6b72d50525905a298cc6e4173f144b31f2dbaca23b5fe1ed84805bf47f2b8bc8

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
Size

320KB
MD5

2f5a6460066ce6bb64226a240187edc0
SHA1

27133a0ce47e8f79d63f90b6b92eb6f3e79904bc
SHA256

6b72d50525905a298cc6e4173f144b31f2dbaca23b5fe1ed84805bf47f2b8bc8
SHA512

8394d0b0f4b7a816456a6e9cdf2b3a549a18dd35c443cf2836d97c371c663c4741bf339f3d3a09c6e1d4321abac0715c66834f4b94954ed6bb8ca721bcc7617c
SSDEEP

6144:yHV58OEnoZvlmY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:y158ToZvHm05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe

Executes dropped EXE 15 IoCs

pid	Process
2096	Gpknlk32.exe
2656	Gpmjak32.exe
2908	Gldkfl32.exe
2856	Gelppaof.exe
2104	Gkihhhnm.exe
2628	Gogangdc.exe
2024	Hiqbndpb.exe
2780	Hkpnhgge.exe
1072	Hggomh32.exe
2428	Hgilchkf.exe
1832	Hodpgjha.exe
1032	Icbimi32.exe
316	Ieqeidnl.exe
2340	Ilknfn32.exe
1456	Iagfoe32.exe

Loads dropped DLL 34 IoCs

pid	Process
1684	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
1684	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
2096	Gpknlk32.exe
2096	Gpknlk32.exe
2656	Gpmjak32.exe
2656	Gpmjak32.exe
2908	Gldkfl32.exe
2908	Gldkfl32.exe
2856	Gelppaof.exe
2856	Gelppaof.exe
2104	Gkihhhnm.exe
2104	Gkihhhnm.exe
2628	Gogangdc.exe
2628	Gogangdc.exe
2024	Hiqbndpb.exe
2024	Hiqbndpb.exe
2780	Hkpnhgge.exe
2780	Hkpnhgge.exe
1072	Hggomh32.exe
1072	Hggomh32.exe
2428	Hgilchkf.exe
2428	Hgilchkf.exe
1832	Hodpgjha.exe
1832	Hodpgjha.exe
1032	Icbimi32.exe
1032	Icbimi32.exe
316	Ieqeidnl.exe
316	Ieqeidnl.exe
2340	Ilknfn32.exe
2340	Ilknfn32.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe
1624	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hiqbndpb.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gpmjak32.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe

Program crash 1 IoCs

pid	pid_target	Process
1624	1456	WerFault.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2096	1684	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2096	1684	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2096	1684	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2096	1684	2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe	28
PID 2096 wrote to memory of 2656	2096	Gpknlk32.exe	29
PID 2096 wrote to memory of 2656	2096	Gpknlk32.exe	29
PID 2096 wrote to memory of 2656	2096	Gpknlk32.exe	29
PID 2096 wrote to memory of 2656	2096	Gpknlk32.exe	29
PID 2656 wrote to memory of 2908	2656	Gpmjak32.exe	30
PID 2656 wrote to memory of 2908	2656	Gpmjak32.exe	30
PID 2656 wrote to memory of 2908	2656	Gpmjak32.exe	30
PID 2656 wrote to memory of 2908	2656	Gpmjak32.exe	30
PID 2908 wrote to memory of 2856	2908	Gldkfl32.exe	31
PID 2908 wrote to memory of 2856	2908	Gldkfl32.exe	31
PID 2908 wrote to memory of 2856	2908	Gldkfl32.exe	31
PID 2908 wrote to memory of 2856	2908	Gldkfl32.exe	31
PID 2856 wrote to memory of 2104	2856	Gelppaof.exe	32
PID 2856 wrote to memory of 2104	2856	Gelppaof.exe	32
PID 2856 wrote to memory of 2104	2856	Gelppaof.exe	32
PID 2856 wrote to memory of 2104	2856	Gelppaof.exe	32
PID 2104 wrote to memory of 2628	2104	Gkihhhnm.exe	33
PID 2104 wrote to memory of 2628	2104	Gkihhhnm.exe	33
PID 2104 wrote to memory of 2628	2104	Gkihhhnm.exe	33
PID 2104 wrote to memory of 2628	2104	Gkihhhnm.exe	33
PID 2628 wrote to memory of 2024	2628	Gogangdc.exe	34
PID 2628 wrote to memory of 2024	2628	Gogangdc.exe	34
PID 2628 wrote to memory of 2024	2628	Gogangdc.exe	34
PID 2628 wrote to memory of 2024	2628	Gogangdc.exe	34
PID 2024 wrote to memory of 2780	2024	Hiqbndpb.exe	35
PID 2024 wrote to memory of 2780	2024	Hiqbndpb.exe	35
PID 2024 wrote to memory of 2780	2024	Hiqbndpb.exe	35
PID 2024 wrote to memory of 2780	2024	Hiqbndpb.exe	35
PID 2780 wrote to memory of 1072	2780	Hkpnhgge.exe	36
PID 2780 wrote to memory of 1072	2780	Hkpnhgge.exe	36
PID 2780 wrote to memory of 1072	2780	Hkpnhgge.exe	36
PID 2780 wrote to memory of 1072	2780	Hkpnhgge.exe	36
PID 1072 wrote to memory of 2428	1072	Hggomh32.exe	37
PID 1072 wrote to memory of 2428	1072	Hggomh32.exe	37
PID 1072 wrote to memory of 2428	1072	Hggomh32.exe	37
PID 1072 wrote to memory of 2428	1072	Hggomh32.exe	37
PID 2428 wrote to memory of 1832	2428	Hgilchkf.exe	38
PID 2428 wrote to memory of 1832	2428	Hgilchkf.exe	38
PID 2428 wrote to memory of 1832	2428	Hgilchkf.exe	38
PID 2428 wrote to memory of 1832	2428	Hgilchkf.exe	38
PID 1832 wrote to memory of 1032	1832	Hodpgjha.exe	39
PID 1832 wrote to memory of 1032	1832	Hodpgjha.exe	39
PID 1832 wrote to memory of 1032	1832	Hodpgjha.exe	39
PID 1832 wrote to memory of 1032	1832	Hodpgjha.exe	39
PID 1032 wrote to memory of 316	1032	Icbimi32.exe	40
PID 1032 wrote to memory of 316	1032	Icbimi32.exe	40
PID 1032 wrote to memory of 316	1032	Icbimi32.exe	40
PID 1032 wrote to memory of 316	1032	Icbimi32.exe	40
PID 316 wrote to memory of 2340	316	Ieqeidnl.exe	41
PID 316 wrote to memory of 2340	316	Ieqeidnl.exe	41
PID 316 wrote to memory of 2340	316	Ieqeidnl.exe	41
PID 316 wrote to memory of 2340	316	Ieqeidnl.exe	41
PID 2340 wrote to memory of 1456	2340	Ilknfn32.exe	42
PID 2340 wrote to memory of 1456	2340	Ilknfn32.exe	42
PID 2340 wrote to memory of 1456	2340	Ilknfn32.exe	42
PID 2340 wrote to memory of 1456	2340	Ilknfn32.exe	42
PID 1456 wrote to memory of 1624	1456	Iagfoe32.exe	43
PID 1456 wrote to memory of 1624	1456	Iagfoe32.exe	43
PID 1456 wrote to memory of 1624	1456	Iagfoe32.exe	43
PID 1456 wrote to memory of 1624	1456	Iagfoe32.exe	43

C:\Users\Admin\AppData\Local\Temp\2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f5a6460066ce6bb64226a240187edc0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\Gpknlk32.exe
  C:\Windows\system32\Gpknlk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\Gpmjak32.exe
    C:\Windows\system32\Gpmjak32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\Gldkfl32.exe
      C:\Windows\system32\Gldkfl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\Gkihhhnm.exe
        
        C:\Windows\system32\Gkihhhnm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gkihhhnm.exe

Filesize
320KB

MD5
7a08defabd64a7d7cd6afd6c32f11238

SHA1
ee91e60b9356a260b03cc3ed322d6ea28fa2eead

SHA256
82d9d775d1a731b84a62247e93b16b3d0a9a37247e640753b92aa38cadd1d099

SHA512
18c42fe1177598ef80ea898978177a9cfa010c4c849f8ca99ebfd843c279b03bcf3fa55c752f587859b326b12eb2c17b6fa00332a1be6f01a92ca73e944ee47d

Download Submit
C:\Windows\SysWOW64\Gpmjak32.exe

Filesize
320KB

MD5
36b9ed0cbae3b7e440c93de878ac9bee

SHA1
0b1d44c31a9377499644ee3993c41a778bc3c33f

SHA256
b9b74e56285ed883fafd7eb6edc1ca9258b0cf4da9ca0fe17e9fadbbd8e5a786

SHA512
6b3d9c312e58bf740708b1f60cfd024895a73deb6ff72a02d0a44c27d9d128e240dc08a49ac4e08210e6b6f37ecb08da60952d4bb7a01ee4eff57df6c8803a3c

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
320KB

MD5
425e3027040a62d7e484df3ab8a17bdb

SHA1
d7797dd7c49830a27b7b9b44ec48573699ed69b6

SHA256
eadb5aea6fa3b3d993c5a000bf9b6b78a6d55954855a8027269eb6df2e07655c

SHA512
6890ce5181799b154452242192e205ad3d361ae6efc2592ab70c2323a2bae7e2c88c7814b6c49fcb7d5e4bfdbdcb19515a8217a96a4e13ba141d6f246dd4d48f

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
320KB

MD5
417f4f92a2a32eae0ba610305aa66a95

SHA1
4552dbadbecc67540b6e7d7e0ff450659e31e405

SHA256
e667d57808083f3d101966b785ce7025a2796ec090da054eb274c60056f627cc

SHA512
09c93bea9bdff769b042e76669c126758076b29febb0dfad7d354949ea7208e66cabfcd04ad045924f7cc03301695b5386dae54d7131553bef80ad5baf9037ac

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
320KB

MD5
100ad487b587506ddacb3daab2d781f7

SHA1
c7fc725996f852c38137d668387ed1674cebac38

SHA256
ee3cd8e639174da4a102258fdea77157d09605ff0d7e9b9970e61baa15057f78

SHA512
abac7eda10ce6fbe9515b012e8246651d84228abc7294da5b00a3ea1d5325f5eb1306b74ee6bbbe3598ba27bd853fbd6c97f7424566f982e2dd9db9d1ddb5262

Download Submit
\Windows\SysWOW64\Gelppaof.exe

Filesize
320KB

MD5
a42c265212245cfa8b68af14cefa66c9

SHA1
19749de5dd461ceb8734f22275a3dd414b817409

SHA256
f49f8d109ee71e1d009be4c92943cee2942661df92622f1e2c0b1580cb57528d

SHA512
1d74264ef56859413c752f49cb4d8a1b874d12a76374bd98ff124ceedfee481286ed04aefa34cd213e295e5b0f03641543ed952ba19a3f0026cf9d52654e3c46

Download Submit
\Windows\SysWOW64\Gldkfl32.exe

Filesize
320KB

MD5
69da312516f5bbf98e5629701441b9c5

SHA1
cb0ce88ef8827759f378b6abc648054e65087c39

SHA256
aeccddb424384137f113f66c8a365e5307621aba3ffc761e99c8ecd0230e8dd4

SHA512
3ec0f45058d12cfa26d3fe6e8af25f4dbc729f26b83b31000f91ea4c30c62cfbd9602cb9e834cf6cba0010d5c43008f542da4b4aa2f5085db9839e05b2188342

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
320KB

MD5
e23f71ce97b3cc74d3e681e383176a7d

SHA1
9cdf3ee0bf6ea7bef1b5e4ca6cd3559bde3bcff9

SHA256
7a403e74645aefd133abafbd73a5d0231fa68db0a07adfcf249792f2ad08453f

SHA512
2fc506335c75656bdf06b0441b9e4d547adf5eed548b557c6769d412eb89019f782aacec942fb38b0499a171ae724ade68eee5d5104ed6c484e6a924da1c3f81

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
320KB

MD5
23cce5a6020d975a1a60c6b4af6e2571

SHA1
ce1a95fc0e6a7a9de21f0a719610101f172ddc9f

SHA256
e8abd0f8fa5b267623eccce5cb56052d371d10164ffe0dbfb618aa56457b0ed2

SHA512
03a7d1d217ea203fc11850e449ac84b7c4e203de26ab2fccd4ef0adef2cda530d00711b720bbb8e8b32b1a2de3e8aa7269695e681a8785c2978fc1d5e4ca16e6

Download Submit
\Windows\SysWOW64\Hgilchkf.exe

Filesize
320KB

MD5
c2b29ebd92a4bc272eb147203809f42c

SHA1
b6fedda076b2ba599c546f41de6555324c62b249

SHA256
590a95d383d19c4d9525743f490e5032552e08543195af32875896aad38b09cb

SHA512
26a321bbf6abe6cd67a05e18b4d2d0b8b37e82df155d471480329f17250532cc90203cdd64fa69b6f9080620cbf502c0402554790df13bbed2906a5140f8c327

Download Submit
\Windows\SysWOW64\Hiqbndpb.exe

Filesize
320KB

MD5
7bb6100ce256ddb4c1b1c075ef31fd62

SHA1
4863d820ee6c2c59666d6b8026eac702ee12e61e

SHA256
0f5da445392ba42d4a129a774efe0769df15113c557b659966d12b86975fc980

SHA512
fa22169992fb2074c5cff9781c15b7533b1b9b53e87aa074101edf911ba679f11412b7fb8fb91909719e31c9048f47b6ceafada0c8d94de879f3780547721a3a

Download Submit
\Windows\SysWOW64\Hkpnhgge.exe

Filesize
320KB

MD5
77dfdaec41448781be4ca242684b7328

SHA1
19743134eb1111dae49201a8c805312a46342dba

SHA256
cf4cb1e446e706bb4aca148ec74b68c2d0fa0158749aa89c3cbb87e9b4df61e8

SHA512
870dac8f5aedbb638be016a6cd513247e245a8c85b9b5a341c58596aea9cdcc7dbbeb19790a3d0199d02f9403e1f5fe57ee16c31c3cde8892d77e3e0097b4263

Download Submit
\Windows\SysWOW64\Hodpgjha.exe

Filesize
320KB

MD5
bd19fb2f530d0210835777a23fc07e2d

SHA1
23586fd4da2c63a860f043a9c32143abacf592e8

SHA256
55a5a1c53916759017e6a8e2386b9c6445d3d54576e426e5a398d85dc71d4975

SHA512
f6bdd6230d49faaf5c961fd9fbb6ba443679e41a19baad42d276a55de7cdfadbeec825566aa1b8fda89bdbfbd5b3fb7a847008d3c2da62e1efe7259b1fa8683f

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
320KB

MD5
416faa02958acfcd75f14beb07f3ff4a

SHA1
a1cd99471e67322c355b97330814821dd104275d

SHA256
51e1696622c396886cfe416b1d5e38760d341bcde4b007b703c05260ea972f6e

SHA512
8041128e0a7721f9941d95b9efce96cb4ad16188e50fc1d7f2d861d0c102458fa0b4e513fea689ab4ae9a6a3ff069f616c3405df7953b08772150220d5a6d91c

Download Submit
\Windows\SysWOW64\Icbimi32.exe

Filesize
320KB

MD5
44b0cce170103219b0a3537937c9e125

SHA1
969bd5b09f5330ab7b7f2144b428f47878900a89

SHA256
1f454c52bc5eb1134fb9e4decb1df050fff8f2f201af78f08eb89d937ca799cd

SHA512
10cb917554448f4afcf4448f3149439a0e5d6906dad7afba1a4a0e380176546822ac4fbfed5d75a6e73a91f0abb6fd1654596ee303a6164e8220ccb78e7cf577

Download Submit
memory/316-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-204-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1032-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-134-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1072-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1456-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-6-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1684-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1832-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1832-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1832-163-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2024-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-107-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2096-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-26-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2104-80-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2104-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-149-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2428-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-40-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2656-211-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-121-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2856-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-49-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2908-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads