3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660

Analysis

max time kernel
41s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe
Size

52KB
MD5

59ea2c4b6f74be6ec18f5cefe20caf40
SHA1

ce7192ce33c17ddd20231a52f66ebd6005a8db5a
SHA256

3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660
SHA512

c8f2d1b977f83d99592a70f5b79c747b28f4bb571c1255fe14d118cc351e173d82622eb53c9234c3671f8d14318ad42a6c5d05748a174fe35d6a2e321915f7dc
SSDEEP

768:k/Y3uesKNTg6N6qADKPBWyDLB5cLHVkZvUphcf8s/1H5F/sTMABvKWe:F3uesKxMDEBWy3BqjVWC7iWMAdKZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kgfoan32.exeLcbiao32.exeLdaeka32.exeNafokcol.exeLaopdgcg.exeLmqgnhmp.exeLgikfn32.exeLnepih32.exeNdghmo32.exeNggqoj32.exeNddkgonp.exeKdhbec32.exeLaciofpa.exeLddbqa32.exeMaohkd32.exeNgpjnkpf.exeNcgkcl32.exeKipabjil.exeLkgdml32.exeMdfofakp.exeMpmokb32.exeMjhqjg32.exeKkpnlm32.exeLphfpbdi.exeMnocof32.exeMjjmog32.exeNqklmpdd.exeMnapdf32.exeNqfbaq32.exeMgekbljc.exeNbhkac32.exeKbfiep32.exeLilanioo.exeLgpagm32.exeMaaepd32.exeNacbfdao.exeNgcgcjnc.exeLpocjdld.exeLiggbi32.exeNnmopdep.exeNcihikcg.exeMahbje32.exeMpkbebbf.exeMjcgohig.exeNjacpf32.exeNjljefql.exeNkqpjidj.exeNjcpee32.exeNnolfdcn.exeMgghhlhq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe

Executes dropped EXE 64 IoCs

Processes:

Kphmie32.exeKbfiep32.exeKipabjil.exeKmlnbi32.exeKpjjod32.exeKcifkp32.exeKkpnlm32.exeKmnjhioc.exeKpmfddnf.exeKdhbec32.exeKgfoan32.exeLmqgnhmp.exeLpocjdld.exeLgikfn32.exeLiggbi32.exeLaopdgcg.exeLcpllo32.exeLgkhlnbn.exeLkgdml32.exeLnepih32.exeLpcmec32.exeLcbiao32.exeLgneampk.exeLilanioo.exeLaciofpa.exeLdaeka32.exeLgpagm32.exeLklnhlfb.exeLphfpbdi.exeLddbqa32.exeLknjmkdo.exeMahbje32.exeMpkbebbf.exeMdfofakp.exeMgekbljc.exeMjcgohig.exeMnocof32.exeMpmokb32.exeMdiklqhm.exeMgghhlhq.exeMjeddggd.exeMnapdf32.exeMdkhapfj.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMdmegp32.exeMcpebmkb.exeMglack32.exeMjjmog32.exeMaaepd32.exeMpdelajl.exeMdpalp32.exeNkjjij32.exeNjljefql.exeNacbfdao.exeNqfbaq32.exeNceonl32.exeNgpjnkpf.exeNklfoi32.exeNnjbke32.exeNafokcol.exeNddkgonp.exeNcgkcl32.exe

pid	process
4440	Kphmie32.exe
1896	Kbfiep32.exe
216	Kipabjil.exe
4428	Kmlnbi32.exe
860	Kpjjod32.exe
1476	Kcifkp32.exe
4468	Kkpnlm32.exe
3992	Kmnjhioc.exe
4204	Kpmfddnf.exe
2404	Kdhbec32.exe
3732	Kgfoan32.exe
2368	Lmqgnhmp.exe
1064	Lpocjdld.exe
4384	Lgikfn32.exe
840	Liggbi32.exe
3552	Laopdgcg.exe
440	Lcpllo32.exe
5112	Lgkhlnbn.exe
1196	Lkgdml32.exe
4748	Lnepih32.exe
2920	Lpcmec32.exe
1540	Lcbiao32.exe
2052	Lgneampk.exe
980	Lilanioo.exe
2840	Laciofpa.exe
1704	Ldaeka32.exe
2216	Lgpagm32.exe
4444	Lklnhlfb.exe
3236	Lphfpbdi.exe
4680	Lddbqa32.exe
2160	Lknjmkdo.exe
4876	Mahbje32.exe
2372	Mpkbebbf.exe
1312	Mdfofakp.exe
448	Mgekbljc.exe
4156	Mjcgohig.exe
4736	Mnocof32.exe
4796	Mpmokb32.exe
4152	Mdiklqhm.exe
1644	Mgghhlhq.exe
32	Mjeddggd.exe
4256	Mnapdf32.exe
516	Mdkhapfj.exe
3420	Mgidml32.exe
3132	Mjhqjg32.exe
2208	Maohkd32.exe
4968	Mdmegp32.exe
1360	Mcpebmkb.exe
5020	Mglack32.exe
3168	Mjjmog32.exe
2948	Maaepd32.exe
3268	Mpdelajl.exe
748	Mdpalp32.exe
1848	Nkjjij32.exe
1828	Njljefql.exe
752	Nacbfdao.exe
2116	Nqfbaq32.exe
3444	Nceonl32.exe
3136	Ngpjnkpf.exe
4664	Nklfoi32.exe
4536	Nnjbke32.exe
2432	Nafokcol.exe
4656	Nddkgonp.exe
1404	Ncgkcl32.exe

Drops file in System32 directory 64 IoCs

Processes:

Mjcgohig.exeNceonl32.exeNgpjnkpf.exeKipabjil.exeLddbqa32.exeMpkbebbf.exeNddkgonp.exeNcgkcl32.exeNcldnkae.exeLpocjdld.exeNkjjij32.exe3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exeKmnjhioc.exeLaciofpa.exeNjljefql.exeMpdelajl.exeMdpalp32.exeKcifkp32.exeLmqgnhmp.exeLdaeka32.exeNkqpjidj.exeLnepih32.exeMgekbljc.exeLgneampk.exeMgghhlhq.exeKbfiep32.exeNbhkac32.exeLilanioo.exeMdkhapfj.exeMjhqjg32.exeMaaepd32.exeNklfoi32.exeNgcgcjnc.exeMjeddggd.exeNbkhfc32.exeLaopdgcg.exeMahbje32.exeKphmie32.exeLcbiao32.exeNacbfdao.exeMdmegp32.exeNjacpf32.exeKkpnlm32.exeMpmokb32.exeMnapdf32.exeNnjbke32.exeNafokcol.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2268 4740 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
2268	4740	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Mgidml32.exeLpocjdld.exeMdpalp32.exeNbhkac32.exeNggqoj32.exeKbfiep32.exeKgfoan32.exeLkgdml32.exeNjljefql.exeNjacpf32.exeKpmfddnf.exeMdfofakp.exeMdkhapfj.exeNkjjij32.exeNklfoi32.exeNcgkcl32.exeKmlnbi32.exeLcbiao32.exeMpkbebbf.exe3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exeMpmokb32.exeMpdelajl.exeLphfpbdi.exeMjhqjg32.exeMjeddggd.exeNceonl32.exeNnmopdep.exeKipabjil.exeLgikfn32.exeLiggbi32.exeLgkhlnbn.exeLddbqa32.exeMdiklqhm.exeNqmhbpba.exeLilanioo.exeLpcmec32.exeMaohkd32.exeKmnjhioc.exeMjjmog32.exeNdidbn32.exeLaopdgcg.exeNgpjnkpf.exeLklnhlfb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exeKphmie32.exeKbfiep32.exeKipabjil.exeKmlnbi32.exeKpjjod32.exeKcifkp32.exeKkpnlm32.exeKmnjhioc.exeKpmfddnf.exeKdhbec32.exeKgfoan32.exeLmqgnhmp.exeLpocjdld.exeLgikfn32.exeLiggbi32.exeLaopdgcg.exeLcpllo32.exeLgkhlnbn.exeLkgdml32.exeLnepih32.exeLpcmec32.exe

description	pid	process	target process
PID 432 wrote to memory of 4440	432	3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe	Kphmie32.exe
PID 432 wrote to memory of 4440	432	3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe	Kphmie32.exe
PID 432 wrote to memory of 4440	432	3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe	Kphmie32.exe
PID 4440 wrote to memory of 1896	4440	Kphmie32.exe	Kbfiep32.exe
PID 4440 wrote to memory of 1896	4440	Kphmie32.exe	Kbfiep32.exe
PID 4440 wrote to memory of 1896	4440	Kphmie32.exe	Kbfiep32.exe
PID 1896 wrote to memory of 216	1896	Kbfiep32.exe	Kipabjil.exe
PID 1896 wrote to memory of 216	1896	Kbfiep32.exe	Kipabjil.exe
PID 1896 wrote to memory of 216	1896	Kbfiep32.exe	Kipabjil.exe
PID 216 wrote to memory of 4428	216	Kipabjil.exe	Kmlnbi32.exe
PID 216 wrote to memory of 4428	216	Kipabjil.exe	Kmlnbi32.exe
PID 216 wrote to memory of 4428	216	Kipabjil.exe	Kmlnbi32.exe
PID 4428 wrote to memory of 860	4428	Kmlnbi32.exe	Kpjjod32.exe
PID 4428 wrote to memory of 860	4428	Kmlnbi32.exe	Kpjjod32.exe
PID 4428 wrote to memory of 860	4428	Kmlnbi32.exe	Kpjjod32.exe
PID 860 wrote to memory of 1476	860	Kpjjod32.exe	Kcifkp32.exe
PID 860 wrote to memory of 1476	860	Kpjjod32.exe	Kcifkp32.exe
PID 860 wrote to memory of 1476	860	Kpjjod32.exe	Kcifkp32.exe
PID 1476 wrote to memory of 4468	1476	Kcifkp32.exe	Kkpnlm32.exe
PID 1476 wrote to memory of 4468	1476	Kcifkp32.exe	Kkpnlm32.exe
PID 1476 wrote to memory of 4468	1476	Kcifkp32.exe	Kkpnlm32.exe
PID 4468 wrote to memory of 3992	4468	Kkpnlm32.exe	Kmnjhioc.exe
PID 4468 wrote to memory of 3992	4468	Kkpnlm32.exe	Kmnjhioc.exe
PID 4468 wrote to memory of 3992	4468	Kkpnlm32.exe	Kmnjhioc.exe
PID 3992 wrote to memory of 4204	3992	Kmnjhioc.exe	Kpmfddnf.exe
PID 3992 wrote to memory of 4204	3992	Kmnjhioc.exe	Kpmfddnf.exe
PID 3992 wrote to memory of 4204	3992	Kmnjhioc.exe	Kpmfddnf.exe
PID 4204 wrote to memory of 2404	4204	Kpmfddnf.exe	Kdhbec32.exe
PID 4204 wrote to memory of 2404	4204	Kpmfddnf.exe	Kdhbec32.exe
PID 4204 wrote to memory of 2404	4204	Kpmfddnf.exe	Kdhbec32.exe
PID 2404 wrote to memory of 3732	2404	Kdhbec32.exe	Kgfoan32.exe
PID 2404 wrote to memory of 3732	2404	Kdhbec32.exe	Kgfoan32.exe
PID 2404 wrote to memory of 3732	2404	Kdhbec32.exe	Kgfoan32.exe
PID 3732 wrote to memory of 2368	3732	Kgfoan32.exe	Lmqgnhmp.exe
PID 3732 wrote to memory of 2368	3732	Kgfoan32.exe	Lmqgnhmp.exe
PID 3732 wrote to memory of 2368	3732	Kgfoan32.exe	Lmqgnhmp.exe
PID 2368 wrote to memory of 1064	2368	Lmqgnhmp.exe	Lpocjdld.exe
PID 2368 wrote to memory of 1064	2368	Lmqgnhmp.exe	Lpocjdld.exe
PID 2368 wrote to memory of 1064	2368	Lmqgnhmp.exe	Lpocjdld.exe
PID 1064 wrote to memory of 4384	1064	Lpocjdld.exe	Lgikfn32.exe
PID 1064 wrote to memory of 4384	1064	Lpocjdld.exe	Lgikfn32.exe
PID 1064 wrote to memory of 4384	1064	Lpocjdld.exe	Lgikfn32.exe
PID 4384 wrote to memory of 840	4384	Lgikfn32.exe	Liggbi32.exe
PID 4384 wrote to memory of 840	4384	Lgikfn32.exe	Liggbi32.exe
PID 4384 wrote to memory of 840	4384	Lgikfn32.exe	Liggbi32.exe
PID 840 wrote to memory of 3552	840	Liggbi32.exe	Laopdgcg.exe
PID 840 wrote to memory of 3552	840	Liggbi32.exe	Laopdgcg.exe
PID 840 wrote to memory of 3552	840	Liggbi32.exe	Laopdgcg.exe
PID 3552 wrote to memory of 440	3552	Laopdgcg.exe	Lcpllo32.exe
PID 3552 wrote to memory of 440	3552	Laopdgcg.exe	Lcpllo32.exe
PID 3552 wrote to memory of 440	3552	Laopdgcg.exe	Lcpllo32.exe
PID 440 wrote to memory of 5112	440	Lcpllo32.exe	Lgkhlnbn.exe
PID 440 wrote to memory of 5112	440	Lcpllo32.exe	Lgkhlnbn.exe
PID 440 wrote to memory of 5112	440	Lcpllo32.exe	Lgkhlnbn.exe
PID 5112 wrote to memory of 1196	5112	Lgkhlnbn.exe	Lkgdml32.exe
PID 5112 wrote to memory of 1196	5112	Lgkhlnbn.exe	Lkgdml32.exe
PID 5112 wrote to memory of 1196	5112	Lgkhlnbn.exe	Lkgdml32.exe
PID 1196 wrote to memory of 4748	1196	Lkgdml32.exe	Lnepih32.exe
PID 1196 wrote to memory of 4748	1196	Lkgdml32.exe	Lnepih32.exe
PID 1196 wrote to memory of 4748	1196	Lkgdml32.exe	Lnepih32.exe
PID 4748 wrote to memory of 2920	4748	Lnepih32.exe	Lpcmec32.exe
PID 4748 wrote to memory of 2920	4748	Lnepih32.exe	Lpcmec32.exe
PID 4748 wrote to memory of 2920	4748	Lnepih32.exe	Lpcmec32.exe
PID 2920 wrote to memory of 1540	2920	Lpcmec32.exe	Lcbiao32.exe

C:\Users\Admin\AppData\Local\Temp\3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3494af4f6f0e306d3f2431945e86f5e85dd6d48d0f8735860a57e1f03409b660_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1540

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:980

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2840

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1704

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2216

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
29⤵
- Executes dropped EXE
- Modifies registry class
PID:4444

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3236

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4680

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
32⤵
- Executes dropped EXE
PID:2160

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4876

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2372

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1312

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:448

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4156

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4736

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4796

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
40⤵
- Executes dropped EXE
- Modifies registry class
PID:4152

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1644

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:32

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4256

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:516

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
45⤵
- Executes dropped EXE
- Modifies registry class
PID:3420

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3132

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2208

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4968

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
49⤵
- Executes dropped EXE
PID:1360

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
50⤵
- Executes dropped EXE
PID:5020

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3168

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2948

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3268

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:748

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1848

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1828

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:752

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2116

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3444

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3136

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4664

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4536

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2432

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4656

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1404

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3304

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3052

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4376

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:228

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3188

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1396

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:544

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3852

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3980

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
76⤵
- Drops file in System32 directory
PID:4688

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
77⤵
- Modifies registry class
PID:3472

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
78⤵
- Modifies registry class
PID:1220

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
79⤵
- Drops file in System32 directory
PID:3832

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5008

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
81⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 400
82⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4740 -ip 4740
1⤵
PID:2452

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kbfiep32.exe
Filesize
52KB

MD5
01bfc4ce1ce35dcdb7a0330af1f87fd1

SHA1
84056c3a2b11765bf9e4795d32cdfb529c5f8bb7

SHA256
99adf51f00874d9849b72343c2588ffd475629057168786a182fa07f0cf782ac

SHA512
8a47d3751a1a42998b5faacb3bd15046468f7b989ea6add014611d1385a5a56c7eb8e45d5320fc19c3eaf53094d095d052d24641ca11838c6247ccff5099d631

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe
Filesize
52KB

MD5
334786f04190beb85c1f1bd3f8e7174c

SHA1
edd5542f699c703bbddbde513c02ca12bf33b200

SHA256
7b78428210aed360b526f14ea27a29f3c10f182f8b25b6e158f8b4df17559cd6

SHA512
60ec935373161ec9364294777563726d4c321fdda730e9c4f3a06cfa501e497c0c59a4b6217344fca9582e2ab5f6da9d15f38a0d7cfebff2bea437b57c0d5118

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe
Filesize
52KB

MD5
76f4052ce74133e58fdc0db985f9b4c0

SHA1
15ba716861b934d67bd78ac4314ac582ecc086c5

SHA256
7f71aa5a0568e69ee28ae3b2f68138edbd8f5403fee8c109158356718ec96f3e

SHA512
d3adb82a003fcac60d1e5525cfb0fd7cec0a28103fccf83b716c8aa486ea2312f53659e71e5e6ed12149edb72e314990b6047d4d6fbc585a6e7ce6b67a8d9a30

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe
Filesize
52KB

MD5
255532bbb09b2cdca00392ebdae79c1e

SHA1
99f190386c9c5224492909f049dd23dd440b6936

SHA256
9d9e98186c8b736dfd0e064c926a8a80bb34e026ec16b0bb6454da461e60b720

SHA512
46260a55a48c688ecfd38b478f054d8a362977d01a76f8585a684a4b2c5ea236c64f21f58c82ccdab8b38a0590a249ec4e9c9f518363f975ee84fc6728c0e381

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe
Filesize
52KB

MD5
fef610226a38bdd79a9aa2afdef5d30b

SHA1
4bdcaf6d56f79ea52c883b5c17946450de4819e3

SHA256
35cc8d77d1ec0b9552a6350a211646a330144de772b0be501362af6d97086972

SHA512
fbe7849ba728760df6b2723776cdf28e1a14ef2e909ad2f09dcabf43a9e897fc9f35f4934fe2184884fac9a195947b21236fd0e6dd7776ab3a519eb1b7b151c4

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe
Filesize
52KB

MD5
f72560a34db3ebe0899c0c3d8630fc10

SHA1
7516f13fc86224855745873a17c5034328efa5a7

SHA256
067fe31f5c8e0801ebe8143913e5f08d7d9e73ec8736591f75ca5cff0821f636

SHA512
fdbf173351a762a2fd6de12a56a4c522f6e08dac6e5d7050336380579c890840cd84d01dfb2cb4a547653300600133453e33dee3ffcaf268572856c5aac49435

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe
Filesize
52KB

MD5
87b3b89b43ca9ee91d586206b1f7282a

SHA1
adba3d4e10c3280eb49e1c87addc70f34c9729ba

SHA256
b8ce73907d50c88459c757d45e50ec96d2aca531843cd4e70561008186ee3b04

SHA512
fa7fb5d24cf0706a71323a8e48862aa4563aadc75663420806732e038684863356d5672d69d3bfa9d82509684b9f2fe8d94b82ad81a5606ac75df683a0fdee58

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe
Filesize
52KB

MD5
2e35838dc9b206d298ed8c434f1ff489

SHA1
e89624ca86a979aebf75ad1f3e873c9bee2523ca

SHA256
3469ec5218485a29d872497262c83e0886ecda3cc5e55e5e89036aad91782066

SHA512
b7ab08318b987bdff4d2eb6547128bc82abf6e9d39c24d675cf9fdcda34a947599ad4b64531d003f2ff829ec6db1d4869504436d3ad0b7363ce7eb57c7d1fc09

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe
Filesize
52KB

MD5
0145870e17958ba06cf850d9632a8a0a

SHA1
18cf277e7bcdcb2636335e29f0792d4c60f47a34

SHA256
93b90f050223711f38eb665392b600a9f812efcf9230879864659e98580a4427

SHA512
cc0c750efdcfc52eae905b1ebf83f0fed2ff7e32e7027fc1fae62453b02cf5ac1ca74536ed71b642a2892a49fa36cb1b4995e4dda0b92f36f15ce1f04b95dcbc

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe
Filesize
52KB

MD5
695dbce763cb1bceacd7f306d82d9e38

SHA1
5f369db6a84dedac332f2395537997825444385b

SHA256
c544cf39d3a2db23e234aeb1599bbe2d9daf7708efe148a821444203b0ccc781

SHA512
e3646811f472ddded64d206fe940cd150bf9235da4c6f5772c9a48a5d78cb68548d05628f056ca2a3c125291229d315ceb6d753d5d067ee7e44001a0b9cb5528

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe
Filesize
52KB

MD5
5764c1ed39f90f88fa07692c979e67f5

SHA1
a80a2b79e68ebe263585102306f1a1a0be041634

SHA256
0ac54ffc87feb451b26c454c65e2f99870d327a3f2080e8a99d441cbd0c1c68c

SHA512
9f8eb2b57aa89cfff02af9c267bc0dfd588209be2320b4890387f3e5d8f20d337aa3a7ec4b3f41cc1337bfeb086f9ad63fa5597269d9e7f9fd1740062099b6b9

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe
Filesize
52KB

MD5
daa1fe73942505c132e1787410008164

SHA1
d55d92f74ac9125e55dce77e6dbe35c735c99a81

SHA256
806126a4c96e440c770a220a784d9a761741284780a3e88e147a6143ed3ae4a2

SHA512
47ea69984621538f7c3cb2d39e389aa0b20637f64be2ad9c3f8abacf538c4038fb551548a822c075d90004fe8b79ff8cc63ba8ce8795653256b74b605c59e7e2

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe
Filesize
52KB

MD5
2d0b753377057ffb107c1a73cf68aeef

SHA1
ca4632785c0dba4d9218e9b0e0aadc6877836382

SHA256
1547da2b3c100fb8d249f0ba661215f21bac208c8b56cc631f5659302019dc31

SHA512
49b09530e1ec7db4b670a83dc0486a5cbcd2a9db30405a9526ed641d5d8cd3848f96c9b855dfecce607d63300d7530b03638fa07984bab6e1d389405dd722dc5

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe
Filesize
52KB

MD5
9f97f510ebe97028f227e84e202cc58f

SHA1
992579715bc826a096bc9668112c2997757bc1c9

SHA256
26796da20bb1ff878e5be85436afc9ee88ffe76df76802e17059cd17773f3e53

SHA512
48b456beec2b7e7e26a57e83a54512a022bc0897b2d9781c639a6eb5f53d996f80e5a938c608ce5bae46c5feb73e0518d9f34f425df1636da1a240d3d7003e53

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe
Filesize
52KB

MD5
f17a86c67454b31b36091efc7b8c3889

SHA1
460002381a4b9abbf3067fd4924d89a41f634836

SHA256
3dd81c4ef90e428e7aade89703a4328ed825bce199e1b8625c478d6a56adf2c6

SHA512
e33420158f5aec4d941c0f21c472d20c5ff7e879f8bb0bfbf978fd3792fbdb03c3382ca19783855076537458be119bcbfe913c06950989af3f44fec3b9cc1bb5

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe
Filesize
52KB

MD5
32563aae2c95cc27491670f469788faf

SHA1
e09c682e31f68c70dcb3293683dabc0db038a3b7

SHA256
f92f6b3987818aa66638b0d63e6dce84e110baef707a8a320873c998f4d8da24

SHA512
820eb2ef94ce6c5b60929011c00a4bdfb3266a98339a53fc05a172e7dcbe757db0a2a94138a36fab30f1ac856a6ab947e947692bc839dc308dadf8edaa7ec219

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe
Filesize
52KB

MD5
1518bae2492ca0ded99a47276bc3a95d

SHA1
722b0b203a768442a80b12583fcf9187e9c3070f

SHA256
c0c72550109af7855a1f67ea77a1a573d721d8ff21b32f3ef501ce220dd24e8c

SHA512
a37a2f6b9b82ad8e210ee088f096fc9aa4e478a6fd68696b7619de50dfb97584ff0ad8da6ad91cd7db37012a8c48b42ae9209a73016b7bb814b318e2e19d748a

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe
Filesize
52KB

MD5
2692a9b92c516d207df93432118b93c3

SHA1
1b90f43adc1b178ffbcb8da42e1199f793c4d7b1

SHA256
5ef6ae206e1c28479de1cd7fd1340470de4a352e8d4c638ccea119a40a2c131b

SHA512
47623a694d3c15816c189710606a1d25b3c91b95ae1a5dcb364146629186e7779f8646b0bc4dbfecd12c4355ee091fa89e9ea292eeec77b55e9b989b07094fda

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe
Filesize
52KB

MD5
ff122b903dcc63db823a58b75170bab6

SHA1
3b91446cc5ae0f73dde79563590989489a7bdde1

SHA256
143e0f37befff10ab902255ee2c8e6b3e0c4773488ce0b829b8d728f81fd96cf

SHA512
8a46bd297f6a242e631bc583fea4d02a54ab42311a7f31b330c0107b48f030a66f824970c7ab07e375b09e64bd33e97590836eb5a56513ccb7729939d1b9715c

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe
Filesize
52KB

MD5
8438e8ab35da69edd242ad8a2fb79be9

SHA1
823d2640fe003aac4aea47359e017e5598531415

SHA256
691c3ebdcc77ac19f0eb1056d4813fad69593b4774864d7482ec17bd5b7ddcec

SHA512
a99dc68cbf7e972f74bb16c92aa84e7a503938f863227fe82ad111061a1d05ced901095ec04a4f043c82b6e5093402f4d92b5ecb6526a3e241e13d814298cb38

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe
Filesize
52KB

MD5
688e60ccd72ad54efac42028ad41e6f5

SHA1
2595c02adc8374b847424a802cfd5888ce5330f2

SHA256
ceb59aad005bd097413de1efb83f186a6cd2220e2138d873146673392fd893da

SHA512
e83bb0327eb3e50a392a28e952a16b2242f36b272bd3eb64ea1c212d9209b71e58c50e7c7eb254a334798c98d2c5183749d5fa2b7e69e053b3c0d4e640e59982

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe
Filesize
52KB

MD5
0b9ce093f5c2e3c7c8b0e2986c8bb18f

SHA1
aafecc4f4b22872485b5ba828f3ab56218ec32ae

SHA256
32ca43a72debd1bf48269869213c2efe4f2368300f6c4c99152b04edce7e1b23

SHA512
74f898614676b3d346f24d18d3b36037775beab9e7d17129bdfae74171d4a467e5571da28eaaf076e7731e870d8a063dd6c53e56e64b167295c9416d0716ab86

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe
Filesize
52KB

MD5
4db74809ae79bc223c2eeada405ee342

SHA1
5fccc3d89c175286604ed95895decbf75a57a4db

SHA256
005b8dfcf218c5deac9eb06ff97fa88c5c30f998152e83fabd2434c26ec12c1b

SHA512
1d387842b021a88436a8edfbcf6ddc998bc8776e20c4f67935a3b755c2174752d1bbbb19eaab20d2ca35edbd759ad8169dc14fa2a4bb623b9d3238733cba141a

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe
Filesize
52KB

MD5
4f52903ad1324be0a7b8fcb11b50b6c9

SHA1
b3322bcec861be284d75e0f26260ed0f3e7480e9

SHA256
29143d27eaae190fba4bd52e69937e4630114ae9e0104c2006f396ccd7e0e714

SHA512
b611732260d60ac3260514f18992c71fd693b456324b34d6d23519084bbffc73e767abcc25d57b2844318a423d593750499b04caefcc19572e9458692c2d1d76

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe
Filesize
52KB

MD5
7b8b14dc97824816e554c18b62e2034b

SHA1
3a44151e030211099b362c9f1338decbee0f0ef1

SHA256
0ad83ab1c6f83d3c98cb76062af31645f6683e9ecbcf20c42374557a1c8b190d

SHA512
adaba59669df80e71fb29326ee2581cbfaad83c880a51e4fb1c4854e72d636b016ec77bbafb24cfab1a36638e7aa496d54111b623a79ffb0b0bf2f5aa0219c1b

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe
Filesize
52KB

MD5
910c4acc939ff45bea4a1044a2ea0408

SHA1
6569ab322c00da89f165bc87bb70ec6a9795eec7

SHA256
1c844c8a60dbeb903e28ad600d0313e855eac8f754182a73f4e850f4011237aa

SHA512
14a129351151f37391dbc67965f23800f18de16f08109f64c7fcccb246a7473517e393d9668f5732c92fd92d714d7e09445bafd9015affff57ceb031c832f729

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
52KB

MD5
c8cc64401fd265180164a5bfa38a4ec8

SHA1
3db514cec97f7be1c898d254847c0a7208b3e82c

SHA256
eb0e65e38033f858e1aac31c9e15cd8e51ee5598e38b1f44e10c9bdf68e79ee2

SHA512
6f941bca3899d849219ba485dd83523f664bbd94112000493ec409ec6c407b9856b95a63baf5a2fbb114e232c37d338d8974b5c99a86b8bcd15355e761366e51

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
52KB

MD5
c9f70194e1702eb3133ebecb091e4708

SHA1
81c8e6abd688f45949a66a5bd37014b00cc6af9b

SHA256
18a7d56b8de62cb9d51f78a38bebdad1db692fbb2c4ee070e1a7fdb19da02b74

SHA512
300f2ee21aa1df45517fbb807357feb02f45ee98135927728be95751b744ee3239659ff578c1d6b02181b42fabb01dc1d5200867586837feddac772a0b6a9929

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe
Filesize
52KB

MD5
524806cc7909059217b4427fd3180f29

SHA1
94d85799531a4735b01331d54f7450c77f56e591

SHA256
0cf655f70e84515ef77b8b3d49576665dcba672cd301bd5af683deece16589e1

SHA512
76cd332e1a3358a0a984469694731984b915d1425a095ba806ad19e18010f0dc7b4045183e5a764cf1f46f1067d0d75e40c76c183e35ca0126fba0618d3217cf

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe
Filesize
52KB

MD5
e1986283a9e6790eeb65d3742ca89ba3

SHA1
fd8d19ff7af7592addc28df85f935609d50f83a9

SHA256
0714e75224d0aa8ba55e962d3f9664081de92db9bb2389465d1d0574e71b8f77

SHA512
c9134d5969fb8e5579e80fd2fdd96003abb7f0079ee2a2438d61f42191ea0c538bb92792799fd527cb6be7b0f7d634aac81fe82c84b46e4158fe98161c18d601

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe
Filesize
52KB

MD5
f98cce552d26d3aa973fba85e298a863

SHA1
4c798af44d25981d5516dbe1bb54b4932e650a9d

SHA256
eb0c6f9e84f909c801c2368954fa4d97f3c14cfebd98bab043e4791190630983

SHA512
4e7c702c5b602e6b16ee4319e68f28799e5d79130166eb06657266b4e63ede2ea021790ac2641b11abeaf35ef7f86fac373db92c99e9cff843f2bd28d6057f43

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe
Filesize
52KB

MD5
ab7312a5f240c6f25025a3b8659597f8

SHA1
c0e80656a4d1858c4fb9dac3a12650edd1063b59

SHA256
e86713cb3b8eab5af76f6cda7a330729931afeaa6b9e306e87774daf0915108c

SHA512
7f6a9969706b909910e21e0129d6d55ceffb89efc98d3b330eb715e0460b080075f4d6f10e8b6cab2f02f00788e7f2347a5c51bde11cd0d12c7aa61614a3d2d7

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe
Filesize
52KB

MD5
619e7ea996116105f1a2e5c1fb44f9bf

SHA1
a059b09a6b2458e69eac18c6509758b6e9aac689

SHA256
3fdd3b5a1571796e7a40bc5dee3097c5e09f307535a90492b46eb661376d4d44

SHA512
edd726628d1ddc21c808ede8ab94dfed1ee0fbb5e851e9bbdb17d88e9cce674c8b1c6f2cf350eeb98137b68ee48b3fa5f246399f0eed9916f00e7baf304e4eae

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe
Filesize
52KB

MD5
60493dc1051dbe55e98836640ffb569c

SHA1
d0b3897b6a9f06f1dc0be5657555bde77464ebaa

SHA256
ad4c1c819e424b71b000d9d3b91b9b7763d5a5f23820dcd05e41dba0b8adcc5b

SHA512
adb7409b615b863dcba88a41aa0e9b82eafcb2861df51343add59f091a19f68f60a26505bf27204b5009c025f6a54db841c4187bbc1e8ebec56713bda718076c

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe
Filesize
52KB

MD5
ab213764c4fd0e4bc9315cefc045a93e

SHA1
06a60a0341ee2005ccc13251420156736f44a78a

SHA256
4c3181c1d48227855a87110692b0ca5804ca55e8d3afa7f63f10fdf130f93a3e

SHA512
c8c93d730853023c847ec9b83ca3e4ae549d9f80b96216730385238f176f5e4eeb8f3b64d3dcefbfcbc2cf284f599f13079d2a717231a900b0a0b419f58b3038

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe
Filesize
52KB

MD5
34e81867060709aabb1e5505af8d06ec

SHA1
f158914fd8a73fed203c3aef1d79ab3468fa3c42

SHA256
4923165a7f2fb51387d90ab92f629f492cb2250807cfa480c512aa048838624f

SHA512
557c51477a3fad89bb683c5caa11b69921001b54435df95c2e4340858b26664419451d9fc56a23d84db9bbe6306f5d5ac15b9297d43f651f9e119673318e15ce

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe
Filesize
52KB

MD5
5bdafefc80bb51a09b9f34fb213b27a7

SHA1
ac4b88514a5ba4b170e63efaeea2570f77b3d536

SHA256
438f1623be34cd9635aa34f35067d3213955ee604320d6022d2e697b8626e307

SHA512
02298dabdead203c92eda082948fbd2a9943f591f705cb3c385b5a754aee639bd6e1af2714022406c065420d7754ff480481d7e0aba1fea507ac3be068dcdf2e

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe
Filesize
52KB

MD5
854f230213cd32cb432b64e7cad70dcd

SHA1
8002d6234efcbd0a732c9d32ecf99e1ac5be1a8a

SHA256
6fb170ae7dcd42b34ee55faced0e3e37854f28506b218053e1ef16ca42df16ad

SHA512
66f6fa972c05ff7d19ae1399fdd5f3efbaddc6220b1df413f85c804061611eec3df45d9a9a2a412672ec41b3268cb49e3370d5648fad251811d3dfaf875e78bc

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe
Filesize
52KB

MD5
c4067e6804ba90d19b9991fb8474304f

SHA1
097d7c2f88814994176c446d5b4f144737dfe98d

SHA256
8882649b988d3d04514d6e421dcb05a9ec8c41c9448fbea46faf1ee8ad56f41d

SHA512
2a32cd1a9b2128df339b168c34c597b0c6cc2afd12fe4362966c5dbaeb402561929b71851053f8848078dc8dd121a60f14cd355109b22adf04cf9f5ab608587c

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe
Filesize
52KB

MD5
0c940bc36a66ec7b084acef18ff4c724

SHA1
c4bc72e7a6220e17cd8ecab8114080c3b2cfcb21

SHA256
f6daad087e1b7fb9e19b2b74878aca50f666b43a18ae872dba3db05c5196cf80

SHA512
a39db99a19a44a1c46c2154f8b820961ec3cbc41f277b080103dcc55e239056e76166ffe9be52e215b95e43cde15ceedfaf6021981bee0d54ad68c96dd0b9d20

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe
Filesize
52KB

MD5
410c68204790bf5d5ee9ec4cd5cad728

SHA1
1e83d92734883839759d476ca8f87d637990095d

SHA256
44b0e061076a0a800713209e366027a20137b434782e1e33cbadfc375779b7ed

SHA512
926eaa9ab3bdd3c595f31c4649f752307c17840c4535aac7cec0787a11649087602a19f04d7136ee09eb50e59f7ca51277abe0a79543bab72de069ef9d552633

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe
Filesize
52KB

MD5
ecfc2d4302cca68764160d8d52c7c6cf

SHA1
4ac44b143853dfba6ed7fb150bd422f1660f7dae

SHA256
8fcbf3f916861e42b4a0d3bac6561ff3ee01d64290cfa4d47160fd445b85ce94

SHA512
58684641ceb35af017644f32e135f5fb8bd5e79598402bf8e2a4c2e2898ef4137c9ff954eda990602b59a84347622f0c046be3593b331e71fd119dbd1f51c6c9

Download Submit
memory/32-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/216-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/216-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/516-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/516-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/980-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/980-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1196-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1196-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1360-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1476-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1476-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1540-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1896-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1896-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2368-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2368-99-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3132-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3168-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3732-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3732-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4152-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4152-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4256-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4256-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4440-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4440-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4748-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4748-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads