492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
Size

1.4MB
MD5

24f1c378d2ae7676a895156bec4546c0
SHA1

fd72a919bd1a78b18a3d57511a2f3dc8798e5292
SHA256

492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367
SHA512

bac2c121a10f30604caef2851bb643ffc84b5f69506dd01e1f26b23f402ce16f38a6c42f2dd2aa85ec22deb20da83d40681bd14296f5bce6c20adc9dcbe6a4bb
SSDEEP

12288:dFFgn8YNCzXjOYpV6yYPI3cpV6yYPeHCXwpnsKvNA+XTvZHWuEo3oWL5g:aNCzXjOYWHWIpsKv2EvZHp3oWNg

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baqbenep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpjiajeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baqbenep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmoipopd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bloqah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cngcjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bloqah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cciemedf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emcbkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eecqjpee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagpopmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cngcjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eecqjpee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagpopmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpjiajeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cciemedf.exe

Executes dropped EXE 28 IoCs

pid	Process
2192	Bagpopmj.exe
1852	Bloqah32.exe
2704	Baqbenep.exe
2900	Cngcjo32.exe
2548	Cpjiajeb.exe
2572	Cciemedf.exe
3016	Dmoipopd.exe
2396	Emcbkn32.exe
2072	Ekklaj32.exe
1552	Eecqjpee.exe
2812	Fmekoalh.exe
2968	Flmefm32.exe
1416	Gegfdb32.exe
2032	Gbnccfpb.exe
2496	Hgdbhi32.exe
612	Hnojdcfi.exe
1596	Hggomh32.exe
844	Hiekid32.exe
2348	Hlcgeo32.exe
1336	Hobcak32.exe
984	Hgilchkf.exe
896	Hhjhkq32.exe
1040	Hodpgjha.exe
2228	Hacmcfge.exe
2420	Hjjddchg.exe
2904	Ieqeidnl.exe
2476	Ilknfn32.exe
3044	Iagfoe32.exe

Loads dropped DLL 60 IoCs

pid	Process
2184	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
2184	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
2192	Bagpopmj.exe
2192	Bagpopmj.exe
1852	Bloqah32.exe
1852	Bloqah32.exe
2704	Baqbenep.exe
2704	Baqbenep.exe
2900	Cngcjo32.exe
2900	Cngcjo32.exe
2548	Cpjiajeb.exe
2548	Cpjiajeb.exe
2572	Cciemedf.exe
2572	Cciemedf.exe
3016	Dmoipopd.exe
3016	Dmoipopd.exe
2396	Emcbkn32.exe
2396	Emcbkn32.exe
2072	Ekklaj32.exe
2072	Ekklaj32.exe
1552	Eecqjpee.exe
1552	Eecqjpee.exe
2812	Fmekoalh.exe
2812	Fmekoalh.exe
2968	Flmefm32.exe
2968	Flmefm32.exe
1416	Gegfdb32.exe
1416	Gegfdb32.exe
2032	Gbnccfpb.exe
2032	Gbnccfpb.exe
2496	Hgdbhi32.exe
2496	Hgdbhi32.exe
612	Hnojdcfi.exe
612	Hnojdcfi.exe
1596	Hggomh32.exe
1596	Hggomh32.exe
844	Hiekid32.exe
844	Hiekid32.exe
2348	Hlcgeo32.exe
2348	Hlcgeo32.exe
1336	Hobcak32.exe
1336	Hobcak32.exe
984	Hgilchkf.exe
984	Hgilchkf.exe
896	Hhjhkq32.exe
896	Hhjhkq32.exe
1040	Hodpgjha.exe
1040	Hodpgjha.exe
2228	Hacmcfge.exe
2228	Hacmcfge.exe
2420	Hjjddchg.exe
2420	Hjjddchg.exe
2904	Ieqeidnl.exe
2904	Ieqeidnl.exe
2476	Ilknfn32.exe
2476	Ilknfn32.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Idphiplp.dll	Bagpopmj.exe
File opened for modification	C:\Windows\SysWOW64\Emcbkn32.exe	Dmoipopd.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Cngcjo32.exe	Baqbenep.exe
File opened for modification	C:\Windows\SysWOW64\Dmoipopd.exe	Cciemedf.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Flmefm32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Iklgpmjo.dll	Baqbenep.exe
File opened for modification	C:\Windows\SysWOW64\Ekklaj32.exe	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Lopekk32.dll	Ekklaj32.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Eecqjpee.exe	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Baqbenep.exe	Bloqah32.exe
File created	C:\Windows\SysWOW64\Cciemedf.exe	Cpjiajeb.exe
File opened for modification	C:\Windows\SysWOW64\Cciemedf.exe	Cpjiajeb.exe
File created	C:\Windows\SysWOW64\Maphhihi.dll	Emcbkn32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Bagpopmj.exe	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Naeqjnho.dll	Cciemedf.exe
File created	C:\Windows\SysWOW64\Fmekoalh.exe	Eecqjpee.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ooahdmkl.dll	Bloqah32.exe
File created	C:\Windows\SysWOW64\Cpjiajeb.exe	Cngcjo32.exe
File created	C:\Windows\SysWOW64\Nejeco32.dll	Cpjiajeb.exe
File created	C:\Windows\SysWOW64\Ekklaj32.exe	Emcbkn32.exe
File created	C:\Windows\SysWOW64\Bloqah32.exe	Bagpopmj.exe
File opened for modification	C:\Windows\SysWOW64\Fmekoalh.exe	Eecqjpee.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Jkdalhhc.dll	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Baqbenep.exe	Bloqah32.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Pdmaibnf.dll	Cngcjo32.exe
File created	C:\Windows\SysWOW64\Emcbkn32.exe	Dmoipopd.exe
File created	C:\Windows\SysWOW64\Eecqjpee.exe	Ekklaj32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Dmoipopd.exe	Cciemedf.exe
File created	C:\Windows\SysWOW64\Ongbcmlc.dll	Eecqjpee.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Gbnccfpb.exe

Program crash 1 IoCs

pid	pid_target	Process
2248	3044	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklgpmjo.dll"	Baqbenep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeqjnho.dll"	Cciemedf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmekoalh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baqbenep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baqbenep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cngcjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll"	Eecqjpee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpjiajeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eecqjpee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll"	Cngcjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmekoalh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idphiplp.dll"	Bagpopmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpjiajeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopekk32.dll"	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bloqah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Emcbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmoipopd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Flmefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagpopmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bloqah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eecqjpee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahdmkl.dll"	Bloqah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejeco32.dll"	Cpjiajeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2192	2184	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2192	2184	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2192	2184	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe	28
PID 2184 wrote to memory of 2192	2184	492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 1852	2192	Bagpopmj.exe	29
PID 2192 wrote to memory of 1852	2192	Bagpopmj.exe	29
PID 2192 wrote to memory of 1852	2192	Bagpopmj.exe	29
PID 2192 wrote to memory of 1852	2192	Bagpopmj.exe	29
PID 1852 wrote to memory of 2704	1852	Bloqah32.exe	30
PID 1852 wrote to memory of 2704	1852	Bloqah32.exe	30
PID 1852 wrote to memory of 2704	1852	Bloqah32.exe	30
PID 1852 wrote to memory of 2704	1852	Bloqah32.exe	30
PID 2704 wrote to memory of 2900	2704	Baqbenep.exe	31
PID 2704 wrote to memory of 2900	2704	Baqbenep.exe	31
PID 2704 wrote to memory of 2900	2704	Baqbenep.exe	31
PID 2704 wrote to memory of 2900	2704	Baqbenep.exe	31
PID 2900 wrote to memory of 2548	2900	Cngcjo32.exe	32
PID 2900 wrote to memory of 2548	2900	Cngcjo32.exe	32
PID 2900 wrote to memory of 2548	2900	Cngcjo32.exe	32
PID 2900 wrote to memory of 2548	2900	Cngcjo32.exe	32
PID 2548 wrote to memory of 2572	2548	Cpjiajeb.exe	33
PID 2548 wrote to memory of 2572	2548	Cpjiajeb.exe	33
PID 2548 wrote to memory of 2572	2548	Cpjiajeb.exe	33
PID 2548 wrote to memory of 2572	2548	Cpjiajeb.exe	33
PID 2572 wrote to memory of 3016	2572	Cciemedf.exe	34
PID 2572 wrote to memory of 3016	2572	Cciemedf.exe	34
PID 2572 wrote to memory of 3016	2572	Cciemedf.exe	34
PID 2572 wrote to memory of 3016	2572	Cciemedf.exe	34
PID 3016 wrote to memory of 2396	3016	Dmoipopd.exe	35
PID 3016 wrote to memory of 2396	3016	Dmoipopd.exe	35
PID 3016 wrote to memory of 2396	3016	Dmoipopd.exe	35
PID 3016 wrote to memory of 2396	3016	Dmoipopd.exe	35
PID 2396 wrote to memory of 2072	2396	Emcbkn32.exe	36
PID 2396 wrote to memory of 2072	2396	Emcbkn32.exe	36
PID 2396 wrote to memory of 2072	2396	Emcbkn32.exe	36
PID 2396 wrote to memory of 2072	2396	Emcbkn32.exe	36
PID 2072 wrote to memory of 1552	2072	Ekklaj32.exe	37
PID 2072 wrote to memory of 1552	2072	Ekklaj32.exe	37
PID 2072 wrote to memory of 1552	2072	Ekklaj32.exe	37
PID 2072 wrote to memory of 1552	2072	Ekklaj32.exe	37
PID 1552 wrote to memory of 2812	1552	Eecqjpee.exe	38
PID 1552 wrote to memory of 2812	1552	Eecqjpee.exe	38
PID 1552 wrote to memory of 2812	1552	Eecqjpee.exe	38
PID 1552 wrote to memory of 2812	1552	Eecqjpee.exe	38
PID 2812 wrote to memory of 2968	2812	Fmekoalh.exe	39
PID 2812 wrote to memory of 2968	2812	Fmekoalh.exe	39
PID 2812 wrote to memory of 2968	2812	Fmekoalh.exe	39
PID 2812 wrote to memory of 2968	2812	Fmekoalh.exe	39
PID 2968 wrote to memory of 1416	2968	Flmefm32.exe	40
PID 2968 wrote to memory of 1416	2968	Flmefm32.exe	40
PID 2968 wrote to memory of 1416	2968	Flmefm32.exe	40
PID 2968 wrote to memory of 1416	2968	Flmefm32.exe	40
PID 1416 wrote to memory of 2032	1416	Gegfdb32.exe	41
PID 1416 wrote to memory of 2032	1416	Gegfdb32.exe	41
PID 1416 wrote to memory of 2032	1416	Gegfdb32.exe	41
PID 1416 wrote to memory of 2032	1416	Gegfdb32.exe	41
PID 2032 wrote to memory of 2496	2032	Gbnccfpb.exe	42
PID 2032 wrote to memory of 2496	2032	Gbnccfpb.exe	42
PID 2032 wrote to memory of 2496	2032	Gbnccfpb.exe	42
PID 2032 wrote to memory of 2496	2032	Gbnccfpb.exe	42
PID 2496 wrote to memory of 612	2496	Hgdbhi32.exe	43
PID 2496 wrote to memory of 612	2496	Hgdbhi32.exe	43
PID 2496 wrote to memory of 612	2496	Hgdbhi32.exe	43
PID 2496 wrote to memory of 612	2496	Hgdbhi32.exe	43

C:\Users\Admin\AppData\Local\Temp\492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\492c1278469d940ea3267b3e8da809a59a41c9e93b68317765b94fe658d62367_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\Bagpopmj.exe
  C:\Windows\system32\Bagpopmj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Bloqah32.exe
    C:\Windows\system32\Bloqah32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\Baqbenep.exe
      C:\Windows\system32\Baqbenep.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Cngcjo32.exe
        
        C:\Windows\system32\Cngcjo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\Cpjiajeb.exe
        
        C:\Windows\system32\Cpjiajeb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Cciemedf.exe
        
        C:\Windows\system32\Cciemedf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Dmoipopd.exe
        
        C:\Windows\system32\Dmoipopd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Emcbkn32.exe
        
        C:\Windows\system32\Emcbkn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Ekklaj32.exe
        
        C:\Windows\system32\Ekklaj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Eecqjpee.exe
        
        C:\Windows\system32\Eecqjpee.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Fmekoalh.exe
        
        C:\Windows\system32\Fmekoalh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:612
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        29⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cngcjo32.exe

Filesize
1.4MB

MD5
2cedc37072cba50495bce0d83af11fd9

SHA1
ab1eec4702dd51bfd8976aad008983dbc34f8ffa

SHA256
e6c1f8b84f081114602c57bb866852da77f1c0cb91e4064d8b891b6e553253ca

SHA512
6e48ac8a3e77874a89fc916e2a2d92908c8298401881b58d8e9fdc1d6c2867a0f425beea022db69062bbc4f11ca7513957ebaedae2af894c192bdb6fddad2301

Download Submit
C:\Windows\SysWOW64\Eecqjpee.exe

Filesize
1.4MB

MD5
182aa75395356ddb6cfd2d748b1e90be

SHA1
ec3b4e26c820f7622859758064ba188e5cc2e073

SHA256
b8f84ef869ea5db6438fefe2dd3ee9e567b9ae95909deb5907ef47b58ae1114e

SHA512
4bb6a8e0056b2e3f9d830ae2945820af923bdd8c8b58677732bd9cf971666a430dda32834700c5e2209890c9ce85067b39f4f3567c56660b970bf41a4ab4b714

Download Submit
C:\Windows\SysWOW64\Fmekoalh.exe

Filesize
1.4MB

MD5
ffe45bb9d3206b4d6a58e56aabc94a79

SHA1
a671ae19930f207c71613e6b55ab9ff30f04733f

SHA256
b4a8dd0b024f44f9948957ff76b48e7b6bcdfeaca4af435d6ccfa9e9dfab40cf

SHA512
dff3b325395ab608a3176f5aa79f8778c07b6baba7595eb39959e988a37c0a5b045fc5b059c257f5a7823ba0d618137315cfdef6b9261eb4d2f26294bcdec1f3

Download Submit
C:\Windows\SysWOW64\Gbnccfpb.exe

Filesize
1.4MB

MD5
a328f9432d013d2cf14f1d37ed7b7ce6

SHA1
31317827cf85e11e470b20e4d67c1f20a7803711

SHA256
a562c188fbeeeae4a2c8f522921c7a957a2a601ca9d1e896f7b7e31c3403b975

SHA512
62c7fd430083db73d7a9dcdc002e5529c0f1cb45875bab8c4d893241e77e1982792a8ac2bab6b9ded1b1fb3f911951ed512f2833c5a243ea8a64a9857e80e1ee

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
1.4MB

MD5
cbd5b36cd1b4c13260a19a0d52de8fe3

SHA1
17d5bfddf219ea8fc0227767f2bcc3fc0d9b7150

SHA256
10bdbff9aa9adf439e2a71fa4cc5e6867c0469c2e882bb877104c3e9f2af5590

SHA512
2661087e81643dcc5bfa7bafad28afbc0f29c5cdb72a33090246835e49f116cbb65a547f6d8039a2aa9a2452dca21f2e83321b8f5d9be618ea74ab7f3506a58e

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
1.4MB

MD5
c5aa522c390575b1c95e6e359669bda8

SHA1
b21fb60fb6cd097e8c5e1aee6f15384fe87642d1

SHA256
ca7bdd086926e5ae95d41cca93fd55aa9606c73eb47a890676fcf04fae52e980

SHA512
758acc1aa3c591b61f5b9762c8b4ecd1a37e5ee25084fd892a69928a960e99027d8aec42481de24b6734ad723ae68bcae1c87b3e14d854493a2b1305337ab4ee

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
1.4MB

MD5
ca3e731dba9fc9ef04a54e3c399b56b4

SHA1
dcb64e8095c0df5be6adaf07396ced5e7192d61b

SHA256
bda0b22b73d4a019bb2802f4880b9158fda9176e30ce3bd54fe0b13b662484a0

SHA512
0f51bf85d6c3da29150dbdae30b19b33bd08e2e6159f38ac1d91d078c2547209c540e09f831b539d573d7027c4634c4e8dbb7894d8a7b25680f4f1c72eb949cd

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
1.4MB

MD5
6dbad1a6c81487f252f10e22c1a18715

SHA1
cdd0a115b8187e0c2ddc7d9e6b03a4e40ed07a9a

SHA256
40b15887ee5b2a8f58ba54d004692a06b57e15ee525092c0c30054ad84f810fc

SHA512
7f29068f210b17b7d8068c1d9027b4403533b62b4d1cfba3b74a7d5285f4be507f8728e3b2ecfee97d93b4054ca6eb93da274017d14509a147f57183ccd8f127

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
1.4MB

MD5
38fc0d92fdc5fbc3ec7e69799b776113

SHA1
66788a0861ce3498747fd5256d3c29e898a66fda

SHA256
08ff5d0c92ffdb5929671e31e34263d883237c3fe2d866ec7d1899958e00f0e6

SHA512
95924836931bdda63067ec6355b4a3333c9bb069d3b8c174d49ee88bed3f2201c76b56139d76fd5c26efea491e2beefd09c30926bbd577f82c13981b6c7f06ac

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
1.4MB

MD5
55918c46922525f85e03455411914709

SHA1
d3f27e0ea162e6e203f1ccea3d50732119f39ef4

SHA256
4ebe473d5c4d8ceaed18a65af0cbf121f3fe7d267ce93f299c2119f7f6000234

SHA512
3eafd2290ec68a42db31bcab28c248e0530024292dad5c379bd4083b958995611ffa15abb55721e89f4ca651a817d4050aa628ef0031aa08aa66d8a227dd1ef6

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
1.4MB

MD5
f75ed1b4648756b0d721077cbfcc3ded

SHA1
1f4e994e3802dc0a7eb9412f391cccd06d407678

SHA256
9c3e1e2b97499cc1cafcf4123f97339dbe47f412f047dc0555ab125437206b3a

SHA512
576d8df28b42e9c3ab9586d2174d12876e4877282a17818afd5e97245d6532244cc620d76b8c93da467bc12ace428af1b808a88f5e73b6de79f55aa8cdd4715d

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
1.4MB

MD5
5844579f340df37cb526735375c1c9a1

SHA1
6d799e2c5a9c3fb1ba8d8412cf7e5d9069f2c1ab

SHA256
5a9c496cc6d8762ad4b3d1e96d51e5385b85c8aa1bbfbc6a7dab5acceb2a6c85

SHA512
9bd45bee5d29a574c28fba7b96ab4e563a0c30c5b36c2e058656d47408ae2c84fc087cff2ff2e72f730a91b72cb1ec0d4cfc5b69d25bf62316d5f62fc37fe16b

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
1.4MB

MD5
274c497979150217dfd8347512003910

SHA1
c49742766696e3362393ed055128d5a26d93e9a1

SHA256
a162a654fbbc7c2f228c9dce79d3a4bf0844aaaa3ce8d7c95cecda027bb374d1

SHA512
2bcf285557ea302077eac642565ef81920ffcc077fd0fabc071739e5e38b6917cd5ef199754ced979940a4a951f8ac1ed64f94a80519967f03cad12897e0896e

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
1.4MB

MD5
8e37981bca07b4cbbec3f520df192a01

SHA1
e02ea091033a98ab3361516e894ab44c2b5ba440

SHA256
3dbd7241134d643ded9a2ca22a38a02c27c82ac5ff231709c02918ce62789533

SHA512
b55dc124b4ab0be92fe6cddee6ca72e8bf7c0ab78a449ab6e07ce45c9286806d4f97c8f80e630cf4fffc40c84fa7277dac9c157099df0411f0c027b99f09d79b

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
1.4MB

MD5
abd195354a0c5790823880eab58d5541

SHA1
da4cb81d541499841712e8bb835e8acb48eeba1e

SHA256
8893042c9b3e77f4c17b80cd4d1866ec9da9795d82fdcae5b5282bec20c3e848

SHA512
219e988a66d5c8b18f0cbaa49b5b52ed92cbe41e3a8a44929cd0cc4deed595f6b6458e57bfdcc8b7deb45dbac9acc7ce0d85b60eb6198b7c75785d088d7d8892

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
1.4MB

MD5
ac32fceb31aa0b20281998901a2a1ef0

SHA1
03eda122bb9af3f0a82307f1541e2e422f9cfcd4

SHA256
0b2c4304e104856d50e546eff0b916f92ee48d82770aa39191e067ba4f8d56e7

SHA512
8542458eba0988724d68888ea507e24e3d8d9a7da5d915a01437bff17791d1377a22f571a20801b98da4cb97c9824f858ef665a68f8f84565f87456f67fa9ed7

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
1.4MB

MD5
c2f9e026a163f7e01f34ccd9e4601b9e

SHA1
54732376ccbb8f04519deaaaf366a6884bbc2f82

SHA256
f3f748dce9434a06300b25dd76559f1edbf95c1e459563eca035398b822a119d

SHA512
5f1e35d9127031703570a4676dd1cc0d35a790b80466556ce280cf9d90eca39d0711fd1df0599e8560991530550d95df2b1fcb996ed9e0e140c0700f1b5a9be8

Download Submit
C:\Windows\SysWOW64\Pdmaibnf.dll

Filesize
7KB

MD5
bb1c1c2425baee1c254ce3c01bb27a4f

SHA1
e323f44a88bdca515578b3295e39c9d33f2faffd

SHA256
4bd48a3c30358b68c8facb25162f5b983c9745b9ab470b1490bceea243f2c513

SHA512
0beb81dfb43375db496a195c2565266e92fccbcae3d1caa05d9fa628e2e8fac41cd48de69788e9022ca1fe2bc6fb2c76721467e14f53e77378d9ce9c89667d1e

Download Submit
\Windows\SysWOW64\Bagpopmj.exe

Filesize
1.4MB

MD5
26a73a3a560341e6e21ea3be343b7a5e

SHA1
67b250d27258bbb5c4760f8bb8b607a96ebb6ded

SHA256
b89b9ad93a23f389175574ce1038adf607cedea3e714d254fb6dadc2540b5de4

SHA512
dee3a1da07f89a4b21a357c644ed786e5be801e01f2bb8960460b2e3cf36a9504873c31159a33b953976341c0f00a5378c0cc4149af11f01ce7c994ffdf5627e

Download Submit
\Windows\SysWOW64\Baqbenep.exe

Filesize
1.4MB

MD5
94e1285ba306291991348111a82b27b4

SHA1
1ef686f880036ea07d4ef2ba1823d904f3bba8a7

SHA256
9d78e99642c63c199f1c17cc61538b13967d2da70a62d7ec1be355c3a2230f48

SHA512
0d57d5c7df12b08fc57a25ed4361e5f291752167cd4ecf5bfd1bef7cc10d3f391156de7bba580d97fd177eb2d14729231723f3e085a471707068444fb5be73e5

Download Submit
\Windows\SysWOW64\Bloqah32.exe

Filesize
1.4MB

MD5
f548d19fe77e5d67d2f47fb3567a8e1a

SHA1
79091869330eeb504f7cd3c45a19bd0a61c29074

SHA256
559f5dc9c4da974c8905345761dd1ebed422717b884a8445fcfb81f82ca7d7ed

SHA512
7724f35094dea452680e0aaa0b65250045c0aed5b0666a9ee9e4e51da1d4a442bde0ee1c306c28ee8a5cfe619d6ca74d9e2bbd34c4b07509385ab84b38f3d72d

Download Submit
\Windows\SysWOW64\Cciemedf.exe

Filesize
1.4MB

MD5
19fc6194d86fdc572c3c7315ee107e49

SHA1
f7e36813ffadda39d2e3823b3733c857f0426e68

SHA256
7df4c66116dc3e23c38544e52a97165818e299d05d89815d272b8372e75653c8

SHA512
ac64b8caee38ebcdea0c22cc53780f114cb7816fe94b51c929a7a4bf5135584b860212594839f965bb89111ec716697e5a8742cee2bccba0e13157eaeebb1b44

Download Submit
\Windows\SysWOW64\Cpjiajeb.exe

Filesize
1.4MB

MD5
1835560b6a5c070134ad392d4a35f342

SHA1
ed83611eefd348ff1c7677cd736e9a52e30bb256

SHA256
06ea84dc1d0bc2c03115baf5c81b93a3ab2bad68d9cf1aad7982f3c314acee95

SHA512
c34a60da702f0244493e7a8e779cf0b22b586f2a3f3a3ff56f7ad276611df38c0f5ee285f28213525d778a932003bd79ed6b354fc1b1f891ac94db39270bca21

Download Submit
\Windows\SysWOW64\Dmoipopd.exe

Filesize
1.4MB

MD5
3d4e6a0a130be1b93cb0888fde351677

SHA1
97745a5e5961222be20d5257302010406a3abf13

SHA256
719b1b68411a7269a655c854417d5c84a1d8039e6db637ca64cac41749f6ec05

SHA512
5b107a9a6eeca55395dea8070cde1693fd63bbb60de00a105835c569fca426277e8239224e0d4dc540caac91d02b7494e0d9abbec530f41bc2a2a7eb143964b7

Download Submit
\Windows\SysWOW64\Ekklaj32.exe

Filesize
1.4MB

MD5
767730227dbad5ce907f36f0191b1c2a

SHA1
3584769615f90efbbafae5a47bce0560261f1ae6

SHA256
3d5451e0caf820b5d3e1f60de5b5b1ee0cfd7076e9894c900dfc1ee28f266530

SHA512
8f147ff160a700e61406496a4a4deba9da7681c2d8457b65429de85766c8853b5c010cee643a8d9e590d3ceb869f16e2bc57de930033b20dfbbcf8c3d6d1d987

Download Submit
\Windows\SysWOW64\Emcbkn32.exe

Filesize
1.4MB

MD5
ad50ab9f42c02c6daf0edda2a2afe7c9

SHA1
5c229ecbd522a13af768a482842bd688c20db295

SHA256
9d9d764f3bfb8493492e76dfc1d42d9390a80703541b278be6429d209f20f1a7

SHA512
c348d3cf911f058d9d93be58defdb622bc879c113026eb8907fb57bc27e508ff4d5a99a363f03118ed94d50440f1e47cf811a3a1762c53308ebbedfd6208bf3c

Download Submit
\Windows\SysWOW64\Flmefm32.exe

Filesize
1.4MB

MD5
ff5d8cc5baeddaf7cee1cc104b00bc41

SHA1
fd27dfbf1c9ae29792b4a5db8bed3996e4403621

SHA256
6818866da15eb3af3df11c6f6a321af7c74f0cca9310f1b5dff81e288770e3bc

SHA512
52e725e26b560d2b4a8a39c20c67b56dfc5c72e4495e41b0477420c96b09c8e217e8a75b037e5564824d81a385fd9f59f911aa0f50825a75d70a47857d44300d

Download Submit
\Windows\SysWOW64\Gegfdb32.exe

Filesize
1.4MB

MD5
2ff30ed56b700e8196c155ba6162ffd6

SHA1
b7d76f6a5379af5893e79d6011d0390dbe5312bc

SHA256
0fc9f647635eb6bdb0b21da561931bddfddf668758a7f5c5f80ec4d5ab30648b

SHA512
f6e75c61a2f64b58ea0448ca3c01b0fbcba47a8e1f9ae84eb0229cae6c9ddabf13fe4b3c745838d190d6d7d13a71360c6a8c9ea4e3999a3ca54cfe5c76eda8b7

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe

Filesize
1.4MB

MD5
26b37bf0e63cd577b007a43c0bb278c6

SHA1
5a12afb6928e45999da621afebef5d8f3645f99d

SHA256
500ff70deed7322c37c3c3ebfdf03de09f51048bc246136aa18f1bdcb15014b4

SHA512
0481cb4233a6eb412cf2eeea1b3ac835a1ade44b15f506cdf44597dabc161f4e34ddf404f9a3cb26234bf178cb4b52655eae7f9df2cdc4001f0862416c52f8d6

Download Submit
memory/612-312-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/612-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/612-239-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/612-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-289-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/984-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/984-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1040-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1336-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1336-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1416-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1416-193-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1416-281-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1416-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1552-246-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1552-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1552-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1552-156-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1596-247-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1596-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-34-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2032-295-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2032-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-254-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2072-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-159-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2184-53-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2184-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2184-6-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2192-20-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2192-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2228-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2228-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-245-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/2396-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-122-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/2396-109-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-356-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2420-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-359-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2476-351-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2476-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2496-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2496-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-91-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2572-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-212-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2572-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2704-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2812-158-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2812-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-171-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-54-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-331-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2968-172-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/2968-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3016-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3016-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads