.exe
PID 2720 wrote to memory of 2636	2720	Icfofg32.exe	Ijbdha32.exe
PID 2720 wrote to memory of 2636	2720	Icfofg32.exe	Ijbdha32.exe
PID 2720 wrote to memory of 2636	2720	Icfofg32.exe	Ijbdha32.exe
PID 2720 wrote to memory of 2636	2720	Icfofg32.exe	Ijbdha32.exe
PID 2636 wrote to memory of 2664	2636	Ijbdha32.exe	Jocflgga.exe
PID 2636 wrote to memory of 2664	2636	Ijbdha32.exe	Jocflgga.exe
PID 2636 wrote to memory of 2664	2636	Ijbdha32.exe	Jocflgga.exe
PID 2636 wrote to memory of 2664	2636	Ijbdha32.exe	Jocflgga.exe
PID 2664 wrote to memory of 2564	2664	Jocflgga.exe	Jnicmdli.exe
PID 2664 wrote to memory of 2564	2664	Jocflgga.exe	Jnicmdli.exe
PID 2664 wrote to memory of 2564	2664	Jocflgga.exe	Jnicmdli.exe
PID 2664 wrote to memory of 2564	2664	Jocflgga.exe	Jnicmdli.exe
PID 2564 wrote to memory of 2132	2564	Jnicmdli.exe	Jchhkjhn.exe
PID 2564 wrote to memory of 2132	2564	Jnicmdli.exe	Jchhkjhn.exe
PID 2564 wrote to memory of 2132	2564	Jnicmdli.exe	Jchhkjhn.exe
PID 2564 wrote to memory of 2132	2564	Jnicmdli.exe	Jchhkjhn.exe
PID 2132 wrote to memory of 2820	2132	Jchhkjhn.exe	Jdgdempa.exe
PID 2132 wrote to memory of 2820	2132	Jchhkjhn.exe	Jdgdempa.exe
PID 2132 wrote to memory of 2820	2132	Jchhkjhn.exe	Jdgdempa.exe
PID 2132 wrote to memory of 2820	2132	Jchhkjhn.exe	Jdgdempa.exe
PID 2820 wrote to memory of 2484	2820	Jdgdempa.exe	Kjfjbdle.exe
PID 2820 wrote to memory of 2484	2820	Jdgdempa.exe	Kjfjbdle.exe
PID 2820 wrote to memory of 2484	2820	Jdgdempa.exe	Kjfjbdle.exe
PID 2820 wrote to memory of 2484	2820	Jdgdempa.exe	Kjfjbdle.exe
PID 2484 wrote to memory of 1936	2484	Kjfjbdle.exe	Kfmjgeaj.exe
PID 2484 wrote to memory of 1936	2484	Kjfjbdle.exe	Kfmjgeaj.exe
PID 2484 wrote to memory of 1936	2484	Kjfjbdle.exe	Kfmjgeaj.exe
PID 2484 wrote to memory of 1936	2484	Kjfjbdle.exe	Kfmjgeaj.exe
PID 1936 wrote to memory of 1548	1936	Kfmjgeaj.exe	Kiqpop32.exe
PID 1936 wrote to memory of 1548	1936	Kfmjgeaj.exe	Kiqpop32.exe
PID 1936 wrote to memory of 1548	1936	Kfmjgeaj.exe	Kiqpop32.exe
PID 1936 wrote to memory of 1548	1936	Kfmjgeaj.exe	Kiqpop32.exe
PID 1548 wrote to memory of 2504	1548	Kiqpop32.exe	Kkaiqk32.exe
PID 1548 wrote to memory of 2504	1548	Kiqpop32.exe	Kkaiqk32.exe
PID 1548 wrote to memory of 2504	1548	Kiqpop32.exe	Kkaiqk32.exe
PID 1548 wrote to memory of 2504	1548	Kiqpop32.exe	Kkaiqk32.exe
PID 2504 wrote to memory of 2004	2504	Kkaiqk32.exe	Lcojjmea.exe
PID 2504 wrote to memory of 2004	2504	Kkaiqk32.exe	Lcojjmea.exe
PID 2504 wrote to memory of 2004	2504	Kkaiqk32.exe	Lcojjmea.exe
PID 2504 wrote to memory of 2004	2504	Kkaiqk32.exe	Lcojjmea.exe
PID 2004 wrote to memory of 1372	2004	Lcojjmea.exe	Labkdack.exe
PID 2004 wrote to memory of 1372	2004	Lcojjmea.exe	Labkdack.exe
PID 2004 wrote to memory of 1372	2004	Lcojjmea.exe	Labkdack.exe
PID 2004 wrote to memory of 1372	2004	Lcojjmea.exe	Labkdack.exe
PID 1372 wrote to memory of 2116	1372	Labkdack.exe	Lmikibio.exe
PID 1372 wrote to memory of 2116	1372	Labkdack.exe	Lmikibio.exe
PID 1372 wrote to memory of 2116	1372	Labkdack.exe	Lmikibio.exe
PID 1372 wrote to memory of 2116	1372	Labkdack.exe	Lmikibio.exe
PID 2116 wrote to memory of 1272	2116	Lmikibio.exe	Mpmapm32.exe
PID 2116 wrote to memory of 1272	2116	Lmikibio.exe	Mpmapm32.exe
PID 2116 wrote to memory of 1272	2116	Lmikibio.exe	Mpmapm32.exe
PID 2116 wrote to memory of 1272	2116	Lmikibio.exe	Mpmapm32.exe

C:\Users\Admin\AppData\Local\Temp\34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\Hhehek32.exe
C:\Windows\system32\Hhehek32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\Hgmalg32.exe
C:\Windows\system32\Hgmalg32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\Icfofg32.exe
C:\Windows\system32\Icfofg32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\Ijbdha32.exe
C:\Windows\system32\Ijbdha32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\Jocflgga.exe
C:\Windows\system32\Jocflgga.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\Jnicmdli.exe
C:\Windows\system32\Jnicmdli.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\Jchhkjhn.exe
C:\Windows\system32\Jchhkjhn.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\Jdgdempa.exe
C:\Windows\system32\Jdgdempa.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\Kjfjbdle.exe
C:\Windows\system32\Kjfjbdle.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\Kfmjgeaj.exe
C:\Windows\system32\Kfmjgeaj.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\Kiqpop32.exe
C:\Windows\system32\Kiqpop32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\Kkaiqk32.exe
C:\Windows\system32\Kkaiqk32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\Lcojjmea.exe
C:\Windows\system32\Lcojjmea.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\Labkdack.exe
C:\Windows\system32\Labkdack.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\Lmikibio.exe
C:\Windows\system32\Lmikibio.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\Mpmapm32.exe
C:\Windows\system32\Mpmapm32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1272

C:\Windows\SysWOW64\Mkklljmg.exe
C:\Windows\system32\Mkklljmg.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2020

C:\Windows\SysWOW64\Ndemjoae.exe
C:\Windows\system32\Ndemjoae.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1184

C:\Windows\SysWOW64\Nibebfpl.exe
C:\Windows\system32\Nibebfpl.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2316

C:\Windows\SysWOW64\Niebhf32.exe
C:\Windows\system32\Niebhf32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2332

C:\Windows\SysWOW64\Nodgel32.exe
C:\Windows\system32\Nodgel32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1104

C:\Windows\SysWOW64\Nlhgoqhh.exe
C:\Windows\system32\Nlhgoqhh.exe
23⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 140
24⤵
- Loads dropped DLL
- Program crash
PID:1112

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jdgdempa.exe
Filesize
163KB

MD5
49858b7112753a36252037fee251fc67

SHA1
66484aaa809b53637c5e3555d6aa62655531542a

SHA256
452790a490900ab3f621aadff3b9e67fff6d0f83f4549590bf535f1234037b6b

SHA512
c663dfaa4bdcb8d1824ad5e16f4f725ff915a666b3fbfa7ac4a59c82dc7810ba698896bc146c8ecdfd2b7bdaf5a292b0725a12e628b96c852d5151bc8397d0c2

Download Submit
C:\Windows\SysWOW64\Mkklljmg.exe
Filesize
163KB

MD5
c27cf30945444bfa2897ff69e4bffe61

SHA1
219e0084918e7f762a233b464e25c35f501c10af

SHA256
3c0ade39541c6684eee09d0d264643ad66a749e9bc497e146a18ecbecb88b9cb

SHA512
1d4f1b689968e8ecbf88c99676a5e6db5fa336ae48e60a88034daa8b293dad7ff39f44ee0f4ac10a6162f1288030b4bd5010187b7e5c4882e00533cbcc72b1dc

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe
Filesize
163KB

MD5
fb9ba53221fcc394d092191978b6c703

SHA1
89bc61b3588648f40717e4a01c1c4736c333884a

SHA256
f5435014e9b93a068859f684d38cce5b6c0f9376a44e578b7ec01e34fa67e9e5

SHA512
1d8148cad32ebbb76933e89a13a47474f1abf355ced189a05fa59fc04dcd518fcfcd7b76d751c8204c0abc493e8926457ace742ef10fb4db6e5b5fcbb3ab6c4b

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe
Filesize
163KB

MD5
ab553043a19f93c8b1a5fe147d32cf7a

SHA1
0e8f783dbab0bbd93ac30856a950ac912bb101cf

SHA256
4891de4245b62d233ed4696176cebdbafe584dfbf95d3d0e6e977be760488e26

SHA512
0fc084d66fea481133fee420bf54fbc339daa3458296ef82c18dea04193401a1871e69b6223911909b003f226f02ed671f212bfc3701fc98d8e334c989081293

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe
Filesize
163KB

MD5
c84164b81ed80a69c4a74d86302e3def

SHA1
9374b17367832ed9488ece8d64cda17942893bc7

SHA256
9e30912f33ca14a0214566a1709bbd9d16d90673ab31f341f11b7264346a66cf

SHA512
11f07f4be38bcd1cecba5a4cdecab2e22760d5ad1d671ef7d04619110dedffff6802ddc1d6dcbba9de41c8e55eef09c7e5f4b9f4cd30df8157428d94b8959f13

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe
Filesize
163KB

MD5
c9e0610ca1a30491a9018b50a03b726f

SHA1
5765b3ed54a02f2bf78ca4abea9b1f22b288b154

SHA256
f8dc324a9662bf28292992312dc1fa9d62dc600e63a1e19214add09dcb520166

SHA512
6ce5a8cab77d63395fbb75f9e086e76c10fbf9543eee71b009734c827629ca4c6759fde4501c5c25bda30cbc14128777a034f9944191aa6d163e755c7777ab49

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe
Filesize
163KB

MD5
0be8c92e2f4246422ded466d2cdb7a3c

SHA1
c1e82aee1adbce51aecfe5a5242f91add43a91ed

SHA256
ab819b06656da95ea45febe1709aaeef4120a4698bd0ac376bf831347372b182

SHA512
2df5c2af6a569e2074ca9e2990a65edbaf8178ed4b3d8036326f5b67d9fe3fd7bc5b5d2a41fc1c29ccf53a7012ba6527d9719e82ba9ba10aef5c162b55e34c1b

Download Submit
\Windows\SysWOW64\Hgmalg32.exe
Filesize
163KB

MD5
d844a6880326fbd46d98d368a26c02f9

SHA1
a282058770da7cda1c4454c7c330aeb0e20b3d6f

SHA256
a83fb5031e92237eeb989c1487ac799f9bad4424ec9720f9e51317181a3a4e0e

SHA512
ba39236ac8f54201d4aad8b973763cfb32d4b8a47194261876da2ae16ef186ae8f5e2a98c7cf01f52e3e3ac342787d502c413ab329a9c68686b0754226253f0c

Download Submit
\Windows\SysWOW64\Hhehek32.exe
Filesize
163KB

MD5
382d553f8fccad03c895be194d562b59

SHA1
405b8ee6dad6cb75d56af62d20ba0a78ee226195

SHA256
4341c67cfef88c4046d75d9efa2fc64a531961f9ab8ee5730b15dc1ca75151c8

SHA512
4deb767cf22fdc4b7cfc552c427ea5ee0870389b1314ce9d192626bbd9fa7770c08aaa5f3153b11628681798a9a5ab8a2b3ff475ca6cb79cb980e5d87999edec

Download Submit
\Windows\SysWOW64\Icfofg32.exe
Filesize
163KB

MD5
efea936ff92d6022bd00d9833ab9a7ba

SHA1
1811e7c5358892a846f1ab9b95463e7a556bae6f

SHA256
9f9cf1a134ab540264ac95bb08b3373b56529213f9a41ca24a35829652a6ea13

SHA512
a810c7085616e91ef98af5396e0a57308456276695d3401bdc4a1d18cb84b128b2f5ff1c9b7ad5924b989aeb380fc07cfd3426fafd765c3e25021d3b3dd79a7b

Download Submit
\Windows\SysWOW64\Ijbdha32.exe
Filesize
163KB

MD5
1473a911dcee3f8d41df6b0a7e024dc6

SHA1
a6e34a9bffbd19d2179086a23e5e741926e30129

SHA256
954081a594265d2cef3843d45b5b499d4995ae662581f5c99395ce23ffe09f04

SHA512
1bc988c0ba7adbd158590ef559391708ca11528d0863e5ca1a4783c3f4d64417e8b05e0cfd95227189818361eed6244450901fd2b8b6fdbee2b11ca9e6b1d921

Download Submit
\Windows\SysWOW64\Jchhkjhn.exe
Filesize
163KB

MD5
7346a49ec31657cf7562fa4cc2c442d7

SHA1
473cff02b1ad6446b541cca1e67d40e874d1d6ac

SHA256
a40fc09ce63ef1a9f1a872dc04e57ae072cbf6a3094d989128ee99208dfa30bd

SHA512
c16a1ab581a495f4a9c1d9591507f08475dc04ff2fe14a251db981d00822dbbbf2287b987032a09a9e3af32b8ada2064c6debba49163c22caaa3d130901833cd

Download Submit
\Windows\SysWOW64\Jnicmdli.exe
Filesize
163KB

MD5
3b1a134a41d395b9977b39a04d7ac601

SHA1
023e91b935e5982b854b3a36a7ab5b70c1333191

SHA256
95972ce79513a1b2ddc7cd6c804a4876159710f7b246fc587260840bd3a50c21

SHA512
a4698c8c5459ef05189c9429bdbf35e43128a06736040d43961a4d2207b19d57849b9d45afa4951b52dc8dbb08fe6367486ef2e279d84ccbe2a58594e8df0d9b

Download Submit
\Windows\SysWOW64\Jocflgga.exe
Filesize
163KB

MD5
be6b0bd6a92f915a9eb647235f13f253

SHA1
67a6daee475290855003c83523aba6f66e2ab484

SHA256
026580828efff92d870e9006889a0c27ccdf9d1ba3f7d945c1683861b2ee140a

SHA512
1b32d440cd59af2ef3f10baf7affa9eb756e03c58f86f90d2a5f88742958300063ac313cbd1061a9e607f7842ee9362bd050508b70247076fbe7fd4a12d89df2

Download Submit
\Windows\SysWOW64\Kfmjgeaj.exe
Filesize
163KB

MD5
f98b6a3f651a815872c45d80b47bacc3

SHA1
29d90fcad388c26e17807a6a065265227ed2de68

SHA256
33ed84585c4dd9780e33063221e86a2dd3b81dd804052c68baf6a7fb031c87b6

SHA512
dbca8577fdf58edd068a89c4eb6b1e96c281f9b76deef902712c844eb7409250a7b9d4a8fc7f9f6c1f91a1ea525a859f605f81b7cb82785bdd99df5e7129889b

Download Submit
\Windows\SysWOW64\Kiqpop32.exe
Filesize
163KB

MD5
43853c605ae6d3f360ae6709de0aee6e

SHA1
8c42ecac72c1c85dc782c69615b3a347b217679f

SHA256
1c9fd063c454a5f7a3f556bc637b63451dc9ec286ba6d7ed1b3724f940a63be6

SHA512
7a9b6b5135a370abdfd8db0f50b3c5164a79b61a0e511f1c8a41d9b8650cc031c5eb69095a35b1a7141fdeef96c573375c2a98f8e7646ef33d278f93938aa7fb

Download Submit
\Windows\SysWOW64\Kjfjbdle.exe
Filesize
163KB

MD5
1dcbb9fb393c08c95bb2c67accbd42d4

SHA1
b97b432f111bdd4417b6f5fc936acaafd754e66d

SHA256
beba1991e3e0a83638ae88dffa1b3593273cb6f183e181bfa7ca5f3457ecf495

SHA512
520b6426f3d47c615607b760f20a15bc200487ade83633077aaf140d171e61a3c88304b5a20049b3798a9eb0340452b894871c1d93a6d861fead441d0436b137

Download Submit
\Windows\SysWOW64\Kkaiqk32.exe
Filesize
163KB

MD5
751e3ee7000141784efd26fd39008a55

SHA1
9f92baa7855f99d1f595548d11de500f800b0f65

SHA256
c5c9a2ae9ef2dc6146c0878a522d070cf52d1e56af528e4673f72b7872301469

SHA512
f31e10610cbd2b34902ddc31a0786e4ecaa36c24bc601a241fe553385dc7a8300cbe526d27072b21c7d76738bd9e20334ea206a5f482cfa5b0d86713a0a2d2da

Download Submit
\Windows\SysWOW64\Labkdack.exe
Filesize
163KB

MD5
a629d7d38c1c6aac710032cfc8d1be2e

SHA1
ebba8ec2089fdec851bd5bb944da9b9c11c0b22f

SHA256
a8a758f8929b9aa41e14ae4398ecf38a3fff315fc3c0a572427f0db8dc6dbcfc

SHA512
39b026d5799422f944e8cf2a3eace5d319f07324709650a4523d9b1b7860649b7c213f456ddaf34806f874ced1a58e3496756a49d977a066b17e475960a5f73f

Download Submit
\Windows\SysWOW64\Lcojjmea.exe
Filesize
163KB

MD5
0772b541b70d530a552ee3ca3842842d

SHA1
39d3c90565b57bad705e1767350e58229b04cb8c

SHA256
b384bb1f13b8aa150b208bc42c57380d254c0ed48c2364602c22496dfebed11a

SHA512
d5f92243d42932bb550e12e61799eb7901a9da045c9311cf63adcabe4cd6fb1455f550e54bdccbc65ac528b96f01dab5e5606a7b637212bfd3344a0a9fd2ef48

Download Submit
\Windows\SysWOW64\Lmikibio.exe
Filesize
163KB

MD5
d2c818551e0d8df4a158d4eb1b914895

SHA1
8d8d1bfe577c61cf135002d29251e2d96c0fe92b

SHA256
f145bf0ec06e1e0c77d101ba6e4c8b505b068259a625cd11f2244643dcfd253a

SHA512
e3e615d6e045409c605dc2774a81ef6c403577873bc8517fc876e8ac51c1603b51e2823388252d545d5b4d57067014da4a90bcf9f4209a201f593f507bf6a381

Download Submit
\Windows\SysWOW64\Mpmapm32.exe
Filesize
163KB

MD5
d22771150fc83113de538611739b547d

SHA1
df27d39e793fae3af6ec6c1b9df28c4397988ecb

SHA256
24e8363d680db74be66e6af1684f909878ff15bc27c9baea00feba62d4f7b7d7

SHA512
f9d906e2a237e2fe702d05b5feb54c507a12a9ccc0ac6afe9b00b4115047a797b28961fd6b43022481dddc43fca4286e08552c10ec973ef9c3b629f3b78da833

Download Submit
memory/1104-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1104-275-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1104-279-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1104-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1184-245-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1184-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1184-246-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1184-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-224-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1272-223-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1372-204-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1372-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1372-191-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1548-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1548-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1624-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1936-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2004-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2012-6-0x0000000001BE0000-0x0000000001C33000-memory.dmp

Filesize
332KB

Download
memory/2012-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2012-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2020-234-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2020-235-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2020-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2020-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2116-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2116-210-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2116-211-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2116-362-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-256-0x00000000002B0000-0x0000000000303000-memory.dmp

Filesize
332KB

Download
memory/2316-257-0x00000000002B0000-0x0000000000303000-memory.dmp

Filesize
332KB

Download
memory/2316-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-251-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-268-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2332-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-267-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2484-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2484-131-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2484-126-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2504-158-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2504-170-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2504-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2524-25-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2524-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2524-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2524-26-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2564-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2564-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2636-63-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/2636-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-35-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/2652-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2664-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-54-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2720-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2820-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2820-106-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads