841c044bfe183695b3fada82f2b8f9e694b6bee4acd5450e24f5f019d4ce3bce

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
Size

323KB
MD5

26a35c5b12aa91781e98a50d247cad40
SHA1

8e08c54f1e77ccac3ace361d2d5a63baeb6cf8b8
SHA256

841c044bfe183695b3fada82f2b8f9e694b6bee4acd5450e24f5f019d4ce3bce
SHA512

5270e020d47428e34a5a72e04a41c43a5ea09a02251979e2355ae0a87737146bb327ec082a68a432244a35d7daa37207eea1aa65b6ff672589ac7f6b46f0cf29
SSDEEP

6144:zWGD465IjZgFjlljd3rKzwN8Jlljd3njPX9ZAk3fs:zWor5IjZ0jpKXjtjP9Zt0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fejgko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeempocb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe

Executes dropped EXE 26 IoCs

pid	Process
1788	Eeempocb.exe
2980	Ebinic32.exe
2760	Fejgko32.exe
2748	Fmekoalh.exe
1668	Fmhheqje.exe
2548	Ffpmnf32.exe
2920	Fbgmbg32.exe
1064	Feeiob32.exe
1920	Gfefiemq.exe
2448	Gangic32.exe
2224	Gkgkbipp.exe
596	Glfhll32.exe
2008	Gkkemh32.exe
2304	Gphmeo32.exe
1516	Hdfflm32.exe
1688	Hicodd32.exe
1808	Hpmgqnfl.exe
996	Hggomh32.exe
840	Hnagjbdf.exe
1984	Hcnpbi32.exe
2944	Hodpgjha.exe
2280	Hcplhi32.exe
2972	Hlhaqogk.exe
2900	Hogmmjfo.exe
2456	Ieqeidnl.exe
1768	Ihoafpmp.exe

Loads dropped DLL 52 IoCs

pid	Process
2104	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
2104	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
1788	Eeempocb.exe
1788	Eeempocb.exe
2980	Ebinic32.exe
2980	Ebinic32.exe
2760	Fejgko32.exe
2760	Fejgko32.exe
2748	Fmekoalh.exe
2748	Fmekoalh.exe
1668	Fmhheqje.exe
1668	Fmhheqje.exe
2548	Ffpmnf32.exe
2548	Ffpmnf32.exe
2920	Fbgmbg32.exe
2920	Fbgmbg32.exe
1064	Feeiob32.exe
1064	Feeiob32.exe
1920	Gfefiemq.exe
1920	Gfefiemq.exe
2448	Gangic32.exe
2448	Gangic32.exe
2224	Gkgkbipp.exe
2224	Gkgkbipp.exe
596	Glfhll32.exe
596	Glfhll32.exe
2008	Gkkemh32.exe
2008	Gkkemh32.exe
2304	Gphmeo32.exe
2304	Gphmeo32.exe
1516	Hdfflm32.exe
1516	Hdfflm32.exe
1688	Hicodd32.exe
1688	Hicodd32.exe
1808	Hpmgqnfl.exe
1808	Hpmgqnfl.exe
996	Hggomh32.exe
996	Hggomh32.exe
840	Hnagjbdf.exe
840	Hnagjbdf.exe
1984	Hcnpbi32.exe
1984	Hcnpbi32.exe
2944	Hodpgjha.exe
2944	Hodpgjha.exe
2280	Hcplhi32.exe
2280	Hcplhi32.exe
2972	Hlhaqogk.exe
2972	Hlhaqogk.exe
2900	Hogmmjfo.exe
2900	Hogmmjfo.exe
2456	Ieqeidnl.exe
2456	Ieqeidnl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gkgkbipp.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Pinfim32.dll	Eeempocb.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Ebinic32.exe	Eeempocb.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Fmhheqje.exe	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Eeempocb.exe	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fmhheqje.exe	Fmekoalh.exe
File opened for modification	C:\Windows\SysWOW64\Ffpmnf32.exe	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Dcdooi32.dll	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Qdcbfq32.dll	Ebinic32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Ffpmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Eeempocb.exe	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Ongbcmlc.dll	Fejgko32.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Mncnkh32.dll	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ebinic32.exe	Eeempocb.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Fmekoalh.exe	Fejgko32.exe
File created	C:\Windows\SysWOW64\Jeccgbbh.dll	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Ffpmnf32.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Gkgkbipp.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Fejgko32.exe	Ebinic32.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hcplhi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2488	2796	WerFault.exe	54

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll"	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll"	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fejgko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glfhll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1788	2104	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1788	2104	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1788	2104	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 1788	2104	26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe	28
PID 1788 wrote to memory of 2980	1788	Eeempocb.exe	29
PID 1788 wrote to memory of 2980	1788	Eeempocb.exe	29
PID 1788 wrote to memory of 2980	1788	Eeempocb.exe	29
PID 1788 wrote to memory of 2980	1788	Eeempocb.exe	29
PID 2980 wrote to memory of 2760	2980	Ebinic32.exe	30
PID 2980 wrote to memory of 2760	2980	Ebinic32.exe	30
PID 2980 wrote to memory of 2760	2980	Ebinic32.exe	30
PID 2980 wrote to memory of 2760	2980	Ebinic32.exe	30
PID 2760 wrote to memory of 2748	2760	Fejgko32.exe	31
PID 2760 wrote to memory of 2748	2760	Fejgko32.exe	31
PID 2760 wrote to memory of 2748	2760	Fejgko32.exe	31
PID 2760 wrote to memory of 2748	2760	Fejgko32.exe	31
PID 2748 wrote to memory of 1668	2748	Fmekoalh.exe	32
PID 2748 wrote to memory of 1668	2748	Fmekoalh.exe	32
PID 2748 wrote to memory of 1668	2748	Fmekoalh.exe	32
PID 2748 wrote to memory of 1668	2748	Fmekoalh.exe	32
PID 1668 wrote to memory of 2548	1668	Fmhheqje.exe	33
PID 1668 wrote to memory of 2548	1668	Fmhheqje.exe	33
PID 1668 wrote to memory of 2548	1668	Fmhheqje.exe	33
PID 1668 wrote to memory of 2548	1668	Fmhheqje.exe	33
PID 2548 wrote to memory of 2920	2548	Ffpmnf32.exe	34
PID 2548 wrote to memory of 2920	2548	Ffpmnf32.exe	34
PID 2548 wrote to memory of 2920	2548	Ffpmnf32.exe	34
PID 2548 wrote to memory of 2920	2548	Ffpmnf32.exe	34
PID 2920 wrote to memory of 1064	2920	Fbgmbg32.exe	35
PID 2920 wrote to memory of 1064	2920	Fbgmbg32.exe	35
PID 2920 wrote to memory of 1064	2920	Fbgmbg32.exe	35
PID 2920 wrote to memory of 1064	2920	Fbgmbg32.exe	35
PID 1064 wrote to memory of 1920	1064	Feeiob32.exe	36
PID 1064 wrote to memory of 1920	1064	Feeiob32.exe	36
PID 1064 wrote to memory of 1920	1064	Feeiob32.exe	36
PID 1064 wrote to memory of 1920	1064	Feeiob32.exe	36
PID 1920 wrote to memory of 2448	1920	Gfefiemq.exe	37
PID 1920 wrote to memory of 2448	1920	Gfefiemq.exe	37
PID 1920 wrote to memory of 2448	1920	Gfefiemq.exe	37
PID 1920 wrote to memory of 2448	1920	Gfefiemq.exe	37
PID 2448 wrote to memory of 2224	2448	Gangic32.exe	38
PID 2448 wrote to memory of 2224	2448	Gangic32.exe	38
PID 2448 wrote to memory of 2224	2448	Gangic32.exe	38
PID 2448 wrote to memory of 2224	2448	Gangic32.exe	38
PID 2224 wrote to memory of 596	2224	Gkgkbipp.exe	39
PID 2224 wrote to memory of 596	2224	Gkgkbipp.exe	39
PID 2224 wrote to memory of 596	2224	Gkgkbipp.exe	39
PID 2224 wrote to memory of 596	2224	Gkgkbipp.exe	39
PID 596 wrote to memory of 2008	596	Glfhll32.exe	40
PID 596 wrote to memory of 2008	596	Glfhll32.exe	40
PID 596 wrote to memory of 2008	596	Glfhll32.exe	40
PID 596 wrote to memory of 2008	596	Glfhll32.exe	40
PID 2008 wrote to memory of 2304	2008	Gkkemh32.exe	41
PID 2008 wrote to memory of 2304	2008	Gkkemh32.exe	41
PID 2008 wrote to memory of 2304	2008	Gkkemh32.exe	41
PID 2008 wrote to memory of 2304	2008	Gkkemh32.exe	41
PID 2304 wrote to memory of 1516	2304	Gphmeo32.exe	42
PID 2304 wrote to memory of 1516	2304	Gphmeo32.exe	42
PID 2304 wrote to memory of 1516	2304	Gphmeo32.exe	42
PID 2304 wrote to memory of 1516	2304	Gphmeo32.exe	42
PID 1516 wrote to memory of 1688	1516	Hdfflm32.exe	43
PID 1516 wrote to memory of 1688	1516	Hdfflm32.exe	43
PID 1516 wrote to memory of 1688	1516	Hdfflm32.exe	43
PID 1516 wrote to memory of 1688	1516	Hdfflm32.exe	43

C:\Users\Admin\AppData\Local\Temp\26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\26a35c5b12aa91781e98a50d247cad40_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Eeempocb.exe
  C:\Windows\system32\Eeempocb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\Ebinic32.exe
    C:\Windows\system32\Ebinic32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\Fejgko32.exe
      C:\Windows\system32\Fejgko32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Fmekoalh.exe
        
        C:\Windows\system32\Fmekoalh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\Fmhheqje.exe
        
        C:\Windows\system32\Fmhheqje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Ffpmnf32.exe
        
        C:\Windows\system32\Ffpmnf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Gkgkbipp.exe
        
        C:\Windows\system32\Gkgkbipp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        28⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 140
        29⤵
        Program crash
        
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebinic32.exe

Filesize
323KB

MD5
8cc92bcfc9490983054742aad483904e

SHA1
d8c3443b6bf04de93ae6afaa5e6a766e29e0931a

SHA256
46be921321182c77f5c702fa09ab5bcb0b1e6ebf4f07bf58365af02ed127d05e

SHA512
97389303f8dea3d87f711521fa5367c3f6e7ab13a170e9abf5c065e5d836d4a4c78ee6945901bd675f13a856a4272613cd1acf1776e7c87230feb6c7a2f649ec

Download Submit
C:\Windows\SysWOW64\Gangic32.exe

Filesize
323KB

MD5
87799f91ee396b666e860a66c948d78b

SHA1
5a59c5d1dc35db4dfc311a81edb3a32a07bd5707

SHA256
fd3988825559734ef7aa55fdceffcd87e8ca3f0d05160f4d6ebde309cdffd769

SHA512
f6880f52a2602928d74a6bf137b9efa6f2d81070312df5f381aec5fd1c8274affed7000d961693b8f1361abc90e7ef3caea47861cee216ff00c8231a89068eb4

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
323KB

MD5
c4461e93f6ad35790c6e6f0e5c5e8693

SHA1
ce71b370213743925d49f0c2c05848f41a479a15

SHA256
bdf569bc8cccd4d524cbd721d1659e6407b21fcf56393b25743d44f33ae8f112

SHA512
bea148ed24b0a1e3784604d434b81751216133955afbc9df323539d107d08f803ea7c7f416b3a9e36ec8871d012ef6c8ba88380f67f5b41f5ad2fefbf2809be0

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
323KB

MD5
9052d3ab03af02e2a5c978d6137d2313

SHA1
8ef6cb21ee0ecfa252c10c2f3420e58cbb447b6b

SHA256
3e5955882a19026880706b5c1b202ffdd7a60453af16cb72a12255629082cd7a

SHA512
edb30216cb87a1e460647165ef11df7f753e8d05485ebe4fc15c523cb271cfb98ef902a7584cf858ddacc54c217c1609690d8690658cf125df4a3609d3dcb4b5

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
323KB

MD5
f77590ffcb649369023b00d0b4496713

SHA1
6dea3d54c31b563f2ccd6a8a276b80762a1ce0bc

SHA256
15f36d48fc2e8e3092384506c5f60d56a2638e1e7ee8a4be50fd706e761d2d2d

SHA512
cc9575da8280cdd86c8d72d51f4bff4adf5a8cd3edf5cdccd2ec756ab197be48ca6b39bc8e4cd2a4c308e5b977edee9b28d64ec1f3be4ede34b7ada3a83bdee5

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
323KB

MD5
65920e1c66acbdd64b6fd65a19e80197

SHA1
4027677e759b860b23685cdabc7353ff4e7137a6

SHA256
ab1bb964271d1a247e6dceadf67534144de4b153c886e6ec6c76aad6b1649532

SHA512
77960597f130e99cd631fd2db1aa4bcb1fbe68634a622933eadbcb71e1468aec7134ae7893be69e09a529049fb44e5a5419e631d192d0fe4a2f2fd624cd30dc6

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
323KB

MD5
a334c42a34a52068a444d8eb4c84b6c3

SHA1
91371ba0296fbedd23547ccc3c27c29eaf9d2d8b

SHA256
c5c87479710414ee59da0ba71f533441ae3e7f59862bf2d216850b54d06d8d6e

SHA512
811891eb90592f4aa9948066a93e422258e8015e9a753f68437d27fa38ff7e4ed06edb390d154565bcb47e08c02ce83ab04b1ba174c6be4dc934b6f532c7e9e9

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
323KB

MD5
545119f57e616247e13baaf77a03c624

SHA1
91625ab386e3b9bb8c8a7d4809d4d4cd9cf54e86

SHA256
884c20c27c4bc9a74ec58a346f411ce46079de973a09efac95f4eaacad9850c2

SHA512
9fb1c4bf0fda0663d5937fe83e8160ed95f6aacda3e92ed192de3c4366b7df20ea9f6c6f3f425f5d2ef4877882a535b63c9ac403e4b247248951b2e31af8a45b

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
323KB

MD5
bffe5dd74364be3e3fee822e7e12b34e

SHA1
0a519ba92921462f04c07bad0ccb21c03b75a649

SHA256
b92aa67204515eba72579636cf3f9a4839dcd6b49876c3c786e83aa1a399d302

SHA512
d06fb3b1ca92b77919525037e26692a85864252acf457db102397515c37e118a41fa91e053702d42bc7049045b9c5af94be7ef27187aaecc2206bc5f921a03d1

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
323KB

MD5
2237e7e6f5ab996bdeb7ede02339cccc

SHA1
dccc72b3503173c8c59383e8ebeb554306729d60

SHA256
e8d50815eff12a1f2bf6c0b74d4ca1213f9caa065d33f70e36629d9abfa4b3e9

SHA512
a1d65eecb85858c3a9ca5c5eec0d8ae56437af4b02016d09180ba735d63a9667d1ee2f17fbb1676b140bd5246e3c36b439f1a983b2064a812627046d6ad11d27

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
323KB

MD5
1a2955dd8fdcbb1cbbf870be29daf2a4

SHA1
cb3857ce739030c7572419b2fdc0a793eaef7433

SHA256
ab1ac38881208937849a0c1936080bdcd719d1b6e4b7254512cfc5ab144c7f58

SHA512
7b3c8f3d0b2cac653d90a996e136afe6b92a87c147a2a2f33fe3ab54775019a8cfb76f03e344dd19443ef046dd17815b95b181b8e274e2d36dcf48de594a0331

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
323KB

MD5
e82fcb26a20ada414700c58747f39c59

SHA1
47e9b034187a294dc08bd4b2dfd6d73d1ac6997a

SHA256
b69f24feb38ea6fe4d5e8bda05160c56108593f9209db2a202593cd73b3a72e2

SHA512
4aec88ef6f313c79bf3ee6a6166f3cb8b70c0b7f0735f1ca3bad2dfb8faa12b6788a25fd9dc4c4eb9320bde7b37e24be2b8b6f3ab7960f00b8ed813d2f2a4185

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
323KB

MD5
11efbbb438114de6850cf83be093ad8b

SHA1
469d7d6b11b4e8337a9a7b4b638fbf6335a38df7

SHA256
fcb10948860083d211ee1bee92eeb200f5623d2c64389d6c28692ab6a74a0b24

SHA512
a2bd969d41732af647467484670925d605e7a9101ba6c490b9d6e6eee49a2f2480897078660dc7d730498f933983389db5ece1f1ee5b6cd6ff1cb0b3579be3f0

Download Submit
\Windows\SysWOW64\Eeempocb.exe

Filesize
323KB

MD5
9c040ef829e1cbd0fae9e7a90b872bf9

SHA1
d16616d74e0c6a75d5d993989eeef41828c0d7a4

SHA256
b24c143a00a9dd221dbf6e4c20844ddd15513fd096a76068ee2b2634fc36086e

SHA512
57b5d1ad03bcd2821812a4fcd2f703b798cf215d1776c9bdfe8379c82c661bd870b58f875f1b02e06be67364fe6772f40b2b390e2ef2eec71b1938d769c59a63

Download Submit
\Windows\SysWOW64\Fbgmbg32.exe

Filesize
323KB

MD5
3bc956f7de6a06530df54c123736cb6a

SHA1
d6d693de9b9b9de32c1b93d59c4e2518e41eebf5

SHA256
b11a659b69e5910e5f12bd328cd9ca6e69d06b616abd8a8017ecb85e2a254590

SHA512
00a3c31c6de066cd75caf19663642e635e7e2dafaf20609cb463a292bd6145caede572a601f437aded7fb2a51583d2ab30170ed3ce189ffb03346094d2dc0cb6

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
323KB

MD5
73f07cc119d066dbbad5bd329fbf0ed8

SHA1
24c3464fa88e1361e5eb7a38dab4057ddb7a07b5

SHA256
dea4f9057d3d1383445ed5bfc0eebc1ae692168f3c0b95c3da53dfa0cded8427

SHA512
cd98ba15bb17b1e6e462d4c1891a400a0a1607f9305676753badc26369428d6e879d195d97ce4eaa4b264259411a19384f7fb7107f7c2dea5992763dae7e11f7

Download Submit
\Windows\SysWOW64\Fejgko32.exe

Filesize
323KB

MD5
c78c1b5130991baf45b4451ac831d990

SHA1
0545bf88097f354e9b758deda8a03905bbde1dea

SHA256
10c3c9897f36bab11b43ef9345d7fa71c5d644d469256010314b2cc5b09c0dff

SHA512
8a72c1e7c79e162274fc41834713a378333dff17952eaee2aa16acfcc520bc990b5e0e7e74cdaa093a7e91928302ae55bf75e646add6201073ec9a40d3016d24

Download Submit
\Windows\SysWOW64\Ffpmnf32.exe

Filesize
323KB

MD5
e337c49cb2ed61d419369104448148d0

SHA1
ca39cae1b44004b677e267f66baa7ad16102eef3

SHA256
e9900084ecf83dcef10699ec28ddff5e60ee0d35ade90387c9fc40fefe5fe359

SHA512
81dea78dde473ee4a70820d8cf17f843b0717c42da33d8df5923a1b4f118baee49f35f5484007913791a5d2f15bafe3740dde4a9aa9db0041d280076f00960e4

Download Submit
\Windows\SysWOW64\Fmekoalh.exe

Filesize
323KB

MD5
7d576fc01b9d554325560fe2a32bb5f9

SHA1
c0d239c76190c214684687922f7b457eb939c0d6

SHA256
ee9b520c7bbf82b99d0ff14e2da8ff615586789c079a8d934e72355161c96c30

SHA512
21c05666ce74479ef5d3b73de7e8a7b1e5156255f1a4c2a46d99a84dae26c33eae706e7d516adb88f081cef4f23c83f0d8d57f7ca9df646e3eb37c1de50271a3

Download Submit
\Windows\SysWOW64\Fmhheqje.exe

Filesize
323KB

MD5
589333f9f35adea05f74e4371af85084

SHA1
f79e569d2cd968c60460dc29b09cb3e1fee1b7b7

SHA256
0a25ac815a05ff146a75c20ffbd3a59977cd550b4413672ed16e1d34acd386a5

SHA512
a20e4b3d9202db32c44d911a5900392a3b588b0588eb9f3fa1b48199be74b383b79b0bc87477ef5789d6e439e5077d05073f0c2517c91221012f58e6190ceaa4

Download Submit
\Windows\SysWOW64\Gfefiemq.exe

Filesize
323KB

MD5
f0120a1dc6d5863bba89459e458590c7

SHA1
2c6c1b03637ed140ad9e22fbef326bf5f4218837

SHA256
d12395ce16ebe4e1cb4bf2348df4a7ada7abc2ed8d34afced100ae82f8cddef1

SHA512
33f1d469dd5a4f7a0a5081ecca208cf81cc97c953ed4e6eeca81d1d80219f4d3acf68a2afc46ea6139b3d1209b4e754ac7854f4992d2a9681be3bb54d32a7ef6

Download Submit
\Windows\SysWOW64\Gkgkbipp.exe

Filesize
323KB

MD5
fbd24a59a7e3f903d88a7744243ea427

SHA1
e57d6d7b0d245538d29d07e4c7b27314890485f3

SHA256
3e717e0aa4646414d0a9d96d4e0183e01d03bd4122a3769503d6fb1ec52198b8

SHA512
e6fbd0f6d61607524a86b9bfe0688f196de83d2489ca5bb181a0e395effd821b3d6f9360e3989741126c35cdbcefaff154ca7746c2b231fefcc3e75bc4b7571a

Download Submit
\Windows\SysWOW64\Gkkemh32.exe

Filesize
323KB

MD5
847422202332d7e140ed6f6cbe14f82f

SHA1
895d19c5d162196df346ba6c2ef09c0597791e9a

SHA256
49777c2e1b1994b2809bafd1dfe28f40069fb37dfa1087f61e73eb9d711677e9

SHA512
42201a2ad419f4dd65eab612791d64b542dde46d2e1e3c71ec25ab7e15dc87c3373ad384f5620e6f7d51dbdfb8839e1e6cec5b19550df94096677a963a6fa4fb

Download Submit
\Windows\SysWOW64\Glfhll32.exe

Filesize
323KB

MD5
1341e2862b35361369fdbd1dd498e3a9

SHA1
540b94b9dfacb847e6b7181b1fca32983f95e756

SHA256
b921608eafae06441464a75f1f5282923bec77a34f5c35ff553f270c052e0fba

SHA512
224c017da6b164dfcd0d9a8bfab4562d093f3a396fd46698fa56d62deb8e869578f5723c6568e1e8f88e544eb87e51761d43dc72cd9dda3cc71aa015e6bdda29

Download Submit
\Windows\SysWOW64\Gphmeo32.exe

Filesize
323KB

MD5
350323114214a5d366e5a858cbeace2d

SHA1
19f8aee5246eb4f09cf215e2c1652f1eb8f9076a

SHA256
1ca32f9dd6baa31cd793f6e9aef311806cb059a2d7c0e21c34fcee8653187ea8

SHA512
b83d3ec05f584d9806257eb5afd1d11ac132221e2635f67a1e736bf2acef55f739db034343d42bd3bdde01bf8e053443826ca87474aecfa0d1936535ddff18d7

Download Submit
\Windows\SysWOW64\Hdfflm32.exe

Filesize
323KB

MD5
f65b0ae201b013ef7e5614c5da9576d9

SHA1
68ff86b1d14f1b3fbff795dc2cac80b28f8f281b

SHA256
90ef3e035ddbbfeeca00e58cff852e900c1327aee7d8a0bb11d54bdbc18e9a86

SHA512
3643391ee550a738922d07401bf2e5272519a68e0f08d08d734b9742c2e59d63e3cb57b35bf28cfd6073713776da04027536d9fe640b7631e4687ae476d929c5

Download Submit
memory/596-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/596-186-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/596-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-261-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/996-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-251-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/996-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-119-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1064-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-223-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1668-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-77-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1688-231-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1688-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-331-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1768-330-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1788-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-25-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1808-244-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1808-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-137-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1984-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-277-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1984-278-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2008-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-190-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2104-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2104-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-167-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2224-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-166-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2224-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-298-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2280-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-209-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2304-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-151-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2456-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-328-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2456-327-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2548-95-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2548-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-63-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2760-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-55-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2760-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2900-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-321-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2920-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-105-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2920-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-285-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2972-305-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2972-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-306-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2980-39-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2980-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2980-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads