690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
Size

224KB
MD5

f8890e9e33555f3d2ff7b2f8086079b0
SHA1

6d7b192a4a628d14757d299fa316f9f0a2655ed5
SHA256

690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832
SHA512

670e989172c49cab7d732bb5005c1f940e22998c685676e612d3372c7e08417bfcaa384d6e84361301001b3d9eac09b7492b728a6a15a625949e01667c9df5bb
SSDEEP

6144:oEfffhnl0vbbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQcv:NXfhl4bWGRdA6sQhPbWGRdA6sQc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjdbnf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gopkmhjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fioija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fddmgjpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjdbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe

Executes dropped EXE 26 IoCs

pid	Process
2216	Fjdbnf32.exe
2352	Fhhcgj32.exe
2832	Fpdhklkl.exe
2820	Filldb32.exe
2544	Fbdqmghm.exe
2516	Fioija32.exe
1804	Fddmgjpo.exe
1684	Gfefiemq.exe
2712	Gopkmhjk.exe
2240	Gldkfl32.exe
1996	Gdopkn32.exe
1676	Gacpdbej.exe
1092	Gogangdc.exe
1544	Ghoegl32.exe
2328	Hmlnoc32.exe
3056	Hnojdcfi.exe
1872	Hiekid32.exe
2476	Hcnpbi32.exe
2396	Hellne32.exe
1656	Hhjhkq32.exe
1104	Hcplhi32.exe
1980	Henidd32.exe
1252	Hogmmjfo.exe
2260	Iaeiieeb.exe
1572	Ihoafpmp.exe
2904	Iagfoe32.exe

Loads dropped DLL 56 IoCs

pid	Process
1712	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
1712	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
2216	Fjdbnf32.exe
2216	Fjdbnf32.exe
2352	Fhhcgj32.exe
2352	Fhhcgj32.exe
2832	Fpdhklkl.exe
2832	Fpdhklkl.exe
2820	Filldb32.exe
2820	Filldb32.exe
2544	Fbdqmghm.exe
2544	Fbdqmghm.exe
2516	Fioija32.exe
2516	Fioija32.exe
1804	Fddmgjpo.exe
1804	Fddmgjpo.exe
1684	Gfefiemq.exe
1684	Gfefiemq.exe
2712	Gopkmhjk.exe
2712	Gopkmhjk.exe
2240	Gldkfl32.exe
2240	Gldkfl32.exe
1996	Gdopkn32.exe
1996	Gdopkn32.exe
1676	Gacpdbej.exe
1676	Gacpdbej.exe
1092	Gogangdc.exe
1092	Gogangdc.exe
1544	Ghoegl32.exe
1544	Ghoegl32.exe
2328	Hmlnoc32.exe
2328	Hmlnoc32.exe
3056	Hnojdcfi.exe
3056	Hnojdcfi.exe
1872	Hiekid32.exe
1872	Hiekid32.exe
2476	Hcnpbi32.exe
2476	Hcnpbi32.exe
2396	Hellne32.exe
2396	Hellne32.exe
1656	Hhjhkq32.exe
1656	Hhjhkq32.exe
1104	Hcplhi32.exe
1104	Hcplhi32.exe
1980	Henidd32.exe
1980	Henidd32.exe
1252	Hogmmjfo.exe
1252	Hogmmjfo.exe
2260	Iaeiieeb.exe
2260	Iaeiieeb.exe
1572	Ihoafpmp.exe
1572	Ihoafpmp.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fhhcgj32.exe	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Bccnbmal.dll	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Gopkmhjk.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gopkmhjk.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Filldb32.exe	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Jgdmei32.dll	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Gfefiemq.exe	Fddmgjpo.exe
File opened for modification	C:\Windows\SysWOW64\Gopkmhjk.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Egadpgfp.dll	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Dhggeddb.dll	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	Filldb32.exe
File created	C:\Windows\SysWOW64\Gknfklng.dll	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Fhhcgj32.exe	Fjdbnf32.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Filldb32.exe	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Fddmgjpo.exe	Fioija32.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Fjdbnf32.exe	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fpdhklkl.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Dchfknpg.dll	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	Filldb32.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Qlidlf32.dll	Fioija32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Fioija32.exe	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Ghqknigk.dll	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Fpdhklkl.exe	Fhhcgj32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Fjdbnf32.exe	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Clphjpmh.dll	Filldb32.exe
File created	C:\Windows\SysWOW64\Fioija32.exe	Fbdqmghm.exe
File opened for modification	C:\Windows\SysWOW64\Fddmgjpo.exe	Fioija32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Henidd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2400	2904	WerFault.exe	53

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll"	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fioija32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gopkmhjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjdbnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll"	Fhhcgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfefiemq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll"	Fioija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll"	Fjdbnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fddmgjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhhcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2216	1712	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 2216	1712	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 2216	1712	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 2216	1712	690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2352	2216	Fjdbnf32.exe	29
PID 2216 wrote to memory of 2352	2216	Fjdbnf32.exe	29
PID 2216 wrote to memory of 2352	2216	Fjdbnf32.exe	29
PID 2216 wrote to memory of 2352	2216	Fjdbnf32.exe	29
PID 2352 wrote to memory of 2832	2352	Fhhcgj32.exe	30
PID 2352 wrote to memory of 2832	2352	Fhhcgj32.exe	30
PID 2352 wrote to memory of 2832	2352	Fhhcgj32.exe	30
PID 2352 wrote to memory of 2832	2352	Fhhcgj32.exe	30
PID 2832 wrote to memory of 2820	2832	Fpdhklkl.exe	31
PID 2832 wrote to memory of 2820	2832	Fpdhklkl.exe	31
PID 2832 wrote to memory of 2820	2832	Fpdhklkl.exe	31
PID 2832 wrote to memory of 2820	2832	Fpdhklkl.exe	31
PID 2820 wrote to memory of 2544	2820	Filldb32.exe	32
PID 2820 wrote to memory of 2544	2820	Filldb32.exe	32
PID 2820 wrote to memory of 2544	2820	Filldb32.exe	32
PID 2820 wrote to memory of 2544	2820	Filldb32.exe	32
PID 2544 wrote to memory of 2516	2544	Fbdqmghm.exe	33
PID 2544 wrote to memory of 2516	2544	Fbdqmghm.exe	33
PID 2544 wrote to memory of 2516	2544	Fbdqmghm.exe	33
PID 2544 wrote to memory of 2516	2544	Fbdqmghm.exe	33
PID 2516 wrote to memory of 1804	2516	Fioija32.exe	34
PID 2516 wrote to memory of 1804	2516	Fioija32.exe	34
PID 2516 wrote to memory of 1804	2516	Fioija32.exe	34
PID 2516 wrote to memory of 1804	2516	Fioija32.exe	34
PID 1804 wrote to memory of 1684	1804	Fddmgjpo.exe	35
PID 1804 wrote to memory of 1684	1804	Fddmgjpo.exe	35
PID 1804 wrote to memory of 1684	1804	Fddmgjpo.exe	35
PID 1804 wrote to memory of 1684	1804	Fddmgjpo.exe	35
PID 1684 wrote to memory of 2712	1684	Gfefiemq.exe	36
PID 1684 wrote to memory of 2712	1684	Gfefiemq.exe	36
PID 1684 wrote to memory of 2712	1684	Gfefiemq.exe	36
PID 1684 wrote to memory of 2712	1684	Gfefiemq.exe	36
PID 2712 wrote to memory of 2240	2712	Gopkmhjk.exe	37
PID 2712 wrote to memory of 2240	2712	Gopkmhjk.exe	37
PID 2712 wrote to memory of 2240	2712	Gopkmhjk.exe	37
PID 2712 wrote to memory of 2240	2712	Gopkmhjk.exe	37
PID 2240 wrote to memory of 1996	2240	Gldkfl32.exe	38
PID 2240 wrote to memory of 1996	2240	Gldkfl32.exe	38
PID 2240 wrote to memory of 1996	2240	Gldkfl32.exe	38
PID 2240 wrote to memory of 1996	2240	Gldkfl32.exe	38
PID 1996 wrote to memory of 1676	1996	Gdopkn32.exe	39
PID 1996 wrote to memory of 1676	1996	Gdopkn32.exe	39
PID 1996 wrote to memory of 1676	1996	Gdopkn32.exe	39
PID 1996 wrote to memory of 1676	1996	Gdopkn32.exe	39
PID 1676 wrote to memory of 1092	1676	Gacpdbej.exe	40
PID 1676 wrote to memory of 1092	1676	Gacpdbej.exe	40
PID 1676 wrote to memory of 1092	1676	Gacpdbej.exe	40
PID 1676 wrote to memory of 1092	1676	Gacpdbej.exe	40
PID 1092 wrote to memory of 1544	1092	Gogangdc.exe	41
PID 1092 wrote to memory of 1544	1092	Gogangdc.exe	41
PID 1092 wrote to memory of 1544	1092	Gogangdc.exe	41
PID 1092 wrote to memory of 1544	1092	Gogangdc.exe	41
PID 1544 wrote to memory of 2328	1544	Ghoegl32.exe	42
PID 1544 wrote to memory of 2328	1544	Ghoegl32.exe	42
PID 1544 wrote to memory of 2328	1544	Ghoegl32.exe	42
PID 1544 wrote to memory of 2328	1544	Ghoegl32.exe	42
PID 2328 wrote to memory of 3056	2328	Hmlnoc32.exe	43
PID 2328 wrote to memory of 3056	2328	Hmlnoc32.exe	43
PID 2328 wrote to memory of 3056	2328	Hmlnoc32.exe	43
PID 2328 wrote to memory of 3056	2328	Hmlnoc32.exe	43

C:\Users\Admin\AppData\Local\Temp\690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\690c509fb4dbe72dad5d9d3b51f611a3a2ec6c5cafd2175f64ead6cc51b7d832_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\Fjdbnf32.exe
  C:\Windows\system32\Fjdbnf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Fhhcgj32.exe
    C:\Windows\system32\Fhhcgj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\Fpdhklkl.exe
      C:\Windows\system32\Fpdhklkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Filldb32.exe
        
        C:\Windows\system32\Filldb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Fbdqmghm.exe
        
        C:\Windows\system32\Fbdqmghm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Fioija32.exe
        
        C:\Windows\system32\Fioija32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Fddmgjpo.exe
        
        C:\Windows\system32\Fddmgjpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Gopkmhjk.exe
        
        C:\Windows\system32\Gopkmhjk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Gdopkn32.exe
        
        C:\Windows\system32\Gdopkn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        27⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fddmgjpo.exe

Filesize
224KB

MD5
1ddc8f035669cd335db86d1be1c03a09

SHA1
dd8f830240612ba1e7f362f58d14d63efb24199d

SHA256
972fa02ad88114f64f900d607b1861a93f0a870da6e98be3e46ccb3f288448e6

SHA512
5cdc809c52e2b771f4b37b2d088a326ce43df968d8122d72d06cdc058db8495c17e09bf832ff9f78c74f552f8e36aadadb909220cc308f37ecf57ee5a86c3e59

Download Submit
C:\Windows\SysWOW64\Fpdhklkl.exe

Filesize
224KB

MD5
7fee1f9ce33d5421f4d58f88ff8362d1

SHA1
3dfbd54cbc259634188d72183bb2fa40ebbe0de8

SHA256
4a18267096f46e562631899d2cf56f13c956739217650f1ced3f0bf55847a122

SHA512
26eea1be7ad46ea37866b9b0604b5861a7e9bc37b75f652ff102bcc9a1275e7a7c9ca210e67bcbc7e55a66cbf4f5ce917336eb9c520cbf7475d8f970631174a4

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
224KB

MD5
7ac2b64add9a3efbfead9328f6948645

SHA1
bc9cfd3f34d00973563e456960bf1ecdb759e878

SHA256
20008a13846f5145ab63e5e8564e8e228020166c99e3fc667c4b83fc919747f5

SHA512
e771ff56ec4eaacbca5cd5b6b4c31bc77cc079887574352122d04f09638b24f060d7944b53de2bf50e6faa4e2d167c042d57516269cd9630a508e2c63e187e79

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
224KB

MD5
198200f05f3b433ecc171a6ff5c6f926

SHA1
cbd5b061b06b1481311383afbb3cca2c2675b3d6

SHA256
53a0d2b6ae9c81cbec2c01f937fe55768f13c6b9df9d658788ed3a14820942e0

SHA512
580426a6b82827273180e72a574803e1b8de6f1e84daee8c09b01e6eed9cf1fe56b64a54c4a36ad290dcf04bffa609e5ee55878180db7a29c6ebbcb627595867

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
224KB

MD5
9c52217167b4b5c473582cce69f5e84b

SHA1
7b4e9028c864aaad1ea27225028b1ebd719309cd

SHA256
12cb7e0568ab7cf3a7f9c9836f3b41c687f80c8f45fa81ae95e5c4eeeea60b16

SHA512
eff56cd8183d157c740a8f6318ac3341e7a16cc0c96cea7be5c8910bd677875d67edabdfb035b21d7690c4534c22b886d533c7a7d13063d0d59e6fa45635205c

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
224KB

MD5
f25e9b2e5aa6005147b8306c4075f4a5

SHA1
97d02b313199eb1b186956f7e0eb56f89b0ab8a9

SHA256
8a2887cb8b10a15f8cdcfaba4f0e80086aea24e36e35266b4d7437044f5a382f

SHA512
b0f324ce1abe78a82cf5d464397e2222ad633bbe3ff9c9a247fac688c3779123066b48fc54fd171d0f6dbed48afa0662864a2f35474a9a748df57da80c25c6a1

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
224KB

MD5
cdd8967eab9a78eed3bb2fa2078a2ae4

SHA1
86f22ea1a9b3cb7f854717416f42261cf645ebb8

SHA256
649a08a2741a52f9628db75c8342199621335e3f5d277a5e52ecde9482c8ce75

SHA512
80a42ce2ccca71ed0cd40126a68aba6358decdfd969fc1f86466aaa3a6bed85d175683cc55df90ae155bee5944ef6445646611875d41171c03a7859d41ba7fee

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
224KB

MD5
d7672d34d2c3f156ab4d5052383ea6f3

SHA1
865aaff90ece76bfbd0caf95638b926a400e72ad

SHA256
049ec5428af0534b9127232b978a9721ea0f4d89b847d3aa71b445c9bcaea6ff

SHA512
d9858dcbf413d31bfe578148c291675d4df338c0b9e5f1c9583d3fe971d20395412e952063279b4ffa1eb6bab86f5e5d056dbca39a9a3f164243fbb29ac8c8c1

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
224KB

MD5
be55aead54cd8ef3199b48071185d9dd

SHA1
e102121476d31db11aa9f8194adb3ff07d16c903

SHA256
431415e4451d135141e2cad9f07b31313878f4ee800aa2de896bb9ac350d1413

SHA512
dfd159eccf31ed333a46b284583b9dd184c1f4c00492623968c110322139178f2f0ac51ccd8241f47d1f54d73d1dbfcbb5868f4a921b52416f462e19b46f7fa0

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
224KB

MD5
c3e7f726aecc2a4d6ad46ceb774238c2

SHA1
3b5fbc8ec63d41c66a97945cdd661c42c56e9883

SHA256
4ae0839877ffefd89dda18a718835269a9ad6de08fa642a127498dfa055c12a3

SHA512
078dce4284b72b17080447c0e5ed16d4749d7da08aa1c888c43e6d6754b255702e82065662ed9f95194bc227b3159c8621f19907476bc34c527dd2e60e2c1b43

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
224KB

MD5
49276ee2fe09022a8041de74151a3ba5

SHA1
4adeb71d6263b4c265e677a505433d8cca5b505b

SHA256
d337abb1eb6b68b5157b6a10b0172f5eaa606051754b7fdcd52fc10b495252f7

SHA512
e4143ed62e0820349ded5f342e7685760921f249d6b6ac9f6a5b743930ad0303055698e50d21db52da6cde0c43d5b47bcfacbc9d036e4ca7cffc90bad29b4a53

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
224KB

MD5
e3fb03d4fa68caf1a9c7b7147f18c90b

SHA1
20bb95136290b0150fb8294969d839a1575c5460

SHA256
1b18add5a62754c1299cc4dfe7f6f6f7cb9020c9bdccdd9333fcb6689d907ed0

SHA512
680939fdb6a543fb9389dd90715596f05f0fb2dc74806280736e7519a81ac47c2fd9854a7a5bfc372190a3fec3f1964f5e767e1f13612d4e2b6c8336f68d7ef0

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
224KB

MD5
f51401cb6fb7e1105c34e2910820ac88

SHA1
957f87b0517477cc13c51b7414cc15162cb60521

SHA256
505f88d0bbe159bf94554a027d6640059da989e715309625f66daa2d67857b29

SHA512
96b7a0d1a3554f49332604a3cfd9e8ee4267f2dfcb40e089cc276bf7494d38ed2317d275598701e61e85a95f8d2e77b81877d2eaaa708803032a89332017a1d6

Download Submit
\Windows\SysWOW64\Fbdqmghm.exe

Filesize
224KB

MD5
c0b30131f039e30a8b2aaea3c628d2d0

SHA1
303dec03f3cdf88a15903b42bde574a28cfcccae

SHA256
8ce1f14654f4ab2947e68aef1c0f0455b820721a263b6819bc572ebfd908b305

SHA512
5db915c7b6086c6c40d5177b50a4031697649d1a2c899b834e3aa3d746aea45df8f0d6520d2ec8aa01aa0825af5bba681ca201c7fe7e0a9513753457ee49a04e

Download Submit
\Windows\SysWOW64\Fhhcgj32.exe

Filesize
224KB

MD5
288dee6492176ab3f39ab9fe4a54297f

SHA1
9c4b8ecb5cc7f1ae2a15171bc80eb68e31fe7da0

SHA256
1458d317414b1cd9c5a87defada67e70beb383de3c8840cdaa8068f54099e044

SHA512
d49a7ff90972ab88670fb7bd38fecd54acb3c30d5afdf06d3c1cc0454886b5932fe4fec5f15250eb47dcb969eced851730cc214b361588a506b6928fb3bb44f7

Download Submit
\Windows\SysWOW64\Filldb32.exe

Filesize
224KB

MD5
5027ad861a68c76a352a3decc5323c58

SHA1
83238490370dd382e925ac56bb8217bba593966b

SHA256
1e649b345dd02bfa15cd17016c77bc0de6259d57599b94d25b8ed0fa53e9fa4c

SHA512
69ab6053a4a2138bdb7e0c409bc1ec65e1e6249c037feeb82b9922ffb6e6a9e55d02bd0ffe4ccb5d649aad6be347e176481c4ba18f45fcafc61509509d6c7443

Download Submit
\Windows\SysWOW64\Fioija32.exe

Filesize
224KB

MD5
8bd142d7a194c4ec02203643051d6f24

SHA1
5f8429a3910b0be9e32bb6aac0a27120831c92be

SHA256
a73ae1b3ba3902b93a1abc191d29cb2891f8dabc20c62144ae96e333083fa0ef

SHA512
fca2b9623a017cbb73dfa673ab66ff4239aa34bb412e69234b364e940411e6273a67a097360b5e41c61041714a992b20053937188e2f95d07cedba175a0c2682

Download Submit
\Windows\SysWOW64\Fjdbnf32.exe

Filesize
224KB

MD5
7c63cd13f163befbf6a53606e6f0f6a3

SHA1
f8e0e75c66b3f2891a2e2bc27a18235c520c69a6

SHA256
8137b959fae41d9577c30d04b7358d5c84bad8fdcc98e54e0fdf9e135cb79986

SHA512
277d28f7bdccb4c6e1211ad92b2d82d0d870c93b81737983467a111796ecff94e427c78e98bfc46405388afcb99897b8d8d96866d935de35aa753c31a21a49c6

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
224KB

MD5
825b328a37c8ac21505b0f687a74357c

SHA1
3662e0df3efefe5536ebc2a87f57c2ab1fea027b

SHA256
c3ac48d72756c3518b880749a6f8ee38993f8095d0eb13f97498923f41240086

SHA512
d04f347a4710b6a29f656b2a4c96f48874c84483721ab8a75dc6ae534fb4be4039ee75508d9d5d743be1faf796e268058c32ba636c1bd752a991000f5511a306

Download Submit
\Windows\SysWOW64\Gdopkn32.exe

Filesize
224KB

MD5
0c33e1e6d6e0e73c21f4514dd08a262c

SHA1
58249fbb1352cd4abcee8b3c0827563080025bf2

SHA256
0f10e6a8541bef5bf39875884d2500eb72f647b83c2fde7433cc0f04ecf89b9b

SHA512
816854cb7f86d8178d0977216c6d3a82bd6e3ab7512ab0b70f964a6609c0ab3ae9e5b9db9c00821c5e07e341c3c9e763e8ea9c1539cf16177e2ff2feae9b588e

Download Submit
\Windows\SysWOW64\Gfefiemq.exe

Filesize
224KB

MD5
79f830b2c2898950a06034788e658ced

SHA1
ef3aa01a84571f77d820ee10c20abf53ae92f67c

SHA256
9fd7ef0559e7a2d56e26745b238e28b6ca08809c6edfe03f22a6ce3d6801c96b

SHA512
ccc1efa93437fdabe224f361bd4b3f6e100e25a96e44503e462f02f38917c5ebb023007fd47998fad7289befcb3aae92b2d9a08fcec0f9c24f351485782a4e6f

Download Submit
\Windows\SysWOW64\Ghoegl32.exe

Filesize
224KB

MD5
f0e371d5c98f7ecaf4d0de36d1d3b933

SHA1
2f75e69f561f2287419bc71efb9f4b31801c9e08

SHA256
019f27568b3b38fee48855e997c354f4d36bcadff31a4502fd5aad29637f027e

SHA512
81e12192af0a0338e1db14ed77442895ac8772f184ddcc629c66aa721ea642833bd739a4c7142a1cfa3526caf78357ebb3b4631be5e45b99e98b78e662b3c67a

Download Submit
\Windows\SysWOW64\Gldkfl32.exe

Filesize
224KB

MD5
ebb1efe4f5e905157740c6e7678edfcf

SHA1
80d5c5de5c8a2acf25e7ea37027f01d7d644dff2

SHA256
23d96e1b9e44d861dc0e3e0c7f43a1af19283e775d15307729d8565a695d0af6

SHA512
c63b8f19f74338ef2acedb9e27267804ac0bd3f5ec3ad5c912510ac8ee791f5f8dd2d97e6f2fd30ea27909c815b4310f827c6bcad3dab0db887d31e52b137f78

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
224KB

MD5
4b56d5e3048310d9781b629b682fd372

SHA1
106b07260e4a4203b3af8eed4bfb1928034eac4e

SHA256
f32787a2f6b343bdcffcbe5863f96028cc2a2062542a93660355f19894601862

SHA512
eb7ee4b35156c3742b1d527301453190791b47922a0e31c9b5f96408aa2f69741f1f023982b927c7db8123d3b3ee00c05084302768ab4817ef95b9247baa6825

Download Submit
\Windows\SysWOW64\Gopkmhjk.exe

Filesize
224KB

MD5
54ab4745a0e2f6a02fd08dc01de4ffd9

SHA1
2630608b21b3c37e29a34066b2ee3629103198c3

SHA256
f65f4981949f19d21f33b859eb5e8fef21d78e868bb9eaf8092f848e400e2a70

SHA512
f1dbee2414dfb689bd9df68f41ac3271d920911325a88a44800a6ffc018bd00657657ddc2cf27b3b529138d4fecaacf2cbbd1fa23e92a5318d3580f31f994e11

Download Submit
\Windows\SysWOW64\Hnojdcfi.exe

Filesize
224KB

MD5
d813e4c1d4d059fb9cf565cec5c1a673

SHA1
51ad4eb6214ff02cc630b367a98d841adeec7c73

SHA256
bcdbb9fbab1668c8e95f60af06e40a88f293381932dd69a46f87e945e330d808

SHA512
07a56c090fdb21f5ff5dff8afa300c1732e800c3742b523bf95a081fe99e362b2c9b06d19400b7b712168ea66ac435fa844d3d7cf71103ad8069259dd60f005c

Download Submit
memory/1092-197-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1092-188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1092-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1252-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1252-317-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1252-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1544-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1544-210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1544-219-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1544-286-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1572-339-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1572-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-348-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1656-344-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1656-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1656-342-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1656-288-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1656-282-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1676-174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-187-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1676-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-203-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1684-127-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1684-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-6-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1712-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1804-108-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1872-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1872-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-307-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1980-301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-235-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-170-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2216-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-19-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2240-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-157-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2260-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-232-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2328-220-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-39-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2352-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-40-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2396-266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-341-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2396-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2476-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2476-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-97-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2516-171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-80-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2544-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2712-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2712-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2712-140-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2712-218-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2820-67-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2820-141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-48-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2832-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2904-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-245-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads