4707c30540b727376e869a30673b2fb01c1a71958444bbc05bdd869b88163f57

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 12:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

deb62db28e162a962f292f7720336340_NeikiAnalytics.exe
Size

62KB
MD5

deb62db28e162a962f292f7720336340
SHA1

532096546c392679cab80b9d7c2b9c55cf7fb2d4
SHA256

4707c30540b727376e869a30673b2fb01c1a71958444bbc05bdd869b88163f57
SHA512

8f374f4b38c566ebbc1b913f2b891d236ad30eb7a5ab6c16d6ed5b24cc5431a4a7a468adfe9645459dff7be721f89ae65a65341dffc8ec998c5b32d170fa3110
SSDEEP

1536:stYAtVpVubSJvQAgMdTjVnKMF8YW41Y+xVfmDSwzDxA08Ahyive8Cy:GVPub4K3ZSIDG0Vrve8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filldb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmjejphb.exe

Executes dropped EXE 29 IoCs

pid	Process
2232	Fmekoalh.exe
2588	Fjilieka.exe
3068	Filldb32.exe
2772	Fjlhneio.exe
2464	Fmjejphb.exe
2544	Feeiob32.exe
2500	Fmlapp32.exe
2944	Gbijhg32.exe
1548	Ghfbqn32.exe
268	Gangic32.exe
2004	Gieojq32.exe
2432	Gbnccfpb.exe
476	Gelppaof.exe
1348	Gkihhhnm.exe
2836	Gacpdbej.exe
1284	Gddifnbk.exe
1468	Hknach32.exe
2456	Hdfflm32.exe
772	Hkpnhgge.exe
296	Hdhbam32.exe
1780	Hejoiedd.exe
1272	Hlcgeo32.exe
2148	Hcnpbi32.exe
2236	Hellne32.exe
1684	Henidd32.exe
1688	Hhmepp32.exe
1716	Hogmmjfo.exe
2660	Ioijbj32.exe
2628	Iagfoe32.exe

Loads dropped DLL 62 IoCs

pid	Process
2240	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe
2240	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe
2232	Fmekoalh.exe
2232	Fmekoalh.exe
2588	Fjilieka.exe
2588	Fjilieka.exe
3068	Filldb32.exe
3068	Filldb32.exe
2772	Fjlhneio.exe
2772	Fjlhneio.exe
2464	Fmjejphb.exe
2464	Fmjejphb.exe
2544	Feeiob32.exe
2544	Feeiob32.exe
2500	Fmlapp32.exe
2500	Fmlapp32.exe
2944	Gbijhg32.exe
2944	Gbijhg32.exe
1548	Ghfbqn32.exe
1548	Ghfbqn32.exe
268	Gangic32.exe
268	Gangic32.exe
2004	Gieojq32.exe
2004	Gieojq32.exe
2432	Gbnccfpb.exe
2432	Gbnccfpb.exe
476	Gelppaof.exe
476	Gelppaof.exe
1348	Gkihhhnm.exe
1348	Gkihhhnm.exe
2836	Gacpdbej.exe
2836	Gacpdbej.exe
1284	Gddifnbk.exe
1284	Gddifnbk.exe
1468	Hknach32.exe
1468	Hknach32.exe
2456	Hdfflm32.exe
2456	Hdfflm32.exe
772	Hkpnhgge.exe
772	Hkpnhgge.exe
296	Hdhbam32.exe
296	Hdhbam32.exe
1780	Hejoiedd.exe
1780	Hejoiedd.exe
1272	Hlcgeo32.exe
1272	Hlcgeo32.exe
2148	Hcnpbi32.exe
2148	Hcnpbi32.exe
2236	Hellne32.exe
2236	Hellne32.exe
1684	Henidd32.exe
1684	Henidd32.exe
1688	Hhmepp32.exe
1688	Hhmepp32.exe
1716	Hogmmjfo.exe
1716	Hogmmjfo.exe
2660	Ioijbj32.exe
2660	Ioijbj32.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gangic32.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Fjilieka.exe	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Cakqnc32.dll	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Gangic32.exe	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gieojq32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gbijhg32.exe
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Gbijhg32.exe	Fmlapp32.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gbijhg32.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Fmekoalh.exe	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ongbcmlc.dll	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Filldb32.exe	Fjilieka.exe
File opened for modification	C:\Windows\SysWOW64\Fjlhneio.exe	Filldb32.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Gbnccfpb.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Fmjejphb.exe	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Gbijhg32.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Mncnkh32.dll	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	Gbijhg32.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Bnkajj32.dll	Fmekoalh.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Dhggeddb.dll	Fjilieka.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Fmjejphb.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hkpnhgge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	2628	WerFault.exe	56

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbijhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Filldb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll"	Filldb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Filldb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll"	Gbijhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Gelppaof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2232	2240	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 2232	2240	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 2232	2240	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 2232	2240	deb62db28e162a962f292f7720336340_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2588	2232	Fmekoalh.exe	29
PID 2232 wrote to memory of 2588	2232	Fmekoalh.exe	29
PID 2232 wrote to memory of 2588	2232	Fmekoalh.exe	29
PID 2232 wrote to memory of 2588	2232	Fmekoalh.exe	29
PID 2588 wrote to memory of 3068	2588	Fjilieka.exe	30
PID 2588 wrote to memory of 3068	2588	Fjilieka.exe	30
PID 2588 wrote to memory of 3068	2588	Fjilieka.exe	30
PID 2588 wrote to memory of 3068	2588	Fjilieka.exe	30
PID 3068 wrote to memory of 2772	3068	Filldb32.exe	31
PID 3068 wrote to memory of 2772	3068	Filldb32.exe	31
PID 3068 wrote to memory of 2772	3068	Filldb32.exe	31
PID 3068 wrote to memory of 2772	3068	Filldb32.exe	31
PID 2772 wrote to memory of 2464	2772	Fjlhneio.exe	32
PID 2772 wrote to memory of 2464	2772	Fjlhneio.exe	32
PID 2772 wrote to memory of 2464	2772	Fjlhneio.exe	32
PID 2772 wrote to memory of 2464	2772	Fjlhneio.exe	32
PID 2464 wrote to memory of 2544	2464	Fmjejphb.exe	33
PID 2464 wrote to memory of 2544	2464	Fmjejphb.exe	33
PID 2464 wrote to memory of 2544	2464	Fmjejphb.exe	33
PID 2464 wrote to memory of 2544	2464	Fmjejphb.exe	33
PID 2544 wrote to memory of 2500	2544	Feeiob32.exe	34
PID 2544 wrote to memory of 2500	2544	Feeiob32.exe	34
PID 2544 wrote to memory of 2500	2544	Feeiob32.exe	34
PID 2544 wrote to memory of 2500	2544	Feeiob32.exe	34
PID 2500 wrote to memory of 2944	2500	Fmlapp32.exe	35
PID 2500 wrote to memory of 2944	2500	Fmlapp32.exe	35
PID 2500 wrote to memory of 2944	2500	Fmlapp32.exe	35
PID 2500 wrote to memory of 2944	2500	Fmlapp32.exe	35
PID 2944 wrote to memory of 1548	2944	Gbijhg32.exe	36
PID 2944 wrote to memory of 1548	2944	Gbijhg32.exe	36
PID 2944 wrote to memory of 1548	2944	Gbijhg32.exe	36
PID 2944 wrote to memory of 1548	2944	Gbijhg32.exe	36
PID 1548 wrote to memory of 268	1548	Ghfbqn32.exe	37
PID 1548 wrote to memory of 268	1548	Ghfbqn32.exe	37
PID 1548 wrote to memory of 268	1548	Ghfbqn32.exe	37
PID 1548 wrote to memory of 268	1548	Ghfbqn32.exe	37
PID 268 wrote to memory of 2004	268	Gangic32.exe	38
PID 268 wrote to memory of 2004	268	Gangic32.exe	38
PID 268 wrote to memory of 2004	268	Gangic32.exe	38
PID 268 wrote to memory of 2004	268	Gangic32.exe	38
PID 2004 wrote to memory of 2432	2004	Gieojq32.exe	39
PID 2004 wrote to memory of 2432	2004	Gieojq32.exe	39
PID 2004 wrote to memory of 2432	2004	Gieojq32.exe	39
PID 2004 wrote to memory of 2432	2004	Gieojq32.exe	39
PID 2432 wrote to memory of 476	2432	Gbnccfpb.exe	40
PID 2432 wrote to memory of 476	2432	Gbnccfpb.exe	40
PID 2432 wrote to memory of 476	2432	Gbnccfpb.exe	40
PID 2432 wrote to memory of 476	2432	Gbnccfpb.exe	40
PID 476 wrote to memory of 1348	476	Gelppaof.exe	41
PID 476 wrote to memory of 1348	476	Gelppaof.exe	41
PID 476 wrote to memory of 1348	476	Gelppaof.exe	41
PID 476 wrote to memory of 1348	476	Gelppaof.exe	41
PID 1348 wrote to memory of 2836	1348	Gkihhhnm.exe	42
PID 1348 wrote to memory of 2836	1348	Gkihhhnm.exe	42
PID 1348 wrote to memory of 2836	1348	Gkihhhnm.exe	42
PID 1348 wrote to memory of 2836	1348	Gkihhhnm.exe	42
PID 2836 wrote to memory of 1284	2836	Gacpdbej.exe	43
PID 2836 wrote to memory of 1284	2836	Gacpdbej.exe	43
PID 2836 wrote to memory of 1284	2836	Gacpdbej.exe	43
PID 2836 wrote to memory of 1284	2836	Gacpdbej.exe	43

C:\Users\Admin\AppData\Local\Temp\deb62db28e162a962f292f7720336340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\deb62db28e162a962f292f7720336340_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\Fmekoalh.exe
  C:\Windows\system32\Fmekoalh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\Fjilieka.exe
    C:\Windows\system32\Fjilieka.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\Filldb32.exe
      C:\Windows\system32\Filldb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\Fjlhneio.exe
        
        C:\Windows\system32\Fjlhneio.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\Fmjejphb.exe
        
        C:\Windows\system32\Fmjejphb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Gbijhg32.exe
        
        C:\Windows\system32\Gbijhg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        30⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Filldb32.exe

Filesize
62KB

MD5
7176de62fa94ed49164d059e74fcb9f7

SHA1
6508f3e36ebbe75bef7d80e720f632b976c5c0e7

SHA256
2c5677835a52b3b24c5c60a3ec80be1932392af9db6686cc9253323f42ba5920

SHA512
b6cb2f52eacad3bc5b512b0d06aa9f613569aded5b59941d0e3269bfb7d1b7a483fab0d8abda84b6936e90022a870bb7dbfadd614bf9b192ad6dfd9d9196d373

Download Submit
C:\Windows\SysWOW64\Fjilieka.exe

Filesize
62KB

MD5
70942434672689c5fa80e9d303ed7ef0

SHA1
5787e688b36d452cbe268b3086c6686f358d1939

SHA256
bfec918151f50087be4e818ad017f4f4cba14f270c97837d8b3484684842df84

SHA512
bab108df82535fd88ef51a0d0c311dcebb8af0498833069582e3f50fcaf3a1e1fd008ce03feaebbbbb99f77d03bc746981fb32d6f73bfad9ef79e5db7218cbaf

Download Submit
C:\Windows\SysWOW64\Fmjejphb.exe

Filesize
62KB

MD5
fda03adba22e54024ec38f7c6c8d5a30

SHA1
319cd6a3ae30b983674c5de1f81584808a79bb57

SHA256
9aa19dd13cb437cfa18e8710db124c02f324b5ff0db2225a006825afc441f3ab

SHA512
6086a1a04ac7769ec2542eab3a709a7ac46af7a7ef0fd1297be11258cd4ca02d0b28043758bbcc1903520b3b4b0d9209c8a7dfd0b47cee4c8c927c5f6f06081b

Download Submit
C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
62KB

MD5
90d366adb879eb717d13977120353fcb

SHA1
0da706687061d825e602dd6eb4aaddc296db8b5f

SHA256
1ac5f3110f7a140b52ab0c02aff1d887247469914c419c0048c7f3bebbbe45d8

SHA512
d50d70928adfee24cb67394da54436fe1e3feff577bf8191b8246d8df962fbcf13622f4e10dcbccb9100cbf9d08626d611bd36cf5d247496753fee08b4c85395

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe

Filesize
62KB

MD5
0e3d5e81893d454e38d20c4e3d5f35aa

SHA1
8038f3fc3f175f6d97a7f062b5c60244cde3dde0

SHA256
4379a748631678afa05e5e120bb16a04f824760a9869e203ab4c05dc43e1f97c

SHA512
123cfb7a42b309796f817f4fa07c8caf950b6558d1daa4fb205981fa2aa2b5c69ce6ca4def1ed225850f48f7fdd39c9661970551fcd612684bd14dd4655c892f

Download Submit
C:\Windows\SysWOW64\Gelppaof.exe

Filesize
62KB

MD5
95ae7d6fedea45bb25aa3339b3fb5d67

SHA1
1a48ed5bd578872bba5094ae820bd8def139a8b1

SHA256
cfe638dcb478794121b73b93d3e6bbed5456175b742295fc49e1c38006d83b70

SHA512
a9cff1fdc02687d2ab8dc343dffe6edd93c05eb101353f860f7221c5994482850839a59da1d2df10c68cde72798d7b5d0bb2c5d88d3553f343a9be6dbaaa678e

Download Submit
C:\Windows\SysWOW64\Ghfbqn32.exe

Filesize
62KB

MD5
77091c2ba5c4f94777fe3a2e2cb38874

SHA1
0658827ee22981c9849e74514fe2ff3aeecf7c4e

SHA256
feb1b29361e3cebb8adc84019fb56af10a0716582335b227e00dbc4a2db5288f

SHA512
2b86ee35d8ed167647beca706af4f0b8fe2b18b7ad36764fd3556d47b36df8a97825be13bfc3c0d234054bb1d72309805d58dd19617d38bfbe53a06f79abcfa8

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
62KB

MD5
8328bdda3f0d1236252d9ec6f674562c

SHA1
8db2a77d8b40532d32a7ae6020830988efb86a81

SHA256
77bf3fb25b0b036b81455e427928866865c49b727a9affd53b73d06821286561

SHA512
f4ae880376bd180c7c3ffd15e21e99729b11599e876f47bd1df7d429576e4a2fa3fafa7cab099f9a6c70b28c12ed75859f28f3ff3b37801f3e9f7720d15d5b3e

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
62KB

MD5
2d7759dcf5c9c70c3fc9ebe1225b81da

SHA1
29e19395c7348502f172ceadbb95871bb7194c7e

SHA256
61b0815789573d9b0e74490ddbcd3f0371a4a084fa37a43cbe721dcd9587acc4

SHA512
398d94fb2b7e691f74245313c358fe1e8593261b0e4bf643e7b5e7eb463bf00334da87c272713565a117a615f5509e01e4276d33a2b15554e439685b525e4b6d

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
62KB

MD5
d4d0f86551b2f1e17b880958fe7c7f98

SHA1
f2bdc01884f48d59a5f48973f0c15ef48c29b4ca

SHA256
6f3efffb1bb64712c2299e434fc07ac9762800e21bd8ccd2bc6c3285a1eea1e1

SHA512
2adfe6cf4b7f7ce33744d3f6f4c4a7173f559df58e5a30cd1d121b89f5ed2df76b4b7c6a88b237712f4e36b251821f4eab3281073d5030697e22fc9a22b64cbc

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
62KB

MD5
7d4fc19635e66970974a9147fb4ec877

SHA1
0b36b628995aa5c4e6044ed9d04f00fd77983dd5

SHA256
da8c98b036c4b908136aa53e3906bfe9b2ecfe1a63f2689fa695bed6bb28d89e

SHA512
7e696a5afc58746f050fa5cf09d788d584c6c90c9315d37b6c70d2980732e2a5736f6acdad8ee717ef867126b1a81b5219d4ea81c00d8aa052f2fd5bcdbd7a8c

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
62KB

MD5
7e079bc013ba95cf04b269634e815a2c

SHA1
7dc25339ab58f5fff8ef98b97c3d025e086d5778

SHA256
8a6283d0d6df55f3708f904e009cb9fa62d8bf6867107041c5a4a2b6b0e055b0

SHA512
f672ebb4ae982cb85c5355a60b33acaaf281aabc5e2e0f68b5a34feb57926a09960d9ce0a6f7b44f28cfe8deee7ae44e7a6cef7b76e0aef73effa56798f49d72

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
62KB

MD5
239ccabfa5b6b32602602b8b781fb098

SHA1
d2e0183097b9d606d352c43d2c4e219ef9572e7b

SHA256
2ad740aaf1b6a719f3cd93f32c1edc24e40cfeb67c27c1f4eea403abc284a451

SHA512
78790454d83f7b0c3dabadcddcec1a36b4639104000f904872fac0e474e39f962fe0f5fdf7b26261335ed5b2aae731f3ec5a141cc7fab780fc14c254ef8714fa

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
62KB

MD5
f711f64b19be54457760a262aa968b23

SHA1
cb0caf671e69250c06f6995ec18c1c80a8b78ce8

SHA256
7dbe4636e9a17405da589fd41f81b4494b0d12ead094c876a2fe13468137ff9f

SHA512
d04886e59603364e8d6a701dbbc7d02eb18454753f6898a6dd77eae6ddbf6c3eadc16cd5bb52e3e665f68f5bd8f9e175909bc0f83ae8023718072fc5181cf238

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
62KB

MD5
88da0044b6fb8df207c5ba9fe2384ab2

SHA1
270b865deca3d6a657bc762f2fb13ab3dd7cf6f5

SHA256
714e0e5a9951fd4ebc684204b9e2499e3b69d5aabfa80cd55d2b0d8c34d03e79

SHA512
e7117e8c6de6e93f443ae7ebdc6c879be6a27cc00089a9642a888362eaf8b0affae3bfcb2048888000d583324e3516f1d2ecd270a06cf9d55e679746b674b9aa

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
62KB

MD5
77a20b1dec0d5d5b5485d26e14c9c283

SHA1
e857aa5547977002dc918a972a3bd0ed70e90d52

SHA256
948fb611dd87b4fd1927374a21508f6ac9b6ffda2a81b8ef00aed6359d5cba8f

SHA512
7fca8a619c24d025af39b0fc0c6d1907ead60f10147926645b22981dd88433c00d68299373ccb927e40752f4eb759a34df9acdfbfe252a4a3f303bc7d546589d

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
62KB

MD5
08c3d80af1992c5c73f2142433024e5e

SHA1
fddf2be563eccc1574e29e9ccad56065f4e91480

SHA256
96a1a35603858cfa0146ed39ba22a86de2641d81985b0293939ed55e4adcb64f

SHA512
091eb4357e80a6be36b04d75cb6ee6a99ab74e530755a120804f09b0a7a22c332226f574e8a24bf38d07fc221faf9c17401d6c4948adea35943bb5e8f1408860

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
62KB

MD5
d435b6e38a3da133c9744e53334805e4

SHA1
e1fdc30d0dbc5e440f88cba37485c162d9339594

SHA256
f9618440bc83070ff7087fabf2637ea0b7a08cf1506694c2aa2c1f4a16e4c3f3

SHA512
a14f028fd64b24d7388f5f3537d9695c39a05192723682370dbab895522494d17a857807078cfd015de73a7a9b477eee02e88c7bc38bf53dce0a8c25f0c49419

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
62KB

MD5
48e9ab9225b4f9093692780195f71b59

SHA1
ffc5b9e196bdcd94639d6bb01cda6087cc765518

SHA256
c6536de886d28ed3df6b02b7cb468846b03b547c9074cc8166d047972a896447

SHA512
1fa5dd2d408a1f567e2537e926fc52ab074becf6e117d1a9ebd84500f9d679f1233fd001766bb793f0bd9c565d73a32f393a8eb8e1c94ca81aa222881dad9d05

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
62KB

MD5
886c98997085cb59fe0c47c84f16dc58

SHA1
9acecef2007523a734076158896388215fcb8798

SHA256
08fff29c7c087c4f99f96f54786f82e1660ae7b97d6eb754cdb3c770cc1b8365

SHA512
0bda915c07a0015e110cfe54cecf9db18aba8df9e616350d00ed199bde7b72b2d4833cd88ea94efbbe3afb30f2facd923d0b175b6d29ff5132b1a10f7efba340

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
62KB

MD5
f1c3eaea12eee3e935857a21be8d913d

SHA1
cbff2a142a0435b398523d3c1fcdb9c96f737259

SHA256
5ec5fa62eaf43e7063d172ad7370c9bfd90e289b40e74aa47819d71c659c8d2a

SHA512
471dd5b59de94b1f6acb19e3833180778d6899fe824e3d829bec14efd902f60ba9e88cacdbf1f9516430b5cb02683cac9bca96a853fb250de50ae3a7150593c8

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
62KB

MD5
c5112ec9edab27a3d682e4f823da4856

SHA1
052ab3ebc649cafedd6312a68cb2e9d7baa9b46b

SHA256
c7d727bdbcc6335ad0cef02d40fd6fcbe9634d7aa8bcf56b2e4836e53c4ae294

SHA512
247ac3c8cc3b53e7f77aab6bbbdc625a6a86afded8f838a296ce783a7ff91f1e6a9ad768109b3f5f208f30e962881397e3f7c57569ae0467d469d297cd554766

Download Submit
\Windows\SysWOW64\Fjlhneio.exe

Filesize
62KB

MD5
498b0c4cc54bd7ed9dfeef3b77c3c4d3

SHA1
3a3ad12e40c9e84200f6616f8a1e241226a967cf

SHA256
421585af0ddf754d5167a289dc9eeb5db5d0fc8c618deb91eded8696e7d6929d

SHA512
7f4d593d0745c31e6051238fab66e3921175d5d940c0b9b70dddb4c079e67bc16a5d15f15d1a940850a540370f614c4b0262e3adc11de0d8774c96089b3d014c

Download Submit
\Windows\SysWOW64\Fmekoalh.exe

Filesize
62KB

MD5
4d587d20de6c3975865aefbdedae7116

SHA1
ea7e624a9897a4d109631890c35261567afa1b0a

SHA256
704129c0e2b43fd093a6734dc0dc9e608705ff0448ca38e66700ede2971de8b5

SHA512
1b610d1aa8bb651521515c219a3127289138216117f2c7599b3f52b0a646956d40440ca4e43ae5a79f85d89e6a80dc74688db8ea1f190b18b323ed7693f1510f

Download Submit
\Windows\SysWOW64\Gangic32.exe

Filesize
62KB

MD5
589ea9a5fe1f9a08a2cb043292907131

SHA1
635b932c67de4e43545f6242690ce61aec994ad6

SHA256
40dbb1682c3c3b3a08e6452cbbac8bcf4a7124fe1e43e2ab2f0968896755bdd5

SHA512
1742b4abd3efd621624095f5bdc742147203fad107eab9e6a6a8e251b442c625ed45ca6624d61332d5a648e88f6980637a89c37a65d3c528422de73476e6c9f9

Download Submit
\Windows\SysWOW64\Gbijhg32.exe

Filesize
62KB

MD5
b5ab90122a6b307b6b6537a3c80bc77c

SHA1
9866f6b8e5df3201f5447e0e94c32657ee8895b4

SHA256
9f7f4707f1c1a9f6dfbb98b8f86a0012cd26aac7f93517f8b45e3f3e665b6f8c

SHA512
4c432fe087022f22079ca6eb5868a70e48fe4936a50787b6f956548a0d8af9e5c1a690318a26dc2d300ed51c3e0aef029b8877fcbbfeea0292886f156b711f7a

Download Submit
\Windows\SysWOW64\Gbnccfpb.exe

Filesize
62KB

MD5
b87dc56524cbba21ffe4080ef1a5b81c

SHA1
62ecdcfb6873b5509be0b3bc2cb3c095ca1a5320

SHA256
0489fe8dd6b57b98bdcc397385800234649c40133b407cb312048d8bf0a4d1f1

SHA512
8b3c3cf9145a62dda49444de7e9c88eeb4caf4940d93f7c5801e6ec7abd4d0e92c74357cdeee8e4894a927cd6dd16c3c6348e753ceae5d0f943ddb645b58c592

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
62KB

MD5
5d203b709871166b9b0597ab89eac368

SHA1
7a3f14821f6064b814da63751826f0b6abb42e8d

SHA256
2a54999e281673563b0928b11df5a2feadb435b2b872e86ca0e716fc316bdd6d

SHA512
563d7b4cefa6e36847ce81efd9269ee9cf90c1b3b32ae35742f1915277c3e98ac74be51fa1842eed81bb3f4f386dd1462254aabaebe0a90b86090188974c209a

Download Submit
\Windows\SysWOW64\Gkihhhnm.exe

Filesize
62KB

MD5
22d42717564019ddc1694512df34c525

SHA1
14c88c42ddb3fad78c2d5121d30a7233b56738cd

SHA256
2448c641bdda22ea84d1d8b838bdfa55756f4ac0c2e687505c3dad4b3a263014

SHA512
953fc8c1495534038a1b216349425fb58daad922c497fa5f48a87d7f913c44b467ce6fab05acae2c9ca5974b0b2d04611f1110f99312df3b972a9829d32c6515

Download Submit
memory/268-151-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/268-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/296-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/296-339-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/476-245-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/476-191-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/476-178-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/476-257-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/772-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/772-265-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/772-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1272-358-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/1272-354-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/1272-300-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1272-302-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/1284-226-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1284-236-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1284-299-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1284-237-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1284-301-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1348-270-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1348-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1348-210-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1348-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1468-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1468-308-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-223-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/1548-124-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1684-375-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1684-331-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/1684-325-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1684-340-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/1688-347-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1688-342-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-376-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-377-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1780-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1780-290-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2004-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2148-310-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2148-370-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2148-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2148-363-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2148-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-30-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2232-94-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2236-371-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2236-315-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2236-374-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2240-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2240-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2240-6-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2432-177-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2432-171-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2456-258-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2456-314-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2456-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2464-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2464-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2500-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2500-107-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2500-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2500-192-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2544-86-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-37-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-373-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-380-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-372-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2660-379-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2660-378-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2772-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2836-211-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2836-271-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-208-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2944-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-195-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3068-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3068-59-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/3068-57-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/3068-122-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3068-123-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads