1ad7e60e5ef9c0a000d760387e8e14cf3ef2958f03c05a1360b64ca1e44984b0

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
Size

896KB
MD5

d4348f0d83c0844463e56119ca998010
SHA1

a9b6824c55549b6713e86fddfc3d19609f9d8718
SHA256

1ad7e60e5ef9c0a000d760387e8e14cf3ef2958f03c05a1360b64ca1e44984b0
SHA512

22786a182a0ab0d8edfefea0c53f940d9564964dc6ceac5a5a8c7fa4a4ff270faa480cdeaa4cd434aef4c01ccc0e201aa22bfc0c65a13c1fa765046da1707ca3
SSDEEP

6144:C40ORLJ/J5CPXbo92ynnZMqKLDK2Q9zsyVH3imoQiRLsmAKWEnaW377a85n0R0tb:CNKFMusMH0QiRLsR4P377a20R01F50+5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe

Executes dropped EXE 15 IoCs

pid	Process
2236	Fmlapp32.exe
3060	Gbkgnfbd.exe
2792	Gdopkn32.exe
2636	Gphmeo32.exe
2768	Hkpnhgge.exe
2560	Hlcgeo32.exe
2708	Hpapln32.exe
2960	Hacmcfge.exe
1292	Hjjddchg.exe
1324	Hlhaqogk.exe
1932	Iaeiieeb.exe
1156	Idceea32.exe
2240	Ilknfn32.exe
2296	Ioijbj32.exe
2500	Iagfoe32.exe

Loads dropped DLL 34 IoCs

pid	Process
2116	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
2116	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
2236	Fmlapp32.exe
2236	Fmlapp32.exe
3060	Gbkgnfbd.exe
3060	Gbkgnfbd.exe
2792	Gdopkn32.exe
2792	Gdopkn32.exe
2636	Gphmeo32.exe
2636	Gphmeo32.exe
2768	Hkpnhgge.exe
2768	Hkpnhgge.exe
2560	Hlcgeo32.exe
2560	Hlcgeo32.exe
2708	Hpapln32.exe
2708	Hpapln32.exe
2960	Hacmcfge.exe
2960	Hacmcfge.exe
1292	Hjjddchg.exe
1292	Hjjddchg.exe
1324	Hlhaqogk.exe
1324	Hlhaqogk.exe
1932	Iaeiieeb.exe
1932	Iaeiieeb.exe
1156	Idceea32.exe
1156	Idceea32.exe
2240	Ilknfn32.exe
2240	Ilknfn32.exe
2296	Ioijbj32.exe
2296	Ioijbj32.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Gbkgnfbd.exe	Fmlapp32.exe
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Gphmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Gphmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bcqgok32.dll	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Qahefm32.dll	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ilknfn32.exe

Program crash 1 IoCs

pid	pid_target	Process
3036	2500	WerFault.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbkgnfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2236	2116	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2236	2116	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2236	2116	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2236	2116	d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 3060	2236	Fmlapp32.exe	29
PID 2236 wrote to memory of 3060	2236	Fmlapp32.exe	29
PID 2236 wrote to memory of 3060	2236	Fmlapp32.exe	29
PID 2236 wrote to memory of 3060	2236	Fmlapp32.exe	29
PID 3060 wrote to memory of 2792	3060	Gbkgnfbd.exe	30
PID 3060 wrote to memory of 2792	3060	Gbkgnfbd.exe	30
PID 3060 wrote to memory of 2792	3060	Gbkgnfbd.exe	30
PID 3060 wrote to memory of 2792	3060	Gbkgnfbd.exe	30
PID 2792 wrote to memory of 2636	2792	Gdopkn32.exe	31
PID 2792 wrote to memory of 2636	2792	Gdopkn32.exe	31
PID 2792 wrote to memory of 2636	2792	Gdopkn32.exe	31
PID 2792 wrote to memory of 2636	2792	Gdopkn32.exe	31
PID 2636 wrote to memory of 2768	2636	Gphmeo32.exe	32
PID 2636 wrote to memory of 2768	2636	Gphmeo32.exe	32
PID 2636 wrote to memory of 2768	2636	Gphmeo32.exe	32
PID 2636 wrote to memory of 2768	2636	Gphmeo32.exe	32
PID 2768 wrote to memory of 2560	2768	Hkpnhgge.exe	33
PID 2768 wrote to memory of 2560	2768	Hkpnhgge.exe	33
PID 2768 wrote to memory of 2560	2768	Hkpnhgge.exe	33
PID 2768 wrote to memory of 2560	2768	Hkpnhgge.exe	33
PID 2560 wrote to memory of 2708	2560	Hlcgeo32.exe	34
PID 2560 wrote to memory of 2708	2560	Hlcgeo32.exe	34
PID 2560 wrote to memory of 2708	2560	Hlcgeo32.exe	34
PID 2560 wrote to memory of 2708	2560	Hlcgeo32.exe	34
PID 2708 wrote to memory of 2960	2708	Hpapln32.exe	35
PID 2708 wrote to memory of 2960	2708	Hpapln32.exe	35
PID 2708 wrote to memory of 2960	2708	Hpapln32.exe	35
PID 2708 wrote to memory of 2960	2708	Hpapln32.exe	35
PID 2960 wrote to memory of 1292	2960	Hacmcfge.exe	36
PID 2960 wrote to memory of 1292	2960	Hacmcfge.exe	36
PID 2960 wrote to memory of 1292	2960	Hacmcfge.exe	36
PID 2960 wrote to memory of 1292	2960	Hacmcfge.exe	36
PID 1292 wrote to memory of 1324	1292	Hjjddchg.exe	37
PID 1292 wrote to memory of 1324	1292	Hjjddchg.exe	37
PID 1292 wrote to memory of 1324	1292	Hjjddchg.exe	37
PID 1292 wrote to memory of 1324	1292	Hjjddchg.exe	37
PID 1324 wrote to memory of 1932	1324	Hlhaqogk.exe	38
PID 1324 wrote to memory of 1932	1324	Hlhaqogk.exe	38
PID 1324 wrote to memory of 1932	1324	Hlhaqogk.exe	38
PID 1324 wrote to memory of 1932	1324	Hlhaqogk.exe	38
PID 1932 wrote to memory of 1156	1932	Iaeiieeb.exe	39
PID 1932 wrote to memory of 1156	1932	Iaeiieeb.exe	39
PID 1932 wrote to memory of 1156	1932	Iaeiieeb.exe	39
PID 1932 wrote to memory of 1156	1932	Iaeiieeb.exe	39
PID 1156 wrote to memory of 2240	1156	Idceea32.exe	40
PID 1156 wrote to memory of 2240	1156	Idceea32.exe	40
PID 1156 wrote to memory of 2240	1156	Idceea32.exe	40
PID 1156 wrote to memory of 2240	1156	Idceea32.exe	40
PID 2240 wrote to memory of 2296	2240	Ilknfn32.exe	41
PID 2240 wrote to memory of 2296	2240	Ilknfn32.exe	41
PID 2240 wrote to memory of 2296	2240	Ilknfn32.exe	41
PID 2240 wrote to memory of 2296	2240	Ilknfn32.exe	41
PID 2296 wrote to memory of 2500	2296	Ioijbj32.exe	42
PID 2296 wrote to memory of 2500	2296	Ioijbj32.exe	42
PID 2296 wrote to memory of 2500	2296	Ioijbj32.exe	42
PID 2296 wrote to memory of 2500	2296	Ioijbj32.exe	42
PID 2500 wrote to memory of 3036	2500	Iagfoe32.exe	43
PID 2500 wrote to memory of 3036	2500	Iagfoe32.exe	43
PID 2500 wrote to memory of 3036	2500	Iagfoe32.exe	43
PID 2500 wrote to memory of 3036	2500	Iagfoe32.exe	43

C:\Users\Admin\AppData\Local\Temp\d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d4348f0d83c0844463e56119ca998010_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\Fmlapp32.exe
  C:\Windows\system32\Fmlapp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\Gbkgnfbd.exe
    C:\Windows\system32\Gbkgnfbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\Gdopkn32.exe
      C:\Windows\system32\Gdopkn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gdopkn32.exe

Filesize
896KB

MD5
eed4bff76459f4d2a497b6a46c8e5b70

SHA1
7be9fbfe88b076f45e99e216bebdfb06904887e5

SHA256
d53ff9ef68b61c8d8f06eb0dc8b91347b7ca1785e1bcc86711940e8c533497c2

SHA512
6ce4822f9e8e2b21b5393dbf767956c8f3536a27749468c0a89b35d55de0132dc9e6d934d3840e3cd6dacf82d43f12d893ad80008e96163d3be39699b77c48bb

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
896KB

MD5
fe97b15a208b75313b68e4cfd3c4244f

SHA1
6070bb8c5fd446699f4f1f8270f99d37b3d98f42

SHA256
80b07c3bfac1793ac37c1baf3d03a65b93abb3721aba2b499facf5a8dfc5627a

SHA512
afec7fe148d2e169f1aa528d9f60a570ad669d648d45ca87e3f86470609b7cfaa79095af65d250ac92f664790cfb055651bb0cecc7099a478703a7082d542da8

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
896KB

MD5
7133bc4c45dbae87c2cf953883dfb2e0

SHA1
41c5a7482428ec9bdf1f44e88dfbc4241065c3c4

SHA256
6069b8cfbc677f4cc440fce4744c3fbb5a98d7eb2f4090088c16ca668de1ecbf

SHA512
0846a48b6a1858d8ce050262008840c19543bbb40f3226cfc04038df8a3386e41230060e5659494585c30120039451802c932809333455e565559cdd9aa45199

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
896KB

MD5
beb7d34f375588095531608bc5680f92

SHA1
f106657cb3938de4263ce0e795030fdb75edac93

SHA256
74a7540d2fa61211855e8b6e630b97d2bcbc135c18ea983a9041279a8c072700

SHA512
06341de60acf956ea66f744a150fd0c4c5f99341b2305a4850f4b146811d25fa28e917d9d6aacc3d3f1ce113e5bb9fd37686130d447c34d9b9de076c056b977f

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
896KB

MD5
d2b4d6a0575b7e73768b83c777f92a60

SHA1
c2eb38c5491fadaa1f40d4123820624e42a16815

SHA256
494d8aa0cb068794f19dbdca24f1e551c309540a27de20939106c7af5c0d400b

SHA512
0abbcf0951d0fe0aed61188d900f71c1ed0976670cbe42feef476ba6ea124d728230497293ddf7b6193f92e1fb4ed7ac5a3c04fce05d544c517d27e97c70d82f

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
896KB

MD5
5254a762ce71ba964420da750756f068

SHA1
6abc868994c40c13fad1fa62f8d66883dd3899ee

SHA256
53ae4a5837c5ca5747ed3dd14d17b42fe28c3c6413dfd28f6f182eee920e63d4

SHA512
5be3858e49e4ef6227b71390beaa00a74cd2f904af5367244ba2e371f39aae4660e21dc75942bdc2eb0b064795bb827f3a35f486f97d0bc644212e743ed8a32a

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
896KB

MD5
8e2d06d263701846cac804ab9296a514

SHA1
fea7a7eff50a93c22161cb4d8a15bbe154b1928c

SHA256
946de80bd4447d02cc7b2ecf04564e9acdbb8d0d4dfc3cb74656c63d7653306a

SHA512
0d1a0e5fbf54379a15cc18308d809d43a3a7b77ae261861f0b6612155971d1126f6afd1770e346d710dfc8d08131bc1b461b676eabf4df90bb676f3507209acd

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
896KB

MD5
2dde949d0f1bb70938f1846f2eeb44fd

SHA1
268067e8b48ab92467fd5d87079165791e2a589a

SHA256
0f9aeda01a3050233c716137183f3d1063a86fae3c1a612b37f7c4064e807558

SHA512
d105af5df76d7b53f7d1a92f47264b9b622f269328277c129a35a44930d2e17271f521f5f406751744ba5c0e80bd961e5a1545387ef43e26af9671937904e5e3

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
896KB

MD5
18299f9fa729ab6a8edfbc206a4857d3

SHA1
315a2615dae1a67e954fa29a78f641c60cb94e7c

SHA256
475e5f49dfd48a57e7e69cffeff8ab747e0adf62d20baa87c9f2385ba44164bd

SHA512
628d512f0050c3ea81d21f98461a9d2849836120fb0832e636dbec17a6bdb72c7ea4bd36dab93aac2b28c84eeecd84c39216dc7a1a8bf1329e0dbde0575ca930

Download Submit
\Windows\SysWOW64\Fmlapp32.exe

Filesize
896KB

MD5
8845c0983cd6ec3ac0cb258c158b77e3

SHA1
449032b54f2c044a498cf578eb6be66b68463bce

SHA256
6f7a055ef173217a6b3650bb13e02755d08590613dacee021f304b04f1ce9c00

SHA512
54497975b806349668815a4b231cc5028288972450b2b7f09065986233d71a97715d0b3a19f06daf3a320b2c6585634cd8ea356915992f1fabd510e6ecf0cc58

Download Submit
\Windows\SysWOW64\Gbkgnfbd.exe

Filesize
896KB

MD5
745f1f2be4251832c8a3e453103f7884

SHA1
0ff158d499e1742e986dbcc2e40bd902b00c6e5a

SHA256
8841042c7be11005c0e90230effc44920d9b06237632fa462a76da64993083e4

SHA512
61386b40e51bfec385e4a4170f3523842e6818eb7026135570cb2103f45995d8839d06b203573c7d186f865efb2f4266789ede2346a0f8eb1027a37bfd07d6dd

Download Submit
\Windows\SysWOW64\Hacmcfge.exe

Filesize
896KB

MD5
c3be904c70a78fc572e0e6458ff65f2e

SHA1
ae9daf9585e36cf9d118c7418d5e88954d48fcc0

SHA256
a42d5fad890411921545518876af3e242ec8cd87bddd65ceb4e219574042349a

SHA512
7485ab2161240d7d791bef5d57f6f0d47eed2856736d2230964696652745b9d1273b93f4d0c560513d30f96b451b1f499e8e5c1090dee4126edb3389200c23cc

Download Submit
\Windows\SysWOW64\Hkpnhgge.exe

Filesize
896KB

MD5
90cc7e16e5dfb4ee972deefd9d5aa976

SHA1
a2dd755ff5a34d6cb2df08d232656457b4336885

SHA256
31b81a90f323770b093647f56468f67765128675a0fd175a3e41846317f21d6d

SHA512
e8d4c5ba2a3b77f4f6fc381b242786169db8f4c6c0deb462062909281162849af1d0aca52e8ff709d5608e4533d47fcc240a3e22872f481acf0ec0e239715113

Download Submit
\Windows\SysWOW64\Hlcgeo32.exe

Filesize
896KB

MD5
94b9381abda291f08a4af61656a2c9f6

SHA1
4059f723413640276698a5ec123f81f83ded7bbe

SHA256
13f435a0eec28fc995433441e6716abfca324ff7ac049457dea341cf2da14fb0

SHA512
0051d8c90764250999d8149fe5a0eaf44983037b112613c1e2866b3a89bedc6bae1baee0febc29380a9eb922fb09f482090b861d91b6a2f0053c535bcdda1532

Download Submit
\Windows\SysWOW64\Hpapln32.exe

Filesize
896KB

MD5
1cf40ef1d0923697b72109e460b082dd

SHA1
f4f28e73ef6cec7fcef7a34f50f0a7adea8987f2

SHA256
f2379d6e492b1da5c664ae1a6517e5a99ac045e306650656fbf94f962e658ec0

SHA512
91f8231df28661e33cce9dab0e643f3f31a3f58a3f55e929e47ad56debaf41c94aa46270a357f1113b7d68acb56f723efc598657b6f6d439b0607bfa0786d07f

Download Submit
memory/1156-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-142-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1292-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-155-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1932-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2116-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-22-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2236-20-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2240-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-90-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2560-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-97-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2560-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-63-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2636-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-75-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/2792-54-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2792-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-124-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2960-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-40-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/3060-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads