04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 17:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
Size

80KB
MD5

4b5cb201cf17dbb0976081a4aef832d0
SHA1

687484a83aa5701fae4d0f4474c10fec2a62bacd
SHA256

04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070
SHA512

5097e9d3b235495270d208b8714ad51e4e20580f150909bc28ba5058417cb18af30fbd4e21d25df2a03fa9852e7cb194c728bf93dc14c9e004eeaee73dcf70b1
SSDEEP

1536:cRmFMwljEQx1z+vpzvhAo9g2L9aIZTJ+7LhkiB0:cRmFMwCUYxBT9aMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmjak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gelppaof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inljnfkg.exe

Executes dropped EXE 25 IoCs

pid	Process
1688	Gpknlk32.exe
2652	Gicbeald.exe
2648	Gpmjak32.exe
1156	Gangic32.exe
2556	Gldkfl32.exe
2584	Gbnccfpb.exe
1640	Gelppaof.exe
2780	Gacpdbej.exe
1072	Ghmiam32.exe
1196	Gddifnbk.exe
2404	Hgbebiao.exe
600	Hdfflm32.exe
956	Hkpnhgge.exe
308	Hpmgqnfl.exe
2964	Hggomh32.exe
1648	Hcnpbi32.exe
2852	Hjhhocjj.exe
1604	Hlfdkoin.exe
1988	Henidd32.exe
1784	Hlhaqogk.exe
492	Icbimi32.exe
2056	Ieqeidnl.exe
1948	Ihoafpmp.exe
2096	Inljnfkg.exe
2612	Iagfoe32.exe

Loads dropped DLL 54 IoCs

pid	Process
2064	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
2064	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
1688	Gpknlk32.exe
1688	Gpknlk32.exe
2652	Gicbeald.exe
2652	Gicbeald.exe
2648	Gpmjak32.exe
2648	Gpmjak32.exe
1156	Gangic32.exe
1156	Gangic32.exe
2556	Gldkfl32.exe
2556	Gldkfl32.exe
2584	Gbnccfpb.exe
2584	Gbnccfpb.exe
1640	Gelppaof.exe
1640	Gelppaof.exe
2780	Gacpdbej.exe
2780	Gacpdbej.exe
1072	Ghmiam32.exe
1072	Ghmiam32.exe
1196	Gddifnbk.exe
1196	Gddifnbk.exe
2404	Hgbebiao.exe
2404	Hgbebiao.exe
600	Hdfflm32.exe
600	Hdfflm32.exe
956	Hkpnhgge.exe
956	Hkpnhgge.exe
308	Hpmgqnfl.exe
308	Hpmgqnfl.exe
2964	Hggomh32.exe
2964	Hggomh32.exe
1648	Hcnpbi32.exe
1648	Hcnpbi32.exe
2852	Hjhhocjj.exe
2852	Hjhhocjj.exe
1604	Hlfdkoin.exe
1604	Hlfdkoin.exe
1988	Henidd32.exe
1988	Henidd32.exe
1784	Hlhaqogk.exe
1784	Hlhaqogk.exe
492	Icbimi32.exe
492	Icbimi32.exe
2056	Ieqeidnl.exe
2056	Ieqeidnl.exe
1948	Ihoafpmp.exe
1948	Ihoafpmp.exe
2096	Inljnfkg.exe
2096	Inljnfkg.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gelppaof.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gelppaof.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gbnccfpb.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Hgbebiao.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Pnbgan32.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gpmjak32.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Pabakh32.dll	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Hmhfjo32.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Mncnkh32.dll	Gpmjak32.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gangic32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Gelppaof.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Inljnfkg.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Jdnaob32.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gelppaof.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmjak32.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Gelppaof.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2160	2612	WerFault.exe	52

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpmjak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Hgbebiao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gelppaof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1688	2064	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 1688	2064	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 1688	2064	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 1688	2064	04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2652	1688	Gpknlk32.exe	29
PID 1688 wrote to memory of 2652	1688	Gpknlk32.exe	29
PID 1688 wrote to memory of 2652	1688	Gpknlk32.exe	29
PID 1688 wrote to memory of 2652	1688	Gpknlk32.exe	29
PID 2652 wrote to memory of 2648	2652	Gicbeald.exe	30
PID 2652 wrote to memory of 2648	2652	Gicbeald.exe	30
PID 2652 wrote to memory of 2648	2652	Gicbeald.exe	30
PID 2652 wrote to memory of 2648	2652	Gicbeald.exe	30
PID 2648 wrote to memory of 1156	2648	Gpmjak32.exe	31
PID 2648 wrote to memory of 1156	2648	Gpmjak32.exe	31
PID 2648 wrote to memory of 1156	2648	Gpmjak32.exe	31
PID 2648 wrote to memory of 1156	2648	Gpmjak32.exe	31
PID 1156 wrote to memory of 2556	1156	Gangic32.exe	32
PID 1156 wrote to memory of 2556	1156	Gangic32.exe	32
PID 1156 wrote to memory of 2556	1156	Gangic32.exe	32
PID 1156 wrote to memory of 2556	1156	Gangic32.exe	32
PID 2556 wrote to memory of 2584	2556	Gldkfl32.exe	33
PID 2556 wrote to memory of 2584	2556	Gldkfl32.exe	33
PID 2556 wrote to memory of 2584	2556	Gldkfl32.exe	33
PID 2556 wrote to memory of 2584	2556	Gldkfl32.exe	33
PID 2584 wrote to memory of 1640	2584	Gbnccfpb.exe	34
PID 2584 wrote to memory of 1640	2584	Gbnccfpb.exe	34
PID 2584 wrote to memory of 1640	2584	Gbnccfpb.exe	34
PID 2584 wrote to memory of 1640	2584	Gbnccfpb.exe	34
PID 1640 wrote to memory of 2780	1640	Gelppaof.exe	35
PID 1640 wrote to memory of 2780	1640	Gelppaof.exe	35
PID 1640 wrote to memory of 2780	1640	Gelppaof.exe	35
PID 1640 wrote to memory of 2780	1640	Gelppaof.exe	35
PID 2780 wrote to memory of 1072	2780	Gacpdbej.exe	36
PID 2780 wrote to memory of 1072	2780	Gacpdbej.exe	36
PID 2780 wrote to memory of 1072	2780	Gacpdbej.exe	36
PID 2780 wrote to memory of 1072	2780	Gacpdbej.exe	36
PID 1072 wrote to memory of 1196	1072	Ghmiam32.exe	37
PID 1072 wrote to memory of 1196	1072	Ghmiam32.exe	37
PID 1072 wrote to memory of 1196	1072	Ghmiam32.exe	37
PID 1072 wrote to memory of 1196	1072	Ghmiam32.exe	37
PID 1196 wrote to memory of 2404	1196	Gddifnbk.exe	38
PID 1196 wrote to memory of 2404	1196	Gddifnbk.exe	38
PID 1196 wrote to memory of 2404	1196	Gddifnbk.exe	38
PID 1196 wrote to memory of 2404	1196	Gddifnbk.exe	38
PID 2404 wrote to memory of 600	2404	Hgbebiao.exe	39
PID 2404 wrote to memory of 600	2404	Hgbebiao.exe	39
PID 2404 wrote to memory of 600	2404	Hgbebiao.exe	39
PID 2404 wrote to memory of 600	2404	Hgbebiao.exe	39
PID 600 wrote to memory of 956	600	Hdfflm32.exe	40
PID 600 wrote to memory of 956	600	Hdfflm32.exe	40
PID 600 wrote to memory of 956	600	Hdfflm32.exe	40
PID 600 wrote to memory of 956	600	Hdfflm32.exe	40
PID 956 wrote to memory of 308	956	Hkpnhgge.exe	41
PID 956 wrote to memory of 308	956	Hkpnhgge.exe	41
PID 956 wrote to memory of 308	956	Hkpnhgge.exe	41
PID 956 wrote to memory of 308	956	Hkpnhgge.exe	41
PID 308 wrote to memory of 2964	308	Hpmgqnfl.exe	42
PID 308 wrote to memory of 2964	308	Hpmgqnfl.exe	42
PID 308 wrote to memory of 2964	308	Hpmgqnfl.exe	42
PID 308 wrote to memory of 2964	308	Hpmgqnfl.exe	42
PID 2964 wrote to memory of 1648	2964	Hggomh32.exe	43
PID 2964 wrote to memory of 1648	2964	Hggomh32.exe	43
PID 2964 wrote to memory of 1648	2964	Hggomh32.exe	43
PID 2964 wrote to memory of 1648	2964	Hggomh32.exe	43

C:\Users\Admin\AppData\Local\Temp\04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04763c653f63442cbdf6a1c69cde7ac4bc4c97b1db050115aee838ade5878070_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\Gpknlk32.exe
  C:\Windows\system32\Gpknlk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\Gicbeald.exe
    C:\Windows\system32\Gicbeald.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\Gpmjak32.exe
      C:\Windows\system32\Gpmjak32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Gangic32.exe
        
        C:\Windows\system32\Gangic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Gelppaof.exe
        
        C:\Windows\system32\Gelppaof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:492
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Inljnfkg.exe
        
        C:\Windows\system32\Inljnfkg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        26⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
80KB

MD5
558e94fd05c48942d20b387557a77ae5

SHA1
63cf9da561f95c77fc636b66a37e06d0e7e9c07c

SHA256
751656e26924093436293dfbb2cd9dd253344eb6a1a666636e939400e93b5c7e

SHA512
afe01d8b6d1df060ba2f8e9cce51babdfdc8a265a05a1490283fa60bd690b99f12107a62dac7c9317f7a2839ff91c6cc30decf9a8c5b9de8a6a35faf334b85a2

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
80KB

MD5
a19a1631c99a777f901bef372ba391fe

SHA1
7064288dcf54111ba22a8c679b9a408e151874b3

SHA256
44738da497f4f86cc9faa18fbebd2c4c70c258937d2952d550d58f3189e1bfbd

SHA512
82c6106c95b86781f1f6b2670cf46ee7309d83095e0635c4a911bb5c21ef462159c0d63c23b431e81d22aac3f7f85d22f8d3b001ffc0d69e3885b9635f2bdf44

Download Submit
C:\Windows\SysWOW64\Hgbebiao.exe

Filesize
80KB

MD5
afcfc9061c295ae7f9e78139f60be724

SHA1
4f5c9f6e250164cca329639d2f9edcc7d95f81b7

SHA256
d0014b136c62c0d88350fb4a6d1a92812af6da3fd1b2212ca8f00591a36e0ced

SHA512
688bde38a0c316b7ecf905915e7b6dcf633869611feb69398b40da0ab3e000bd89a93bcb61c10a67ef9e2e7198971c28e1435c9bfcaf0e47b59e22673670ed5a

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
80KB

MD5
73554d3fefa8bbebf3ccbc660c0ed714

SHA1
da1c198b77aef9d482b107485271d13c20e7003d

SHA256
54512f52a27d56a49cf2e58a1869aef0f11e9a188068ffc96814b8c2f94062b3

SHA512
59a98c42919208d9e07b6a99ad479365ac274eda1c6f117f579bd49fba4f3f1aed182fb01cc6f2e12b7e8b3dd1a18db019d4617a3e8266f42ceacb787cd93d8c

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
80KB

MD5
e853ebc9b94537859f9d3c1e686423f0

SHA1
2de81fc85fc20552884df4a421b9fcc105c1437c

SHA256
728beeb2f6a8447dfc5336efa458c8ff8241c7dfaca5793e26126f0b64fe6d31

SHA512
13dcbeb9323fa8ec96c6472ccef0a3f2944003e465452b57ee51f14b2481568ec1bd5a1cca0262d8adbf3cdb88256ac95d83db6e089c83709221d7548a81a615

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
80KB

MD5
6ab76facaf52f0838a8c56f631005bd4

SHA1
34ce9e5f6964321363d296ec082bf367b6b37d1b

SHA256
8616df7783cfee98b4e307ad98bd55c226571b076da0f9e5a6db56ad83e82873

SHA512
322149f8ad0dbfb67ad51f265cb94228f4e0e8923e69dd1cbe386b577d566500fd9bad0d54a6b9db1e14d680b3b159e22f211aaa19f97baabc5f3bcf0bab895c

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
80KB

MD5
90d850a51fc5f86d959f6a9c42c4709d

SHA1
2e0de6823713067bcdadf3fb43452312177520aa

SHA256
782a8e630253320dd77c0d85f92a8dac4a76bdf713f83feaa472969fd99b41f2

SHA512
93c829c796c5fe2cfc7a201284d8445685c2080ba5433c089511a64b946138a0a99baeacf7697281da8906badee81c0358eecf8c69e7d30bac8e7caf21ca6dea

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
80KB

MD5
d5758cf221c52d36f7d750a30b11c5a1

SHA1
da249facfc6351c778ae44ec320e568e5871163e

SHA256
890eb18a00bcc15766dad46085b0033d297d3fcfc19095d60a7711b7987ad7d2

SHA512
4bd53f3ac0dd59557fd4645da6d40ed2d6d11330317c8928105d45c748fc9e0c602952b17604cf7fbf8c1c4fe6b0e78bc2f63ac7d05bb05748c4c313d61b19c3

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
80KB

MD5
fdca49eedc4a772c09d5639f96103874

SHA1
d5a7aee15f6be4415ad8c419e494b13f51f2442b

SHA256
0d4707b7d067126eff64674f88dd7238e726547fb798dcbd3eb59f04657faf7d

SHA512
5b50b71e8238a2bb6e055fb6ff725a567656faece7295b4d401b12d529a80bab23f5a05744dfa7ab70a20b84fa28a2a760ff80fa0f3ea5e4761f48d987fbc7cc

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
80KB

MD5
45eb862db19f2387ce66b5d1b97db117

SHA1
0fb391b816e1e7cd461ea2a20458cfa778810ddd

SHA256
02b16527b03c780de956a0f8e907ac603b16729b615bd96c36ef755d8b37cb08

SHA512
35721d451ac16ea2f50c2e2c7500171a411ba6b95e3e2932855ca175da3b04b6f9d025b352754d9db0327f8caa17ded0cb160207a86c9e7cbfdf03b994781f3e

Download Submit
C:\Windows\SysWOW64\Inljnfkg.exe

Filesize
80KB

MD5
60254dc2afd4b55910ba90c17773e681

SHA1
f0043a025cef06077d80920884cd602f45e45d30

SHA256
62f8284f08cc05e98937f54aff34bf2bed55d82b036aa1fec33e784b565f4ccd

SHA512
3dd0c33589cc25976d566c691c72b6019651cbc0386a3a7a173e2d7e9c4772f4d0a2caf54e60e07b436f9e76b2ae55e72d578de91d6f0ef17f0bf62551364c5a

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
80KB

MD5
3bf23291605c3976002c290169129cb8

SHA1
79cb6c82c2974676f71daec9e82056a3fbbca838

SHA256
2ef50229aa7da056c14d2766c260663bdb0fc03bde11b9242c7e27b250978722

SHA512
a365d14bbd0c6598c673604971314b65a329ae0daee097643550eeabdeb2f72b5d500294791612b5422f1c44507316e607820e1330de2de73b9f549859d8445e

Download Submit
\Windows\SysWOW64\Gangic32.exe

Filesize
80KB

MD5
733988908e8775c8f6f00181e4ceb0ef

SHA1
e14b8289c321cd776a00f874fc7214155616c4bc

SHA256
6e98af5b3bff2b929e9f0b0248c6c9f7596668ee1ed2e37b0d8283145728d1e5

SHA512
ed184900bbe049a741bad34a824e46c0462f5720af1d928f0089b87ef13942c62852b40ceaa5b232b8e89647691f6218c6935599206579c868ab764cde3abab8

Download Submit
\Windows\SysWOW64\Gbnccfpb.exe

Filesize
80KB

MD5
fc3989451b7e0f86661cb314afd6c5d2

SHA1
8b1460c32b55bb70659308649ac921b3f467a97a

SHA256
98df437f3501074ad156aa9c88511d1047524c00a7886e681f839c7beb0aa055

SHA512
7793b32fbcafc57aa3c3347a39da359fd79a56801bc5521247c691b1df4968ea950d39cab3d7e9aaea98235e2dd3760f584082624a2aa11d7bc1c36fee193b66

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
80KB

MD5
f5ce5b19621282c37b1cf85a17948156

SHA1
570cde0626962673e5dba6eab9e26790090cbf85

SHA256
3d0380de32e512619b3093165b89ef29f8d4dedeaa4f6987d53595c3693f5392

SHA512
1c99950dc7cd351163add68fee6a06e1fec34e39ca6c39774d4983a0dc4cc56a8cf0ab98ceb7b352f2851626b8f2df685fd265f58df9a6a18926e14c36c2fd23

Download Submit
\Windows\SysWOW64\Gelppaof.exe

Filesize
80KB

MD5
25563e0bdbadbbe44a39b75d0c402146

SHA1
a52b49e9a0cc07f34bac42a37dc4605966d2c949

SHA256
834000215e5d2dcc414fa0f3cf4b8ffe36286072c153d787bf8087024efa6d31

SHA512
a6822e98089adc943baec1ce0ad8faa1ab87be4fa635c4f7079ff66402722e1240898c9f2deb0c49d9ca084bb7061d17c1b5012596a6f3a6772e867972ffa4ee

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
80KB

MD5
1ab27124000e2106335bbbac533b36f8

SHA1
c448d68fd9acdb673147505814e1a0670b84ab01

SHA256
1f2f1bdfa610729b09543276bca93f3ae0c8bc65cbc54b4b81b41502a7da6225

SHA512
16de3497b71ee4627fa48bb22994f1e5a889a1c69851b74c6682e6f15b54c3c99c962a7c5f7fb024d44b289ef8b719d540345f32d1102f5739e7b5ba07c42845

Download Submit
\Windows\SysWOW64\Gldkfl32.exe

Filesize
80KB

MD5
ac6fc37ea7733344f9a509097fa23b53

SHA1
ee8ad236c400f1c32af5192d0459fcb0ce5a7a7b

SHA256
5c042f3b07d41c955e003e88cd902ceb8cb8d0c7fc5b1c3e74731adc13abf5d7

SHA512
d4e5fc9471bc8d5b2d99e9c64497a8d1fb6bcc27bfb6178637055bbe322a7d7c97bbe586f614d7e7baf5a3a30688e0b4278ce19c176067979bd5f7cd0ce23069

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
80KB

MD5
72319c7ce618549baa1501f642781f83

SHA1
118c5fdc4be8c0f1bb0986836e5781b5641af6e1

SHA256
4048f5675303a5f0b4e081530b1bfa4b62895a6561e47f545b19d6c768e1197e

SHA512
4886f1145c2f9dd46c1ad5d5ed26daec044002ace000a16b47ac1042390752c23479e807fa850d3df2937e4797cec1d6497fc07069fcbb8866f341f3eaa5608f

Download Submit
\Windows\SysWOW64\Gpmjak32.exe

Filesize
80KB

MD5
a2b45595d48b314da51d46f267335f2a

SHA1
0902291608198911f4177b1712742fa02981f999

SHA256
5e08ff37d991f07508df81c6fd2bd4bb47e6c6df63b90d3320022d809d00be34

SHA512
a93e14d945cc09ed6e44215aae486a472a6a1ae6009964f10e0942cfee52b95776e5bef53c92099e15157d78f9581c24bd303d6902a8bab6d6310336dc3c77fd

Download Submit
\Windows\SysWOW64\Hcnpbi32.exe

Filesize
80KB

MD5
6019b0246caab174085c4df08a3f35fd

SHA1
5d5cc468ec4e7c512e535a8681f90711b48c8814

SHA256
df706530f23f3a780ca12ba696b532713f28982f28273449aff8702eb9339f99

SHA512
ffa52fb2b8470e39986b01b3c611914dd4b81cb038145326ba3ed2f07d38f47b763900c12ff2b3d06a52a618d94f7d2697fde17dd9f7ff6780876e4df5328b59

Download Submit
\Windows\SysWOW64\Hdfflm32.exe

Filesize
80KB

MD5
be17f638e99e590228ad1abda7665657

SHA1
5a2e8ba08431419f4fe4a38965fb010ad45aa72b

SHA256
7a2f21105e10fa45d23163baea9f94fc8b8f10c2545343a1e3743c8370c0bd0b

SHA512
c89a94f018bc9fc7835aa3bb2913d6308ab6f712d4399557acf70df2e18f632df2b3cf3cb1440cc3f242aa7bc05931d4cb4ae83f38ab5ae675e5b44233bb0b61

Download Submit
\Windows\SysWOW64\Hggomh32.exe

Filesize
80KB

MD5
ca561840ba48fdaf03c5bff231c5b742

SHA1
3612d19c3d1995d0c659056c6a4891b3c263cc80

SHA256
3f55411ba0de3729b607fe5b5fd30d2edf78fa6153f9d20c912013bbe6ab8d44

SHA512
081bce697c027a556c04de59eb57ec6c5b7b7bb10e266e814e3831b83ef9de0ccb7aca47091f266e9d388b7c62f4cab2603b63a111d3f21385f4e1c87bc42fd6

Download Submit
\Windows\SysWOW64\Hkpnhgge.exe

Filesize
80KB

MD5
d673028b3de09ae39ed200de0d697a43

SHA1
dc9694165423e2b95a872b0d0220727ba4b88d23

SHA256
53eaaae01505e87174e39735394fec60ade098f549b6aae3c4d8d70f25efd0f5

SHA512
984a92c4fecb1b734f07fc29ab7b28c947db4a7a801ba568b7c15ba042ebe2c2d0e312a94eb6dbd02a497f7821e36d8c5d74a80bf4930123e367b7c739d3f790

Download Submit
\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
80KB

MD5
cbef6724151dd42c9eff0dc8d90fc312

SHA1
cd05f28d3c2e1becbad6e62fd428122574705d32

SHA256
33712dca3cc92c3b5d40d9b4279cc2d522fb569ae4efe5e6057fdbfefd4cf3f7

SHA512
0599e4889e95ea5cdab954e0ba3773a06efc6b93227b056122bbc4d8acee0da0d0b4b82c5e2fba7f1bffb7d2326cf0526d22a4f856168574e88c16c9652c5a8e

Download Submit
memory/308-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/308-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/308-293-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/308-215-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/308-214-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/492-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/492-300-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/492-340-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/600-245-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/600-251-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/600-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/956-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/956-277-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/956-200-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/956-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-217-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1072-142-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1072-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-143-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1072-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1072-218-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1156-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1196-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1196-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1604-334-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1604-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1604-267-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1604-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-109-0x0000000001F60000-0x0000000001F9C000-memory.dmp

Filesize
240KB

Download
memory/1640-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1648-327-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1648-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1648-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-25-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/1784-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1784-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1784-339-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1948-324-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1948-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1948-343-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1948-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-337-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/1988-336-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/1988-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-279-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2056-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2056-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2064-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2064-6-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2064-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2096-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-158-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-87-0x0000000001F30000-0x0000000001F6C000-memory.dmp

Filesize
240KB

Download
memory/2556-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-156-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2584-170-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2584-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-50-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2648-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-53-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2652-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2652-126-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2780-124-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2780-186-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2780-123-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-252-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2964-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-228-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2964-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads