fab60e0d825064510f4f9b8662e7a8fd4d4fed5b0a854a81c183364a6b0010e2

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 19:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
Size

304KB
MD5

5061802e2d9b6a26b945ba8f08d16c70
SHA1

08ebf9373b8e3eac7dc580a0efc7203459aa1a5d
SHA256

fab60e0d825064510f4f9b8662e7a8fd4d4fed5b0a854a81c183364a6b0010e2
SHA512

f5fc9642ac40fd6930299b9fe98eba0512ef971a1a2d19ea873af3679a7685c2b979c5b7b7623e132986b9bdc328320f9922ccdd677a012e0b7ff081a0c9f94f
SSDEEP

6144:++ocwscO7JfnrFVoXJtpNr1RgAaa6FlFlcOuLr2/24qXPAbgPBFpYrFVO/fnrFVC:9o0JfnYdsWfna

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dchali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elmigj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ennaieib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkmmhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epfhbign.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeqdep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejcjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeqdep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdapak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnneja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnneja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epfhbign.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe

Executes dropped EXE 28 IoCs

pid	Process
1644	Dkmmhf32.exe
2712	Dchali32.exe
2552	Dnneja32.exe
1720	Eeqdep32.exe
2580	Epfhbign.exe
2464	Elmigj32.exe
2496	Ennaieib.exe
2808	Ebinic32.exe
3000	Fehjeo32.exe
1780	Facdeo32.exe
2784	Fdapak32.exe
2688	Ffpmnf32.exe
1668	Fioija32.exe
2424	Glaoalkh.exe
2960	Gejcjbah.exe
1108	Gbnccfpb.exe
1836	Hdfflm32.exe
420	Hkpnhgge.exe
2328	Hicodd32.exe
1552	Hpmgqnfl.exe
300	Hckcmjep.exe
1264	Hggomh32.exe
320	Hlcgeo32.exe
2408	Hobcak32.exe
2980	Ieqeidnl.exe
2524	Ihoafpmp.exe
1596	Ioijbj32.exe
2588	Iagfoe32.exe

Loads dropped DLL 60 IoCs

pid	Process
1976	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
1976	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
1644	Dkmmhf32.exe
1644	Dkmmhf32.exe
2712	Dchali32.exe
2712	Dchali32.exe
2552	Dnneja32.exe
2552	Dnneja32.exe
1720	Eeqdep32.exe
1720	Eeqdep32.exe
2580	Epfhbign.exe
2580	Epfhbign.exe
2464	Elmigj32.exe
2464	Elmigj32.exe
2496	Ennaieib.exe
2496	Ennaieib.exe
2808	Ebinic32.exe
2808	Ebinic32.exe
3000	Fehjeo32.exe
3000	Fehjeo32.exe
1780	Facdeo32.exe
1780	Facdeo32.exe
2784	Fdapak32.exe
2784	Fdapak32.exe
2688	Ffpmnf32.exe
2688	Ffpmnf32.exe
1668	Fioija32.exe
1668	Fioija32.exe
2424	Glaoalkh.exe
2424	Glaoalkh.exe
2960	Gejcjbah.exe
2960	Gejcjbah.exe
1108	Gbnccfpb.exe
1108	Gbnccfpb.exe
1836	Hdfflm32.exe
1836	Hdfflm32.exe
420	Hkpnhgge.exe
420	Hkpnhgge.exe
2328	Hicodd32.exe
2328	Hicodd32.exe
1552	Hpmgqnfl.exe
1552	Hpmgqnfl.exe
300	Hckcmjep.exe
300	Hckcmjep.exe
1264	Hggomh32.exe
1264	Hggomh32.exe
320	Hlcgeo32.exe
320	Hlcgeo32.exe
2408	Hobcak32.exe
2408	Hobcak32.exe
2980	Ieqeidnl.exe
2980	Ieqeidnl.exe
2524	Ihoafpmp.exe
2524	Ihoafpmp.exe
1596	Ioijbj32.exe
1596	Ioijbj32.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Epfhbign.exe	Eeqdep32.exe
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Ebinic32.exe
File opened for modification	C:\Windows\SysWOW64\Fehjeo32.exe	Ebinic32.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Ebagmn32.dll	Dchali32.exe
File created	C:\Windows\SysWOW64\Ebinic32.exe	Ennaieib.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gejcjbah.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Dkmmhf32.exe	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fioija32.exe	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Ldahol32.dll	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Ennaieib.exe	Elmigj32.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Fehjeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Ogjbla32.dll	Epfhbign.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Nopodm32.dll	Facdeo32.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Dnneja32.exe	Dchali32.exe
File opened for modification	C:\Windows\SysWOW64\Eeqdep32.exe	Dnneja32.exe
File created	C:\Windows\SysWOW64\Pinfim32.dll	Ennaieib.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Chcphm32.dll	Eeqdep32.exe
File created	C:\Windows\SysWOW64\Dlgohm32.dll	Ebinic32.exe
File created	C:\Windows\SysWOW64\Dcdooi32.dll	Fdapak32.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gejcjbah.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Fdapak32.exe	Facdeo32.exe
File opened for modification	C:\Windows\SysWOW64\Fdapak32.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Ghqknigk.dll	Ffpmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Glaoalkh.exe	Fioija32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Dnneja32.exe	Dchali32.exe
File created	C:\Windows\SysWOW64\Ennaieib.exe	Elmigj32.exe
File created	C:\Windows\SysWOW64\Gejcjbah.exe	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Dchali32.exe	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Acpmei32.dll	Elmigj32.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ndkakief.dll	Dnneja32.exe
File opened for modification	C:\Windows\SysWOW64\Elmigj32.exe	Epfhbign.exe
File opened for modification	C:\Windows\SysWOW64\Ebinic32.exe	Ennaieib.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hckcmjep.exe
File opened for modification	C:\Windows\SysWOW64\Ffpmnf32.exe	Fdapak32.exe
File created	C:\Windows\SysWOW64\Fioija32.exe	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Nobdlg32.dll	Dkmmhf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2632	2588	WerFault.exe	55

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gejcjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnneja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll"	Fdapak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll"	Dchali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ennaieib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dchali32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epfhbign.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdapak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dchali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll"	Dnneja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eeqdep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll"	Ennaieib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll"	Eeqdep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eeqdep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ennaieib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdapak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1644	1976	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 1644	1976	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 1644	1976	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 1644	1976	5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe	28
PID 1644 wrote to memory of 2712	1644	Dkmmhf32.exe	29
PID 1644 wrote to memory of 2712	1644	Dkmmhf32.exe	29
PID 1644 wrote to memory of 2712	1644	Dkmmhf32.exe	29
PID 1644 wrote to memory of 2712	1644	Dkmmhf32.exe	29
PID 2712 wrote to memory of 2552	2712	Dchali32.exe	30
PID 2712 wrote to memory of 2552	2712	Dchali32.exe	30
PID 2712 wrote to memory of 2552	2712	Dchali32.exe	30
PID 2712 wrote to memory of 2552	2712	Dchali32.exe	30
PID 2552 wrote to memory of 1720	2552	Dnneja32.exe	31
PID 2552 wrote to memory of 1720	2552	Dnneja32.exe	31
PID 2552 wrote to memory of 1720	2552	Dnneja32.exe	31
PID 2552 wrote to memory of 1720	2552	Dnneja32.exe	31
PID 1720 wrote to memory of 2580	1720	Eeqdep32.exe	32
PID 1720 wrote to memory of 2580	1720	Eeqdep32.exe	32
PID 1720 wrote to memory of 2580	1720	Eeqdep32.exe	32
PID 1720 wrote to memory of 2580	1720	Eeqdep32.exe	32
PID 2580 wrote to memory of 2464	2580	Epfhbign.exe	33
PID 2580 wrote to memory of 2464	2580	Epfhbign.exe	33
PID 2580 wrote to memory of 2464	2580	Epfhbign.exe	33
PID 2580 wrote to memory of 2464	2580	Epfhbign.exe	33
PID 2464 wrote to memory of 2496	2464	Elmigj32.exe	34
PID 2464 wrote to memory of 2496	2464	Elmigj32.exe	34
PID 2464 wrote to memory of 2496	2464	Elmigj32.exe	34
PID 2464 wrote to memory of 2496	2464	Elmigj32.exe	34
PID 2496 wrote to memory of 2808	2496	Ennaieib.exe	35
PID 2496 wrote to memory of 2808	2496	Ennaieib.exe	35
PID 2496 wrote to memory of 2808	2496	Ennaieib.exe	35
PID 2496 wrote to memory of 2808	2496	Ennaieib.exe	35
PID 2808 wrote to memory of 3000	2808	Ebinic32.exe	36
PID 2808 wrote to memory of 3000	2808	Ebinic32.exe	36
PID 2808 wrote to memory of 3000	2808	Ebinic32.exe	36
PID 2808 wrote to memory of 3000	2808	Ebinic32.exe	36
PID 3000 wrote to memory of 1780	3000	Fehjeo32.exe	37
PID 3000 wrote to memory of 1780	3000	Fehjeo32.exe	37
PID 3000 wrote to memory of 1780	3000	Fehjeo32.exe	37
PID 3000 wrote to memory of 1780	3000	Fehjeo32.exe	37
PID 1780 wrote to memory of 2784	1780	Facdeo32.exe	38
PID 1780 wrote to memory of 2784	1780	Facdeo32.exe	38
PID 1780 wrote to memory of 2784	1780	Facdeo32.exe	38
PID 1780 wrote to memory of 2784	1780	Facdeo32.exe	38
PID 2784 wrote to memory of 2688	2784	Fdapak32.exe	39
PID 2784 wrote to memory of 2688	2784	Fdapak32.exe	39
PID 2784 wrote to memory of 2688	2784	Fdapak32.exe	39
PID 2784 wrote to memory of 2688	2784	Fdapak32.exe	39
PID 2688 wrote to memory of 1668	2688	Ffpmnf32.exe	40
PID 2688 wrote to memory of 1668	2688	Ffpmnf32.exe	40
PID 2688 wrote to memory of 1668	2688	Ffpmnf32.exe	40
PID 2688 wrote to memory of 1668	2688	Ffpmnf32.exe	40
PID 1668 wrote to memory of 2424	1668	Fioija32.exe	41
PID 1668 wrote to memory of 2424	1668	Fioija32.exe	41
PID 1668 wrote to memory of 2424	1668	Fioija32.exe	41
PID 1668 wrote to memory of 2424	1668	Fioija32.exe	41
PID 2424 wrote to memory of 2960	2424	Glaoalkh.exe	42
PID 2424 wrote to memory of 2960	2424	Glaoalkh.exe	42
PID 2424 wrote to memory of 2960	2424	Glaoalkh.exe	42
PID 2424 wrote to memory of 2960	2424	Glaoalkh.exe	42
PID 2960 wrote to memory of 1108	2960	Gejcjbah.exe	43
PID 2960 wrote to memory of 1108	2960	Gejcjbah.exe	43
PID 2960 wrote to memory of 1108	2960	Gejcjbah.exe	43
PID 2960 wrote to memory of 1108	2960	Gejcjbah.exe	43

C:\Users\Admin\AppData\Local\Temp\5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5061802e2d9b6a26b945ba8f08d16c70_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\Dkmmhf32.exe
  C:\Windows\system32\Dkmmhf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\Dchali32.exe
    C:\Windows\system32\Dchali32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Dnneja32.exe
      C:\Windows\system32\Dnneja32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\Eeqdep32.exe
        
        C:\Windows\system32\Eeqdep32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\SysWOW64\Epfhbign.exe
        
        C:\Windows\system32\Epfhbign.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Elmigj32.exe
        
        C:\Windows\system32\Elmigj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ennaieib.exe
        
        C:\Windows\system32\Ennaieib.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Ebinic32.exe
        
        C:\Windows\system32\Ebinic32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Fdapak32.exe
        
        C:\Windows\system32\Fdapak32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Ffpmnf32.exe
        
        C:\Windows\system32\Ffpmnf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Fioija32.exe
        
        C:\Windows\system32\Fioija32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Gejcjbah.exe
        
        C:\Windows\system32\Gejcjbah.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:420
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        29⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dchali32.exe

Filesize
304KB

MD5
70e192c9d98d9c60a8224cfdf47c12f4

SHA1
60abbc6393eb877201460f1c1ae052a8890864ca

SHA256
02c3578ab08d1ce70b3ea8688249371aa0767be2c4e90dac0859c58b05d0caa0

SHA512
fcce75d1b0fab5171bc3bb5ee161c51a84ff3a6325c2d885fa3ac4ed71a4d761f8ec757b8e596bcecee2c18140b3f500cb74fbc1822093401f5fc9b9d7b0c6d3

Download Submit
C:\Windows\SysWOW64\Dnneja32.exe

Filesize
304KB

MD5
2909608bc7e044d7b5464d4494bda13a

SHA1
9edda7e32add16ffc116c794cee54c96b33c6320

SHA256
cdd34ab17c876a6b53b934076c22cd9d038087fb9f32b6b5919e7eb4fd1b9a63

SHA512
b3f6972a1e47f55fd65e8969ac9f21c669a4339e142bf0086edfeb09e0bfe01908376e916395720de70a057b446d52378dda080e4ceae1ef230557ef766dda46

Download Submit
C:\Windows\SysWOW64\Ebinic32.exe

Filesize
304KB

MD5
c0a9f87ca260a9bc070b3396470e227e

SHA1
34dc17f70e3fd0230016568108c3fbc467b552df

SHA256
d34f2363e39c7d1b43e416b5e18cd5f9d5df0a314bd2414b556d7aae943ab15c

SHA512
9a8b8fd0c25bb811ce33f0ed7c65f19eaf180b2f2b820a61245aa315300afc7946687686bb06ab84bf9c4bf0c305cc751e745b444964868895709fa6e450c442

Download Submit
C:\Windows\SysWOW64\Epfhbign.exe

Filesize
304KB

MD5
d985dbab0cffefd7c5c6771b874b22e9

SHA1
14be60af58de19e23dd0d6328a1e60c9714b3489

SHA256
6d67b40d1fae5ab86295d7201f7cd220af58391de69cff725024b28e4abe7c46

SHA512
c4a2dfb97b6fc58409aac38cd85dcca8903f149342cea5ce073bdf3e3396ec5003cd4dbdcf102d9710d6e7eb51f9f463c71c8501185cd215f74ff8113a880c28

Download Submit
C:\Windows\SysWOW64\Facdeo32.exe

Filesize
304KB

MD5
ae864dc00aa7a52e49f249d1f4c8e382

SHA1
6523242c45dac0d75aab4b1b0cecc36af5e864a1

SHA256
fad2ebf4270d3944122e453f771b9374d27da5a2467b4a6e0eb6ced9c3a5d91b

SHA512
b39758f7ab4e57b2bd3f503aac32cf22fc43a83f970b181e356207e02145438dd588b79251f698475a3b396899ec8a490f77ddff2c0468ca9d561974e1da1027

Download Submit
C:\Windows\SysWOW64\Fdapak32.exe

Filesize
304KB

MD5
9c07b6c31421da0c92ed951a0a71adad

SHA1
e3fe5d1ab0ea4e744cd15011024d62f608e68dab

SHA256
cece011187658333bcf11af5b327806661613f64bfbdc122f412fe2bfe36aad0

SHA512
cec07b183c78ba4080f2724f743125f8d9656899cfb1a55ac9f4329b44e9c357ed6e2268f4f34449b90fafc0051d9916103e083a4d701de427b63976a554a320

Download Submit
C:\Windows\SysWOW64\Fehjeo32.exe

Filesize
304KB

MD5
4d9c3fabbe3233328a0d7e0ed2baafa1

SHA1
2da8197e75f56ee00c6bf5a379c4cbed36bd89a6

SHA256
0b29ec7e6c40c3725c62ba9860eb58822a4e6b1da956eeed4c9904897c047cfa

SHA512
c31a1719b2cbb41c20c1f0c7513a0c50dd175d98dcd05ddb6f906d989a0ca2d0ff1d6ac312484fd8ea7accb3a47edccd58273ac8fe8c10604f22d4d9b9900f0a

Download Submit
C:\Windows\SysWOW64\Ffpmnf32.exe

Filesize
304KB

MD5
202447110c25f7f8860699fac1082b75

SHA1
ee0c57cdde7059052d28f81a67858d9d71b5010b

SHA256
74fef1a2dfb01eeabd2bb8636042f6d02048b72189258996c5b42a628bd72758

SHA512
01043596dadda7b9c610302cabbaf732314ef30d83bccc6736db1d26fe9bbe2b49d4543088f10f66d6ef99e6755736f6ec8d366209c8f161984b543fb268cf9d

Download Submit
C:\Windows\SysWOW64\Gbnccfpb.exe

Filesize
304KB

MD5
ae28505a0a69f5fdf098ade474fea08d

SHA1
c8f95e9b2abddf149c3eb30d8a8b6f3762c491e8

SHA256
952ec80f30396a10c9dfc60516bd9eda055f5eb12bd0d441746926789113f7a8

SHA512
360fd77ef853c235e37fd23393b7fb0d66c02a0e8e025c0d96b6441590d69ab9f6af96ba9b4cb12abe901616931c48d0d2b4001afb17f92838afda12a9bfc8de

Download Submit
C:\Windows\SysWOW64\Gejcjbah.exe

Filesize
304KB

MD5
83caecd99def6fbb33c67e6afe7d3f3d

SHA1
340f539683d756d703f49f7baf35f1e8a15d8a58

SHA256
a8e31627dfa2d2b989c82e96b0d94f5dfa21269e66ed3078e2772fa5fc61dbbe

SHA512
606381dcdacf79ecf666ea9df96c240342e4d950bce1f16e036afddc02b88c8d552adb634d2efd1f285b792e88fbf023b01c03b72c84d9814206edc204e340b6

Download Submit
C:\Windows\SysWOW64\Glaoalkh.exe

Filesize
304KB

MD5
9f992cd9793723cbe8e4938f284dd68a

SHA1
7afb5410349a7f627fe1071c244708f64399fc60

SHA256
4388acc7e7ff70eec537042a436b9bbb45229167dc9f45b157d6619ee35332b2

SHA512
3d8f316404668243750f38de02b01dc2f0938baa902e534fe080f1293f9731f654ea9b541658ca9ca40f299fd068f928e4c1cd24448fd2a0cb63224a01722396

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
304KB

MD5
fc4bcbd05a5227e76f5661967235dba1

SHA1
52bd7a0fad5b94e2d9d820dc113da84478f8884a

SHA256
19566f7227d7990031a632cbb5c851b781c76b3139d823eb242da7f3444ff75f

SHA512
d7cb3465cdccccf51dbdb3312e06bfdc8a5e9d20fc4eb0d3c61a548ed868942d9e5db52a2836dea611870ec13a975e9e189d11504a470b6086eb45834ed0619b

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
304KB

MD5
1d5c8095263e456f14ce9f0f1a978afc

SHA1
4a3490d6a9fb69fc3f25a06bad674a217c9cdfb9

SHA256
60bbaa7287d4ca599a8933d2b291911442e7eb12d10639dd4f61e57b113000a9

SHA512
099c6e4b97fc6d88135071870b4aa6dc72575617bd3bf89e6bc89f36c7e31893a371bb877ca0085f9f5a1cacf4e04e50272844bbd9e84595bc03cbd849c3bfa7

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
304KB

MD5
9507352125f78d86ba07190ce089aa51

SHA1
7b7a26913c207c5a5e71e1cce17871b631a03d01

SHA256
b722acad9adcf2542d387ca9677c7741cfe60e554a83c9fc55eaec5193b93314

SHA512
9da4c858f62bb14308e2249e3e192065337ec2b311f2e9b75ebcdb08440c4db02a44efe51973e4cb81d57a812d464c1c932ebffa33631426775956a40cfb2a64

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
304KB

MD5
f1ed4eec7d16543163da384cefd96ef7

SHA1
70f5e67e80591690fa9a0d302ccf9f864f6cc5d8

SHA256
a65df8efea682bd39bc970a81b3616207e2a7c548358332d0bcbda974cdb432e

SHA512
d6756bf0c2b17d260dabbfe2866cb86d0f66a005afa26d1af0c855c8afffc6bcca484dd7d253a8c710ef0caa19997f843f8ae2704079d97a78c8c0313b28d458

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
304KB

MD5
a9133a12b95557a4d260814f3b7847f6

SHA1
b96763ef279abd481aa28407d60d76a4910f68c7

SHA256
d33673ace558b5c99909b5469c9d32bd36adb8963d20c2e0b95ceffdfe9bb7de

SHA512
2dab1ea37221b55c027b64cd57cb0b8b237d5c6e4f9aa9e0b7345dd904d1889ced3431de028233922327d47fa5c6ec1e0f994cc82e7f6d593b1259c59da91584

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
304KB

MD5
e5a82606f4abb455abdc1f93952fdbd0

SHA1
cc4ba262e1afd1c5e2133f440da3aa586f7b6a24

SHA256
c06a86f14403fc12d77ffdd6a2d2fb94c873aee462cbc955e26bb8d37f99a611

SHA512
56efffdc7c307fc18ed435fa3eeb0b456fb2aa8abcda606bfacabc3fa27eeaf0f07286485b3b7b973f19c67c6a66e91451b680aa9913749bb73d5a25076c6126

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
304KB

MD5
e194d525c478334ac538fa88b3f89ae3

SHA1
fb00254f8a594d1d5fd48cb6dd1667b40a8e58a6

SHA256
a65e938094dc0d596f39909f22f0f6302f86e964b53a3856d49a39edeb9736c9

SHA512
a0937def1b4f93d182e0e2d5ff9946420044f7e68129d69afd1784c22d575591151138f8c96340bf6c07ef8e1a2d3ca445011d68a053f1adf39d4760aab32c3d

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
304KB

MD5
f2cb422112074b0b3287445ab98adf82

SHA1
37dee79b2b78cf0d0fc4caf9e08758e882b5b214

SHA256
90907fafcbc65660e5eb9e8095459b799374c6a8abfeac27d7ff927cf5acca1c

SHA512
53eb91ff324e9c9d4e925a9188aa6a1b298bd3c03f004a04e5fb9aa5ebf0ca88d42cce59045183298efb4045029461ff6abf2ab2a08c94fd1f109ae2cf84e0c3

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
304KB

MD5
b776d6d3bd38e890c2b396f9bc371708

SHA1
25e0dd76176698f76ec0e63c661c4ba497b69b4d

SHA256
5cfce7b0bccf6bc4c0d7bb3d9c7531e985bec4061d83cb6395d9360a0a2a898a

SHA512
62939017254a0c7c2e269f3f2f50fe01310abfc7848b0e04feccac51871377a5518d40c18d6827861a5b84b03b260ce3d378dc9752e3d4a625045a616b3bc17e

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
304KB

MD5
cd0e275759c341aa926731d8a681bbec

SHA1
850f8a754b97417a414ba50cc9c314c94d2ae104

SHA256
a723d81e0bcb8a656ca2921be6f745a3a37d2c4ec20ff7702cbf44726cb40a2f

SHA512
f34833afc1415628d826b8ee1a6cdc21c6a1171dbd4b9f28691400bbaca1f850761fe61b332db469fe89f6217c4ea3fc1e9175aa194fc0501bbe4e34d4fbeef7

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
304KB

MD5
8f73d3e2be6b22f56cf05bb069a748a0

SHA1
565357c8b98286ba8b684c8e9a5f0404e7832e5d

SHA256
d6680da3de6561739e009b1a48a13925349e4eaca21314c8497b066cfe8064c0

SHA512
9ef7d4eedc44d2fe6ebc65cbd8facbdf769d974bb05551a7e074dd5169670d7091ec10dfb797940f9b7cb81cdded9cc77efec22ec8ab5b19983108d3499b6e0f

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
304KB

MD5
75ff6aa0b7dd5455d64d2e0c85523f39

SHA1
7f72fa722171581cc04e83cb1bf6b6eb83cb2e67

SHA256
d790ab92f5388f904a34afa487f12cc9ec2af857b9399d2dfe373501d1fb1d70

SHA512
2abf77987b2783df13e86199feaff14293ec8156d83206544439cef3f18003c6690b62c668325edf88b7f57e82f0d3ca1506529788d301c200bfd3eca1a8502b

Download Submit
\Windows\SysWOW64\Dkmmhf32.exe

Filesize
304KB

MD5
aca14a8fedc3b0b4ae638611e0e88d3e

SHA1
d5ff9ee8ddfc6828068d0b049a3369960f82afbf

SHA256
c48ddcca3f2872baf3241a09fe29858a2793f3d326a17f1bab8acdce16326745

SHA512
c5ee32cb005c41592c750c2bce26620ecd49b7b2f579245f23134e99c07190d19cd698f43f8456f94c28fde9aa949cfdc2189fe8ac307123c9208a732d577bb1

Download Submit
\Windows\SysWOW64\Eeqdep32.exe

Filesize
304KB

MD5
e71145c9de1ee078b9a838a60df51273

SHA1
8624cf47a018ca1e41f80aa152c8916eb2de56c9

SHA256
56890738ad5fc3a7185825d9470a17d02435a48c772ee913b4b5dd455cd33016

SHA512
dfef20ed62c290c06e11aba8fd7bf65a3172c0342dfbdc6d7a46f895a896b3bbe973ac5698bed312fdba3fe9d9d50c4f2804cabf2c09d1c14e43ce1378b06cf5

Download Submit
\Windows\SysWOW64\Elmigj32.exe

Filesize
304KB

MD5
3225b515143900c7489c840fc7312746

SHA1
abd0d2f3753bedd7f8f5b7eea70b5399888f4735

SHA256
08de643aff9819fbddb9023dd97ef76b736454b2cda63628897ca3aca7ece9a8

SHA512
f6daa3fd3ca497b34582e18dc2218317b14507df179e5ab0d668f92f737a5b20255baa2763dff1d793df25a1501970a6da528d39e48b9a0cc4f3c5249590e380

Download Submit
\Windows\SysWOW64\Ennaieib.exe

Filesize
304KB

MD5
0dd7ac877817c3296c9878d64d054663

SHA1
ad9a8e25cabb81f3c63535a487a4c98b372aaf2b

SHA256
aa78474f6dd803e439d5caaed4c13aaade2a8eb8635cc82fbb0bdbe2b75d4210

SHA512
8bd76957a26a24cdba7dd3998242f1b696e20c5d2a0e9fb0e27865d091419c1b7e6caa2931e95e320a9562f55289bf06298c81e7d486c1fa3efc9ad2161a0be1

Download Submit
\Windows\SysWOW64\Fioija32.exe

Filesize
304KB

MD5
e5117ed5a581d911d702f7db12cf14f9

SHA1
7c94fc7414bcb9ccd630c8406e23f15b4d60326a

SHA256
2536ec93ee1645751f4f7e0686664890873744e40f952815e7db51c7ff723953

SHA512
171d736660d006ee455c1493c5cff86cd1d4263887e0775fe4e0d117b436576279f6d5aea23ecf631c04bc9105331341891ed9f969c9b6d75c883e6b8fffd5fe

Download Submit
memory/300-272-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/300-457-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/300-291-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/300-282-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/320-309-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/320-304-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/320-461-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/320-298-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/420-251-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/420-451-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/420-250-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1108-229-0x0000000000330000-0x00000000003A7000-memory.dmp

Filesize
476KB

Download
memory/1108-219-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1108-447-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1108-230-0x0000000000330000-0x00000000003A7000-memory.dmp

Filesize
476KB

Download
memory/1264-299-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/1264-459-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1264-292-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1264-297-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/1552-276-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/1552-455-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1552-271-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1596-345-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/1596-349-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/1596-469-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1596-339-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1644-19-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1644-412-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1668-187-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/1668-441-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1668-186-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/1668-174-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1720-418-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1780-150-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/1780-435-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1780-136-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1780-144-0x0000000000280000-0x00000000002F7000-memory.dmp

Filesize
476KB

Download
memory/1836-249-0x00000000006F0000-0x0000000000767000-memory.dmp

Filesize
476KB

Download
memory/1836-449-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1836-231-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1836-245-0x00000000006F0000-0x0000000000767000-memory.dmp

Filesize
476KB

Download
memory/1976-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1976-6-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/1976-12-0x0000000000480000-0x00000000004F7000-memory.dmp

Filesize
476KB

Download
memory/1976-410-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2328-267-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2328-453-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2328-265-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2328-252-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2408-317-0x0000000000310000-0x0000000000387000-memory.dmp

Filesize
476KB

Download
memory/2408-315-0x0000000000310000-0x0000000000387000-memory.dmp

Filesize
476KB

Download
memory/2408-310-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2408-463-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2424-443-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2424-189-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2424-201-0x0000000001FC0000-0x0000000002037000-memory.dmp

Filesize
476KB

Download
memory/2424-202-0x0000000001FC0000-0x0000000002037000-memory.dmp

Filesize
476KB

Download
memory/2464-427-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2496-104-0x0000000000340000-0x00000000003B7000-memory.dmp

Filesize
476KB

Download
memory/2496-429-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2524-338-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2524-467-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2524-332-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2524-337-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2552-40-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2552-65-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2552-416-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2580-74-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/2580-66-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2580-425-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2588-350-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2688-439-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2688-167-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2688-172-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/2712-32-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2712-414-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2784-158-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2784-437-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2784-159-0x0000000000250000-0x00000000002C7000-memory.dmp

Filesize
476KB

Download
memory/2808-431-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2808-117-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/2960-204-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2960-445-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2960-217-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/2960-216-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/2980-327-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/2980-321-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2980-465-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2980-323-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/3000-118-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3000-433-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads