6e93e7b15b4ff6245c5c6e62f13aa13bf6a059a331db712082c17e8da46ef97e

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 16:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
Size

386KB
MD5

be7a8bfa23f12e5ec17c192c9cf553b0
SHA1

e02d1e69fca012921232c20d7bbe715456f7fa48
SHA256

6e93e7b15b4ff6245c5c6e62f13aa13bf6a059a331db712082c17e8da46ef97e
SHA512

1b89ebd23fde8890363f70f1f47219c8a20e6e746445ea76235d04a7c728b8dd6eff0e875f8322e6f90c25bb4362feb0e5db579bd1e4cb041301ee87047bb273
SSDEEP

12288:aSRvO7MbCwQZ7287xmPFRkfJg9qwQZ7287xmP:b8MbCZZ/aFKm9qZZ/a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flabbihl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epfhbign.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkmmhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnneja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epfhbign.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfgmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnneja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Globlmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfgmhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doobajme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doobajme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe

Executes dropped EXE 26 IoCs

pid	Process
2984	Dkmmhf32.exe
2700	Dfgmhd32.exe
2588	Dnneja32.exe
2484	Doobajme.exe
2456	Emhlfmgj.exe
2912	Epfhbign.exe
2176	Elmigj32.exe
1360	Fehjeo32.exe
1592	Flabbihl.exe
352	Fhkpmjln.exe
1520	Fmhheqje.exe
1664	Flmefm32.exe
2780	Fbgmbg32.exe
2304	Feeiob32.exe
1132	Globlmmj.exe
1936	Gfefiemq.exe
2312	Hgbebiao.exe
2408	Hmlnoc32.exe
376	Hicodd32.exe
792	Hckcmjep.exe
1684	Hellne32.exe
2288	Hlhaqogk.exe
1988	Hogmmjfo.exe
1680	Ilknfn32.exe
884	Inljnfkg.exe
2008	Iagfoe32.exe

Loads dropped DLL 56 IoCs

pid	Process
1844	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
1844	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
2984	Dkmmhf32.exe
2984	Dkmmhf32.exe
2700	Dfgmhd32.exe
2700	Dfgmhd32.exe
2588	Dnneja32.exe
2588	Dnneja32.exe
2484	Doobajme.exe
2484	Doobajme.exe
2456	Emhlfmgj.exe
2456	Emhlfmgj.exe
2912	Epfhbign.exe
2912	Epfhbign.exe
2176	Elmigj32.exe
2176	Elmigj32.exe
1360	Fehjeo32.exe
1360	Fehjeo32.exe
1592	Flabbihl.exe
1592	Flabbihl.exe
352	Fhkpmjln.exe
352	Fhkpmjln.exe
1520	Fmhheqje.exe
1520	Fmhheqje.exe
1664	Flmefm32.exe
1664	Flmefm32.exe
2780	Fbgmbg32.exe
2780	Fbgmbg32.exe
2304	Feeiob32.exe
2304	Feeiob32.exe
1132	Globlmmj.exe
1132	Globlmmj.exe
1936	Gfefiemq.exe
1936	Gfefiemq.exe
2312	Hgbebiao.exe
2312	Hgbebiao.exe
2408	Hmlnoc32.exe
2408	Hmlnoc32.exe
376	Hicodd32.exe
376	Hicodd32.exe
792	Hckcmjep.exe
792	Hckcmjep.exe
1684	Hellne32.exe
1684	Hellne32.exe
2288	Hlhaqogk.exe
2288	Hlhaqogk.exe
1988	Hogmmjfo.exe
1988	Hogmmjfo.exe
1680	Ilknfn32.exe
1680	Ilknfn32.exe
884	Inljnfkg.exe
884	Inljnfkg.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ikkbnm32.dll	Flabbihl.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Flabbihl.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Jeccgbbh.dll	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Epgnljad.dll	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Dfgmhd32.exe	Dkmmhf32.exe
File opened for modification	C:\Windows\SysWOW64\Flabbihl.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Globlmmj.exe	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Gfedefbi.dll	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Doobajme.exe	Dnneja32.exe
File opened for modification	C:\Windows\SysWOW64\Fmhheqje.exe	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Globlmmj.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Epfhbign.exe	Emhlfmgj.exe
File opened for modification	C:\Windows\SysWOW64\Fhkpmjln.exe	Flabbihl.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Globlmmj.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Cillgpen.dll	Dnneja32.exe
File created	C:\Windows\SysWOW64\Elmigj32.exe	Epfhbign.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Elmigj32.exe	Epfhbign.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Globlmmj.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Kgcampld.dll	Doobajme.exe
File created	C:\Windows\SysWOW64\Ogjbla32.dll	Epfhbign.exe
File created	C:\Windows\SysWOW64\Ajlppdeb.dll	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Inljnfkg.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Flmefm32.exe
File created	C:\Windows\SysWOW64\Hpqpdnop.dll	Feeiob32.exe
File created	C:\Windows\SysWOW64\Jdnaob32.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Dfgmhd32.exe	Dkmmhf32.exe
File created	C:\Windows\SysWOW64\Ebagmn32.dll	Dfgmhd32.exe
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Elmigj32.exe
File opened for modification	C:\Windows\SysWOW64\Fehjeo32.exe	Elmigj32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File opened for modification	C:\Windows\SysWOW64\Dnneja32.exe	Dfgmhd32.exe
File created	C:\Windows\SysWOW64\Chcphm32.dll	Emhlfmgj.exe
File created	C:\Windows\SysWOW64\Fhkpmjln.exe	Flabbihl.exe
File created	C:\Windows\SysWOW64\Fmhheqje.exe	Fhkpmjln.exe
File opened for modification	C:\Windows\SysWOW64\Globlmmj.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Inljnfkg.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Dkmmhf32.exe	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2236	2008	WerFault.exe	53

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll"	Dnneja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfgmhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elmigj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfgmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkmmhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll"	Dfgmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll"	Flabbihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epfhbign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll"	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll"	Epfhbign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll"	Dkmmhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll"	Doobajme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flabbihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2984	1844	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe	28
PID 1844 wrote to memory of 2984	1844	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe	28
PID 1844 wrote to memory of 2984	1844	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe	28
PID 1844 wrote to memory of 2984	1844	be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe	28
PID 2984 wrote to memory of 2700	2984	Dkmmhf32.exe	29
PID 2984 wrote to memory of 2700	2984	Dkmmhf32.exe	29
PID 2984 wrote to memory of 2700	2984	Dkmmhf32.exe	29
PID 2984 wrote to memory of 2700	2984	Dkmmhf32.exe	29
PID 2700 wrote to memory of 2588	2700	Dfgmhd32.exe	30
PID 2700 wrote to memory of 2588	2700	Dfgmhd32.exe	30
PID 2700 wrote to memory of 2588	2700	Dfgmhd32.exe	30
PID 2700 wrote to memory of 2588	2700	Dfgmhd32.exe	30
PID 2588 wrote to memory of 2484	2588	Dnneja32.exe	31
PID 2588 wrote to memory of 2484	2588	Dnneja32.exe	31
PID 2588 wrote to memory of 2484	2588	Dnneja32.exe	31
PID 2588 wrote to memory of 2484	2588	Dnneja32.exe	31
PID 2484 wrote to memory of 2456	2484	Doobajme.exe	32
PID 2484 wrote to memory of 2456	2484	Doobajme.exe	32
PID 2484 wrote to memory of 2456	2484	Doobajme.exe	32
PID 2484 wrote to memory of 2456	2484	Doobajme.exe	32
PID 2456 wrote to memory of 2912	2456	Emhlfmgj.exe	33
PID 2456 wrote to memory of 2912	2456	Emhlfmgj.exe	33
PID 2456 wrote to memory of 2912	2456	Emhlfmgj.exe	33
PID 2456 wrote to memory of 2912	2456	Emhlfmgj.exe	33
PID 2912 wrote to memory of 2176	2912	Epfhbign.exe	34
PID 2912 wrote to memory of 2176	2912	Epfhbign.exe	34
PID 2912 wrote to memory of 2176	2912	Epfhbign.exe	34
PID 2912 wrote to memory of 2176	2912	Epfhbign.exe	34
PID 2176 wrote to memory of 1360	2176	Elmigj32.exe	35
PID 2176 wrote to memory of 1360	2176	Elmigj32.exe	35
PID 2176 wrote to memory of 1360	2176	Elmigj32.exe	35
PID 2176 wrote to memory of 1360	2176	Elmigj32.exe	35
PID 1360 wrote to memory of 1592	1360	Fehjeo32.exe	36
PID 1360 wrote to memory of 1592	1360	Fehjeo32.exe	36
PID 1360 wrote to memory of 1592	1360	Fehjeo32.exe	36
PID 1360 wrote to memory of 1592	1360	Fehjeo32.exe	36
PID 1592 wrote to memory of 352	1592	Flabbihl.exe	37
PID 1592 wrote to memory of 352	1592	Flabbihl.exe	37
PID 1592 wrote to memory of 352	1592	Flabbihl.exe	37
PID 1592 wrote to memory of 352	1592	Flabbihl.exe	37
PID 352 wrote to memory of 1520	352	Fhkpmjln.exe	38
PID 352 wrote to memory of 1520	352	Fhkpmjln.exe	38
PID 352 wrote to memory of 1520	352	Fhkpmjln.exe	38
PID 352 wrote to memory of 1520	352	Fhkpmjln.exe	38
PID 1520 wrote to memory of 1664	1520	Fmhheqje.exe	39
PID 1520 wrote to memory of 1664	1520	Fmhheqje.exe	39
PID 1520 wrote to memory of 1664	1520	Fmhheqje.exe	39
PID 1520 wrote to memory of 1664	1520	Fmhheqje.exe	39
PID 1664 wrote to memory of 2780	1664	Flmefm32.exe	40
PID 1664 wrote to memory of 2780	1664	Flmefm32.exe	40
PID 1664 wrote to memory of 2780	1664	Flmefm32.exe	40
PID 1664 wrote to memory of 2780	1664	Flmefm32.exe	40
PID 2780 wrote to memory of 2304	2780	Fbgmbg32.exe	41
PID 2780 wrote to memory of 2304	2780	Fbgmbg32.exe	41
PID 2780 wrote to memory of 2304	2780	Fbgmbg32.exe	41
PID 2780 wrote to memory of 2304	2780	Fbgmbg32.exe	41
PID 2304 wrote to memory of 1132	2304	Feeiob32.exe	42
PID 2304 wrote to memory of 1132	2304	Feeiob32.exe	42
PID 2304 wrote to memory of 1132	2304	Feeiob32.exe	42
PID 2304 wrote to memory of 1132	2304	Feeiob32.exe	42
PID 1132 wrote to memory of 1936	1132	Globlmmj.exe	43
PID 1132 wrote to memory of 1936	1132	Globlmmj.exe	43
PID 1132 wrote to memory of 1936	1132	Globlmmj.exe	43
PID 1132 wrote to memory of 1936	1132	Globlmmj.exe	43

C:\Users\Admin\AppData\Local\Temp\be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\be7a8bfa23f12e5ec17c192c9cf553b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\Dkmmhf32.exe
  C:\Windows\system32\Dkmmhf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\Dfgmhd32.exe
    C:\Windows\system32\Dfgmhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\Dnneja32.exe
      C:\Windows\system32\Dnneja32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Doobajme.exe
        
        C:\Windows\system32\Doobajme.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\Emhlfmgj.exe
        
        C:\Windows\system32\Emhlfmgj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Epfhbign.exe
        
        C:\Windows\system32\Epfhbign.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Elmigj32.exe
        
        C:\Windows\system32\Elmigj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Flabbihl.exe
        
        C:\Windows\system32\Flabbihl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Fhkpmjln.exe
        
        C:\Windows\system32\Fhkpmjln.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\SysWOW64\Fmhheqje.exe
        
        C:\Windows\system32\Fmhheqje.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Globlmmj.exe
        
        C:\Windows\system32\Globlmmj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Inljnfkg.exe
        
        C:\Windows\system32\Inljnfkg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        27⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfgmhd32.exe

Filesize
386KB

MD5
98b46ca08166465534edefc64558868b

SHA1
808a173e7f72d994ee7883e4442592bc51d3fc69

SHA256
1bab5190ef7b0057b55bdf0f364201b5511e62c4fe07435c645136f8b640f34a

SHA512
3e6ef8bf1b432a85bc7b1b021f488ddcddd8f65b5a1514f6ab998168d07bfda6d8617d13c6a28f7da4b57671ced9dd4ecf1556c71d5aa02fbeac3097940ac843

Download Submit
C:\Windows\SysWOW64\Dnneja32.exe

Filesize
386KB

MD5
b29f1cde527712d6b90ee3140ad3ee90

SHA1
6ff2ff67bcf839c18086d41d407a370633c40b22

SHA256
44a3ae4b80737c8eb6fa13aa535be4a8e549d7ac9d459d9ae1985c47e44c6a7e

SHA512
a1ac1f10b54c02c94c5f257bbef719575d1dbc1b54745d7b737a09ea743e537fc84e902e337c99ff51bae4499f46b3190104cb0916826f6a02c0b410f7af3d38

Download Submit
C:\Windows\SysWOW64\Elmigj32.exe

Filesize
386KB

MD5
d60615d597acf4620a85eaf7723582cc

SHA1
ce65713a4d743c77eddab93564ce83c0cd2059ed

SHA256
f9d13b53f97f38c9222f868c96d8ee157ff4b3b2079342ddf66fa84b62276422

SHA512
e9ac7ba40a8bbcf21bbfcb6a50790b2a7860a8da9242c5197fbc1fc83af299d6a1de94ca362c62130313673a847b68df439b3532c69df573df36efea98f15530

Download Submit
C:\Windows\SysWOW64\Fbgmbg32.exe

Filesize
386KB

MD5
8321676177febabc1694eb88ff96dc8d

SHA1
76edb1b3e502482376f0215527cd146c5e64fbe8

SHA256
05eda566b420834c0d3e0c5aadc02cfba006d1ded00a99f362881694e62cab50

SHA512
189cc4731437ff703461d13fe9fd1ffa6c1b2d4e0759fa5e4338fdfd9af7b82e54eddc002205953f06c8ef5b2fe874e19eb3bddd678b8fab1ff93d1ebad47698

Download Submit
C:\Windows\SysWOW64\Feeiob32.exe

Filesize
386KB

MD5
85c11caad84137c82f085f7de3f36a2c

SHA1
268416f50edff89562141ae3d2c74f38eeb2f1bc

SHA256
ac365253036f8d259eff6cc63a52f5599ed6c04c10289814d033ebb01c34a590

SHA512
cd8ae1eeeb45a42cbc04796a21535cc3d7a6b45748ce685fc2fe3cf37d41676c37005f90c388e9ca317270c644ab10c3e22fbf4231e47ac5a9dbc844baaa71e0

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
386KB

MD5
20601b4dbb2eae47facb6b6f72cfe1ac

SHA1
e8fa24b7d36c7e91d6a432f8dafe28e4e4461b6c

SHA256
5a7b01ff72a3b234e032037d52a3d771ce9f18cf22aabc3329a01abd1912c9f9

SHA512
c1b5e80ae814faad1689f9eaecd5b0ea665494b4fb7f14f77e574b318a675103ba3b2104e2b08f01a54602facf4086c2dba8aeecc7be23688958f807913da957

Download Submit
C:\Windows\SysWOW64\Fmhheqje.exe

Filesize
386KB

MD5
3b3b28db8011e251fe2d3fb33c1245fe

SHA1
f7c08f979f5b72e5ef56db3c72ea60703a1e44ac

SHA256
653d2036f253bf837c488b7cb102dbbdfd35c49e4b8997d81739283c33795689

SHA512
b58e2e8278c04efcd6d953b1c47deacea464722c187e0c0232bd82cac3b7ca245112c8c370a874d35769246c387a0d2c17ed16d5ad460e1168ceff83e43b17cc

Download Submit
C:\Windows\SysWOW64\Gfefiemq.exe

Filesize
386KB

MD5
105a5441d6b4632905eabe8311d3ff3a

SHA1
07b1aed0409593341f95f6c198ef2106fda764a8

SHA256
f97694f6a5a2a0ffe4f0cd037ce00bccb0b48cc644513fcdadd45ffefdb42e8e

SHA512
075183b150d58752c0c2a9f65b50c6cb83cde37c240edb2ec43a50eb20a3ceacce73137128b270f64f31aa8ff776b62e7e0f49cdb4014998db53a883f44fd23b

Download Submit
C:\Windows\SysWOW64\Globlmmj.exe

Filesize
386KB

MD5
a42308194dc40797d75a3ebf3ad523d8

SHA1
a63781741614425b83cec1c5dcb1712e8ba18518

SHA256
b64d8b4d38d2276005cc71a69ef0043ca2063651e4d8739864d1ad57731978f8

SHA512
feb62b51bd61fc1f7944c749647bc3cdd7ff48cea5d94e90f8cec4182b76954fbd1304085f8c274c84c82c747ac6116e45e2319180cb0e404b5e488ca1966eb6

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
386KB

MD5
8b6777e90ef6bc6f0cf63cfdbd4a2d2d

SHA1
5e8d31bcdb4d65b470978076786043610facff23

SHA256
8fce9fa356abb40af4173a383aac43e4bb313c26507195093c47b883aaa45e97

SHA512
f85c7b9e0e3c3dc97a75f762b1b33e27afaa43a99b9fb1ff40a8474378f3e3cf88e376b3873b1c6e55b29c79e4798105f5702b15b7d2d8cf14c91da2de707b0a

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
386KB

MD5
1e3b63a3716b2ef82754c0bb44279c5a

SHA1
9a7cc1c14e88908ad5c308778f85821104573b76

SHA256
74db770c5f920083a8574e7fcd8c98b87df6560b5c88682f260d71ffe3b36d5c

SHA512
6ffcba2c185d40ccd30493d50453c6ecaef125c073b4368fcadeb4886282fe5e0c26592abaefb4b64333d56d2b876f68b5eaa09cf34973579bb90af3578d709f

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
386KB

MD5
e2234cd46b6b7cd619b5b5a003ef5957

SHA1
201493ef8e5a4177d60ba036c20842706e6df8ae

SHA256
5c5d69aca37fd788c7159e85adbb31dce60737f3589b3867e01d6f04981b9b41

SHA512
3e7830ca7daff06851b92f5b609a13736c7ac5fa0328a685f16995b69feb638e873ce70588c6150c8d6c78111f293db87b978148247fe14abff78f6eb3adcb41

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
386KB

MD5
d9824d5e127d606e621433c7b303dc4e

SHA1
959d21e507651d41001661b4d0cb2c54f7292f5c

SHA256
e36e8adca20416ec247bf0122b7bc4ecbf2488e449540d51fdb7dba23b1a8480

SHA512
4352ccc9982a560b33e63bf9cdd1959f2371da75118dd827a9e5e5d025a66d09d538755c2bd08ba06256ed9eec82af6d0ce35350cb621471df36c304b0f88ab8

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
386KB

MD5
02fd886f9801f3a0e7a53c71f5dca9c1

SHA1
59f3c832c16f20802ca6fe175b784a321d482e78

SHA256
fb29b6ad2f0b62d2389612c655ca2e8f6d8b01d1cb3cb702d6cc02b0be46f96b

SHA512
ca300fa54eb56ec3b8a8a803f33b35e6b6d6337d854044d6a7ff467ecb558985d2b498a9edb14a87b6ae7774430925ac82f51b65a6450f588b589c4460e10e4a

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
386KB

MD5
a2e87a7d250dbe6363859e075901d212

SHA1
c47659e1a9a588f3d3f0c62ce0efc8c2170b40a6

SHA256
632c205eee7e3c5d49543c2e5d79b3f627b13b5e776f2c71124ffa176e2667b2

SHA512
98f8f37f11efcdfeae87c90500807a0b8d9cb74f772abe446908b174845f802cc403dcc7a85a368d180d99085f91146632039b94ae4a66f2f6fae8fab4152acc

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
386KB

MD5
cf038809ff613589d06c640071a1e9a1

SHA1
5acf32f92da00fdfd6df9358eee06acf2e8c2989

SHA256
4136715662305a2103c43a7a4f9897f99028f5fc610ece65a4160bc8680b0048

SHA512
ed83ebd88335b0e5bc9a4e88b6d3ddf8e92a0cebc52fa77f2c60098c8bb1b02e3ce265ab6ce47d070d9d1c372837b8f48042ff2547c0100436a8fd8bf037ac62

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
386KB

MD5
d661e08ba8b797901a15068e46effdd0

SHA1
34b8866e748714bcb7f4cc0b642a20acb45a9ae1

SHA256
8a688672e279e20f4d5a2cf424985bfc0c65f010aaa9e7dc82f5bf491a981b14

SHA512
e16566566e43d06218724982338646edd422223ae6d63e24fc007c1316674b8c775aa2f77621b75c2dec4ba103da72ec621214ace6086777fad88ef711d5253a

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
386KB

MD5
46eb29e9310e4cf557bd73531666ac3a

SHA1
55c35c30c8b9b3b03577cd4c3fe306e527bec55b

SHA256
0f32f66af7d4fd26ab8f907c1d7601d882db241a32db5187deb89c9aee3dd78b

SHA512
072817d48efb7a574e2d0cd52a06248be396119c088a3e0d68f97daffd7eed38f6be6b05ea8d161c4a569076d56433bddd9987f315380f3a7512534aae76f28a

Download Submit
C:\Windows\SysWOW64\Inljnfkg.exe

Filesize
386KB

MD5
35226988c82f126801b7b62723e51f69

SHA1
2558dc4f21760a0c96f7c2c679bdd12d0acfe40e

SHA256
7390c58a0c66ee51535ad79ca8757166063c26464cd8233f5c05280f55a5c644

SHA512
2b543f4b2b9d54d789aad48a920fa0b77afbe8c11514d9353fa69b284c8491cca108f215883ff2c5a2200f689c0e6e4a66590346ddfb8ba4a25739d1003676e2

Download Submit
C:\Windows\SysWOW64\Kgcampld.dll

Filesize
7KB

MD5
4d88155d91146492bc4e38f9ea84d13b

SHA1
0c12b948f6352381d5cc93b65ead8c5f4c3be7a6

SHA256
7afaff543021b3ee812f1cc0b6c86ab6a3091cc6febcbfb7e0aaae21542b13d0

SHA512
e1e0b5e34d131f6d1882fee2f0f9af689dad6244fbbfbe8eb9ea2a44e1ebd93ca185024ed2c84e2cd48d1fc8334211060d824fea8688e19a5a62a92832f50fa5

Download Submit
\Windows\SysWOW64\Dkmmhf32.exe

Filesize
386KB

MD5
c469c02df8ea6a74d13d59eb6e9205b4

SHA1
4d843ddb7cf1eed5351a9629cc1319759cccbbef

SHA256
1c471e693422cf5650f52c9252520291aa9dd4543f1a5562079b8b9a8e8014e1

SHA512
b9b4938ad4b79ed6adfdc5af26925acd243da1eb58563e6208d2ddd1585c0e4bbfef3e17eddfdf4d250369b344a85423c124d70c6106a3b47bb1bc7660d9d22e

Download Submit
\Windows\SysWOW64\Doobajme.exe

Filesize
386KB

MD5
215c528d0e9d68a35a0ff86193d88a8f

SHA1
2423e3543f4cb4e20e7137a660b40d5bf07b4dad

SHA256
62b2e73d3d9fa822b842db3e944a45224fd9dc473ba79efe292848550d447e9c

SHA512
b4192f45e6ce3f916c293edf6f1746fbc7f5b583ae750074d0545ddcd767a08017b319446a771135fe5b585626a291826a5b68edd67199bbb37502fea52b757f

Download Submit
\Windows\SysWOW64\Emhlfmgj.exe

Filesize
386KB

MD5
ee51f5597cdc2bb9925aff99f32f1b01

SHA1
51aa1e1fc4b4e275993fea016f073c25396392e8

SHA256
0bee062879fbd985c3c350802226e2dc82dc974e148b66a3f39665b0620bbefd

SHA512
e9e2deb279257253bc2a91afd9ccfc5cfdd2dceb4a349a88c3d77d19f4de2f268266fa664a97084c036fdf2eb03b131fc6e05cbe536575342f03fb2d13dbb72e

Download Submit
\Windows\SysWOW64\Epfhbign.exe

Filesize
386KB

MD5
b983987814ae3c04e1ee14911a750b7a

SHA1
7ecdd7a0ce6ead87785c97537378f0af19233f3a

SHA256
1c7b0377fdc12564e886f04a0e115baf5507e4275259e7a9ed80f15b13f36fd3

SHA512
086ffbbf37b02f1afc71d93dc6646ae96cc66b528801d124fd244926299468002a7f99c9964b3b31b28778cf04ebe11d514fd78a29fde65dee5de026fafd2ccf

Download Submit
\Windows\SysWOW64\Fehjeo32.exe

Filesize
386KB

MD5
90546a9d0eb17db049e69a3d5cac62db

SHA1
b7672ef6678be28a85bee814d9bddf28c2f71dcc

SHA256
5ede6cff604a063096dd35276d0cd7ca1e848d69a7cf70d0861c5e37e90ec32b

SHA512
2baf2f7cb6c4e53805b8d61ba834b6e5c7729c79fb6ac366e27dd1f64c49dd4df756b6e8cd82c2710d98db4ad37be870a7e86dfd49049f6b71624a8a2a000908

Download Submit
\Windows\SysWOW64\Fhkpmjln.exe

Filesize
386KB

MD5
dfb13768777419b408660d9718d91071

SHA1
e1807a446d0ee335baaf68949b33aac77763e095

SHA256
1395586202975397bd3d7746a478ec052ee033d22a803c4b44213b315e7a7094

SHA512
efa65a58d97e8b0b7c5e3634af1c0dd24e08b30bda629bcb2cea66677fa44ddba022a2e4fd271e49c1f686730d418b9da4f88191bf34f75ca5ad6545489c9dab

Download Submit
\Windows\SysWOW64\Flabbihl.exe

Filesize
386KB

MD5
3aa393558b6bddf96900a1313494a8ee

SHA1
62a129d33b046c058748d51a433465b3ef2377cb

SHA256
9821c774b5e59862946c8336862c7d97c46ccc1660ecd8b69d6c3f2b075a4ffc

SHA512
147831bc409362c3fae0723a94f47417da5a7ccd405fab8a6a62f4f93c0b3557a325f5ee50087c32ac62ce398683012e75d3e8dd55016599894e54720722dfad

Download Submit
memory/352-402-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/352-198-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/352-197-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/352-201-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/376-258-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/376-259-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/376-247-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/376-420-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/792-262-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/792-260-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/792-422-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/792-266-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/884-432-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/884-321-0x0000000002060000-0x00000000020E7000-memory.dmp

Filesize
540KB

Download
memory/884-319-0x0000000002060000-0x00000000020E7000-memory.dmp

Filesize
540KB

Download
memory/884-318-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1132-210-0x0000000000330000-0x00000000003B7000-memory.dmp

Filesize
540KB

Download
memory/1132-209-0x0000000000330000-0x00000000003B7000-memory.dmp

Filesize
540KB

Download
memory/1132-412-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-110-0x00000000002F0000-0x0000000000377000-memory.dmp

Filesize
540KB

Download
memory/1360-398-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1360-116-0x00000000002F0000-0x0000000000377000-memory.dmp

Filesize
540KB

Download
memory/1520-404-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1520-200-0x0000000000330000-0x00000000003B7000-memory.dmp

Filesize
540KB

Download
memory/1520-199-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1592-117-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1592-400-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1592-130-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/1592-129-0x0000000000250000-0x00000000002D7000-memory.dmp

Filesize
540KB

Download
memory/1664-406-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1680-308-0x0000000002080000-0x0000000002107000-memory.dmp

Filesize
540KB

Download
memory/1680-317-0x0000000002080000-0x0000000002107000-memory.dmp

Filesize
540KB

Download
memory/1680-430-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1680-298-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1684-267-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1684-276-0x00000000002D0000-0x0000000000357000-memory.dmp

Filesize
540KB

Download
memory/1684-424-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1684-277-0x00000000002D0000-0x0000000000357000-memory.dmp

Filesize
540KB

Download
memory/1844-377-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1844-4-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1844-6-0x00000000002A0000-0x0000000000327000-memory.dmp

Filesize
540KB

Download
memory/1936-414-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1936-211-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1936-222-0x00000000002E0000-0x0000000000367000-memory.dmp

Filesize
540KB

Download
memory/1936-221-0x00000000002E0000-0x0000000000367000-memory.dmp

Filesize
540KB

Download
memory/1988-302-0x0000000001FC0000-0x0000000002047000-memory.dmp

Filesize
540KB

Download
memory/1988-297-0x0000000001FC0000-0x0000000002047000-memory.dmp

Filesize
540KB

Download
memory/1988-292-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1988-428-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2008-320-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2176-396-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2176-90-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2288-426-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2288-287-0x00000000002E0000-0x0000000000367000-memory.dmp

Filesize
540KB

Download
memory/2288-280-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2304-410-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2312-223-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2312-233-0x0000000000300000-0x0000000000387000-memory.dmp

Filesize
540KB

Download
memory/2312-232-0x0000000000300000-0x0000000000387000-memory.dmp

Filesize
540KB

Download
memory/2312-416-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2408-242-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2408-243-0x00000000002D0000-0x0000000000357000-memory.dmp

Filesize
540KB

Download
memory/2408-249-0x00000000002D0000-0x0000000000357000-memory.dmp

Filesize
540KB

Download
memory/2408-418-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2456-387-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2484-53-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2484-385-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2588-51-0x0000000000300000-0x0000000000387000-memory.dmp

Filesize
540KB

Download
memory/2588-383-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2700-32-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2700-381-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2780-408-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2912-389-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2984-379-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2984-31-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/2984-30-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads