1ca2739ad86d167bead36e7c01620973650d63c79a3b9293a7c2a8371f7b154c

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Size

448KB
MD5

2b0466e555997c6ab8455a55eadc2aa0
SHA1

9aaf824471ce9c01722adc00b423fee23c89aa6b
SHA256

1ca2739ad86d167bead36e7c01620973650d63c79a3b9293a7c2a8371f7b154c
SHA512

f36580ad675743ff37bf58878f5920758594704f4d507f9eba3982e9b3091d67fb2a423e6bd30d70aa19b5cb8d7a6375f376a50198801742c6ca4927a1d6ecd5
SSDEEP

6144:/D1k5Ngy46s21L7/s50z/Wa3/PNlP59ENQdgrb8X6SJqGaPonZh/nr0xuIKjyAHM:ZS705kWM/9J6gqGBf/sAHZHbgdhgi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe

Executes dropped EXE 15 IoCs

pid	Process
2236	Gonnhhln.exe
3060	Gieojq32.exe
2908	Gelppaof.exe
2636	Ggpimica.exe
2684	Gddifnbk.exe
2560	Hdfflm32.exe
2484	Hicodd32.exe
2752	Hgilchkf.exe
316	Hpapln32.exe
2492	Henidd32.exe
1372	Hlhaqogk.exe
320	Hogmmjfo.exe
2432	Ieqeidnl.exe
1680	Ilknfn32.exe
2088	Iagfoe32.exe

Loads dropped DLL 34 IoCs

pid	Process
2116	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
2116	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
2236	Gonnhhln.exe
2236	Gonnhhln.exe
3060	Gieojq32.exe
3060	Gieojq32.exe
2908	Gelppaof.exe
2908	Gelppaof.exe
2636	Ggpimica.exe
2636	Ggpimica.exe
2684	Gddifnbk.exe
2684	Gddifnbk.exe
2560	Hdfflm32.exe
2560	Hdfflm32.exe
2484	Hicodd32.exe
2484	Hicodd32.exe
2752	Hgilchkf.exe
2752	Hgilchkf.exe
316	Hpapln32.exe
316	Hpapln32.exe
2492	Henidd32.exe
2492	Henidd32.exe
1372	Hlhaqogk.exe
1372	Hlhaqogk.exe
320	Hogmmjfo.exe
320	Hogmmjfo.exe
2432	Ieqeidnl.exe
2432	Ieqeidnl.exe
1680	Ilknfn32.exe
1680	Ilknfn32.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Gieojq32.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Ggpimica.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gieojq32.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Njgcpp32.dll	Gelppaof.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe

Program crash 1 IoCs

pid	pid_target	Process
1312	2088	WerFault.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2236	2116	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2236	2116	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2236	2116	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2236	2116	2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 3060	2236	Gonnhhln.exe	29
PID 2236 wrote to memory of 3060	2236	Gonnhhln.exe	29
PID 2236 wrote to memory of 3060	2236	Gonnhhln.exe	29
PID 2236 wrote to memory of 3060	2236	Gonnhhln.exe	29
PID 3060 wrote to memory of 2908	3060	Gieojq32.exe	30
PID 3060 wrote to memory of 2908	3060	Gieojq32.exe	30
PID 3060 wrote to memory of 2908	3060	Gieojq32.exe	30
PID 3060 wrote to memory of 2908	3060	Gieojq32.exe	30
PID 2908 wrote to memory of 2636	2908	Gelppaof.exe	31
PID 2908 wrote to memory of 2636	2908	Gelppaof.exe	31
PID 2908 wrote to memory of 2636	2908	Gelppaof.exe	31
PID 2908 wrote to memory of 2636	2908	Gelppaof.exe	31
PID 2636 wrote to memory of 2684	2636	Ggpimica.exe	32
PID 2636 wrote to memory of 2684	2636	Ggpimica.exe	32
PID 2636 wrote to memory of 2684	2636	Ggpimica.exe	32
PID 2636 wrote to memory of 2684	2636	Ggpimica.exe	32
PID 2684 wrote to memory of 2560	2684	Gddifnbk.exe	33
PID 2684 wrote to memory of 2560	2684	Gddifnbk.exe	33
PID 2684 wrote to memory of 2560	2684	Gddifnbk.exe	33
PID 2684 wrote to memory of 2560	2684	Gddifnbk.exe	33
PID 2560 wrote to memory of 2484	2560	Hdfflm32.exe	34
PID 2560 wrote to memory of 2484	2560	Hdfflm32.exe	34
PID 2560 wrote to memory of 2484	2560	Hdfflm32.exe	34
PID 2560 wrote to memory of 2484	2560	Hdfflm32.exe	34
PID 2484 wrote to memory of 2752	2484	Hicodd32.exe	35
PID 2484 wrote to memory of 2752	2484	Hicodd32.exe	35
PID 2484 wrote to memory of 2752	2484	Hicodd32.exe	35
PID 2484 wrote to memory of 2752	2484	Hicodd32.exe	35
PID 2752 wrote to memory of 316	2752	Hgilchkf.exe	36
PID 2752 wrote to memory of 316	2752	Hgilchkf.exe	36
PID 2752 wrote to memory of 316	2752	Hgilchkf.exe	36
PID 2752 wrote to memory of 316	2752	Hgilchkf.exe	36
PID 316 wrote to memory of 2492	316	Hpapln32.exe	37
PID 316 wrote to memory of 2492	316	Hpapln32.exe	37
PID 316 wrote to memory of 2492	316	Hpapln32.exe	37
PID 316 wrote to memory of 2492	316	Hpapln32.exe	37
PID 2492 wrote to memory of 1372	2492	Henidd32.exe	38
PID 2492 wrote to memory of 1372	2492	Henidd32.exe	38
PID 2492 wrote to memory of 1372	2492	Henidd32.exe	38
PID 2492 wrote to memory of 1372	2492	Henidd32.exe	38
PID 1372 wrote to memory of 320	1372	Hlhaqogk.exe	39
PID 1372 wrote to memory of 320	1372	Hlhaqogk.exe	39
PID 1372 wrote to memory of 320	1372	Hlhaqogk.exe	39
PID 1372 wrote to memory of 320	1372	Hlhaqogk.exe	39
PID 320 wrote to memory of 2432	320	Hogmmjfo.exe	40
PID 320 wrote to memory of 2432	320	Hogmmjfo.exe	40
PID 320 wrote to memory of 2432	320	Hogmmjfo.exe	40
PID 320 wrote to memory of 2432	320	Hogmmjfo.exe	40
PID 2432 wrote to memory of 1680	2432	Ieqeidnl.exe	41
PID 2432 wrote to memory of 1680	2432	Ieqeidnl.exe	41
PID 2432 wrote to memory of 1680	2432	Ieqeidnl.exe	41
PID 2432 wrote to memory of 1680	2432	Ieqeidnl.exe	41
PID 1680 wrote to memory of 2088	1680	Ilknfn32.exe	42
PID 1680 wrote to memory of 2088	1680	Ilknfn32.exe	42
PID 1680 wrote to memory of 2088	1680	Ilknfn32.exe	42
PID 1680 wrote to memory of 2088	1680	Ilknfn32.exe	42
PID 2088 wrote to memory of 1312	2088	Iagfoe32.exe	43
PID 2088 wrote to memory of 1312	2088	Iagfoe32.exe	43
PID 2088 wrote to memory of 1312	2088	Iagfoe32.exe	43
PID 2088 wrote to memory of 1312	2088	Iagfoe32.exe	43

C:\Users\Admin\AppData\Local\Temp\2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2b0466e555997c6ab8455a55eadc2aa0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\Gonnhhln.exe
  C:\Windows\system32\Gonnhhln.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\Gieojq32.exe
    C:\Windows\system32\Gieojq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\Gelppaof.exe
      C:\Windows\system32\Gelppaof.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Henidd32.exe

Filesize
448KB

MD5
3743104dcf8c59d5b161f039d7845954

SHA1
9defcf2bd83cd7b6a5bd2394799b8efe63c22b07

SHA256
f4577497b08a8fa5657376a48bd8cd9ff86eb32316f9f324e6349a681cb0f615

SHA512
dfb7a63e9681bd32a290de1a8371cbd765c663618b0d6fa8e0a36b6a08dbfece4a32961609a9a97f114fbc8bbec006c7451e6471cbff543232250c883fcfb59c

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
448KB

MD5
91b79707a1e770be6edece5d72cab8b6

SHA1
d09ea92f4dfc5dc09f78e2da7ebe18f96ffdd5d6

SHA256
073425d44097aba932d1bc5f8223aa31030fba7b4283114cda121e24f541bb06

SHA512
58b727062a1ce48d62040da6c963c426a5956005bbaeb2a15dc8410eb6aa9cb949de46bf8a43639cf1f6e28ec901ac515a919046d9ebca642e73e7965d855cb9

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
448KB

MD5
0b0904c4f33bff504de540c642440cfe

SHA1
fb7b01adb48256ff64070816b0a4942773d73c62

SHA256
b1f3cda75d41580fe020580a84ffa8cf93a100bef1dd0cd1358ec2fe268b3430

SHA512
1e2a2ecbc49ebb9415518c7f2a77996cd35694f9f9cb5103a64122ba3372144d0a66398ba5ca13ea41b62a72ae8c1917e2807bba579df9b687386fda15fbc0af

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
448KB

MD5
64586842cbc0aa0583b39dcb74aa74ba

SHA1
cfa6586dc5ceb9b339d5742e5e4c753719f3d9a3

SHA256
9c8b5e0da731df177829f9389d7e1f0d7aa942c6679ab4e041f55b12dc484d85

SHA512
920d51b370df623145902e9022b1ee297b8cba7ddcdca273fe42e11af91aa62c53cfb67e947c4c0396e65c79f90ac35971686f65437f84e1854209829aaf040d

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
448KB

MD5
aacd47d3df323de22e3d7fbb77c18a6b

SHA1
e7dbbfdbfb1dd2eab983f8c5baefa40a1aba31a0

SHA256
d97d495da59e81a512c650d117724d5be8c76cda235f11f8a20f903e559547a8

SHA512
c5b4be84a6906b9ce942ebb76e95caa3378b7c16d64bb53e59c8efdedd33f1a3ec1c86ea7b4d2fda9e23c2b611800f5560673961af6879f6957de551be193c11

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
448KB

MD5
5e038d77bd39facf65736d36e84ccc07

SHA1
674f7d2f5e3d19bbfb56065120b18979588537d0

SHA256
0f8451c2d2b7a2217e145c038c2ab567ec41a1b22cd6592b4750df9fd7c9c4b5

SHA512
145c34b4d1be41651b19a19951c60f468047e7c471b9ee4035149774f2c306450452ceffbb08592407ee2311b62794a9b085024b2ecc935bc966eef4d42fdd6b

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
448KB

MD5
20fe8d489a116bdcb2ecc94039d91150

SHA1
d8fbf1da0c3e346f3094fc0484ec36c5fafe28dc

SHA256
a1745d41d6d1019e30a62aff2d6518da933af6a731b140ac345f61228998c5b2

SHA512
4989cfd1b98e63fa36ac23ef8c9e3029b087c744338798c20a6cbda8054e19c9e5511f7724809f4e5a81af4bd55512e0e1c1b7426418466913b94e87355d9396

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
448KB

MD5
00e144830048414d9aa41b92d1967c4a

SHA1
a5b7d8363f15a380a749fba59c53d94452cd7a1c

SHA256
24194c8857733b4920d1e64b6e67a82c296f1ff75b02c09c8b072632d094bd44

SHA512
8639a352349e4c66f3040cb45293f7875ec9d16fcf877f0901f5e17d17ba93b0acc85a6ea64f71dc7994099ab0e96095db8736948d639c47925e93de9ed58a5b

Download Submit
\Windows\SysWOW64\Gelppaof.exe

Filesize
448KB

MD5
cfe7bf1b7aad01672727bc5efbeab8ad

SHA1
974759fb92b70d3c2e9950db8dcb9536b1521e6b

SHA256
e3ce1ab900f3857fc9193ef1322616420e97aee049be33e252ec4c6334f853e1

SHA512
debd9bdf620634e560e6121982ae54af0fb259c8b417aecbb4e148fced917e1bc0cffd1ec6885deeb73a12c75e0894d5276f9963e371a9330cf00da1c9c116d3

Download Submit
\Windows\SysWOW64\Ggpimica.exe

Filesize
448KB

MD5
1a1e358a417ac2a80889a2a98999ee52

SHA1
e12d0ae89378876859f13a8233559b19ed043918

SHA256
2f6f646f49a20fe3b7a468f514b9ae692fdf1e31c0c459b89b6825de166150b6

SHA512
906d726219676e9b4a043f6cf39f06498ef68762aa7dcd2129b9e09c2d50e00a5ae7be32986667317a9e9ea2634a838b26176c8976ae7afda59a461e5ded799f

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
448KB

MD5
2a4e93694fd35293de751ea23d9078ed

SHA1
ade29b1798016fb73c1e3fe1165a632ecafc8c23

SHA256
830bbb974df1dff63fee4d3a2e8c9038e024248e3461b5791ee43638f6404e02

SHA512
b2307a73e3aec5a23614a281be46d1edfd2c37423b2bc4332d980e65dbce990ea4a5a4b29b5a81a3fb04686bfeec2d9c2fd1f2c7023612eb9b20deaf4fd7721e

Download Submit
\Windows\SysWOW64\Gonnhhln.exe

Filesize
448KB

MD5
379b46bf14b9d16364693ad24502da20

SHA1
84874e9ddd99a268ff91348fba01e3f2f290d8c6

SHA256
6a36f0a8b95f4026b6e4fe966896011f7ea873f7c66559f6738c7ad04ccd0d64

SHA512
6b49290094ad57fe4fb6b3f092189f6804e51137638cd6d12e63bc403edb270b605853191c8f8d6efbc7f49e0065ba1059ba7254c515cb91c6546d7c72cf90f3

Download Submit
\Windows\SysWOW64\Hdfflm32.exe

Filesize
448KB

MD5
a281e37e092fef61ae597791a5ecaace

SHA1
c002eb9b68d4ffc7b07c9f27f9f54cb98c72a5b3

SHA256
51056fbbfdb8a44ce870642901e40f6b1d524a6b8a3b69f64672177796494675

SHA512
ec3999c0d4ce95907919bed0cee582e1d59bf465cd7108f9c5c2d44a7af49068a55c61cf9dc914428e6451288ef873cd2bad14ff7120341ed175f20bc5b77044

Download Submit
\Windows\SysWOW64\Hgilchkf.exe

Filesize
448KB

MD5
3f7acd5dc9bbc234b3045141b0133d34

SHA1
cf2e575ad1d6f65f46892fc4d06996629986d242

SHA256
c4bf8b8fcddf7f481ddd43d1f978fe9447e56df29ee644a85066ebc7a25ec9f7

SHA512
5b4bb3469e2aac3b237ac3f6f7e2918751a32fdece725bde5a593e33cf76d02c1aa82402a61fcf01b8797291a9c5f2e960cad027edc7fed73d907d1438e15067

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
448KB

MD5
97ca2a35c7af0b1cf6dc441837a3ff64

SHA1
6ba83a50df90bbc5b4eedcfe6e6c991440999659

SHA256
5cefc755e1a6f70cabfc3d473603519d8e64b00529aa9c1afbdd093c13e9e3a5

SHA512
1f3c272b77af164f5ee92e2caf1080854f2e9a283b4c1a267735f540d8c73620c317b5ec315183b3b1471a0fdd95be0c01287db98b322573848d43194b334d89

Download Submit
memory/316-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/320-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/320-178-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1372-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-205-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2088-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-6-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2116-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-19-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2236-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-195-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2432-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-104-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2484-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-151-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2492-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-95-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2560-86-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-62-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2636-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-76-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2684-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-128-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2752-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-48-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2908-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-40-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/3060-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-39-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads