243ab8442cda6980db02e4e2c23101d5bb891388157008edbe0b7cb3b1ad65d2

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 11:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
Size

176KB
MD5

dd423326285f5a81f7491b1897975580
SHA1

b9968303c72c51b1747050aacc1218c220f0e938
SHA256

243ab8442cda6980db02e4e2c23101d5bb891388157008edbe0b7cb3b1ad65d2
SHA512

85e216f6d35b552a47af353e14c83ab1ecfbd8b0d1ae28a80976a873f2ab8fc15ffb2a1d73b352afec4c70369b7628bf6a2252ee7e7f70b804d4f4c445555382
SSDEEP

3072:Ml/n/KG5HZBbUHePEy032yaCMMq9FIUPv9XOVw1FaX6lwzmOJfYerMMq9FIUvw3:MxnCGNZBPPE4f9FIUpOVw86CmOJfTo94

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Facdeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcmgfkeg.exe

Executes dropped EXE 28 IoCs

pid	Process
2216	Fcmgfkeg.exe
2344	Fpdhklkl.exe
2800	Fhkpmjln.exe
2896	Facdeo32.exe
2876	Ffpmnf32.exe
2520	Flmefm32.exe
2972	Fbgmbg32.exe
2204	Gegfdb32.exe
2772	Glaoalkh.exe
2736	Ghhofmql.exe
1232	Gbnccfpb.exe
1992	Ghkllmoi.exe
536	Gdamqndn.exe
1036	Gogangdc.exe
1512	Ghoegl32.exe
2872	Hdfflm32.exe
3028	Hkpnhgge.exe
1632	Hckcmjep.exe
852	Hejoiedd.exe
2480	Hnagjbdf.exe
2396	Hpocfncj.exe
300	Hcnpbi32.exe
968	Hhjhkq32.exe
1716	Hodpgjha.exe
1252	Hhmepp32.exe
2044	Idceea32.exe
1592	Ihoafpmp.exe
2864	Iagfoe32.exe

Loads dropped DLL 60 IoCs

pid	Process
2020	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
2020	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
2216	Fcmgfkeg.exe
2216	Fcmgfkeg.exe
2344	Fpdhklkl.exe
2344	Fpdhklkl.exe
2800	Fhkpmjln.exe
2800	Fhkpmjln.exe
2896	Facdeo32.exe
2896	Facdeo32.exe
2876	Ffpmnf32.exe
2876	Ffpmnf32.exe
2520	Flmefm32.exe
2520	Flmefm32.exe
2972	Fbgmbg32.exe
2972	Fbgmbg32.exe
2204	Gegfdb32.exe
2204	Gegfdb32.exe
2772	Glaoalkh.exe
2772	Glaoalkh.exe
2736	Ghhofmql.exe
2736	Ghhofmql.exe
1232	Gbnccfpb.exe
1232	Gbnccfpb.exe
1992	Ghkllmoi.exe
1992	Ghkllmoi.exe
536	Gdamqndn.exe
536	Gdamqndn.exe
1036	Gogangdc.exe
1036	Gogangdc.exe
1512	Ghoegl32.exe
1512	Ghoegl32.exe
2872	Hdfflm32.exe
2872	Hdfflm32.exe
3028	Hkpnhgge.exe
3028	Hkpnhgge.exe
1632	Hckcmjep.exe
1632	Hckcmjep.exe
852	Hejoiedd.exe
852	Hejoiedd.exe
2480	Hnagjbdf.exe
2480	Hnagjbdf.exe
2396	Hpocfncj.exe
2396	Hpocfncj.exe
300	Hcnpbi32.exe
300	Hcnpbi32.exe
968	Hhjhkq32.exe
968	Hhjhkq32.exe
1716	Hodpgjha.exe
1716	Hodpgjha.exe
1252	Hhmepp32.exe
1252	Hhmepp32.exe
2044	Idceea32.exe
2044	Idceea32.exe
1592	Ihoafpmp.exe
1592	Ihoafpmp.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fpdhklkl.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Ffpmnf32.exe
File created	C:\Windows\SysWOW64\Glaoalkh.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Bccnbmal.dll	Fcmgfkeg.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Facklcaq.dll	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fpdhklkl.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Facdeo32.exe	Fhkpmjln.exe
File opened for modification	C:\Windows\SysWOW64\Facdeo32.exe	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Jondlhmp.dll	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Flmefm32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Fhkpmjln.exe	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Ffpmnf32.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Glaoalkh.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Ffpmnf32.exe	Facdeo32.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Ffpmnf32.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Fhkpmjln.exe	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Jkamkfgh.dll	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Fcmgfkeg.exe	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dcdooi32.dll	Facdeo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	2864	WerFault.exe	55

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Ffpmnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll"	Facdeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll"	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffpmnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbnccfpb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2216	2020	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2216	2020	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2216	2020	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2216	2020	dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2344	2216	Fcmgfkeg.exe	29
PID 2216 wrote to memory of 2344	2216	Fcmgfkeg.exe	29
PID 2216 wrote to memory of 2344	2216	Fcmgfkeg.exe	29
PID 2216 wrote to memory of 2344	2216	Fcmgfkeg.exe	29
PID 2344 wrote to memory of 2800	2344	Fpdhklkl.exe	30
PID 2344 wrote to memory of 2800	2344	Fpdhklkl.exe	30
PID 2344 wrote to memory of 2800	2344	Fpdhklkl.exe	30
PID 2344 wrote to memory of 2800	2344	Fpdhklkl.exe	30
PID 2800 wrote to memory of 2896	2800	Fhkpmjln.exe	31
PID 2800 wrote to memory of 2896	2800	Fhkpmjln.exe	31
PID 2800 wrote to memory of 2896	2800	Fhkpmjln.exe	31
PID 2800 wrote to memory of 2896	2800	Fhkpmjln.exe	31
PID 2896 wrote to memory of 2876	2896	Facdeo32.exe	32
PID 2896 wrote to memory of 2876	2896	Facdeo32.exe	32
PID 2896 wrote to memory of 2876	2896	Facdeo32.exe	32
PID 2896 wrote to memory of 2876	2896	Facdeo32.exe	32
PID 2876 wrote to memory of 2520	2876	Ffpmnf32.exe	33
PID 2876 wrote to memory of 2520	2876	Ffpmnf32.exe	33
PID 2876 wrote to memory of 2520	2876	Ffpmnf32.exe	33
PID 2876 wrote to memory of 2520	2876	Ffpmnf32.exe	33
PID 2520 wrote to memory of 2972	2520	Flmefm32.exe	34
PID 2520 wrote to memory of 2972	2520	Flmefm32.exe	34
PID 2520 wrote to memory of 2972	2520	Flmefm32.exe	34
PID 2520 wrote to memory of 2972	2520	Flmefm32.exe	34
PID 2972 wrote to memory of 2204	2972	Fbgmbg32.exe	35
PID 2972 wrote to memory of 2204	2972	Fbgmbg32.exe	35
PID 2972 wrote to memory of 2204	2972	Fbgmbg32.exe	35
PID 2972 wrote to memory of 2204	2972	Fbgmbg32.exe	35
PID 2204 wrote to memory of 2772	2204	Gegfdb32.exe	36
PID 2204 wrote to memory of 2772	2204	Gegfdb32.exe	36
PID 2204 wrote to memory of 2772	2204	Gegfdb32.exe	36
PID 2204 wrote to memory of 2772	2204	Gegfdb32.exe	36
PID 2772 wrote to memory of 2736	2772	Glaoalkh.exe	37
PID 2772 wrote to memory of 2736	2772	Glaoalkh.exe	37
PID 2772 wrote to memory of 2736	2772	Glaoalkh.exe	37
PID 2772 wrote to memory of 2736	2772	Glaoalkh.exe	37
PID 2736 wrote to memory of 1232	2736	Ghhofmql.exe	38
PID 2736 wrote to memory of 1232	2736	Ghhofmql.exe	38
PID 2736 wrote to memory of 1232	2736	Ghhofmql.exe	38
PID 2736 wrote to memory of 1232	2736	Ghhofmql.exe	38
PID 1232 wrote to memory of 1992	1232	Gbnccfpb.exe	39
PID 1232 wrote to memory of 1992	1232	Gbnccfpb.exe	39
PID 1232 wrote to memory of 1992	1232	Gbnccfpb.exe	39
PID 1232 wrote to memory of 1992	1232	Gbnccfpb.exe	39
PID 1992 wrote to memory of 536	1992	Ghkllmoi.exe	40
PID 1992 wrote to memory of 536	1992	Ghkllmoi.exe	40
PID 1992 wrote to memory of 536	1992	Ghkllmoi.exe	40
PID 1992 wrote to memory of 536	1992	Ghkllmoi.exe	40
PID 536 wrote to memory of 1036	536	Gdamqndn.exe	41
PID 536 wrote to memory of 1036	536	Gdamqndn.exe	41
PID 536 wrote to memory of 1036	536	Gdamqndn.exe	41
PID 536 wrote to memory of 1036	536	Gdamqndn.exe	41
PID 1036 wrote to memory of 1512	1036	Gogangdc.exe	42
PID 1036 wrote to memory of 1512	1036	Gogangdc.exe	42
PID 1036 wrote to memory of 1512	1036	Gogangdc.exe	42
PID 1036 wrote to memory of 1512	1036	Gogangdc.exe	42
PID 1512 wrote to memory of 2872	1512	Ghoegl32.exe	43
PID 1512 wrote to memory of 2872	1512	Ghoegl32.exe	43
PID 1512 wrote to memory of 2872	1512	Ghoegl32.exe	43
PID 1512 wrote to memory of 2872	1512	Ghoegl32.exe	43

C:\Users\Admin\AppData\Local\Temp\dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dd423326285f5a81f7491b1897975580_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\Fcmgfkeg.exe
  C:\Windows\system32\Fcmgfkeg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Fpdhklkl.exe
    C:\Windows\system32\Fpdhklkl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\Fhkpmjln.exe
      C:\Windows\system32\Fhkpmjln.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\Facdeo32.exe
        
        C:\Windows\system32\Facdeo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\Ffpmnf32.exe
        
        C:\Windows\system32\Ffpmnf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        29⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcdooi32.dll

Filesize
7KB

MD5
ea8f39fda9cd44f760b5642f002d3187

SHA1
be48fadf89bc946a165de1baf506b22c6fb11476

SHA256
9db089c4305658f7bc978cc63c8f9ef7db5dcef162e0c107f21560a9cc579dd7

SHA512
845ddbe4ba50eacdc46fa40811966a91f3698c01ceac325dc0ddfddef87331587855bf63d8ddde9e2d3f87bcea492112589aff71e636c30b9b4d7a49eb3b7123

Download Submit
C:\Windows\SysWOW64\Fbgmbg32.exe

Filesize
176KB

MD5
0453bc780e99b4158ee073614b3c9de2

SHA1
4e437d12edcb5b5714bc8556c628e7b58302e7a0

SHA256
cfcefe28d3ba5b9d889741719c9410f835be81d70e0988f2578877ce045895e7

SHA512
ad56a4d12e8fa20de43435e347492c8e161382b0d14ae460137d2fb5c275848704583740d6a8e041168cac42bcd40ce39ebb82f678df298959a8176a701077cd

Download Submit
C:\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
176KB

MD5
41b13c174ff11a1301e14879c45783d9

SHA1
0eb1c79cad2354b5de4446b895fc994e59a18247

SHA256
ab0d837eda1bfc078a335f9ed3ce498b1fe6084316f1232bd9bfdcf74b730429

SHA512
e8e420af7b7660f61dc28dcb9e1ee6d8b828cb287c64a42aa5508194a0bde67c9449c9dc863debf359a921556a225096280e2184ce45c9382aa8db6401018c22

Download Submit
C:\Windows\SysWOW64\Fhkpmjln.exe

Filesize
176KB

MD5
e4f016f6f12459d154a7bab0c19b9ecf

SHA1
bd00cb569766c213d93a84f37ec258244a6962a6

SHA256
b7b347f0fd96c60142925c1fd99aa5ba6bc9bbc6c4efae8c4921216d62b4670d

SHA512
b23e45e7ba26b6442b6dbd7f7ccf3941b8863444549544a4689817bf12c1feba517aded84a6f58508ac764079a7ff4ca559bbf40c5eee066b1833197d1805802

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
176KB

MD5
d33d0471780fc2896b2e245cb013d94e

SHA1
e8f0d89ed2d711f29a0ba775cf40c8c131b36603

SHA256
f046598fc4694f6d8e34018ed9f274b4af0a0a5d927c50970e06f9a9694692e8

SHA512
66fe904903af1b2b1ed45df79f33d2425b6c3459b576f67b7385dff9745e95d6b4ea3a4f21728bbb5038b4a6fed3353191e53d721cdb9d8fa2eeaa2c6fa7d31f

Download Submit
C:\Windows\SysWOW64\Glaoalkh.exe

Filesize
176KB

MD5
3233770f7fb45c3b3c2b1970c1a201db

SHA1
4309ab70fb7568bf454fbdf7149fc2e30447f542

SHA256
d520ca7b07dcebd3e6ab5c0c959d1e5b2f62278823df19579808eabb52beda93

SHA512
b5346e8a14df422f5f87c19d45e2c5dd2708039428e292b726cd508e34bf0a41c5f19ea66a46516c5235377a247887b1d2cb5053e61fc957c83553c38637bede

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
176KB

MD5
ba58beb0f63679521069970507122df2

SHA1
007f4a45da88d5c1320b309faf850ae0333219c4

SHA256
191f524525177b751b0fb2bad43c30a0bdbcd9e3590166e61e637ec665e9f29b

SHA512
d8a638b8307cec64c68ab4145fb1c2aa25a864add1e16000ac139f90bcfca492d580d65194f52205b5720a401cbc044ce2b7c62595cee36af085762d0db97a25

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
176KB

MD5
56195119ec80a5989000e50f9676fc09

SHA1
7fc08613bb21a69044da40e9cc30d91306416655

SHA256
a22499f2853a83ee55b5ab423d43e6f8afae17a00e867b8565fd31a6a970c19f

SHA512
4b3a97b034647560363aafa922407c82952151786953fc87ee0a8cc65e2420ba67606b65161fe4f46eac7d3d9d9bf507483de448787a2368726b7be598ae77f3

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
176KB

MD5
ba12999b49fda09e83b4aaaf24a1efa9

SHA1
849c3d58d318d16e62476b9965a74a6db44df2c0

SHA256
c35f430e923856d05db3d6fe46cfecd2afd583d233c41247dd29fda185ee6d46

SHA512
f475a47141e92b7a86350c8596a670d6023b18d8601171b7db53ba372cd5c5172224f24a0b0525704dd022f2a2464dfcc19961060845d71d7968bbd95dffd83b

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
176KB

MD5
8ed40b7524e5db736019c9a25ee6059c

SHA1
49bc5c809e72ea99dca7b42ba80b7a0821897f1d

SHA256
19360e5b0787af3ae3be515f361e9e3bebd3d175c0ebb2634530c9e87fea01a4

SHA512
3b95745486cb82f53f2e5cd7e3ea330ff3d228420e4b4772bb6d0d0530938de6357a4fe38d3c2871a312844ee32f3571cada378ac843bb533fd47b29b4a3d763

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
176KB

MD5
57a7c4f5c33688e9defb8251c90036de

SHA1
bda492333ccad05dd636741aff363dab06901dcb

SHA256
6c0479beb6a941a1e1af9a0f5fc230145995d8ce0dd6e44f9c8536633d48da8c

SHA512
622a14b10a43a3232e00fc18689d5bc028fde067e5c4761158a8c9ace04bdc6536c01a29151616fdbbb93b390498cd839ea1ae7bc35969605262fe04185b7f38

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
176KB

MD5
7048db7b21612ce47ee11a0c7b7da141

SHA1
6a2bd0b7fc8981c5621e89a16f10dff9936496b8

SHA256
18838b70f4d43ad9e422f58fd57731f019f04b174bb72dedb265b72cdcec19ef

SHA512
4463bf77cd646d5f4dd9bdcb89cc2dcaf2c065b2b6667f541130a55d68f5d8f20897289239ee14f2102a0ee17ae20cc8e6a53cd9a91bf0c9c8cd060f1f05ccde

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
176KB

MD5
ed6e828dbde956f95d19bf649e3e81ad

SHA1
e87b024b19752ac49310add56b8f577cd8f29d16

SHA256
01257516b6fc535da130dc3241edf5d3bdd09917a07c1b38c19b759cfc0be42b

SHA512
ddf6136d4831cc17838e1b723dd99fe244e6f3e8eecd5a51b1dcc117b02342bc04c461271c457ccade51fefdeebe481ee6896d97957b8c411d48241d80f08e0e

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
176KB

MD5
35771973e8a57d33b30aa5a9d1d8b655

SHA1
bdee3a2bf005c49a13114c2e0de80b9def7363e3

SHA256
c504775180df8f8d6d43d0b9fe074f0d4ef98f004e8632e854aee33882566d1c

SHA512
51b0310dbdcae1c51c2008af7e04e1fa20867eb252a027d5864041452cab4246d9286a5bd8d5e4ad69a5e167ab851ff7e022a1b35b36f5a5e92fdc590a23d08f

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
176KB

MD5
1cacbc21bd73b7639a5c59aa164d6a76

SHA1
915cb5b4d5ca45d2afc13de63549170f9ead77ad

SHA256
d8a22579a16e713c3a0d2ce341589573ce601fcea2892141e6a5902e8df8b85d

SHA512
aa67da3e8b620ec6f4540f3fc34fba871637a8da7042005eb8fa3c56b6fe69b97d012ca9fee1f012d9b243245464c83d87699df17a1bc0b7c978289dda00ae85

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
176KB

MD5
86fd4bfb4fc895256fac3341078bc099

SHA1
f1f1f42139e6b904bb46ee325ddec2ea6201f92b

SHA256
cc8245c29abb15974653f89c9c6e65e27a292561b0df4ec65c9fd6ae7b67bd53

SHA512
f36de3b98e9d47e45a8f0b538f87653a11b72be0a989bef85305248f1446ddbd11624487cd4a662b3424bda44b05deee8ee2c0e4cabcaae180f994f191d8c23f

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
176KB

MD5
420a58725138494e554761b1163ccbb4

SHA1
a169fcbf55882f6887798283184d1c11c687006f

SHA256
e85eec8085040ab2714d34ad60ce9377e0910eda0915d6f69dd1d6838e3e2d5f

SHA512
7504a3c552b40cb3222df5bbd529c3d836d88faf70c4b45886c49e88dce49f278562f444eff5e4a5e6ad6d97fd128fe0ac6aede5454f2bf64c8a982d14ae4357

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
176KB

MD5
6ba8d23b069bdb07d9ddc0d8fb90acf4

SHA1
a663e9e11f614dc1fd532eb5521f64992312063d

SHA256
7e4060b01417b59792f35d0ec9f04862104065af393c82fabacd5b3c8032fe28

SHA512
40990bbddeea88de330d308efa389ab735f047b106305488ab13bcbc47a38d9532ce182f20d390f8c02ef1e106027c0909cbbe6c162c1ff0811ed6f69e6a56e0

Download Submit
\Windows\SysWOW64\Facdeo32.exe

Filesize
176KB

MD5
c9476e2b78b9a758a11bc60d03b8fb62

SHA1
1e0a7f57dd49f47c5f86f9a870a732754feef8c0

SHA256
a68c539625ab69d04333e4412e76efe4bb7ee29cdb22b893fafc765b910da7b6

SHA512
d0d5cc923c2c00ec983d9a53aafe5699d41936930cc952f6aad385c9ea6b2522773069a730deb59b6fe890b0c85c6b2e653729245940a6af488fbefc1dba8cba

Download Submit
\Windows\SysWOW64\Ffpmnf32.exe

Filesize
176KB

MD5
9149dce8853d3cdcdbc286a41a9290b7

SHA1
a5417a24b4baba1862f4287078f45fa5dede7f93

SHA256
3f00e0801bfc870724d12f22ca0d367fc0235551f2765c3c15a884e2dde398b0

SHA512
8f074a74030ff8ed98196ca69c91e6241a84fb39f331946f185010a023800cdfe909619a7df38c9a4a59c80ff1dc8a86358a184edd42f6c6d294ca201bfd0ac1

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
176KB

MD5
4752c9a16e5d0d6a11401aea3db57ba3

SHA1
9d4e6b7803b161524f5a5af719f43d70c436df5a

SHA256
a03efdac04b7e35df9d58ee2e39327fd501ad7b2493ec1a9b8b88862ccebe659

SHA512
dcd7be83f560ffd65ac2c15d32a2bc33b358fc5914155435bc26f997b5814ba32591919c5d0dd9275dcf3e37d708eb0ecb9f041badc8b773322d4cf50379b3ef

Download Submit
\Windows\SysWOW64\Fpdhklkl.exe

Filesize
176KB

MD5
9e31463e0699fdbdb5acfa613a5f9540

SHA1
a01cab73580d460d736c73d1e43109c04da556d8

SHA256
15670d0752aee2df614190ee820e4acd63d29a87aeb20055aeddb884ed892a62

SHA512
c2c16c346efa21295a6b79b907bf56d89aaffd046aece43a74da6fd09dcf0899a150eb60693457fc7048df3cb3176823a5dec63bfa359f9d1b82f4f2e60c30e0

Download Submit
\Windows\SysWOW64\Gbnccfpb.exe

Filesize
176KB

MD5
6ff151d4e2546a8888ec6878d4fa80b1

SHA1
acb0fc89f33cd3006a1e91bcd0fb05cbea6a1db2

SHA256
a17fb0fc75864dfa7a47561568984361ad3da05214155568539287a544bf007b

SHA512
debe3462a8b088b238039491a9e97ca6342377abb69cf4bfdd1d373de7052b380aba9032cb70051ccbaccba85d91115972e5c7008c14f130a18985ecdd3cfaf4

Download Submit
\Windows\SysWOW64\Gdamqndn.exe

Filesize
176KB

MD5
62d6219f0c93030276fa77dcc288b08e

SHA1
86e878bd3212d795ccdb534619e57af53abb83a4

SHA256
f4eccf91941bc8c3a9bd61663f283b208c6e0cad36e2ca4081c8b2bfd4e77323

SHA512
93b3d1f80ec06760018d40518d8ec3bf96a7bb46a50dfde15a298ac3dfdd6a1423dd108f0488879533123c4445e36b1cde428c512a31f188dac06a645a11b905

Download Submit
\Windows\SysWOW64\Gegfdb32.exe

Filesize
176KB

MD5
e1b8a469c2dc4e3a65aad52b24bc7efb

SHA1
ca61e53d82968ec29a158df17d9a8dee26a197e5

SHA256
15243739d57a52289d28ab8a401d9c7f81cc09fd842d2bda041dc3971e911b0c

SHA512
6dc58ece7b50b56818c48a1a59a9cb2369b24dd823d091365b8b8db2e0594d14de5bddd615cd3ea56d1cbf06cbda0ec85c70139db063126add76e69ab5fd7ded

Download Submit
\Windows\SysWOW64\Ghhofmql.exe

Filesize
176KB

MD5
40f152110a79aea90036f0f0c5242cae

SHA1
f0f444c3dd385e28cf339f21ec8a07184d1c669a

SHA256
6ad540e28910b791d7981ba9b8dfc9e3e9d0ce1780bb755ffa9dd0affdb8ffde

SHA512
7747483deabdb460dc1e2a03130ad376da27846fc76971534ed64e7c463c10ce6fed143f6fc51564f1fc6d89147f3eff422e9be2fda66344912c083e0c7043c2

Download Submit
\Windows\SysWOW64\Ghkllmoi.exe

Filesize
176KB

MD5
643029d46af3a87d58dbcd7589e8ee9b

SHA1
7e2cd7c090466e1c8f3675e0ac54e2ba5d7bacb7

SHA256
ac1ebbc9cbdb346492cb9924da6cbf021e94be64909ec440a09407a49b3bf6cd

SHA512
b00a9275c779dc760ec53fecbfcd46b6b4042a26e11acf6d094343393fe472228c7304c659ce69287cf20651b7342b3451f840ccddefd8fd77c9c051c218833d

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
176KB

MD5
4f86ab845e787b4c17260be5dc3ded94

SHA1
16cd921517ea5d18cbb42552165ea01353c91a2e

SHA256
deb70ac89cb6f2f37c36779fde8989e7e467226f7f2235dc8d95aab89044d441

SHA512
b0f0530367bacd930183f17e21bdd53688365a09e72cd9bf9ba58a0aec58a78be31e11d29148c1dcad664711bd06f74a3244acb3df3a26b6993afe41edd4cd05

Download Submit
\Windows\SysWOW64\Hdfflm32.exe

Filesize
176KB

MD5
7c8730e44db3b46f472d28334db0e73f

SHA1
dc2e08492603b28c7e970d771ca9a0a2c60f7c5f

SHA256
48226ff336669adfe8ff300ab2365d8986525bf04035d98d51e2a2920d9cf823

SHA512
c88e361953c28360e2f5bdc4bd0d005136de43bde901db7391e67b98a8587492bf7cad1419a639434c3a2c6cc03e0a1f3cb6ed606b1c3008333530f36994ac4d

Download Submit
memory/300-285-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/300-272-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/300-286-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/300-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/536-192-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/536-180-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/536-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/536-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/852-242-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/852-354-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/968-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/968-297-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/968-296-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1036-193-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-156-0x0000000001FD0000-0x0000000002009000-memory.dmp

Filesize
228KB

Download
memory/1232-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1252-318-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1252-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1252-319-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1252-357-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1512-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1512-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1512-211-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1592-336-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1592-337-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1592-327-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1592-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-237-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1716-303-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1716-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1716-304-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1992-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2020-339-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2020-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2020-11-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2044-326-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2044-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2044-325-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2204-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2204-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2216-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2216-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2344-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2396-271-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2396-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2396-355-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2396-270-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2480-260-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2480-255-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2520-93-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2520-84-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2520-344-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2736-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2736-348-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2772-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2772-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2800-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2800-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2864-338-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2872-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-74-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2876-78-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2876-65-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-343-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2896-52-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2896-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-345-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-106-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/3028-353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3028-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads