36c4f76cbd5eeb147971bead2bbcaef39b7733cf3346d41b25297a2f87df1d75

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 08:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
Size

96KB
MD5

aa3bf22f3e0b359186077021a73d2860
SHA1

7b792041869f413f6f746eaa6cf1e7acb4ac966c
SHA256

36c4f76cbd5eeb147971bead2bbcaef39b7733cf3346d41b25297a2f87df1d75
SHA512

89ee51fe754424a14eacca8d41ec05b2e87e0862f5d8a544c22520884487fd7b45f23110011f7199de05cb2bcf768caaa5ac129bd1c7f0e330c32ddf47d999ec
SSDEEP

1536:C84dZtFiK5FGoYj0DnibKULX4UTm2MYfTfApkAaAjWbjtKBvU:C8kAK5FrYj0DnirX4um2BLf4kAVwtCU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efppoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe

Executes dropped EXE 27 IoCs

pid	Process
2024	Efppoc32.exe
1596	Eajaoq32.exe
2684	Ebinic32.exe
2692	Flabbihl.exe
2468	Faokjpfd.exe
2464	Fnbkddem.exe
2620	Ffnphf32.exe
2920	Fpfdalii.exe
2980	Fjlhneio.exe
1644	Flmefm32.exe
356	Ffbicfoc.exe
1220	Gpknlk32.exe
2072	Gegfdb32.exe
1252	Ghhofmql.exe
488	Gelppaof.exe
2176	Geolea32.exe
1156	Gkkemh32.exe
2284	Hgbebiao.exe
2008	Hmlnoc32.exe
604	Hlakpp32.exe
2380	Hpmgqnfl.exe
1636	Hiekid32.exe
2084	Hodpgjha.exe
1744	Hacmcfge.exe
2236	Hlhaqogk.exe
1576	Ihoafpmp.exe
3056	Iagfoe32.exe

Loads dropped DLL 58 IoCs

pid	Process
3020	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
3020	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
2024	Efppoc32.exe
2024	Efppoc32.exe
1596	Eajaoq32.exe
1596	Eajaoq32.exe
2684	Ebinic32.exe
2684	Ebinic32.exe
2692	Flabbihl.exe
2692	Flabbihl.exe
2468	Faokjpfd.exe
2468	Faokjpfd.exe
2464	Fnbkddem.exe
2464	Fnbkddem.exe
2620	Ffnphf32.exe
2620	Ffnphf32.exe
2920	Fpfdalii.exe
2920	Fpfdalii.exe
2980	Fjlhneio.exe
2980	Fjlhneio.exe
1644	Flmefm32.exe
1644	Flmefm32.exe
356	Ffbicfoc.exe
356	Ffbicfoc.exe
1220	Gpknlk32.exe
1220	Gpknlk32.exe
2072	Gegfdb32.exe
2072	Gegfdb32.exe
1252	Ghhofmql.exe
1252	Ghhofmql.exe
488	Gelppaof.exe
488	Gelppaof.exe
2176	Geolea32.exe
2176	Geolea32.exe
1156	Gkkemh32.exe
1156	Gkkemh32.exe
2284	Hgbebiao.exe
2284	Hgbebiao.exe
2008	Hmlnoc32.exe
2008	Hmlnoc32.exe
604	Hlakpp32.exe
604	Hlakpp32.exe
2380	Hpmgqnfl.exe
2380	Hpmgqnfl.exe
1636	Hiekid32.exe
1636	Hiekid32.exe
2084	Hodpgjha.exe
2084	Hodpgjha.exe
1744	Hacmcfge.exe
1744	Hacmcfge.exe
2236	Hlhaqogk.exe
2236	Hlhaqogk.exe
1576	Ihoafpmp.exe
1576	Ihoafpmp.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe
3052	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pinfim32.dll	Eajaoq32.exe
File opened for modification	C:\Windows\SysWOW64\Faokjpfd.exe	Flabbihl.exe
File created	C:\Windows\SysWOW64\Fnbkddem.exe	Faokjpfd.exe
File created	C:\Windows\SysWOW64\Kegiig32.dll	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Iaeldika.dll	Faokjpfd.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Fpfdalii.exe
File created	C:\Windows\SysWOW64\Ipjchc32.dll	Flmefm32.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Fpfdalii.exe	Ffnphf32.exe
File opened for modification	C:\Windows\SysWOW64\Fpfdalii.exe	Ffnphf32.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Flabbihl.exe	Ebinic32.exe
File opened for modification	C:\Windows\SysWOW64\Fnbkddem.exe	Faokjpfd.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Eajaoq32.exe	Efppoc32.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Ajlppdeb.dll	Ebinic32.exe
File created	C:\Windows\SysWOW64\Faokjpfd.exe	Flabbihl.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Ffbicfoc.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Efppoc32.exe	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Efppoc32.exe	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Flabbihl.exe	Ebinic32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Ebinic32.exe	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Gknfklng.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Gbolehjh.dll	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Cqmnhocj.dll	Flabbihl.exe
File opened for modification	C:\Windows\SysWOW64\Ffnphf32.exe	Fnbkddem.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Geolea32.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Efjcibje.dll	Efppoc32.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hacmcfge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3052	3056	WerFault.exe	54

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll"	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll"	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbepi32.dll"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Faokjpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebinic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpfdalii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fpfdalii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Gpknlk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2024	3020	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2024	3020	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2024	3020	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2024	3020	aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe	28
PID 2024 wrote to memory of 1596	2024	Efppoc32.exe	29
PID 2024 wrote to memory of 1596	2024	Efppoc32.exe	29
PID 2024 wrote to memory of 1596	2024	Efppoc32.exe	29
PID 2024 wrote to memory of 1596	2024	Efppoc32.exe	29
PID 1596 wrote to memory of 2684	1596	Eajaoq32.exe	30
PID 1596 wrote to memory of 2684	1596	Eajaoq32.exe	30
PID 1596 wrote to memory of 2684	1596	Eajaoq32.exe	30
PID 1596 wrote to memory of 2684	1596	Eajaoq32.exe	30
PID 2684 wrote to memory of 2692	2684	Ebinic32.exe	31
PID 2684 wrote to memory of 2692	2684	Ebinic32.exe	31
PID 2684 wrote to memory of 2692	2684	Ebinic32.exe	31
PID 2684 wrote to memory of 2692	2684	Ebinic32.exe	31
PID 2692 wrote to memory of 2468	2692	Flabbihl.exe	32
PID 2692 wrote to memory of 2468	2692	Flabbihl.exe	32
PID 2692 wrote to memory of 2468	2692	Flabbihl.exe	32
PID 2692 wrote to memory of 2468	2692	Flabbihl.exe	32
PID 2468 wrote to memory of 2464	2468	Faokjpfd.exe	33
PID 2468 wrote to memory of 2464	2468	Faokjpfd.exe	33
PID 2468 wrote to memory of 2464	2468	Faokjpfd.exe	33
PID 2468 wrote to memory of 2464	2468	Faokjpfd.exe	33
PID 2464 wrote to memory of 2620	2464	Fnbkddem.exe	34
PID 2464 wrote to memory of 2620	2464	Fnbkddem.exe	34
PID 2464 wrote to memory of 2620	2464	Fnbkddem.exe	34
PID 2464 wrote to memory of 2620	2464	Fnbkddem.exe	34
PID 2620 wrote to memory of 2920	2620	Ffnphf32.exe	35
PID 2620 wrote to memory of 2920	2620	Ffnphf32.exe	35
PID 2620 wrote to memory of 2920	2620	Ffnphf32.exe	35
PID 2620 wrote to memory of 2920	2620	Ffnphf32.exe	35
PID 2920 wrote to memory of 2980	2920	Fpfdalii.exe	36
PID 2920 wrote to memory of 2980	2920	Fpfdalii.exe	36
PID 2920 wrote to memory of 2980	2920	Fpfdalii.exe	36
PID 2920 wrote to memory of 2980	2920	Fpfdalii.exe	36
PID 2980 wrote to memory of 1644	2980	Fjlhneio.exe	37
PID 2980 wrote to memory of 1644	2980	Fjlhneio.exe	37
PID 2980 wrote to memory of 1644	2980	Fjlhneio.exe	37
PID 2980 wrote to memory of 1644	2980	Fjlhneio.exe	37
PID 1644 wrote to memory of 356	1644	Flmefm32.exe	38
PID 1644 wrote to memory of 356	1644	Flmefm32.exe	38
PID 1644 wrote to memory of 356	1644	Flmefm32.exe	38
PID 1644 wrote to memory of 356	1644	Flmefm32.exe	38
PID 356 wrote to memory of 1220	356	Ffbicfoc.exe	39
PID 356 wrote to memory of 1220	356	Ffbicfoc.exe	39
PID 356 wrote to memory of 1220	356	Ffbicfoc.exe	39
PID 356 wrote to memory of 1220	356	Ffbicfoc.exe	39
PID 1220 wrote to memory of 2072	1220	Gpknlk32.exe	40
PID 1220 wrote to memory of 2072	1220	Gpknlk32.exe	40
PID 1220 wrote to memory of 2072	1220	Gpknlk32.exe	40
PID 1220 wrote to memory of 2072	1220	Gpknlk32.exe	40
PID 2072 wrote to memory of 1252	2072	Gegfdb32.exe	41
PID 2072 wrote to memory of 1252	2072	Gegfdb32.exe	41
PID 2072 wrote to memory of 1252	2072	Gegfdb32.exe	41
PID 2072 wrote to memory of 1252	2072	Gegfdb32.exe	41
PID 1252 wrote to memory of 488	1252	Ghhofmql.exe	42
PID 1252 wrote to memory of 488	1252	Ghhofmql.exe	42
PID 1252 wrote to memory of 488	1252	Ghhofmql.exe	42
PID 1252 wrote to memory of 488	1252	Ghhofmql.exe	42
PID 488 wrote to memory of 2176	488	Gelppaof.exe	43
PID 488 wrote to memory of 2176	488	Gelppaof.exe	43
PID 488 wrote to memory of 2176	488	Gelppaof.exe	43
PID 488 wrote to memory of 2176	488	Gelppaof.exe	43

C:\Users\Admin\AppData\Local\Temp\aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aa3bf22f3e0b359186077021a73d2860_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\Efppoc32.exe
  C:\Windows\system32\Efppoc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\Eajaoq32.exe
    C:\Windows\system32\Eajaoq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\Ebinic32.exe
      C:\Windows\system32\Ebinic32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Flabbihl.exe
        
        C:\Windows\system32\Flabbihl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Faokjpfd.exe
        
        C:\Windows\system32\Faokjpfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Fnbkddem.exe
        
        C:\Windows\system32\Fnbkddem.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Fpfdalii.exe
        
        C:\Windows\system32\Fpfdalii.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Fjlhneio.exe
        
        C:\Windows\system32\Fjlhneio.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:356
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:604
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        28⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cqmnhocj.dll

Filesize
7KB

MD5
dd20ca9a8611efc8093de5062d25e94e

SHA1
cb74eff59be20ff8d2508832d0586012facf2c68

SHA256
4f84ccde6ee977a9078e37c9b5d42a30084de616bd53403b3953dbbae6c85546

SHA512
1c7265b044ef971b3fb64d6509a347212f4e2f663fe9b59605faa87f6d49c77ec348187ba003b5f52183019474e9463a1b0992868c63ce4348d86529d6872224

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
96KB

MD5
b300a9105655bf339b2ca79fcd237d12

SHA1
06ff533f4fdeb584548c9146e248a38ac6b5d527

SHA256
5b8b03b570b869f99674b487f653ec9e9283cabd0a475577e522334626090ebd

SHA512
9ca11dd63c936a3e50f62daa74cc6729af3aaa92b90372f2c47e73dec2c91248924a9a90b41c3d3546013a0608ad90d4b3776f4076cd3561a2a5c5b1be2f4c20

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
96KB

MD5
cd7e77793f77566183458e3e5fb89634

SHA1
7799698df7cbfd5b920002309277ab8608cd5cd3

SHA256
85949d3cb65daaecba5d08c19c48cdcbfc86b1a3f2bb44411643628c3002a67e

SHA512
5180ed6bac300e8f8935cc518d91bdde9fc87b993301bf168092f2626c0a8509c23e0d8b927538d9878d811143513457dfd8226a544e3377a6b9479eeb0821af

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
96KB

MD5
7e2cb7d2fc70fb128dd0922609bc766b

SHA1
ab2358cfbd2cfab1a56eb593ce48e8863191e41a

SHA256
a0212ac42c45b083845ef67e26a930a1105c0b7a27a56154eab8ccb6a8843b88

SHA512
75300bbcda8049b876e656863a85e5f756b5a75b78daa763bdfd03b616941a140cc5fb1e3f966480dfaa41d08120c402ad79d5a1d5e68deac7e877ab436797b5

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
96KB

MD5
060820cff586a54fdb0bad880c7d980a

SHA1
4d209ebcbcc9e69f77d420d60640c8c9b9cb6589

SHA256
7abea27c2a3b200417ed068feafd38a19bee5bb5e9ffde17b047d42a17ab39b7

SHA512
1a2cc09f366c85dd391a0dde450e2c7fbcf618f033d0dafc720c5ef693157dbfad4cd4f509cffb5bb1c9bce6bd92e31be2979577fd49960d425fa543c8e90d82

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
96KB

MD5
1d21727aac3d3b8f25721f8bbe7745d0

SHA1
ce770b8a9401d9992766f8f8dacc0e55dcd9981a

SHA256
d9926aadfd7a2713e6d34ae97204be7ce2800d4265d50a67f63e09d12d7e85db

SHA512
88bf720c203daab891351ec77ac2acbf837575c59a3749b775658ab4cb18654bdbe2c154e953633153afca160358888383f17c8034a13af23ed5060f3a565841

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
96KB

MD5
e2f0a36e6196b54a5603e9c581776d17

SHA1
374e35a1f199d3b399ac38c1ae89876551a93adb

SHA256
6420a6cd5edfc812a2391c60008547f5dfaa773aee5830ba45e430bbcc314b1c

SHA512
8261bef86b71fe003e841b49c89f2150cb8bceb1bb4e51f5978df0783bcf755c6bdcfa209abcacb0c542a152dad5b258bc38763cae773319bf093cef87850ca8

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
96KB

MD5
edbda23ffb22ec4274b27aa1e8389251

SHA1
8098ba8a9e5121809e9d0bb9543fe61eea0a86dd

SHA256
db18a25424b65ae885ae4a5e6df3eade288cb2f4ae794c4f34a6466f8255ec44

SHA512
0763845e27f92d6bcd98740bd2b16ada59c195c4faf6f7ada9789a7d9f1b00bdde7f8aed2b2ca286a2f489d46f411d3db9d2156e432f94f9f57614a6350bed59

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
96KB

MD5
9e9ac45c19d557a53edf1724ef10ea0f

SHA1
2381145383333357dcc51f0a8c3d3317086b6851

SHA256
4779e08c8ffda1bf7983451e334e20e2cd7e3554e8c210f8ea43ebe4108dabc4

SHA512
6d2cea97bcd049158f140c358b23d4d0c4cbaa574d4742ff5c118f3920dfed97a9909142b9aeca7c6d9514b0778695f7800fc71b51748c31f9ccba3b5808680b

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
96KB

MD5
6cee5b931d4d8a4316fa3aab7b5641e9

SHA1
78c70ee1af547fc7a5281a9aeb97ed7c317f004e

SHA256
b410978f4c4724bd2a5a6632439a086eb1dda1958a3a5b57a286b81266489811

SHA512
34306e16cdf2dbf5891bdde721dffe10d1c2e625dc77db8a9766cf7ee67971dcfb6eb8554aed129849aed224b61cdf1be38602212fcc758c9182bc9e3d693eb0

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
96KB

MD5
7709d6f6ca44db325236911be980ec7a

SHA1
f855e3d9bb51a289975c645f2f4720ecb6ee0b8b

SHA256
b06be0ce84ac00281c824be4f8239d0cbe3eb2eb441ad5de4ebca202279ddae2

SHA512
920f0c001ae65d9f6166f68ca0afd69f7f33af5112c6a55297a37d3521690526dfe9cc4453d7096f0c2523c2ef558a7b461b7ade5db073aa4559d7e1dd0e2793

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
96KB

MD5
c484f4f431de2346508857159b3a5dbf

SHA1
eb8091e821f36a4c6629619b3f8983ae68a10dc1

SHA256
654a233bcb2c7b005ff2fb29509edfacb2db92c03bf377a095ffff72d7293018

SHA512
b81bb549e0b70f48a5d2edb7b6df18152f440688b944d051b3a35fe8ff971c8579ac9b366c71c696170de9f9c801adce02dd5644355274b179d4acad571eeb22

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
96KB

MD5
cafaa32a159839b62e99b06b4c3d7e1f

SHA1
86457c9091fa6a221af8a35cd600ff5a4357d1c3

SHA256
631aed94b12b9c843248a58b090e79faf1c524a1cb77d9a373b7d4eb3bd89829

SHA512
3e3288565e668a8fcf2c233f383a1f8e72992f97ce5027ad85d15050470875f001a2f811765dbc1a845ad89d3a2b1f36e5e94faad55699fdb88f9e062661bd04

Download Submit
\Windows\SysWOW64\Eajaoq32.exe

Filesize
96KB

MD5
8e27c8b0e026b2f939f6b4bebfad8c79

SHA1
f430d461cdefb73491ac44dfb3062c9bbb38523a

SHA256
4259f549aec5f62daeddea1316704cb184e9f6657f7bd26218ec72b90e156118

SHA512
62a950a845a3b4aa2964ea2f42078d31f36d380d9868f2df6406fbb04a0ac44ebd78a8709059bf45d93cc0b0884de2e672b91401b31558a1a64bff7c57ecb548

Download Submit
\Windows\SysWOW64\Ebinic32.exe

Filesize
96KB

MD5
226ba4be89b8aa707c791db8141003aa

SHA1
44b4ce0653622229240e4b0daaf665dd437795f7

SHA256
673bb7d610fea4c86b78f8f9db589be4d0995b52a9960fe58f95b5adcfffe8a9

SHA512
7b857049e6ba74d42e22c5e48ea552a904ccad15bc61656eded98d6fc267ea6808f3fad8b713539cca4d7e192f03433d5184a8448d63ad045e10ed4e59c4086d

Download Submit
\Windows\SysWOW64\Efppoc32.exe

Filesize
96KB

MD5
d08fea9abccc62848d2a141dd62e9462

SHA1
7f0537d356e50283fc7c87788e33d090ee1c320a

SHA256
00138f26f0b10e36fb2ea3ead421547920e0696bda614211b6fad712c5f2f087

SHA512
3ce0e45c5db967061fbaf40bbe64714c41e3800c288ffecf56786ff724dc2d25194bf94f85f9d3f2fa6a781c7d200400c1701a323cdf46a631a46a13444b03d6

Download Submit
\Windows\SysWOW64\Faokjpfd.exe

Filesize
96KB

MD5
39d1b53b1b33585b2bcdcafbdb26a74c

SHA1
a925fb8639f84fa96038c83c72ae3c8acda16f7c

SHA256
966d37cad5ecbfa562a1ad09f0c4d914f1718d3ad1ad55e1d68c9bd979153d51

SHA512
ea81795d076828f12e979230c3d00b4aef8aa83045f86ae86ed9ffebab78db2c89671391c3d4da0bacc6b08a7fa7e67ea2751a5864d74027c383dfc2e46d33ab

Download Submit
\Windows\SysWOW64\Ffbicfoc.exe

Filesize
96KB

MD5
d58313064e1c3ae313b1b715022c7396

SHA1
054e86fddd72c0934ab16885b130868942e377d0

SHA256
ac8e5ec074593409f36d1de4da5a152296822b4a6a1abfc2ab6a5d82db2d99c7

SHA512
356af5c8dc77957ff5f025e91ef76c2ca606c2f07fbf0238c35d3a4b5cc5af061079a2b5f1f9239045e3ba0ed4d271d448de88b4201078843df31d44d6dff869

Download Submit
\Windows\SysWOW64\Ffnphf32.exe

Filesize
96KB

MD5
1ab32c04ddd7e54364f528fef59e1495

SHA1
f1d13a3175347851914bbbc2ea127fef193e5c95

SHA256
c18cca8d48c7059e38ae673b1406743118b7d2ac7fb81ec17ba91fab2027ee5f

SHA512
e876dde81ff3b183a1e38b056df6589b4c19c38ab97037da65ab8edad14338327bf04c59f3f1cf1af5df2dbf67a53f12d1d8bd28263b4ec4e7f5fe1c31037250

Download Submit
\Windows\SysWOW64\Fjlhneio.exe

Filesize
96KB

MD5
33b2f74596a70265f637b8133a85d7eb

SHA1
e41f65a06ba2798dc2eefa9df0185335e7f50a12

SHA256
7936b016b55d5998d88fc0ce136ce1694d09446108bbc78fa70528ae84e680c4

SHA512
4a0ab38747a4456c02b515ef385ab94a98fe9b47edffe065ddc806d04baf6ba590eeb5a483ac38a7292f9435c6e9b0637a1224555132f696a655c2c295169506

Download Submit
\Windows\SysWOW64\Flabbihl.exe

Filesize
96KB

MD5
07a7b6f4ba73ce66fe2a5f3f4ed272d7

SHA1
8e48ad8ae8c5bd220587aeeeec1117a6f22b5df5

SHA256
f705acd0e88c039fb1e936ed077f4bfd6abce5ae1e5ff5f11c7d4a235499431e

SHA512
e31a49505b594016ff5dc03a490625da0eafc74cb3c738bd63dd01cc8346c4c0c133f413edeb2e5ae37a65849a41d0ff0096b58b63dd76a3d4f709c91384bae2

Download Submit
\Windows\SysWOW64\Fnbkddem.exe

Filesize
96KB

MD5
534e2f911d6c68d8b667229911d95f69

SHA1
a46d90a0271809d6f55c01749454ef33e49a5040

SHA256
f2a39b7826f1fc7f1d64237873a62e9ae7afa558be1fc68183f64af6486acf5d

SHA512
f2ccad7b96e793c3e41cb794d3a27dd761b672e02f56b43001cb380a168e72dd648bdc415fb240859989e1f1a85c02ef369f0d494f498002a7919a1afd6da606

Download Submit
\Windows\SysWOW64\Fpfdalii.exe

Filesize
96KB

MD5
831faaf66aadd7e3b72f9aec6c9b80a2

SHA1
bf9f36f469468ad86001d33648407ea184c23293

SHA256
e474d72bbe843a648aa6a4de2af1cda4646a4926bd716fc6c9278050c6028685

SHA512
584b0b5cf0c4e5aa30ae25763aeef1308915fc03f81a7a92f7cd91ea030a0d30a1a9bbe0bbdfaa13fb89c041a5e3dfb1188589d5507cfe9a1e66233b10cacec5

Download Submit
\Windows\SysWOW64\Gegfdb32.exe

Filesize
96KB

MD5
56bb786157a981aad46bc2cf950935f5

SHA1
7cebfc416846bf574bba1c200a8de98640ef4c2f

SHA256
9d8eb65d285bdf29d64cb6a5d4c359c1ab6e2d59ad3fcb05748cbd295cec2bb6

SHA512
54ef01e30e539651f958e0725071d2ab62d0fa683069511c5d8e4d744c2139014e669907cbe689391201db1210616cd52ebad16aed7536ef8d40cc2d65db6e98

Download Submit
\Windows\SysWOW64\Gelppaof.exe

Filesize
96KB

MD5
832fb0d4b87d08547f51eb9259c61ab3

SHA1
f6f1865972d69ac041aceb21149c684be003590f

SHA256
8dd30f1676d3bcc3cd469fbb5eaf2aeb8105cf9ed854d7e736803dd821b8b590

SHA512
c9a2211d76125deff936d9c693bbbd6a6ad5b7ea8422ca134664fa030f835b3a957c2c7ec206f7ac24820840885bd147a8405a6418b7bde83243a98e77120382

Download Submit
\Windows\SysWOW64\Geolea32.exe

Filesize
96KB

MD5
9beb05f02d05c82dce65e9589a86721a

SHA1
ffe2d5e34bc071374157af12681a0e340c98519a

SHA256
88c9162f5b1392a4fb347a8b63b799bec8362b5d67159960dc951a957293e8a1

SHA512
5297f13fc84b4317f63cab5e34f21a6a292bd86d4095b8a599c71bd3d68df318383a15f71160ab4aa736bf919de7823f6f28508dadc7ac27a0e89c56b94a8b30

Download Submit
\Windows\SysWOW64\Ghhofmql.exe

Filesize
96KB

MD5
3eeb22bada9954efe5684e61a394f5b2

SHA1
6376fc9abaa5dc2ee3eb34d8b11f04c58c10d78f

SHA256
4fe6986440f3417334ea0b46048eac05847632a615cca0d1b77011f0a20e69cb

SHA512
cb9292943869c16aa8d4a5cc9a3707ad484862f563c0a009ec93b8c8cae476e4a032d43ee4a177ac899db615e18f3b893c78228253743d106c0704c76bbff316

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
96KB

MD5
4eb18fd3436b596a2555adb2a8350531

SHA1
1f166ecba43cbbdae77f82c6f467c61164fd5965

SHA256
d9a7b3cbc119436803615b786a7f922d28499bd941090de25e6e3348873a2ca0

SHA512
527fbd102b16208f060517761b2d18befc67ab85319282fd496222223ec93a06b7d03d974c66988e29df984b4ba0c25628b72eff05cc77b817b0e79d651da431

Download Submit
memory/356-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/356-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/488-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/488-271-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/488-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/488-220-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/604-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/604-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1220-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1220-173-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1220-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-354-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1596-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1596-35-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1596-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1636-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1636-348-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1636-303-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1636-304-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1636-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1644-226-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1644-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1644-137-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-321-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2008-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-25-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2072-258-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2072-194-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2072-259-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2084-315-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2084-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2084-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2084-350-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2176-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-227-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-352-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2284-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-292-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2284-257-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2284-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2464-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-82-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/2468-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-75-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/2620-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2692-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2692-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-109-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-139-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2980-219-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2980-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-209-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/3020-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-13-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/3020-6-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/3056-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads