7f0e00a67e3309f925067af47ead11f5423a4927221eb7b10d3fc4d72af354e0

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
Size

448KB
MD5

0bd25e098936fcb9d975138575bc2210
SHA1

afff1801af0c163e6e4876a0d7cd7314dc1077e4
SHA256

7f0e00a67e3309f925067af47ead11f5423a4927221eb7b10d3fc4d72af354e0
SHA512

1fc996a9e5b32460c17d47767fbde4a1def9f1d7c6ec81a0634969d7271c1952ada9991fdf1244c41301cb2131e1ab39fd08bda5cef650e5d563cb7e471ebe02
SSDEEP

6144:TMHQXTZ26+8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrlo9:fXTZ2l87g7/VycgE81lm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djbiicon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djbiicon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egdilkbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhffaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eihfjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhffaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eilpeooq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eiomkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egdilkbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eilpeooq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djpmccqq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eihfjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgcdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpmccqq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgdbhi32.exe

Executes dropped EXE 28 IoCs

pid	Process
1752	Djpmccqq.exe
1156	Djbiicon.exe
2744	Eihfjo32.exe
2664	Ejgcdb32.exe
2876	Eilpeooq.exe
2532	Eiomkn32.exe
3012	Egdilkbf.exe
2824	Fhffaj32.exe
3000	Fjgoce32.exe
1948	Fjilieka.exe
1680	Fjlhneio.exe
1860	Feeiob32.exe
1160	Gegfdb32.exe
2940	Gopkmhjk.exe
712	Glfhll32.exe
588	Geolea32.exe
1668	Hknach32.exe
2156	Hpkjko32.exe
1140	Hgdbhi32.exe
1556	Hckcmjep.exe
1748	Hlcgeo32.exe
1988	Hobcak32.exe
2264	Hellne32.exe
1200	Hpapln32.exe
1520	Hacmcfge.exe
1432	Icbimi32.exe
1604	Ilknfn32.exe
2184	Iagfoe32.exe

Loads dropped DLL 60 IoCs

pid	Process
2964	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
2964	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
1752	Djpmccqq.exe
1752	Djpmccqq.exe
1156	Djbiicon.exe
1156	Djbiicon.exe
2744	Eihfjo32.exe
2744	Eihfjo32.exe
2664	Ejgcdb32.exe
2664	Ejgcdb32.exe
2876	Eilpeooq.exe
2876	Eilpeooq.exe
2532	Eiomkn32.exe
2532	Eiomkn32.exe
3012	Egdilkbf.exe
3012	Egdilkbf.exe
2824	Fhffaj32.exe
2824	Fhffaj32.exe
3000	Fjgoce32.exe
3000	Fjgoce32.exe
1948	Fjilieka.exe
1948	Fjilieka.exe
1680	Fjlhneio.exe
1680	Fjlhneio.exe
1860	Feeiob32.exe
1860	Feeiob32.exe
1160	Gegfdb32.exe
1160	Gegfdb32.exe
2940	Gopkmhjk.exe
2940	Gopkmhjk.exe
712	Glfhll32.exe
712	Glfhll32.exe
588	Geolea32.exe
588	Geolea32.exe
1668	Hknach32.exe
1668	Hknach32.exe
2156	Hpkjko32.exe
2156	Hpkjko32.exe
1140	Hgdbhi32.exe
1140	Hgdbhi32.exe
1556	Hckcmjep.exe
1556	Hckcmjep.exe
1748	Hlcgeo32.exe
1748	Hlcgeo32.exe
1988	Hobcak32.exe
1988	Hobcak32.exe
2264	Hellne32.exe
2264	Hellne32.exe
1200	Hpapln32.exe
1200	Hpapln32.exe
1520	Hacmcfge.exe
1520	Hacmcfge.exe
1432	Icbimi32.exe
1432	Icbimi32.exe
1604	Ilknfn32.exe
1604	Ilknfn32.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ejgcdb32.exe	Eihfjo32.exe
File created	C:\Windows\SysWOW64\Fjlhneio.exe	Fjilieka.exe
File opened for modification	C:\Windows\SysWOW64\Fjlhneio.exe	Fjilieka.exe
File created	C:\Windows\SysWOW64\Aloeodfi.dll	Fjilieka.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Djbiicon.exe	Djpmccqq.exe
File created	C:\Windows\SysWOW64\Fhffaj32.exe	Egdilkbf.exe
File created	C:\Windows\SysWOW64\Bnkajj32.dll	Fjgoce32.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fjlhneio.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Ejgcdb32.exe	Eihfjo32.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fjlhneio.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Eiomkn32.exe	Eilpeooq.exe
File opened for modification	C:\Windows\SysWOW64\Eiomkn32.exe	Eilpeooq.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Geolea32.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Egdilkbf.exe	Eiomkn32.exe
File opened for modification	C:\Windows\SysWOW64\Fjilieka.exe	Fjgoce32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Djpmccqq.exe	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Egdilkbf.exe	Eiomkn32.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Geolea32.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Djbiicon.exe	Djpmccqq.exe
File created	C:\Windows\SysWOW64\Midahn32.dll	Eiomkn32.exe
File opened for modification	C:\Windows\SysWOW64\Fjgoce32.exe	Fhffaj32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Eihfjo32.exe	Djbiicon.exe
File opened for modification	C:\Windows\SysWOW64\Eilpeooq.exe	Ejgcdb32.exe
File created	C:\Windows\SysWOW64\Lanfmb32.dll	Eilpeooq.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Njqaac32.dll	Eihfjo32.exe
File opened for modification	C:\Windows\SysWOW64\Fhffaj32.exe	Egdilkbf.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gopkmhjk.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Klidkobf.dll	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1196	2184	WerFault.exe	55

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eihfjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjlhneio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll"	Eihfjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll"	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll"	Djpmccqq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll"	Djbiicon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eilpeooq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djpmccqq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egdilkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkajj32.dll"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fjlhneio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djbiicon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eihfjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll"	Fhffaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midahn32.dll"	Eiomkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fhffaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eilpeooq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fhffaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjilieka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoillim.dll"	Ejgcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll"	Egdilkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egdilkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1752	2964	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 1752	2964	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 1752	2964	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 1752	2964	0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe	28
PID 1752 wrote to memory of 1156	1752	Djpmccqq.exe	29
PID 1752 wrote to memory of 1156	1752	Djpmccqq.exe	29
PID 1752 wrote to memory of 1156	1752	Djpmccqq.exe	29
PID 1752 wrote to memory of 1156	1752	Djpmccqq.exe	29
PID 1156 wrote to memory of 2744	1156	Djbiicon.exe	30
PID 1156 wrote to memory of 2744	1156	Djbiicon.exe	30
PID 1156 wrote to memory of 2744	1156	Djbiicon.exe	30
PID 1156 wrote to memory of 2744	1156	Djbiicon.exe	30
PID 2744 wrote to memory of 2664	2744	Eihfjo32.exe	31
PID 2744 wrote to memory of 2664	2744	Eihfjo32.exe	31
PID 2744 wrote to memory of 2664	2744	Eihfjo32.exe	31
PID 2744 wrote to memory of 2664	2744	Eihfjo32.exe	31
PID 2664 wrote to memory of 2876	2664	Ejgcdb32.exe	32
PID 2664 wrote to memory of 2876	2664	Ejgcdb32.exe	32
PID 2664 wrote to memory of 2876	2664	Ejgcdb32.exe	32
PID 2664 wrote to memory of 2876	2664	Ejgcdb32.exe	32
PID 2876 wrote to memory of 2532	2876	Eilpeooq.exe	33
PID 2876 wrote to memory of 2532	2876	Eilpeooq.exe	33
PID 2876 wrote to memory of 2532	2876	Eilpeooq.exe	33
PID 2876 wrote to memory of 2532	2876	Eilpeooq.exe	33
PID 2532 wrote to memory of 3012	2532	Eiomkn32.exe	34
PID 2532 wrote to memory of 3012	2532	Eiomkn32.exe	34
PID 2532 wrote to memory of 3012	2532	Eiomkn32.exe	34
PID 2532 wrote to memory of 3012	2532	Eiomkn32.exe	34
PID 3012 wrote to memory of 2824	3012	Egdilkbf.exe	35
PID 3012 wrote to memory of 2824	3012	Egdilkbf.exe	35
PID 3012 wrote to memory of 2824	3012	Egdilkbf.exe	35
PID 3012 wrote to memory of 2824	3012	Egdilkbf.exe	35
PID 2824 wrote to memory of 3000	2824	Fhffaj32.exe	36
PID 2824 wrote to memory of 3000	2824	Fhffaj32.exe	36
PID 2824 wrote to memory of 3000	2824	Fhffaj32.exe	36
PID 2824 wrote to memory of 3000	2824	Fhffaj32.exe	36
PID 3000 wrote to memory of 1948	3000	Fjgoce32.exe	37
PID 3000 wrote to memory of 1948	3000	Fjgoce32.exe	37
PID 3000 wrote to memory of 1948	3000	Fjgoce32.exe	37
PID 3000 wrote to memory of 1948	3000	Fjgoce32.exe	37
PID 1948 wrote to memory of 1680	1948	Fjilieka.exe	38
PID 1948 wrote to memory of 1680	1948	Fjilieka.exe	38
PID 1948 wrote to memory of 1680	1948	Fjilieka.exe	38
PID 1948 wrote to memory of 1680	1948	Fjilieka.exe	38
PID 1680 wrote to memory of 1860	1680	Fjlhneio.exe	39
PID 1680 wrote to memory of 1860	1680	Fjlhneio.exe	39
PID 1680 wrote to memory of 1860	1680	Fjlhneio.exe	39
PID 1680 wrote to memory of 1860	1680	Fjlhneio.exe	39
PID 1860 wrote to memory of 1160	1860	Feeiob32.exe	40
PID 1860 wrote to memory of 1160	1860	Feeiob32.exe	40
PID 1860 wrote to memory of 1160	1860	Feeiob32.exe	40
PID 1860 wrote to memory of 1160	1860	Feeiob32.exe	40
PID 1160 wrote to memory of 2940	1160	Gegfdb32.exe	41
PID 1160 wrote to memory of 2940	1160	Gegfdb32.exe	41
PID 1160 wrote to memory of 2940	1160	Gegfdb32.exe	41
PID 1160 wrote to memory of 2940	1160	Gegfdb32.exe	41
PID 2940 wrote to memory of 712	2940	Gopkmhjk.exe	42
PID 2940 wrote to memory of 712	2940	Gopkmhjk.exe	42
PID 2940 wrote to memory of 712	2940	Gopkmhjk.exe	42
PID 2940 wrote to memory of 712	2940	Gopkmhjk.exe	42
PID 712 wrote to memory of 588	712	Glfhll32.exe	43
PID 712 wrote to memory of 588	712	Glfhll32.exe	43
PID 712 wrote to memory of 588	712	Glfhll32.exe	43
PID 712 wrote to memory of 588	712	Glfhll32.exe	43

C:\Users\Admin\AppData\Local\Temp\0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0bd25e098936fcb9d975138575bc2210_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\Djpmccqq.exe
  C:\Windows\system32\Djpmccqq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\Djbiicon.exe
    C:\Windows\system32\Djbiicon.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\Eihfjo32.exe
      C:\Windows\system32\Eihfjo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Ejgcdb32.exe
        
        C:\Windows\system32\Ejgcdb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Eilpeooq.exe
        
        C:\Windows\system32\Eilpeooq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Eiomkn32.exe
        
        C:\Windows\system32\Eiomkn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Egdilkbf.exe
        
        C:\Windows\system32\Egdilkbf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Fhffaj32.exe
        
        C:\Windows\system32\Fhffaj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Fjilieka.exe
        
        C:\Windows\system32\Fjilieka.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Fjlhneio.exe
        
        C:\Windows\system32\Fjlhneio.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Hckcmjep.exe
        
        C:\Windows\system32\Hckcmjep.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        29⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dnoillim.dll

Filesize
7KB

MD5
47206c6c8ab690fa4328251753a13dbc

SHA1
08b4a3a437b59b24c953fb6d60707472cb8d9512

SHA256
c14297452b998c50adec8569205513264227d107b63e4aecc31681aba4642ee5

SHA512
b4fc51c7b812cf28425bc8fc14e936de3df250c18214dd8de3ca27488a07986a648ecf4d8cd98c093c4633bc6704c4192d338697e677b3591dd44e713544ebb0

Download Submit
C:\Windows\SysWOW64\Eiomkn32.exe

Filesize
448KB

MD5
9d6c75d4c912398db62a5e1708408153

SHA1
6245fbd987ce17e9d2f2a60d112cffc499d3bcb5

SHA256
5a2e705262dd8f27090b82ff72da0300523f18fa0ce413e3a700568553566d4e

SHA512
18a8aed6c2a7ecd3250bbf94fad939b88d8ee2cad988b95ec468bc3a7cede1ad9a3a06e3192ec2890b48d12b4f4227ff3123b250f0328420f0665b123f82e8bd

Download Submit
C:\Windows\SysWOW64\Fhffaj32.exe

Filesize
448KB

MD5
e5a17b4a93feb2965cfa05c10d5f3a6c

SHA1
a13da8e2e8da2087c4b1288731eede13c691c684

SHA256
669cc8da66e2b8d61956e6aff1280511fd2ed60a10bdb3ac2ae4870488819456

SHA512
f23730eb6fa6354218c06296ff9d87f59865047be1a9a330e2a3ffe8a53119f3f33aa8e20d7ef58aeb1114aa24dfb9e9ea68c718a1180949332c905a65184609

Download Submit
C:\Windows\SysWOW64\Gopkmhjk.exe

Filesize
448KB

MD5
06478bba5745aa7a28fa81954066cb89

SHA1
c02a25378a834d177ae023c9318bdbde0e52c7eb

SHA256
fb798c40e4fe1a382d6776b51e6f6e581296cca1c7a416f90d07356adf57db67

SHA512
1cfa7074ce3b5f3647f68a226cdba85ce12cfb630c2b8f6f2ef37b28a1441961e415c423387c9646bb7456dd3d176b6c7a6b537bd8ceb95abc6a7df3a2552433

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
448KB

MD5
603e224d5b6c4dc39800ff35a7ad3689

SHA1
24d8949b256747fc5efe3ac267253224acf1fbe9

SHA256
dd47dd830c665751139e2935dd81b5da098b6593bd81c21c646d0e7338149874

SHA512
05f2c365e0fce38137500314b375bb9766011e8ef982dc5b58deede1ab29ef2a6e1ea7e05fc90e5fa584bc03cef31ac057e45b76a18a49134c1130a153fa13f8

Download Submit
C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
448KB

MD5
637b2f2e06609f9f229d84f737c56a7b

SHA1
e9bb652381247356ef7dafc35b18632c8ba097a7

SHA256
6ac92491c0971884eb3874bf9df28496cf276783b96497a372bb6ecad67afe09

SHA512
83724859aa1c023ad70907b1adbc937eb48bba5a11c5ef137c83dfcbeb518559c505f0ca14f7c913baf0aeb5d0af8784fddfbca54b4817ff6eb6a70c211bb95a

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
448KB

MD5
336e95b81456c6dfcd18d19ac0860a15

SHA1
950e216d44bcc3d6a582ebb6659d57fd1da6fbd9

SHA256
3b523ab03cd29fb26c9c284c6e3378a9e22bcea72402d178976113468830f2db

SHA512
465c87e34c57845f6738653afa77ecbf88472f6e47a6ce80d1e617be759c1d67fe9820901aaa7a6a6a793b26f80d6fdb5d95461e3644dcd5fa203e2231d9e5b2

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
448KB

MD5
f2874f92d0c08425184ed7839a122ffe

SHA1
602a38108480a0001b2efc016b8773e970c4bce1

SHA256
219e1ce36451f9686bef3c45914cec2c7047e14c6d19b976d10ced2cf5f0af62

SHA512
bcf7af62da2eb8845de0630f289b24fc3d162a912e77b3a454fd69d8277ae5d168389326c48740ae9b447e22215caa4908fb27dca6507d0608b1ce34206917e0

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
448KB

MD5
25e8e369ec0c0005925e3ae2392641f3

SHA1
d5a8a103715a4da819b864e4d4e57015338357e4

SHA256
c19d6c2a764d44688db746b104205a1f08a8f775470b8957d443beff020bd26d

SHA512
3871069a4ed13db14c3f77bede86bac3c03405daab44bf94c906cf4dfe5b1d2727e5ca706484824e28d9162c6ef992e57af7d2151654f2ec1b8de0c98e5bbda4

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
448KB

MD5
e8f7f9d9e63b1f114141dbde76e7db06

SHA1
b34e248d0a931bc19b9cd19d43a0216904cfbcf4

SHA256
c4bddee4b589a46a119dc821103ee3f07fabe6b88855c4b1841da018f1c0fe10

SHA512
5652857579538fc52d3f3dcee37283446c8807c74a4c733b4500a792059126c73c1905c3ba89c680f2e9016cb33530ee334bd5225f4855a31811a1da1ceb0499

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
448KB

MD5
6b4bae48b969835efcc21a4cbb2a9d03

SHA1
9bb619e21eb7d59b00196cb4e561cae81892640d

SHA256
9b68fa320eaa2e5161f7f3e7894d5e7ab1a7274ffd7fa3a4f92b6fb2e10c71eb

SHA512
dc82880643c5b9bad3c78a833d52ad7f191194b3701af785be47884f6ec4289561debd8fae542b5ee3ab3ec8d60ff89e0166ea98a148db7a0aaa3e6b2e79f56f

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
448KB

MD5
deae32ad53632b3a6c6d410f121e1848

SHA1
c8dcf0c45ba910e678c4335cc737c36da75f19bd

SHA256
8d357543ef9f2e19f17ca877186906b5240a546f7b13c97f691792787883dc3a

SHA512
94be85129965ae1310272ddb3326b686ed4c45601fed9c8d5c179aab3055c70374a7d2ddd8f77c81b1182224bf0d2d2163bc827510bf34df9729be66477a4172

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
448KB

MD5
14c518b332555f89a05d35d129ad1d24

SHA1
4e62b79919521b9348d449a08504afe57742186d

SHA256
f785fdb354be470eed8966efa93b7c665c7df9d22ea808402bfcaa80172710f6

SHA512
d037f2a356a2fe1c5821ec72229a0922409487db5c5e7e7c6b69a4f422d4bd72e22b066e1ab6d6ee86da451655570e16c7f3de755826d8471cacff3d1e214781

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
448KB

MD5
db2a9f3716b74ede437a60d73b528a26

SHA1
fb2bf4ded51182f86ee1daa4bb0efb91191cea39

SHA256
92cd70b4cc8335a4d30005a2f4c104cd1ee8b01b114eaef82b638a68f0aea413

SHA512
90fbd20630806de2c8da913e357b17e24a22c6f32c7c4dbcaa5941a45b34348d2db84423fc6647d08913812f34caa0af201c185c8f818b6f210de3cc0d280382

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
448KB

MD5
859571d09063bcfcb971691e2e7b676a

SHA1
7405f90a965c2aab610f2c29524770704e2c1c5e

SHA256
fa0fe879ecfd55c4771f76127aabc795ef3a64cd6534de0f8dd222104ff4798c

SHA512
08b019c23a3b9262c72f3411048a8bba01226eac18b9267e15d19db533bb55b46e484ea3bd88bb8830f535ecb04560fdd66d4692a0cb313ab08fb8e6fd867772

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
448KB

MD5
06d40735b25ae113ec3ec9423e8edd38

SHA1
18e275808ced53894551e3fff97f84d67cb5ac1e

SHA256
3c0c35493f0016c78e72805ff9348619cb2a4278a0dccce05c27046cd436c312

SHA512
2ec644afdf92b55afad818bc1ee53db5216eb160faf5370e75686ae9cb7efe67a925f0db1fc0ec88d236494edc99be15a6f363f9089b8d748b0da179e678a955

Download Submit
\Windows\SysWOW64\Djbiicon.exe

Filesize
448KB

MD5
ff4ea35c0a019f50df3ea88225cdd39d

SHA1
d0b96efcdcf6a81d9beba0994a83874d12af8acf

SHA256
c5d579b058e52da20db99aca31934ddb7b035884864a8416d1a356efd8f72fdf

SHA512
105cfcec130cddbb9177659edac5a05fcb8e5edfef65c430af757bde20123e0a97c0ef39e97e7d12421d69ab96d0ee880065de406db9d3a9c581b556e7a1a48f

Download Submit
\Windows\SysWOW64\Djpmccqq.exe

Filesize
448KB

MD5
54e822cf3065edd11d800eacccdc0d02

SHA1
cab86f606c6cd888e835d452fde84d773db44049

SHA256
ca0909dc7b2b560b61f6678e4eee0d10015eff5a786d91da4b842b7aa402ccd1

SHA512
e86d9b8228f64fea2184f2c7f1eb4a3068e710f0c40a9639bbbc9834fb2567dd789f1c2fd69052a5fddb6c9ff3f5c63d807587a77056fc69b4795ab100086e3c

Download Submit
\Windows\SysWOW64\Egdilkbf.exe

Filesize
448KB

MD5
d67dfc3885a3328e5642453b30695061

SHA1
d93b53e53fb37cb4cc1bbae4cbce7bb68eb39634

SHA256
d11a84fca5fab26cefc23c5842d72144ed02280bc402946bb752f7fee9ff5f3d

SHA512
8108d1963d9a34536bd18354043396419b4b5c1bbea4679842c1ab2884c6423e9e8fffde86ecd80d4018487184c48ca38c8e64d8c9296e16f4d47f76ef54706d

Download Submit
\Windows\SysWOW64\Eihfjo32.exe

Filesize
448KB

MD5
c5cd53ce8ae6cb11081c798769a353f9

SHA1
06e90c24eaa4410841c43c16420a94ef3fa8f022

SHA256
fbade7cdd586c86f25fe88d1f061f8b1b26a615094d6e1bff4ba285e796423e2

SHA512
ec986fec2984a2ed3d0fce88b4e3b70b39b14597956f5718ebd1e48aedda48695aff0d9549c9e4b7aaf71e55291e539f7b3a042a5dda80c675ba7f6f055f19ba

Download Submit
\Windows\SysWOW64\Eilpeooq.exe

Filesize
448KB

MD5
08dd582806a2712697889286265e3bf2

SHA1
eabaab01d209ecae11e108c56c759212bef19f79

SHA256
736d9836ef1fe19e0e1005189e5504e737e3ad5e2ec485bcbdd74756738134d2

SHA512
388c73822d7cbd7ec15fd53b76d9748dcba26452a825a89574aedc077609d8a1d51731f4993ec1a024b0ec145434184eeae8957ef0003875ae4bb26795b51e8f

Download Submit
\Windows\SysWOW64\Ejgcdb32.exe

Filesize
448KB

MD5
ecfc5e9c3f693f56ce7f8674168bdc8a

SHA1
d493c0eea65b00aa38e810872fef01cb75938caf

SHA256
ef4945d19fe20254a8735c916ca2bd62c6b1abd441a2c4827852897985ac716d

SHA512
d578383a42887d77a3bc2188f5fa73ad535d43b1a2d2b549cf4eea44327299cfd7a42bf152abfdfb3965a37bdda84b222f399e3f1ff2fc814d8e1355f4341205

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
448KB

MD5
1b9ec7ba04e3b66d8c3fe5f854d69f94

SHA1
36362f32dd8aef4cf7589c3193b6f54112539601

SHA256
74136af27f5f8a44d30df8adccf8b465d9e8f1a84ceecaf17e15fee20ba4b4dc

SHA512
b4243d5e85a11f63d66021673db38339cb13eccbfbbf2c4a163ae22d4a7958dfffcfce22e84d4cde1dc8a665fa1fe3fbf64534b1fb9de54d41cc35f86e2cff0e

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
448KB

MD5
bb7bb1d84cf167ac78ea587f66b021ec

SHA1
9b64e64f581a3c66416a90faef31af6ea16978e5

SHA256
ad7f405bd60f0189d56a74121360eb3d7c8bbb5865a319ddbef5a9ed06787810

SHA512
0d35ef804028b047443994fac8ad4cc767531bfa4fd0bcd8911006627535151c28d9a2e0713b23654a2bb7497788f5aca090419a915ee62d5bcafc1f71489e9e

Download Submit
\Windows\SysWOW64\Fjilieka.exe

Filesize
448KB

MD5
f560e67017407589c4aa3e8f7bc96358

SHA1
590761c84a0ab0074bb82139e3e52b1fed40a24c

SHA256
7b4ba07bc56a88f844a881ab6dc34ee8218f8ac9608a2b52ccc76d798885379e

SHA512
9a7195fef21c65ee9f5eab364929862de58bc4f349a7fc7571196b79218d800676b498883e5b560ba8986b2c8ecfd87495fb24b9232424c5cce1d42e67d39017

Download Submit
\Windows\SysWOW64\Fjlhneio.exe

Filesize
448KB

MD5
ea9d2012dca24cb474516c3a66ec36ed

SHA1
8022932b8e422470b9faeaf5b65033416c7df5f1

SHA256
251cc7c5ff28d00c7a0f07721b7b64f4e86cf4181b4cc8c7988a42f387db6d29

SHA512
295503658e6e3ae91c41cf970a6ddac856c4035a69da4bc4f512f681efb69e83880987363d8c3c4d99fa70be12c57298bbc4f9c6352322708a669c38506c0aa3

Download Submit
\Windows\SysWOW64\Gegfdb32.exe

Filesize
448KB

MD5
7a7f88a7b2227688007b15899af11d5f

SHA1
9e8f0d348977a388e9a29ebdbd5a72404079bbf1

SHA256
db7c0e5aacdf767d6cef9d6e2faae560db58962dacf7c7807958683ef23c978a

SHA512
ec4a3d1030992080097871d8cf292dcfb1351f07821051f9e616a110a2994cc0065e5a56a4e2aa7527fcddbfa9b1f7ea325dd968eeb28a693b3036acd8bbb320

Download Submit
\Windows\SysWOW64\Geolea32.exe

Filesize
448KB

MD5
63f8e93ee7bf149669a1c1570c825dd8

SHA1
c3ff40429e43fc5a9767bbe1f91fdbbea754eacd

SHA256
ed5d0d3846adcafd43806647c2be22ddf6fd4ca2fc290de7c400380587339cfb

SHA512
ec0c4d1ffcdc7f14704495ffec5f57326e657d2678f459e058b303401c8497a9947ab2c2611826d5d31edc83f049d91afbbb1b0205b59f012adda7c40870c601

Download Submit
\Windows\SysWOW64\Glfhll32.exe

Filesize
448KB

MD5
ae7eed4682c08899c445612998a4ee50

SHA1
a585b1a82b0546b339b6216c5dbaeaec5cf5afbc

SHA256
9a89ec96179033ed612222fc5a1237a400e3708702f08cf43b7923fb193fda11

SHA512
b04f9ad5b80eaad1d151bf9ff753d3fe0328d67b8e596eb25d4fd26070e227ee4c141e2406ab7e062dff8f8a6a8739be7006955fac2cbcfac878e532a1ec46b6

Download Submit
memory/588-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-223-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/712-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-210-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1140-256-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1140-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-32-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1160-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-307-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1200-304-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1200-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-326-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1432-327-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1432-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-317-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1520-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1556-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-266-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1556-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-338-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1604-337-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1604-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-236-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1680-161-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1680-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-276-0x0000000001F90000-0x0000000001FC3000-memory.dmp

Filesize
204KB

Download
memory/1748-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-19-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1860-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-169-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1948-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-143-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1988-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-246-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2156-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-295-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2264-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-296-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2532-92-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2532-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-61-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2664-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-51-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2744-52-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2824-115-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2824-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-79-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2876-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-197-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2940-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-6-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/3000-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-129-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3012-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-106-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads