2f026e7379608d6b1027443f1a4b276681d87d53aeebe4b91a92972542ea6d19

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Size

313KB
MD5

7efd7ddff6331777761f916ff9f4edd0
SHA1

07c8e10eeea6d3e7839e368633aa04d62eed8970
SHA256

2f026e7379608d6b1027443f1a4b276681d87d53aeebe4b91a92972542ea6d19
SHA512

9ead709e07127102c1d396107adf3d20acd48ef35cf6159c48a2e6b84651b769b40c51ba8ae5311f993945563c199e282b24140ffbfff4e7e0efd0efe03e1832
SSDEEP

6144:3neEa0/KQ+CpB6qPgEUmKyIxLDXXoq9FJZCUmKyIxLX:31VKw32XXf9Do3+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe

Executes dropped EXE 27 IoCs

pid	Process
3004	Fbdqmghm.exe
2672	Fddmgjpo.exe
2660	Fiaeoang.exe
2460	Gfefiemq.exe
2488	Gopkmhjk.exe
2828	Ghhofmql.exe
112	Gaqcoc32.exe
1620	Goddhg32.exe
1588	Gkkemh32.exe
1448	Gphmeo32.exe
1548	Hgbebiao.exe
1428	Hpkjko32.exe
1364	Hgdbhi32.exe
2696	Hicodd32.exe
1052	Hggomh32.exe
3060	Hnagjbdf.exe
620	Hobcak32.exe
2232	Hjhhocjj.exe
1912	Hlfdkoin.exe
704	Hcplhi32.exe
2172	Henidd32.exe
2116	Hjjddchg.exe
1936	Hkkalk32.exe
1972	Icbimi32.exe
2796	Ieqeidnl.exe
1656	Ilknfn32.exe
2640	Iagfoe32.exe

Loads dropped DLL 58 IoCs

pid	Process
2252	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
2252	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
3004	Fbdqmghm.exe
3004	Fbdqmghm.exe
2672	Fddmgjpo.exe
2672	Fddmgjpo.exe
2660	Fiaeoang.exe
2660	Fiaeoang.exe
2460	Gfefiemq.exe
2460	Gfefiemq.exe
2488	Gopkmhjk.exe
2488	Gopkmhjk.exe
2828	Ghhofmql.exe
2828	Ghhofmql.exe
112	Gaqcoc32.exe
112	Gaqcoc32.exe
1620	Goddhg32.exe
1620	Goddhg32.exe
1588	Gkkemh32.exe
1588	Gkkemh32.exe
1448	Gphmeo32.exe
1448	Gphmeo32.exe
1548	Hgbebiao.exe
1548	Hgbebiao.exe
1428	Hpkjko32.exe
1428	Hpkjko32.exe
1364	Hgdbhi32.exe
1364	Hgdbhi32.exe
2696	Hicodd32.exe
2696	Hicodd32.exe
1052	Hggomh32.exe
1052	Hggomh32.exe
3060	Hnagjbdf.exe
3060	Hnagjbdf.exe
620	Hobcak32.exe
620	Hobcak32.exe
2232	Hjhhocjj.exe
2232	Hjhhocjj.exe
1912	Hlfdkoin.exe
1912	Hlfdkoin.exe
704	Hcplhi32.exe
704	Hcplhi32.exe
2172	Henidd32.exe
2172	Henidd32.exe
2116	Hjjddchg.exe
2116	Hjjddchg.exe
1936	Hkkalk32.exe
1936	Hkkalk32.exe
1972	Icbimi32.exe
1972	Icbimi32.exe
2796	Ieqeidnl.exe
2796	Ieqeidnl.exe
1656	Ilknfn32.exe
1656	Ilknfn32.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Fiaeoang.exe	Fddmgjpo.exe
File opened for modification	C:\Windows\SysWOW64\Fiaeoang.exe	Fddmgjpo.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Fiaeoang.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Qlidlf32.dll	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Clphjpmh.dll	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Goddhg32.exe	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Fddmgjpo.exe	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Goddhg32.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Cmbmkg32.dll	Fddmgjpo.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Gaqcoc32.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe

Program crash 1 IoCs

pid	pid_target	Process
2628	2640	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll"	Fddmgjpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3004	2252	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe	28
PID 2252 wrote to memory of 3004	2252	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe	28
PID 2252 wrote to memory of 3004	2252	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe	28
PID 2252 wrote to memory of 3004	2252	7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe	28
PID 3004 wrote to memory of 2672	3004	Fbdqmghm.exe	29
PID 3004 wrote to memory of 2672	3004	Fbdqmghm.exe	29
PID 3004 wrote to memory of 2672	3004	Fbdqmghm.exe	29
PID 3004 wrote to memory of 2672	3004	Fbdqmghm.exe	29
PID 2672 wrote to memory of 2660	2672	Fddmgjpo.exe	30
PID 2672 wrote to memory of 2660	2672	Fddmgjpo.exe	30
PID 2672 wrote to memory of 2660	2672	Fddmgjpo.exe	30
PID 2672 wrote to memory of 2660	2672	Fddmgjpo.exe	30
PID 2660 wrote to memory of 2460	2660	Fiaeoang.exe	31
PID 2660 wrote to memory of 2460	2660	Fiaeoang.exe	31
PID 2660 wrote to memory of 2460	2660	Fiaeoang.exe	31
PID 2660 wrote to memory of 2460	2660	Fiaeoang.exe	31
PID 2460 wrote to memory of 2488	2460	Gfefiemq.exe	32
PID 2460 wrote to memory of 2488	2460	Gfefiemq.exe	32
PID 2460 wrote to memory of 2488	2460	Gfefiemq.exe	32
PID 2460 wrote to memory of 2488	2460	Gfefiemq.exe	32
PID 2488 wrote to memory of 2828	2488	Gopkmhjk.exe	33
PID 2488 wrote to memory of 2828	2488	Gopkmhjk.exe	33
PID 2488 wrote to memory of 2828	2488	Gopkmhjk.exe	33
PID 2488 wrote to memory of 2828	2488	Gopkmhjk.exe	33
PID 2828 wrote to memory of 112	2828	Ghhofmql.exe	34
PID 2828 wrote to memory of 112	2828	Ghhofmql.exe	34
PID 2828 wrote to memory of 112	2828	Ghhofmql.exe	34
PID 2828 wrote to memory of 112	2828	Ghhofmql.exe	34
PID 112 wrote to memory of 1620	112	Gaqcoc32.exe	35
PID 112 wrote to memory of 1620	112	Gaqcoc32.exe	35
PID 112 wrote to memory of 1620	112	Gaqcoc32.exe	35
PID 112 wrote to memory of 1620	112	Gaqcoc32.exe	35
PID 1620 wrote to memory of 1588	1620	Goddhg32.exe	36
PID 1620 wrote to memory of 1588	1620	Goddhg32.exe	36
PID 1620 wrote to memory of 1588	1620	Goddhg32.exe	36
PID 1620 wrote to memory of 1588	1620	Goddhg32.exe	36
PID 1588 wrote to memory of 1448	1588	Gkkemh32.exe	37
PID 1588 wrote to memory of 1448	1588	Gkkemh32.exe	37
PID 1588 wrote to memory of 1448	1588	Gkkemh32.exe	37
PID 1588 wrote to memory of 1448	1588	Gkkemh32.exe	37
PID 1448 wrote to memory of 1548	1448	Gphmeo32.exe	38
PID 1448 wrote to memory of 1548	1448	Gphmeo32.exe	38
PID 1448 wrote to memory of 1548	1448	Gphmeo32.exe	38
PID 1448 wrote to memory of 1548	1448	Gphmeo32.exe	38
PID 1548 wrote to memory of 1428	1548	Hgbebiao.exe	39
PID 1548 wrote to memory of 1428	1548	Hgbebiao.exe	39
PID 1548 wrote to memory of 1428	1548	Hgbebiao.exe	39
PID 1548 wrote to memory of 1428	1548	Hgbebiao.exe	39
PID 1428 wrote to memory of 1364	1428	Hpkjko32.exe	40
PID 1428 wrote to memory of 1364	1428	Hpkjko32.exe	40
PID 1428 wrote to memory of 1364	1428	Hpkjko32.exe	40
PID 1428 wrote to memory of 1364	1428	Hpkjko32.exe	40
PID 1364 wrote to memory of 2696	1364	Hgdbhi32.exe	41
PID 1364 wrote to memory of 2696	1364	Hgdbhi32.exe	41
PID 1364 wrote to memory of 2696	1364	Hgdbhi32.exe	41
PID 1364 wrote to memory of 2696	1364	Hgdbhi32.exe	41
PID 2696 wrote to memory of 1052	2696	Hicodd32.exe	42
PID 2696 wrote to memory of 1052	2696	Hicodd32.exe	42
PID 2696 wrote to memory of 1052	2696	Hicodd32.exe	42
PID 2696 wrote to memory of 1052	2696	Hicodd32.exe	42
PID 1052 wrote to memory of 3060	1052	Hggomh32.exe	43
PID 1052 wrote to memory of 3060	1052	Hggomh32.exe	43
PID 1052 wrote to memory of 3060	1052	Hggomh32.exe	43
PID 1052 wrote to memory of 3060	1052	Hggomh32.exe	43

C:\Users\Admin\AppData\Local\Temp\7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7efd7ddff6331777761f916ff9f4edd0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Fbdqmghm.exe
  C:\Windows\system32\Fbdqmghm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\Fddmgjpo.exe
    C:\Windows\system32\Fddmgjpo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\Fiaeoang.exe
      C:\Windows\system32\Fiaeoang.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:620
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        28⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fiaeoang.exe

Filesize
313KB

MD5
58d7ecf6aebad089e1c11b86843066e4

SHA1
3f31401d11b59fe5956d13cccedd73f763aeead9

SHA256
c19e71b80f6cb80838286095bddea207c3fd7e5cd0b3063e064b071e10eaa14e

SHA512
f10a38bb853b9b6ab45d31df2e5aa01240269e63f9f108500bffd7f3169cf94bca98d87f93a165fd838ba23d37afa003cf07dc59be749cc8d1d046e3886bf46b

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
313KB

MD5
c50f886ff02b224188b2e2dac01aef77

SHA1
324e40e374607b31c88ed1c983cdb0b28780dd45

SHA256
214e9fc1ef8a2a5667faa2eab7268b41ec6e865cf282cdca819da358c430703d

SHA512
b91b939062a0d353024614c7939bf253dc02d69faa79f58d85f540a70463c5dc2825b26355744f0ddb8d806f7cf782c6c253368c00848c7e40684bb3751a7e15

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
313KB

MD5
6975bda9a8ffdd26dadf83db65b63ed9

SHA1
e786fd250282ec6fc70c81792176b960edf91268

SHA256
7fd72f44addcce0ed2237a137d15198124873e35b710c5bed5f58b67fbf383b9

SHA512
4765625995726dd44e47ab30ada58cefed05b50cdf03044794c2bab9b5a53c43f71e82ba26d836585b6183a17b8114357208423c0135a6df0c679362e39845c8

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
313KB

MD5
0dfb6ea6c60b9c401bfdc3d27b45d6a8

SHA1
6918d1da290c70a0e04d61f16455a3e35e770c37

SHA256
e9e171e7bfe5d68506084e71abd05196154407f1d833bb620c9d8e7155885351

SHA512
c04b245d991c22c0c1dec85128f2041a1dac3df4ff06f17467244eefe23427f64e5452d49ae8d9f889faf01c83e2610db9cb046f79b5fc59c9468f44d9114468

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
313KB

MD5
55346c4b88b8d59183ef8eb97c8365de

SHA1
7d46253f9b502fc48581cc5a6b09dd942b689090

SHA256
5061b99793de0d0251dc81f8a767e0572747155d9adba887db540fa2fb93ee7e

SHA512
67f3241a06ade8608596791153058ffa921fec797f06543cb5dfb19cd7fb866c5538d22ddabb8136604948c8def57845c0ceb02787788e5430d7afc0eac4a6f0

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
313KB

MD5
3427cb1f2b5870983c1ba3cc2f0ddf97

SHA1
b35900dcf636fbbd3d9ae204462233f1593c7641

SHA256
473a471a4130387c527c8e4a150b826c38a5c16ba373ae3c39e769815c2d0d59

SHA512
c73ac35fb46e7002864576a718aa0f2fd42b53249ddd4bd1c6aecc71da9c6cad23fccedb064d80ef024131e896e323f0ee9bd62e9216679e5c4d905e2e262da3

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
313KB

MD5
391f7d45c3a6d7804366fa1c51cddc2d

SHA1
f2c69d458212903f1b9626c8f35cf68b77bcb518

SHA256
c5367d5939e0148c16865f0c751db10b8567ef3461c342c26d90b013cc3881ce

SHA512
4f428adbc79791a90309f735d0a1fa983ad0673f143e79f18f3373af095a09387132ba27858adab7c339ccca12110207731cbe77e8cc5355d78980efc5918507

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
313KB

MD5
5677c9d155d1ddf8c68d620ab14955a6

SHA1
7f760d6df772ba467d3aa14bf3ad25e0359664c2

SHA256
831b49c1c048d719159edc0222bdd159743279bc114c3e94c103bf61a61b1b64

SHA512
a12312e97101178ed9b6b91bf365896cf8af00ba4ac0ec7766cf8f1d43cd3ff5fc4b2891d46c64d16bb36151bf8193aa7327de1a8e7be223f468b98d226530f3

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
313KB

MD5
de7f4c95da6a57d2b08c6b5b226f8dc4

SHA1
9bce313d599068bf09bd9aa2af77fddc00dce52c

SHA256
f7454a03fe4d8bc70c5edcc0a8a3389bfe2e4cab7c6963b25275cb93a470b7d6

SHA512
11699a5e05299df420eca0d0116b52bbb28f355139cb679d9beaafd5159db02abccf6a844ecc354360e80177c570b916d4451f1621533840f7e61c295cb36487

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
313KB

MD5
7b99d087d1b9870033890422b19dbe78

SHA1
7e6377c4b94ca9f00b65be83cce82a8b8bc74976

SHA256
814ef8c683d703858bf046dd2614bf9f512c1146ef3fa48506967e9bfd43cbd6

SHA512
2e5d5b80fed918f5a2d539df2b27422887206db8083486de24af69f4b839c8f8f428e5376ea89e8918709ee004b425980ca7a935e6e1e3226b91b59d71f02c05

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
313KB

MD5
f2dac086a08227103f2aa87930c19b53

SHA1
c6d901ce4fd9b006faf8c887584500d099f96160

SHA256
27c5d36df6640dcf812a62cdf9f5d872b4ea67bfd6ea4feb3dfb5bb224b949d6

SHA512
c94f7b232f8213509cfa8806be2673bf77edcfd1333c667c92c350c969c06b8b2b7938377a260a8f0389a1998c78d169a99e34e39e9ae7d6bccc2f42e28b14a7

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
313KB

MD5
11a8c33e7331bf507dcccf2e67c9fcdd

SHA1
cd3769365e3ab953c85c02e87f45a680add5c252

SHA256
2898f9d89df72447ac2ec59f1ba1ecaf98b02b1025bd033f3138ce8855e0176b

SHA512
00be8b33c426a5decc6a358aefd2a0ab90b3777808ec8084f7c608d554c069e181ddb3a53e39c92a8e96f8f57a05e7c5b983ed24f9b65e0775dd5e43207e2b1a

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
313KB

MD5
dd66a66fd820dd53ac431d3c5a1c875f

SHA1
d9cf67c332504c74365e7045130fa145b11f71e4

SHA256
33f1a707e21cb546f1e3d5bd9d9e7b69ff88f2edbbcf467f2ac1bd7a73496abc

SHA512
b036ea65af81f1488858d63b4d0187ec3afc9dfc85b2b146346c0700c1b1993886dfb1930bfbb5a22786ec22a59d0316cc6b158f13eacdb84e76ab66c4d6ef1a

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
313KB

MD5
2393656442b8fd3e08c34a890bd73625

SHA1
bc741583c7789ecd5d1067cca3de0f6b23373c44

SHA256
de2eb5dc920c5eec96fe646efa5519ea86782573e1d5fe01572e90fe336339ac

SHA512
81d88806ca3f419804069fe4d56c276acc39bf1ca1031947f5d7f03648faf0ae8d514b6c47a5230bb20ba7652884d2550174b544fb9845628334268941ae8f24

Download Submit
C:\Windows\SysWOW64\Jgdmei32.dll

Filesize
7KB

MD5
63d280768be1409e23080c9fa276e111

SHA1
88922fb11a236581728f948ddd93706472b20ef6

SHA256
0dbaf254c12576700d9d67dd4b367e3327fd4c62a629470932ad76f111ee096f

SHA512
e6fedfce46189fb82cfa664273a491ee14caf3b2fe4487c408ca0343dc3eff8ef78e309cdb07d2233957f0c858be0b361b48306d889c3187e5b1a0727560051d

Download Submit
\Windows\SysWOW64\Fbdqmghm.exe

Filesize
313KB

MD5
cc0bba2a9bdb141f254d22c94fede2ed

SHA1
dd78326196171b2906fd9c27c8c2f37ad0442705

SHA256
8db19f634d0ac4af68d521415b4fdd1c606aabea7b9805ef9eef32bfbf447f70

SHA512
32fd5feca30f143f3b34b5451a189cb0fb8a9879763d5579c2eb58c36fda2e3bfe14f05abd59f73e4ad5a3cacde319339733f4cfe7af27226ad45ee2e1fdb350

Download Submit
\Windows\SysWOW64\Fddmgjpo.exe

Filesize
313KB

MD5
59b26cd17411fe289fba2b143f70009f

SHA1
5104936bfd8784fefa0b81bb1e64731ffa5ad03b

SHA256
a1adae8415b940d94ddfe7a28f640f512024c04aa1d1710158988cea135327db

SHA512
9297fba4a88e068643da94fd03b054ea782e374c8094c78b70b2fe4a0ac5fc990856dce780dc3baa19d41374e94605b4dcfeaa3fe464240c46cff3e8abd5c16f

Download Submit
\Windows\SysWOW64\Gaqcoc32.exe

Filesize
313KB

MD5
e50f48b39ebf2f6c9d0e99ef57c440ec

SHA1
869dea549933627736b6b3b8f309565cb29dd21d

SHA256
ef6cf09ed8fc22b2a0ff4d95f5c8bf287e3f3526742ba4b4703c7d1552b6647f

SHA512
9fb99f04af93af8e3c4727c8d85eedb3c0defb87a019da2f89f5a1bf3c6d0cf3722058bcb137d2dd77fffb4a444f1548e4b23e26236c1fe461d3a47ad2c63318

Download Submit
\Windows\SysWOW64\Gfefiemq.exe

Filesize
313KB

MD5
be5f89988ed92ed649f354f9c72484a5

SHA1
d64c7edcdbfd31df3a9ef769322ae891e0415d4c

SHA256
5c7e2979607f0ebb42d2a63fb9893b4359213b72cc560fa8734754c859f1817d

SHA512
d573e709a891e573163c3a99d98f9346dae395bda76a132181001d1c784cecadf807af417c39196fa48029f2362e67c5071ca44b0f2fe70c8e7dd4bd2c3d4360

Download Submit
\Windows\SysWOW64\Ghhofmql.exe

Filesize
313KB

MD5
5bd6878b042e862d368b9c88494419ba

SHA1
93fa91ca1bf5212a442225ea49ccc4d36eb9457f

SHA256
ac709315ecfd19a2f789b21e6990af893d1f1d22f9e11e381445c6114f8f98a0

SHA512
de4205c1c8334d678849bfa173baa5569f1d491e0c82bc47284bc0378a0bc80050c64670b992197462763cdb4d21bdc30db9d0f840eeeb3d201462a9d8ec70f5

Download Submit
\Windows\SysWOW64\Gkkemh32.exe

Filesize
313KB

MD5
caad37bf9bc5c85c337ccde764aa57c3

SHA1
49b4afe85d27e5044a77a542155d3fb63a061a78

SHA256
48705b16990d8309fd5511ab643019694318494bf60eca999ba92bc9671a7da8

SHA512
6ebdabf9baa4dd8aa1f80b78b758cc233cc3dc7fcc0be897d997ffa3b40373c4944dc6ca058f08cfb0f885908e4cd0f91a3767c8a7575dcadce1f7de2483cfd9

Download Submit
\Windows\SysWOW64\Goddhg32.exe

Filesize
313KB

MD5
fb86e1d818c981fb5c836fcddc271b01

SHA1
4b02643326ec9f4f0f6ff2520a3606536559fa8a

SHA256
9665a1314a813de4726fdc2d3a21c1df1c4fd0c8da378d75cdbe3dea74f990dd

SHA512
0b49a0a012aeb83bd4f85ce5c3cf3317cbb16b7f89f83d32ddebcf25d2205b642d9949c4501ab74ff4db151ff5e0bf95e10277d7d87f24bb205cfdbf6358e4db

Download Submit
\Windows\SysWOW64\Gopkmhjk.exe

Filesize
313KB

MD5
392dc960b20032ff9cd6553304628780

SHA1
af76e22d4663bf84eb408c59442d48c42a511925

SHA256
d112c28c75e9732d6c3c5b75f5c61762042b992c03227769d154ca9dc2186fc1

SHA512
e6576c69200643079d60babafcb8d29c3ce40305ea24268e4358390f6c02015b35e195399071f921cf504d1ced195933bf9656c2a4e0c950213e03737d959cb9

Download Submit
\Windows\SysWOW64\Gphmeo32.exe

Filesize
313KB

MD5
0458c27eb90e5adf97beb922073f4efc

SHA1
c5a0a6d7861880f68f9c910a1fef49252bfe68e8

SHA256
80c8d2c8e0e59e5b9b52011d7ca7bf52a6ab49999dfab2c124fda9bf204cb390

SHA512
9612ce3bf20d4ac2fa55c673bbad4dd36304b40130bdca18171105b93ac2261cba9ee4c2664aeab30e7439f839a9d9bdbff716ae2288ce368dfa6387a7778e24

Download Submit
\Windows\SysWOW64\Hgbebiao.exe

Filesize
313KB

MD5
73521ed3850f924943a48b05e977e669

SHA1
f288f2a6376f2aae8418d66abf1fab332d538573

SHA256
8ba2eb7b726ce519ef13a9bbcb461c31db10586ec1e0a0d87b0146f64679703e

SHA512
fb12e3f00f126d10fa78c58ff7257eda96b3f8b5842b73ac739079fc647f58f62df34680c1b5ed5385e60293507129aefe853f2662b6c1714edd55968a7333f9

Download Submit
\Windows\SysWOW64\Hicodd32.exe

Filesize
313KB

MD5
c529715dd8ac2f8c261a436dfabd1446

SHA1
6970ea5f64175dc122bc21bdc865ad0a22bd9f06

SHA256
6ce0ea1c657e23255e4dcf7fa95bf68dc044c6ccff1640eb6a628f13b239085d

SHA512
cf09a2e09d84e9af20ef2aac47b5ec00dbe740e598ba13bbe38c3b7f8119e0ed0b7639b459f7eb5c724fcc8cdac2fb3f57a411fd97808448272d582cd07f65b8

Download Submit
\Windows\SysWOW64\Hnagjbdf.exe

Filesize
313KB

MD5
9dc3851c31e7078dcddc23f303c4f585

SHA1
f47db6123d8ad3e0685ffdab30a733e48a2ea05c

SHA256
3c435ae8afaa0fde07ef08842d2168c8298980b05f695f4f7a35e1ce4ec08e6f

SHA512
473fb347335c51f60644796962ce0f68a9ac304286276f189906599182bdeb55dd618778ae974cd35822f227cec12558f11b471992e8fbfd7f7b5975d5155e40

Download Submit
\Windows\SysWOW64\Hpkjko32.exe

Filesize
313KB

MD5
eeb7869d7203109ee2c1ca7e186540b5

SHA1
cacb3f67cf19eae5370e391800ce8827605424ef

SHA256
39606c932e96490c0ee22a906b1acb5bbaa0d3d9bd51a105b0d85e2c1cd5a653

SHA512
03f64159decfbb761448784efe6f1a556d68b677442d4f0501a3352daec7e318539a4dc5590553c9c18b10e22b685212a93cc207a71b988f415316809fdae2f4

Download Submit
memory/112-112-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/112-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/112-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-247-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/620-248-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/620-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/704-282-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/704-273-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/704-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/704-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-218-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/1364-191-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1364-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1428-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1428-189-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1428-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1448-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1448-149-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1548-163-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1548-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1548-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1588-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1588-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1588-139-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1620-126-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1620-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-341-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1656-342-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/1912-265-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1912-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-266-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1936-310-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1936-309-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1936-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-321-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/1972-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-320-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/2116-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-298-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2116-299-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2116-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-289-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2172-288-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2232-255-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2232-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2232-251-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2252-6-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2252-4-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2252-13-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2460-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2460-71-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2488-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2488-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2488-81-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2640-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-43-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-51-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2660-54-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2672-42-0x0000000000370000-0x00000000003AF000-memory.dmp

Filesize
252KB

Download
memory/2672-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-208-0x0000000000340000-0x000000000037F000-memory.dmp

Filesize
252KB

Download
memory/2696-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-335-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2796-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2828-86-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2828-99-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2828-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-40-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/3004-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-22-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/3060-233-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/3060-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads