1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191

Analysis

max time kernel
2s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 20:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
Size

264KB
MD5

f07c11cdaf3ed7814808b6d51af66bd0
SHA1

59bd127cb614402600357070bc7a35981a7a7967
SHA256

1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191
SHA512

494a145967fa1aad30b782f18804a24a4f1b612e5ea54b32d70db9b24e6ee690e4f7b143f0502e724b6f15c88be0fef07f02c8bd1e2b5d222dabb72fe3c566c3
SSDEEP

3072:BPvtYyEM9jxDRs24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mtye3lg:1EM9jxDRBsFj5tPNki9HZd1sFj5tw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajaoq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnpnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqonkmdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfdgiid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcknbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djnpnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efppoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dflkdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clcflkic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcfdgiid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clcflkic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodonf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dflkdp32.exe

Executes dropped EXE 18 IoCs

pid	Process
2052	Clcflkic.exe
3052	Dflkdp32.exe
2904	Dodonf32.exe
3068	Ddagfm32.exe
3008	Djnpnc32.exe
2528	Dcfdgiid.exe
1800	Dcknbh32.exe
2840	Eqonkmdh.exe
2372	Ekholjqg.exe
2164	Efppoc32.exe
1692	Eajaoq32.exe
1548	Ejbfhfaj.exe
2036	Fckjalhj.exe
2292	Ffkcbgek.exe
2268	Fdoclk32.exe
1472	Fmhheqje.exe
2612	Fbgmbg32.exe
2044	Fmlapp32.exe

Loads dropped DLL 37 IoCs

pid	Process
2416	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
2416	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
2052	Clcflkic.exe
2052	Clcflkic.exe
3052	Dflkdp32.exe
3052	Dflkdp32.exe
2904	Dodonf32.exe
2904	Dodonf32.exe
3068	Ddagfm32.exe
3068	Ddagfm32.exe
3008	Djnpnc32.exe
3008	Djnpnc32.exe
2528	Dcfdgiid.exe
2528	Dcfdgiid.exe
1800	Dcknbh32.exe
1800	Dcknbh32.exe
2840	Eqonkmdh.exe
2840	Eqonkmdh.exe
2372	Ekholjqg.exe
2372	Ekholjqg.exe
2164	Efppoc32.exe
2164	Efppoc32.exe
1692	Eajaoq32.exe
1692	Eajaoq32.exe
1548	Ejbfhfaj.exe
1548	Ejbfhfaj.exe
2036	Fckjalhj.exe
2036	Fckjalhj.exe
2292	Ffkcbgek.exe
2292	Ffkcbgek.exe
2268	Fdoclk32.exe
2268	Fdoclk32.exe
1472	Fmhheqje.exe
1472	Fmhheqje.exe
2612	Fbgmbg32.exe
2612	Fbgmbg32.exe
2044	Fmlapp32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jiiegafd.dll	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Dodonf32.exe	Dflkdp32.exe
File opened for modification	C:\Windows\SysWOW64\Eajaoq32.exe	Efppoc32.exe
File opened for modification	C:\Windows\SysWOW64\Ejbfhfaj.exe	Eajaoq32.exe
File opened for modification	C:\Windows\SysWOW64\Dflkdp32.exe	Clcflkic.exe
File opened for modification	C:\Windows\SysWOW64\Dcfdgiid.exe	Djnpnc32.exe
File created	C:\Windows\SysWOW64\Dcknbh32.exe	Dcfdgiid.exe
File created	C:\Windows\SysWOW64\Pafagk32.dll	Dcfdgiid.exe
File opened for modification	C:\Windows\SysWOW64\Fdoclk32.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Memeaofm.dll	Dflkdp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddagfm32.exe	Dodonf32.exe
File created	C:\Windows\SysWOW64\Gbolehjh.dll	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Ambcae32.dll	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Fmhheqje.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Mbiiek32.dll	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Njcbaa32.dll	Dodonf32.exe
File created	C:\Windows\SysWOW64\Djnpnc32.exe	Ddagfm32.exe
File created	C:\Windows\SysWOW64\Ekholjqg.exe	Eqonkmdh.exe
File created	C:\Windows\SysWOW64\Eqonkmdh.exe	Dcknbh32.exe
File created	C:\Windows\SysWOW64\Eajaoq32.exe	Efppoc32.exe
File created	C:\Windows\SysWOW64\Olndbg32.dll	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Fmlapp32.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Ddagfm32.exe	Dodonf32.exe
File created	C:\Windows\SysWOW64\Oadqjk32.dll	Ddagfm32.exe
File created	C:\Windows\SysWOW64\Fkahhbbj.dll	Djnpnc32.exe
File created	C:\Windows\SysWOW64\Fckjalhj.exe	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Kdanej32.dll	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Fdoclk32.exe	Ffkcbgek.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Dcfdgiid.exe	Djnpnc32.exe
File created	C:\Windows\SysWOW64\Cfeoofge.dll	Dcknbh32.exe
File created	C:\Windows\SysWOW64\Efjcibje.dll	Efppoc32.exe
File opened for modification	C:\Windows\SysWOW64\Fckjalhj.exe	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Dflkdp32.exe	Clcflkic.exe
File created	C:\Windows\SysWOW64\Ccdcec32.dll	Clcflkic.exe
File opened for modification	C:\Windows\SysWOW64\Ekholjqg.exe	Eqonkmdh.exe
File created	C:\Windows\SysWOW64\Ejbfhfaj.exe	Eajaoq32.exe
File created	C:\Windows\SysWOW64\Efppoc32.exe	Ekholjqg.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Dcknbh32.exe	Dcfdgiid.exe
File opened for modification	C:\Windows\SysWOW64\Efppoc32.exe	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Bcqgok32.dll	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Clcflkic.exe	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Clcflkic.exe	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Dodonf32.exe	Dflkdp32.exe
File created	C:\Windows\SysWOW64\Ffkcbgek.exe	Fckjalhj.exe
File opened for modification	C:\Windows\SysWOW64\Djnpnc32.exe	Ddagfm32.exe
File opened for modification	C:\Windows\SysWOW64\Eqonkmdh.exe	Dcknbh32.exe
File created	C:\Windows\SysWOW64\Kcfdakpf.dll	Eqonkmdh.exe
File opened for modification	C:\Windows\SysWOW64\Ffkcbgek.exe	Fckjalhj.exe
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Fmlapp32.exe
File opened for modification	C:\Windows\SysWOW64\Fmhheqje.exe	Fdoclk32.exe
File created	C:\Windows\SysWOW64\Jeccgbbh.dll	Fdoclk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2108	376	WerFault.exe	65

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcfdgiid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcknbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djnpnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll"	Djnpnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll"	Dcfdgiid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdcec32.dll"	Clcflkic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dflkdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dflkdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memeaofm.dll"	Dflkdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll"	Eqonkmdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll"	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfeoofge.dll"	Dcknbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll"	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djnpnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll"	Efppoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clcflkic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadqjk32.dll"	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcfdgiid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodonf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffkcbgek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdoclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcbaa32.dll"	Dodonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddagfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll"	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eajaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll"	Fdoclk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clcflkic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll"	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Fbgmbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2052	2416	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe	28
PID 2416 wrote to memory of 2052	2416	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe	28
PID 2416 wrote to memory of 2052	2416	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe	28
PID 2416 wrote to memory of 2052	2416	1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe	28
PID 2052 wrote to memory of 3052	2052	Clcflkic.exe	29
PID 2052 wrote to memory of 3052	2052	Clcflkic.exe	29
PID 2052 wrote to memory of 3052	2052	Clcflkic.exe	29
PID 2052 wrote to memory of 3052	2052	Clcflkic.exe	29
PID 3052 wrote to memory of 2904	3052	Dflkdp32.exe	30
PID 3052 wrote to memory of 2904	3052	Dflkdp32.exe	30
PID 3052 wrote to memory of 2904	3052	Dflkdp32.exe	30
PID 3052 wrote to memory of 2904	3052	Dflkdp32.exe	30
PID 2904 wrote to memory of 3068	2904	Dodonf32.exe	31
PID 2904 wrote to memory of 3068	2904	Dodonf32.exe	31
PID 2904 wrote to memory of 3068	2904	Dodonf32.exe	31
PID 2904 wrote to memory of 3068	2904	Dodonf32.exe	31
PID 3068 wrote to memory of 3008	3068	Ddagfm32.exe	32
PID 3068 wrote to memory of 3008	3068	Ddagfm32.exe	32
PID 3068 wrote to memory of 3008	3068	Ddagfm32.exe	32
PID 3068 wrote to memory of 3008	3068	Ddagfm32.exe	32
PID 3008 wrote to memory of 2528	3008	Djnpnc32.exe	33
PID 3008 wrote to memory of 2528	3008	Djnpnc32.exe	33
PID 3008 wrote to memory of 2528	3008	Djnpnc32.exe	33
PID 3008 wrote to memory of 2528	3008	Djnpnc32.exe	33
PID 2528 wrote to memory of 1800	2528	Dcfdgiid.exe	34
PID 2528 wrote to memory of 1800	2528	Dcfdgiid.exe	34
PID 2528 wrote to memory of 1800	2528	Dcfdgiid.exe	34
PID 2528 wrote to memory of 1800	2528	Dcfdgiid.exe	34
PID 1800 wrote to memory of 2840	1800	Dcknbh32.exe	35
PID 1800 wrote to memory of 2840	1800	Dcknbh32.exe	35
PID 1800 wrote to memory of 2840	1800	Dcknbh32.exe	35
PID 1800 wrote to memory of 2840	1800	Dcknbh32.exe	35
PID 2840 wrote to memory of 2372	2840	Eqonkmdh.exe	36
PID 2840 wrote to memory of 2372	2840	Eqonkmdh.exe	36
PID 2840 wrote to memory of 2372	2840	Eqonkmdh.exe	36
PID 2840 wrote to memory of 2372	2840	Eqonkmdh.exe	36
PID 2372 wrote to memory of 2164	2372	Ekholjqg.exe	37
PID 2372 wrote to memory of 2164	2372	Ekholjqg.exe	37
PID 2372 wrote to memory of 2164	2372	Ekholjqg.exe	37
PID 2372 wrote to memory of 2164	2372	Ekholjqg.exe	37
PID 2164 wrote to memory of 1692	2164	Efppoc32.exe	38
PID 2164 wrote to memory of 1692	2164	Efppoc32.exe	38
PID 2164 wrote to memory of 1692	2164	Efppoc32.exe	38
PID 2164 wrote to memory of 1692	2164	Efppoc32.exe	38
PID 1692 wrote to memory of 1548	1692	Eajaoq32.exe	39
PID 1692 wrote to memory of 1548	1692	Eajaoq32.exe	39
PID 1692 wrote to memory of 1548	1692	Eajaoq32.exe	39
PID 1692 wrote to memory of 1548	1692	Eajaoq32.exe	39
PID 1548 wrote to memory of 2036	1548	Ejbfhfaj.exe	40
PID 1548 wrote to memory of 2036	1548	Ejbfhfaj.exe	40
PID 1548 wrote to memory of 2036	1548	Ejbfhfaj.exe	40
PID 1548 wrote to memory of 2036	1548	Ejbfhfaj.exe	40
PID 2036 wrote to memory of 2292	2036	Fckjalhj.exe	41
PID 2036 wrote to memory of 2292	2036	Fckjalhj.exe	41
PID 2036 wrote to memory of 2292	2036	Fckjalhj.exe	41
PID 2036 wrote to memory of 2292	2036	Fckjalhj.exe	41
PID 2292 wrote to memory of 2268	2292	Ffkcbgek.exe	42
PID 2292 wrote to memory of 2268	2292	Ffkcbgek.exe	42
PID 2292 wrote to memory of 2268	2292	Ffkcbgek.exe	42
PID 2292 wrote to memory of 2268	2292	Ffkcbgek.exe	42
PID 2268 wrote to memory of 1472	2268	Fdoclk32.exe	43
PID 2268 wrote to memory of 1472	2268	Fdoclk32.exe	43
PID 2268 wrote to memory of 1472	2268	Fdoclk32.exe	43
PID 2268 wrote to memory of 1472	2268	Fdoclk32.exe	43

C:\Users\Admin\AppData\Local\Temp\1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1800593d4b4bcd4581585a7db4f0e92fffbb17dd764f62c88c5529954e285191_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\Clcflkic.exe
  C:\Windows\system32\Clcflkic.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\Dflkdp32.exe
    C:\Windows\system32\Dflkdp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\Dodonf32.exe
      C:\Windows\system32\Dodonf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Ddagfm32.exe
        
        C:\Windows\system32\Ddagfm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\Djnpnc32.exe
        
        C:\Windows\system32\Djnpnc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Dcfdgiid.exe
        
        C:\Windows\system32\Dcfdgiid.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Dcknbh32.exe
        
        C:\Windows\system32\Dcknbh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Eqonkmdh.exe
        
        C:\Windows\system32\Eqonkmdh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ekholjqg.exe
        
        C:\Windows\system32\Ekholjqg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Efppoc32.exe
        
        C:\Windows\system32\Efppoc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Eajaoq32.exe
        
        C:\Windows\system32\Eajaoq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ejbfhfaj.exe
        
        C:\Windows\system32\Ejbfhfaj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Fckjalhj.exe
        
        C:\Windows\system32\Fckjalhj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ffkcbgek.exe
        
        C:\Windows\system32\Ffkcbgek.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Fdoclk32.exe
        
        C:\Windows\system32\Fdoclk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Fmhheqje.exe
        
        C:\Windows\system32\Fmhheqje.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        20⤵
        
        PID:616
        
        C:\Windows\SysWOW64\Gpmjak32.exe
        
        C:\Windows\system32\Gpmjak32.exe
        21⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        22⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Gieojq32.exe
        
        C:\Windows\system32\Gieojq32.exe
        23⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        24⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        25⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Gmgdddmq.exe
        
        C:\Windows\system32\Gmgdddmq.exe
        26⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        27⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        28⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        29⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        30⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        31⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        32⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        33⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        34⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        35⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        36⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        37⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        38⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        39⤵
        
        PID:376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 140
        40⤵
        Program crash
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcknbh32.exe

Filesize
264KB

MD5
ffde0a95eefce0cf2c093dc9c85a5546

SHA1
60acf3e63a9864c0b56902849fa29341038ada3d

SHA256
11b9795b8328a53a96dcfa0c7ad6612486618a9a0821c38f525fed5f46c0d0c5

SHA512
2beb03cbb0e9f2b2234879a2dd318a4114c4dd97bc5e28b99d72b179464d901001857e004b26dc2e1434b2e0fdccb39ea59890add0c209d18b54805cebb99fea

Download Submit
C:\Windows\SysWOW64\Ddagfm32.exe

Filesize
264KB

MD5
d7c0e6ed3528c6f12b84b0dab0549d7a

SHA1
cadd34c5e87500280697f4fe7a73a5678c810a5d

SHA256
32f279dba37d95cbb9f7c1d1559589933d1802412ceab6b25997b7674897dee4

SHA512
88866f8e3420b537ff4b97859069d54e0e0e8cf28deebf6cd6bbeb02acc2a8e11617483c06e42409c60f5514870dd315d1d89d4ff5764ae5e83a26676379a85e

Download Submit
C:\Windows\SysWOW64\Dodonf32.exe

Filesize
264KB

MD5
7a0c8dd57b6f0ab742eb50d90392b270

SHA1
4e6b290921745fb2978d13d39c74b7501b775801

SHA256
f41d7e3c0c85c27e2efd2e6c807d05718676f94c830618e5d25b722097e2f8c1

SHA512
cb177beaca74a717d0fd45810e0ef4dc59c5b738ddf6b888578b853d7a712253246703503f4aa1060979665faf5b2d859b6b941b012b176471fda3918706c2e8

Download Submit
C:\Windows\SysWOW64\Eajaoq32.exe

Filesize
264KB

MD5
cd9efa951cfc7d6f128db1e40a5a88f4

SHA1
bac4e7c5d21f87db67a2530b344a7bfa33c5818f

SHA256
d79283603217a0d55c7da1f47125b74fdee4ca5365b14dc8aecba6fd07843f29

SHA512
b96927105a133ecb470447fb573169271b673c7712b020c3e01a92b7af4aee0f89c3bd1d9c79d0f66d5de4cebaea2cc6cdd4c4600ba27abf0869d14b10f8d1a5

Download Submit
C:\Windows\SysWOW64\Efppoc32.exe

Filesize
264KB

MD5
ed8620d8060e35f4cb8eb34b2eaabbe3

SHA1
c888f2420237501b0ac3307ad06045e8c33ecb2d

SHA256
4519782c747d890e144694e8885788818c3a4ffa4899292a63a6d398449228ac

SHA512
9346d764e8a89e0a240d4e05537c698d7e76a7975b90a6e0af735ee33a25bdec4cde3b07c8ece79e754b42f6307da9889a78773e1017bb264517ce2a93a0fd13

Download Submit
C:\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
264KB

MD5
7c5ed8b82a293afecfe3ec6d5a34c309

SHA1
d2bb11e9ba7fbfbc39a8f96ac70448a92a4ed6fb

SHA256
40865d8034bd723cb427e7bf3d1d4bd19318b01f80c04958588c3dd6d244b798

SHA512
cb77bc1dcf839c17bb50e15c38219cab3913e39745e85954bfd861186534267c5ad22ddff2cf7b08902bbb2e1faf342143af64b22a6e16913865fdca3aebe0c0

Download Submit
C:\Windows\SysWOW64\Ekholjqg.exe

Filesize
264KB

MD5
839b144a1d5226779e260b980feb12b2

SHA1
32196f186cfefc2d730b18fdd67a582ff4fd1bd8

SHA256
02f1c1fe7d3d42b9df9c0e5af3859e567d72cd7669d8c541f26524f46ce92aa3

SHA512
b387ed048c912a6e966c126809e8301b49b8f720094eff4044d6711ce4363d166b8705d6bb8a36d3d5b8668287941258e626b11958a6a3d11809f70be4460016

Download Submit
C:\Windows\SysWOW64\Eqonkmdh.exe

Filesize
264KB

MD5
20129917c08187de14facbe47023902f

SHA1
f24ffbcfe944e137753022b067e58c3359f74e0e

SHA256
279a6de4b3238f4841af806e9da9022b62cd4d53dfca53d209a728ac88e2aff8

SHA512
ad8eb3aafdea6ae26898fd3fd2ecc1b97dfaa3ec9302d9645c092035e965d6acc13cf9439a76f939ac9090cd7383754f5ae439ddf053128cd1434b53bc835d52

Download Submit
C:\Windows\SysWOW64\Fbgmbg32.exe

Filesize
264KB

MD5
6030236f5cf490bd5b10d477f1364978

SHA1
759ed928c9d66cf272d61f6a701885c3d4cd58f3

SHA256
8a43da7d7c16aaedc63acbad67b40e19f6ad86ffde5c87b284ace2f3e3e58ae0

SHA512
e0d143344fe7a9e8e57bb52bbe043ddddd01e78165241576ee7fc1644f700d6f964ae6a21690cda354d19b35cbf3e621adc5694dc2c796646decbd0ffe3ce9f3

Download Submit
C:\Windows\SysWOW64\Fmhheqje.exe

Filesize
264KB

MD5
135a4e46d8fd02680e3f134fa1d408d8

SHA1
45b24d0d59fd382418200aa629197578e5164cc8

SHA256
a67062b2b423695df6ba65d8180a49584c9a5272fcc459a8c18163c12faee091

SHA512
48ea83713680d854f58b54aca17c7a87f903cb5bba3403bd742f3d30b9c14de0973123d49d501ed6f823094a997667fef13690de12dcdc463d3b046fad4d9ac1

Download Submit
C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
264KB

MD5
3112d4bb1a9c93a409b0d4f377e4f876

SHA1
1748f356edb062b7f27ba1d234d2ce4fd10e831b

SHA256
9692a03c8103da1010d2dd7a338035fae1e3cb5bbc67e042e6fcde4f45e854a7

SHA512
edce4adb0ea0d198a734a0bd828d5b3c6665ae6d9cfa58a955a866957b23b9f55a8657740917f0bff8ecbf23f6362304f3b15321cd0298c0b6a34072fcd6a244

Download Submit
C:\Windows\SysWOW64\Gangic32.exe

Filesize
264KB

MD5
d411a3c39fa2fde6425206a9e6893fb8

SHA1
17e24ef24f37578df681ed400d006ab2e96b4f67

SHA256
9068032b52b490f7cee4a556346539c123162ed6b363c12fa35da7c666275229

SHA512
64c4a07bb54bd4d056aeca05a5bda9320f9eec78b4956c3a3bc8cf5a8201e5027b3115a7ee96669ab14d0e4200bacd4f5f812dfaf9ccd020726158c32126c06d

Download Submit
C:\Windows\SysWOW64\Gbnccfpb.exe

Filesize
264KB

MD5
562dfb2530237f210b15f59f2e32a6d4

SHA1
6d27de91332c843306daf701a460571f4bf1dbc1

SHA256
b1d0c4e28b24a7bedb20a041b0a6ed2413a00cc394987811e59287953bcf49d0

SHA512
1f86160014b933c451ad0d441e9d1580bab77297a87927928d4e337757b2edb5633b4d0b90d08a358fb506adcf975942a24d5af3c4d0a82d78e141f77ee9c866

Download Submit
C:\Windows\SysWOW64\Gegfdb32.exe

Filesize
264KB

MD5
260ce98a33cd60a3841e3a875b6781c7

SHA1
ee695883045a83d7ec9dfb8e64fea544b94b084f

SHA256
520509cbb5285f5d67e7fdfd4c6c3685e226536da47647ed1cde5a22f6258105

SHA512
a027933185d3971bca6ddfc85fc0b8c23ad53b25c8f10b0381ec4aec1a86ce5db9e91b84400fc71bf28d8dd8bcd918b25bba4ee1729fe3a9ad01e47480a079b2

Download Submit
C:\Windows\SysWOW64\Geolea32.exe

Filesize
264KB

MD5
2d163b77977d1b3a0677c15db933f583

SHA1
a0119d817315a4c9e1d97e2931b414ecd8fe7a70

SHA256
42d06b97e539dec62aab6a6ca944bf9d333cdffb7b37a489513e2d670e0926b0

SHA512
dba36f5ed9dd9b1c73f35f81dba01e8f46ce36bdf94b73eacdcaf5edcba8a4fb2ebf6e0fb392a47f9000f88f7049142106ccce7537f7615ecf1f7935a5b9c42f

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
264KB

MD5
44df71d8d88259be82e656acee8e28d6

SHA1
8537fea4a6cfd14fd157ee4975503044a1ab2aab

SHA256
f59645f6351e2ca0c25404f24edd9d0fc2a42ec85847df659bd018fdf6517c70

SHA512
f9399c0d4abd1dc50baa5486e6fb60fb5b923818e52d5973fec7b89ce4b8e0bdfcd100863fd2099e3be449f32c6dece78ca81d92c1656af0fb2ba319d7dfadb6

Download Submit
C:\Windows\SysWOW64\Gieojq32.exe

Filesize
264KB

MD5
74b82619f8c1c4414aa06ce1ae51254d

SHA1
6b0546b5fec6e890bde659a515abdfeac179a1fc

SHA256
ce08f87cb7d2bb3d04708bb0213358e410888c3954b897d0960d88739cebfe61

SHA512
ddf6782bc5698fbb3df74eaa26bf64dd83b22a0ecb9f77902007f9b2263aa896a00f1ff81e27fd0b9b1fe2933379240a31d864332417fec0a1093e32f55b1c10

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
264KB

MD5
b59638c829adf3c879d2bb24ac2863c3

SHA1
f0370819bf7410448dc396492520bacaa1c0f1a7

SHA256
13b9ae1929168f4129dbe808ec4cf85337daf9881c8fa7ae2ea746afa08ac621

SHA512
3a0dc26ae94580fda31caf20e5a0d22c4f33144e0b16d6262dcaa3d293961d53e1a2aac61d7115333f7c86b1f39eb83e335422ab9343a04c9bdef5c124fa6467

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe

Filesize
264KB

MD5
4c448c86ff424ea122ff94c366b21ba5

SHA1
57799658331d0483585391b5abe15933cb95d1e7

SHA256
4997e3191cf7b58af21a5948b625ca19a928f4e051a01c6fda8db7db7dc8c6e1

SHA512
e1f9d8033b0b888c9a3ada3e9dcc7a029d42e7df657c70e88f65b17b2856d004d411bb30b10281308cd10edb48e2f6528443dbf57949ae9dccd3afd7aa5f28f5

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
264KB

MD5
4a656604fd5c48a7866a303dbb0ff89b

SHA1
ac0d31f04e8bad85f859827dbe99a7ba6a008512

SHA256
22d78b97c56d6dcdf354b32eb13a0eda53bde81e80d38bc1aaf5ee8eacccd959

SHA512
9a6d7840a7e39915ea95f2998fad53f9eed3eb71bfd7c6260f751d7e482960e71e8d5d70703be4a06fae845c0a6ad2b00ddfde72bef52ce350ab3bdcc96f08ae

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
264KB

MD5
078aed7fa37dbbf3c55a2546da3af328

SHA1
b2b8533e34265fcc29ba367bc5a119227b7b4c33

SHA256
d738d29516635d26130cef1a6f7265ab802e8b5ae9bec595e953736984ef781a

SHA512
bd268b8998d2a2da9e096d4574ebbfb5381ee964f340684f3b74b6b64d2cf8556f9ed458a3894d38e3b37db59487451de10d65901e62034624767df2230ada11

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
264KB

MD5
3ff48995f39fe10bf3ef28d62b2388f7

SHA1
7948bc64ef8fb934dbc03ea1f5f05319a7182cc2

SHA256
27315d43b8781999e82335fc850c31e7f4d0d3eaa32b336662ae85167d6ac076

SHA512
f033f9702599c97cbd00b741926e35e99b58048152e31ef1c3fe04556bcfc131dd0c921262fbe28aa3f0e6e632e93e48cd9784d9b3dbd84124cb3d9dcb657b0a

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
264KB

MD5
ebbd4a2ae704f4942de115ed9b3b8123

SHA1
6b70e65937cd473ea1aa41d2ac6dcfa30d5a1c2e

SHA256
3355c080d6e9a1d08a7ca0a7bf4bccd9ee2e2a664e27d0a771305126f5685215

SHA512
63c824bc0cf99d724590bbc5f92f05b9c9769d100e134550cc93f230e6f9a44733eb9fb57f2b4df8b5a2841a756833dff496689ee3c8c189831b4beb761bef0d

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
264KB

MD5
b7c44d07a5721f90aa207f387dcb902f

SHA1
290dacfdfdec29aa43d8ce93013bbe7c52539dfb

SHA256
8870e12ca1b432a8f4ef6c85c2d9bed308fbd2bc0aa117d0a812fe0ca30ceec4

SHA512
f772ffe2e02fa68f24a8a0554ed0d1656d9c4635ec00841faf1af51d4b0caefd76020f04f24c5949ce3f0335674e85fa75ac912bb24500075826b71d44b7dfe3

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
264KB

MD5
1a43715460765cf577dc2a48e18e9d32

SHA1
a93c7f4eb5dd3993e30c681b98e47e07245442b0

SHA256
bf7efcfe2c130bdb2908992bf71353232ce6ab0ff15774b75a4dfae5c282ffb1

SHA512
18f74d9bf5428e31c26f79af4b1d5f42760f3bdebc36db271e5b002edd749ba4aa377c1c74dbccbb9220a0d9500099504a03ec29cf74874eaa2d5aec5e9d6045

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
264KB

MD5
f8613627370c855626bbd4c004b865f8

SHA1
d54ce1d4e036e789ed87cf3bad7a258ccb0f12cf

SHA256
5835f7a3fceddbc85e47ed72c53ac0625551a8b1a06424d13c434a8ae0c57cf8

SHA512
5515573c2735b0119cc47c323c204498f90c9569fd2cb513d87e85dda6a8d54cfee2b41394b0003bc9e4354709aa3dfd931f59c29e014cce9271f97fb271e2a1

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
264KB

MD5
f33cdf0a1d0ab7a3f8edaf3602c052e8

SHA1
022d0095820e94a5a47acb3c9fc91ceca53c0b79

SHA256
a15484b31570861ea0ca9ba0eed85f132684254cbdfd988f0af0319de3661ee1

SHA512
ca4ededd8d25675f2de98c217a62faf3cd83bce28eb66369a7acf4fc64a0847b77756cf179f763f56e7244183c609c00076acfe1d2e5f51abe38aa93896cd428

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
264KB

MD5
5911057ff8237b8ee04630ac03b42662

SHA1
edcbd06faa14dac7059b382740380c044a79cf01

SHA256
1ea3ad42115b204f4e81bd40d1204050d81734792d6c3a3e77e9cd2ec390173c

SHA512
9e267a6f6201835f4447ae41721da60f1c85e86ec4377276194c9b9acfd7c6df62c42b13621178b05541afb66d3004900fe3787931b3868da8e03813ff2f2a1d

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
264KB

MD5
008c97f7d4877bd12017ab6bb5c0c82f

SHA1
9b74c906328cd0db9c2b84f0cc8d57c4b2073cb6

SHA256
1adf896dbdf953cb6350621df00a6d5cd32ba3b69c09a11a9f8727274238dc6e

SHA512
97aba832d50ea6c7db429ecbd113d7feeeac9ab0f980989797e7ba684d48e3ebf806a8657ec220635167ee43460de895e2e1c4ae8df891d0706813345d8b2819

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
264KB

MD5
c1a8baefb3e9915af27ab7c7a9b0fcc4

SHA1
6d3009dbd2d07f18eaa969c329ddf3a1a0e9695b

SHA256
e901cea67f47f2b6bbe17261e5d33743e603fedeb40e71c0200c2dc8b1453d21

SHA512
ba42d3614028b4b3ee8f4b8070475069519610fdc89d6eff92f96d5953d496b7616a4e20bf18db44d5e7205f765a6068947c23ac8aebc9626fd57b626a51f82f

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
264KB

MD5
c3379a8e61f6e6528f4d723b07f1879f

SHA1
1f98ab54acab7257ff9d535d8a7908ffc23d0a92

SHA256
b2bf36ce47d57559b0437805804ad7c57dc8907265b9200085360ba3d3a3bfe5

SHA512
7f85e8eb7ef5cd4f0ebddfac62fdf02ceb23ff1837cdd395040a9aa3bd9dbeabaa0d427483badb882bb27ed7af777fe29dbfe98fdb7967cd522bd5229efd9f1e

Download Submit
\Windows\SysWOW64\Clcflkic.exe

Filesize
264KB

MD5
f12543785fb08987bc9d376cd35fb0d0

SHA1
029567f7abbff56b68274d18e450ede80591d577

SHA256
9e4b9cb4a2f4e8657d47d94c8fe1bc4e5be0621b111489672240f721730876c3

SHA512
21ed3c2529193159310664dcad0721236e7a6ad078a2fcaa903e72f68e5b13eaef693b091ba09118f245636b3cb7861533f4e96f75fc272b4fc795c7cfd213ff

Download Submit
\Windows\SysWOW64\Dcfdgiid.exe

Filesize
264KB

MD5
4980799742933b3e970ffae10647b049

SHA1
e7a234b649ce787ab4ece0b3994b3ae7c8a36a39

SHA256
21f45a65cd9bf9e284e312d00b7998fdc1180d02b1a936e29b6c992890fdbfa0

SHA512
784d98906f25ce04f3f94252db24dd765121f17f39b3f464a3cb955b1eae8320d03bf8e99c14a39eaa8e318951d7451e680f735a3e0c978f43fe88e423532863

Download Submit
\Windows\SysWOW64\Dflkdp32.exe

Filesize
264KB

MD5
a85efca24067565a993c13ac7eed63a5

SHA1
f59b8527960ea3332830ad9f9ce6046252c3f78f

SHA256
9570bb14c54fabd11c1eb5d679e210634cfb92c0d137e14665b99b1ad02b00a6

SHA512
96e39a0c575a1aaa4ab02fa8f876cb95e02db5e994a275229d58573b1051dd4c0228dc700322d7e88d103918c48b986541cb8183a659b8efacfa503fbfcbe3ca

Download Submit
\Windows\SysWOW64\Djnpnc32.exe

Filesize
264KB

MD5
5f820ae856997064f23efb9b37136429

SHA1
f1306df4c54d3a42bf254bf496c8c1597b950f1e

SHA256
932e90095297328e6785b4a073e47a3c39da67508b52a56f2bdf53154b844fe6

SHA512
6ed7efc92676d5d4238a6d63ee83d4dc0d36a6dfe7cd29825e1ef1e71b13b9d02e10588d77e5891a9334c7f2348efa3c28eb29c3e74f1f358666766e19ab82e0

Download Submit
\Windows\SysWOW64\Fckjalhj.exe

Filesize
264KB

MD5
fc4e7bf28ce754a40ff90fe6f0d2e807

SHA1
51df23c327c49ca0dc90c467f9d1cf518adbbc6d

SHA256
aea775ccd5a5f77752add3ac0669c0994c5b0e671be94162b4fdc233f6442ed8

SHA512
27fa71684e6a4f2f059ee0407b270787f0c05e4a3c86e9a079425bb35191b08160e6f4def8956ac2a922e2e6b637198b8dbfd101d8e83af011331e4fee61c140

Download Submit
\Windows\SysWOW64\Fdoclk32.exe

Filesize
264KB

MD5
1244f14ddfb5f181cd6dcaeacc321710

SHA1
076eb5ccb855976b701e753df59f26a6fb4b2b74

SHA256
184806f6bba6361ac2345644ce31c1fc5518a291e7737f2a3af8fe0700f72a2b

SHA512
4fcea5ece68de29d81a4a6bc73000fa8f24d325196d60cb53c89dc387e711957157e393c0e787e9e4c918e49d6e1123cc7eebe99f08b7746ca82fc1f908552d1

Download Submit
\Windows\SysWOW64\Ffkcbgek.exe

Filesize
264KB

MD5
b85b2570170e62410012e3cd19f74de9

SHA1
423cf30891f81c59c314f7bfe23903d410af3a34

SHA256
24646a7471846dbdb3607e7a46c647e69aa6dbcbe9a16526b559bc02f9fb98f7

SHA512
ab7ece14bc6c802599c200f46a4e6cefc24bef53bbcfae6594fa120d52a059d6d62aeb0bfb3a33e85061aa5e6c109a58a448c25fe3622c303ee8747bde329827

Download Submit
memory/376-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/616-258-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/616-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/616-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-289-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/892-288-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/892-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-332-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1040-333-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1040-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-310-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1120-311-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1120-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-434-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1272-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-438-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1272-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-427-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1300-426-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1300-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-229-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1472-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-268-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1528-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-171-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1592-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-343-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1592-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-344-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1692-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-161-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1692-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-107-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/1800-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-190-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2036-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-248-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2044-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-147-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2164-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-218-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2268-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-199-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2292-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-350-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2308-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-13-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2416-6-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2528-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-88-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2528-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-382-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2588-383-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2592-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-390-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2592-398-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2612-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-448-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2628-447-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2628-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-372-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2684-371-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2684-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-404-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2728-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-405-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2804-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-121-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2840-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-300-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2932-299-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2932-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-278-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2996-415-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2996-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-416-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2996-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-78-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/3008-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-321-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3020-322-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3052-38-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/3052-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads