description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\LUgYcYkU\\gkEcoYkg.exe,"	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\LUgYcYkU\\gkEcoYkg.exe,"	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe

pid	Process
916	HUsgoEIw.exe
1396	gkEcoYkg.exe
1480	HUsgoEIw.exe
1244	gkEcoYkg.exe
2040	TIYgkwAU.exe
836	TIYgkwAU.exe
1636	TIYgkwAU.exe
2008	TIYgkwAU.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUsgoEIw.exe = "C:\\Users\\Admin\\hOcEMAwc\\HUsgoEIw.exe"	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gkEcoYkg.exe = "C:\\ProgramData\\LUgYcYkU\\gkEcoYkg.exe"	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gkEcoYkg.exe = "C:\\ProgramData\\LUgYcYkU\\gkEcoYkg.exe"	gkEcoYkg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUsgoEIw.exe = "C:\\Users\\Admin\\hOcEMAwc\\HUsgoEIw.exe"	HUsgoEIw.exe

pid	Process
1428	reg.exe
2172	reg.exe
1792	reg.exe
836	reg.exe
1712	reg.exe
1960	reg.exe
984	reg.exe
320	reg.exe
1960	reg.exe
2188	reg.exe
2012	reg.exe
1656	reg.exe
1776	reg.exe
556	reg.exe
2212	reg.exe

description	pid	Process	procid_target
PID 876 wrote to memory of 1724	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	28
PID 876 wrote to memory of 1724	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	28
PID 876 wrote to memory of 1724	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	28
PID 876 wrote to memory of 1724	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	28
PID 876 wrote to memory of 916	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	29
PID 876 wrote to memory of 916	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	29
PID 876 wrote to memory of 916	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	29
PID 876 wrote to memory of 916	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	29
PID 876 wrote to memory of 1396	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	30
PID 876 wrote to memory of 1396	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	30
PID 876 wrote to memory of 1396	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	30
PID 876 wrote to memory of 1396	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	30
PID 916 wrote to memory of 1480	916	HUsgoEIw.exe	31
PID 916 wrote to memory of 1480	916	HUsgoEIw.exe	31
PID 916 wrote to memory of 1480	916	HUsgoEIw.exe	31
PID 916 wrote to memory of 1480	916	HUsgoEIw.exe	31
PID 1396 wrote to memory of 1244	1396	gkEcoYkg.exe	32
PID 1396 wrote to memory of 1244	1396	gkEcoYkg.exe	32
PID 1396 wrote to memory of 1244	1396	gkEcoYkg.exe	32
PID 1396 wrote to memory of 1244	1396	gkEcoYkg.exe	32
PID 2040 wrote to memory of 836	2040	TIYgkwAU.exe	34
PID 2040 wrote to memory of 836	2040	TIYgkwAU.exe	34
PID 2040 wrote to memory of 836	2040	TIYgkwAU.exe	34
PID 2040 wrote to memory of 836	2040	TIYgkwAU.exe	34
PID 1636 wrote to memory of 2008	1636	TIYgkwAU.exe	36
PID 1636 wrote to memory of 2008	1636	TIYgkwAU.exe	36
PID 1636 wrote to memory of 2008	1636	TIYgkwAU.exe	36
PID 1636 wrote to memory of 2008	1636	TIYgkwAU.exe	36
PID 876 wrote to memory of 1584	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	37
PID 876 wrote to memory of 1584	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	37
PID 876 wrote to memory of 1584	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	37
PID 876 wrote to memory of 1584	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	37
PID 1584 wrote to memory of 1964	1584	cmd.exe	39
PID 1584 wrote to memory of 1964	1584	cmd.exe	39
PID 1584 wrote to memory of 1964	1584	cmd.exe	39
PID 1584 wrote to memory of 1964	1584	cmd.exe	39
PID 1964 wrote to memory of 1128	1964	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	40
PID 1964 wrote to memory of 1128	1964	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	40
PID 1964 wrote to memory of 1128	1964	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	40
PID 1964 wrote to memory of 1128	1964	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	40
PID 876 wrote to memory of 2012	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	59
PID 876 wrote to memory of 2012	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	59
PID 876 wrote to memory of 2012	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	59
PID 876 wrote to memory of 2012	876	6b0037f8bf3c5a4af6ed504b6bc73fafa1914949db1d82133d785b3fa3b90673.exe	59

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.