2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
Size

187KB
MD5

01f8a267d0f1db150aface0568356f40
SHA1

924a001f2bdb9cd9065299722b009f49f6f454d6
SHA256

2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594
SHA512

dfb67759573b8c793a1fedd243a31462976e4f8f78c5ed098b98def98c718a7ad032211ffc1d773a53c8397760aac451d23b6f2dafad4bae91a00babd23f08bd
SSDEEP

3072:yHBV/+UKA2Qw11ZtRGWZAnEYxeEZl2NkzwH5GJks8WYlOWe7VsayDZVZev1N:y3Q/1PtRGWZA3EO9zwZ9s8SZq/svL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe

Executes dropped EXE 26 IoCs

pid	Process
1188	Gbnccfpb.exe
2364	Ghkllmoi.exe
2700	Glfhll32.exe
2624	Goddhg32.exe
2840	Gacpdbej.exe
2664	Gogangdc.exe
2964	Gphmeo32.exe
2828	Ghoegl32.exe
2992	Hiqbndpb.exe
620	Hahjpbad.exe
2380	Hcifgjgc.exe
1608	Hlakpp32.exe
2228	Hggomh32.exe
1880	Hiekid32.exe
532	Hpocfncj.exe
2856	Hellne32.exe
1124	Hpapln32.exe
836	Hcplhi32.exe
1076	Hjjddchg.exe
404	Hhmepp32.exe
1524	Hkkalk32.exe
772	Icbimi32.exe
348	Ieqeidnl.exe
2452	Ihoafpmp.exe
2456	Ioijbj32.exe
1572	Iagfoe32.exe

Loads dropped DLL 56 IoCs

pid	Process
2212	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
2212	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
1188	Gbnccfpb.exe
1188	Gbnccfpb.exe
2364	Ghkllmoi.exe
2364	Ghkllmoi.exe
2700	Glfhll32.exe
2700	Glfhll32.exe
2624	Goddhg32.exe
2624	Goddhg32.exe
2840	Gacpdbej.exe
2840	Gacpdbej.exe
2664	Gogangdc.exe
2664	Gogangdc.exe
2964	Gphmeo32.exe
2964	Gphmeo32.exe
2828	Ghoegl32.exe
2828	Ghoegl32.exe
2992	Hiqbndpb.exe
2992	Hiqbndpb.exe
620	Hahjpbad.exe
620	Hahjpbad.exe
2380	Hcifgjgc.exe
2380	Hcifgjgc.exe
1608	Hlakpp32.exe
1608	Hlakpp32.exe
2228	Hggomh32.exe
2228	Hggomh32.exe
1880	Hiekid32.exe
1880	Hiekid32.exe
532	Hpocfncj.exe
532	Hpocfncj.exe
2856	Hellne32.exe
2856	Hellne32.exe
1124	Hpapln32.exe
1124	Hpapln32.exe
836	Hcplhi32.exe
836	Hcplhi32.exe
1076	Hjjddchg.exe
1076	Hjjddchg.exe
404	Hhmepp32.exe
404	Hhmepp32.exe
1524	Hkkalk32.exe
1524	Hkkalk32.exe
772	Icbimi32.exe
772	Icbimi32.exe
348	Ieqeidnl.exe
348	Ieqeidnl.exe
2452	Ihoafpmp.exe
2452	Ihoafpmp.exe
2456	Ioijbj32.exe
2456	Ioijbj32.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Ghkllmoi.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Goddhg32.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Gbnccfpb.exe	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Gknfklng.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hiekid32.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gbnccfpb.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gacpdbej.exe

Program crash 1 IoCs

pid	pid_target	Process
2436	1572	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gacpdbej.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1188	2212	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 1188	2212	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 1188	2212	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 1188	2212	2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe	28
PID 1188 wrote to memory of 2364	1188	Gbnccfpb.exe	29
PID 1188 wrote to memory of 2364	1188	Gbnccfpb.exe	29
PID 1188 wrote to memory of 2364	1188	Gbnccfpb.exe	29
PID 1188 wrote to memory of 2364	1188	Gbnccfpb.exe	29
PID 2364 wrote to memory of 2700	2364	Ghkllmoi.exe	30
PID 2364 wrote to memory of 2700	2364	Ghkllmoi.exe	30
PID 2364 wrote to memory of 2700	2364	Ghkllmoi.exe	30
PID 2364 wrote to memory of 2700	2364	Ghkllmoi.exe	30
PID 2700 wrote to memory of 2624	2700	Glfhll32.exe	31
PID 2700 wrote to memory of 2624	2700	Glfhll32.exe	31
PID 2700 wrote to memory of 2624	2700	Glfhll32.exe	31
PID 2700 wrote to memory of 2624	2700	Glfhll32.exe	31
PID 2624 wrote to memory of 2840	2624	Goddhg32.exe	32
PID 2624 wrote to memory of 2840	2624	Goddhg32.exe	32
PID 2624 wrote to memory of 2840	2624	Goddhg32.exe	32
PID 2624 wrote to memory of 2840	2624	Goddhg32.exe	32
PID 2840 wrote to memory of 2664	2840	Gacpdbej.exe	33
PID 2840 wrote to memory of 2664	2840	Gacpdbej.exe	33
PID 2840 wrote to memory of 2664	2840	Gacpdbej.exe	33
PID 2840 wrote to memory of 2664	2840	Gacpdbej.exe	33
PID 2664 wrote to memory of 2964	2664	Gogangdc.exe	34
PID 2664 wrote to memory of 2964	2664	Gogangdc.exe	34
PID 2664 wrote to memory of 2964	2664	Gogangdc.exe	34
PID 2664 wrote to memory of 2964	2664	Gogangdc.exe	34
PID 2964 wrote to memory of 2828	2964	Gphmeo32.exe	35
PID 2964 wrote to memory of 2828	2964	Gphmeo32.exe	35
PID 2964 wrote to memory of 2828	2964	Gphmeo32.exe	35
PID 2964 wrote to memory of 2828	2964	Gphmeo32.exe	35
PID 2828 wrote to memory of 2992	2828	Ghoegl32.exe	36
PID 2828 wrote to memory of 2992	2828	Ghoegl32.exe	36
PID 2828 wrote to memory of 2992	2828	Ghoegl32.exe	36
PID 2828 wrote to memory of 2992	2828	Ghoegl32.exe	36
PID 2992 wrote to memory of 620	2992	Hiqbndpb.exe	37
PID 2992 wrote to memory of 620	2992	Hiqbndpb.exe	37
PID 2992 wrote to memory of 620	2992	Hiqbndpb.exe	37
PID 2992 wrote to memory of 620	2992	Hiqbndpb.exe	37
PID 620 wrote to memory of 2380	620	Hahjpbad.exe	38
PID 620 wrote to memory of 2380	620	Hahjpbad.exe	38
PID 620 wrote to memory of 2380	620	Hahjpbad.exe	38
PID 620 wrote to memory of 2380	620	Hahjpbad.exe	38
PID 2380 wrote to memory of 1608	2380	Hcifgjgc.exe	39
PID 2380 wrote to memory of 1608	2380	Hcifgjgc.exe	39
PID 2380 wrote to memory of 1608	2380	Hcifgjgc.exe	39
PID 2380 wrote to memory of 1608	2380	Hcifgjgc.exe	39
PID 1608 wrote to memory of 2228	1608	Hlakpp32.exe	40
PID 1608 wrote to memory of 2228	1608	Hlakpp32.exe	40
PID 1608 wrote to memory of 2228	1608	Hlakpp32.exe	40
PID 1608 wrote to memory of 2228	1608	Hlakpp32.exe	40
PID 2228 wrote to memory of 1880	2228	Hggomh32.exe	41
PID 2228 wrote to memory of 1880	2228	Hggomh32.exe	41
PID 2228 wrote to memory of 1880	2228	Hggomh32.exe	41
PID 2228 wrote to memory of 1880	2228	Hggomh32.exe	41
PID 1880 wrote to memory of 532	1880	Hiekid32.exe	42
PID 1880 wrote to memory of 532	1880	Hiekid32.exe	42
PID 1880 wrote to memory of 532	1880	Hiekid32.exe	42
PID 1880 wrote to memory of 532	1880	Hiekid32.exe	42
PID 532 wrote to memory of 2856	532	Hpocfncj.exe	43
PID 532 wrote to memory of 2856	532	Hpocfncj.exe	43
PID 532 wrote to memory of 2856	532	Hpocfncj.exe	43
PID 532 wrote to memory of 2856	532	Hpocfncj.exe	43

C:\Users\Admin\AppData\Local\Temp\2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2523b7a8e30ae8b8cf1c6dfc780eb8bd7e3a152f82ee6b8137ae9dd55bdac594_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\Gbnccfpb.exe
  C:\Windows\system32\Gbnccfpb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\Ghkllmoi.exe
    C:\Windows\system32\Ghkllmoi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\Glfhll32.exe
      C:\Windows\system32\Glfhll32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ghoegl32.exe
        
        C:\Windows\system32\Ghoegl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Hiqbndpb.exe
        
        C:\Windows\system32\Hiqbndpb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        27⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Elpbcapg.dll

Filesize
7KB

MD5
7e61ea8365f15740a8e493d35306698b

SHA1
e78ef57936a4b65207ecb1edd7982b9e2199992c

SHA256
6c2b3cd376131d828c2fa8d23efe4d549d1d29e1da4223a773688cacd0f33b5d

SHA512
21e5d07c803b21d4a479bc91f2aaff50546c3bc8baa73d5a4483e804c1afd1e1c73e3e9cec3a485716eb632c8b2c1ecb1fa1fc75f09e5f2581d02f7956d655f0

Download Submit
C:\Windows\SysWOW64\Gacpdbej.exe

Filesize
187KB

MD5
4c25b975228afb154a8ad91d0e850736

SHA1
02edc2456a6b2e1e60388d8bc5fa8ddc9b9bc861

SHA256
f57a2bd0fea097aef9673a246bf7d7a1ce225a037677c51f2f15df737852dd62

SHA512
6788d125cf2b1ccb37458229e3b3ae52b3451f0b7d77af4329e8e58ff20a36dfe390a6bd3baf287ddb50f0499b0a70b13e5b004b55622c3f4de602b189361626

Download Submit
C:\Windows\SysWOW64\Ghkllmoi.exe

Filesize
187KB

MD5
3b51d5b87dc19bdfeabcfbaf10ca12f7

SHA1
46932380f7de277d531999927855e55bec559f10

SHA256
08fdf2b0a2c86de1e9e11785805de9ca64502e39d9f0c055fb653cd3bed00673

SHA512
6f28fb040413859af6e17ea3772e12a42c3ec7e703f886fbb58f2355f3dbc24a47ed9db360a7be05869fa676d9163d027bcb76e3a2dc10c8fe1ab4f30154f8a6

Download Submit
C:\Windows\SysWOW64\Ghoegl32.exe

Filesize
187KB

MD5
3c7b584eb42e881bd6d837b965acc3d2

SHA1
5216ab4ac30e26eb161b517d1a50e83b25e5261a

SHA256
a7e06fbbd8c064521e5a3cbd664174a6f44d174e2b7d4c76c9ff679fd39a62f0

SHA512
209b15d85b3579ac71d8fa70c9473033d155a460ce6c3149da93b532f7aa732e14dc5122e90df0adbe69b95b4fa9806a66960e60504ee5e4f2bd0aa6f998b28a

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe

Filesize
187KB

MD5
fafe767e1a1639108777fe052a2d2dd4

SHA1
718178fe5af8ffc4d56285005e145e34757233ce

SHA256
19b281d8340b704465f86e92c3859c6f552ed70ed7c3561927bfa8318cf39fc6

SHA512
d95f46a4e7c88572346a670a54ee495fc1ca9625d75938682e12dbc00b82121c43b5c29e366d86e7c904b641f182cc1aaeca7c1fbe6bad105dbf5eba6e1570bd

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
187KB

MD5
0d9f913c92fa88415f9d60b41f1c9110

SHA1
3efc82aeeae46aed765acaa38e5dd2f66338a9c9

SHA256
6c169cdc9cecca88000e473a2e8006d4823ca974bf87aa12d5f9203c5423ea81

SHA512
c60745e2525ebf4be3f867b755c5c0b6954a1357ba372de0807609cc40f74df76a62f0ee7c18822fb9e2c69512d39430da484dc615d9a1e8746a2bf8a0bed149

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
187KB

MD5
931c268aea37ee60ebc56ec7364e258a

SHA1
90777cb9a277f63d655469fb2cf33a3afbd958d9

SHA256
57aad89ff5587940a29f065057f9b291dad843d83189e120fa4fa5dc08cea68c

SHA512
8859a84e0ea560631740f8dae520a2526800d5344f6176c6f333cf8b248e64b985e303cc05598cfb95b7bd52368d28df40c66731f5776c9c5278d93ad6c37081

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
187KB

MD5
304dade23eacab4dc975779dc0d2f8a7

SHA1
42fe151b830459400124168551f02d877448a3f5

SHA256
cd0d64b43d20043a93aeee11022058c5a1a653c97ef219841507d41adcf4c4ad

SHA512
b48acf2ca3195f3ba6095c1bed44f7b839d2cea9cc3e3e0d2424740d5d9ddb29fd819563c0daa15fb529f337373d25af5bb517c413d6e77f336c504a8332dec4

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe

Filesize
187KB

MD5
2d777e2104ad1c0958ec91dab9f24843

SHA1
5db26a177b7fe57f3844018d81dd8dde838fd9db

SHA256
61f5867f5ed6f170d43eb1705a5512f7f54e43624db9654c7d0cea2a8741c556

SHA512
9bfcff263cb21d60911b1aeafc94023204bc09cf1ada893067c199fab8554e4475cbe0ae6c19aa140a80da1cebdb6287fd911c6b2acb102686e627dfe8ffab89

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
187KB

MD5
851b46a69df4395cf6e504f04053fb64

SHA1
38da22a7952c10b461ee9ee74d5d24be283f0c89

SHA256
838df60ea39010db03cc5c185ce402ab81e6c0a815188a591562446bf6e8681c

SHA512
c012fc4fafc293869ceb43831dfd4ce81fb0d0fadcc56e6b419b84998c180a8a38186171ccef1eb992ede9f17764df32377db1555466bc5fe0bf6e4f4be979bb

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
187KB

MD5
9f628e9c7ea28b9d80b2deb4b3374668

SHA1
9afd2634730f36d1ec8fe62250a543397bc51c7b

SHA256
334bada350e2ce660d6452ae53da43d96494bd38e14974dfd4c20c235d8c8793

SHA512
1495d46bf6716fa0cda06ef8005d612cfccc6f26719df2d91bb649ce59ac2873a3636abf63197407295c0dd7391bb6957cd88730e142ae7bc615b597b42d9775

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
187KB

MD5
757fb95a0b5592ed2b87813635fa0776

SHA1
b88db11233bc6d085b54ebb931fdde7beef370e6

SHA256
eb28c2cfd36f2c50136ecb7042b845e953cd9bbdc6a8a44220d277d188f48d5b

SHA512
a95c70ae51cfd6390de23b30de3c566279e5a9153a2cf4bd9a78987e342c1bfcbc53d1df1346ae3066c41f9e1158f2d746bf906e2377bf54d72bb07202c07ee1

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
187KB

MD5
203fb4441c6eb85c07c553a34b067459

SHA1
7885b8236781e6fcf9a5e16e883776477730ea9e

SHA256
d318b4d83df6afaff5b04f4f5c47c45cc80aa45203bb6191b96330f09196d777

SHA512
b806c986e447f083c1c5adcadb43134fe888206539503025862eb8b772fa4fd95562b446b148a67fc3996bb1fae35ddb4fffaf0d543ab8f0e997300a9f5560c8

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
187KB

MD5
6ebcc5ed797bab274dafc773912488b3

SHA1
6342af05b4dbc2495d7d3e1193fdbf1ca70254bf

SHA256
868b44dcdca5ca897a1b07b23cc49ab3208eb1639fba8339b90e90f0a7943ce5

SHA512
6f337a5702b4e5d9183d83e58be2d9c72be265c8af0343c942f436573785c114848796a97707a013cd98441664f6d3a2c042c5105dcf4129d156c3bbea6ea884

Download Submit
C:\Windows\SysWOW64\Hiqbndpb.exe

Filesize
187KB

MD5
c411133f9a0027e03a14057891f7cd07

SHA1
83c7fda8a44a9b824c286a965616418277ae9881

SHA256
b3dc27db12d30baabb5b275c1417bba215846e58996285448fb42f5018669aad

SHA512
bfcd72adb2e660399dc55dccbb56d10d626ba1f048fd64068561cdc21d665e8ec5a49cbb3700e3d407749e7133b14c9531cd82c91d37d9bd1c122fba420ed161

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
187KB

MD5
82050c93e6b58d1b6bec28bd8ae827b6

SHA1
241fc6e03d49d642b42868f35bf9a2fa817b49b3

SHA256
971a86871534348e3104aed48d1638005ddef95c427e7d38dd3e7fc17884adc3

SHA512
71c30f79ead3cefe3aa33f7c10e506a0f144547f1c9c79ef0aedb80a0c646a0810b97c462cbca84b900612a315e25435f056f2a92291eccb5bb9d4db2232aaa9

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe

Filesize
187KB

MD5
1b71567658771dba3c15b4a78b862b61

SHA1
fdd138b94ee4ac8542aa7dfb975796d47b95ff8d

SHA256
5bf3f00b72ff551ce7070d78890b6510d6dc1af262fe2aa656ed513d32145c0c

SHA512
b1c3038457d7fe6bbcd87dc385983ec9d9e00513792b10ba2b76f02dfacaa1634b4e20a4b2b4bb143b8588007fc81d46c4bb75d33572d01ad323c6dfc10946d7

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
187KB

MD5
21aa9a65c053a146fe7bd6c36a5961dc

SHA1
eba8fce3fb4c6583bfd33fa99ac731f8c905cca7

SHA256
f3ab097c289897d926758f7c6af1e48c6d85ffcd1b4b9b5f6e7605684548bed3

SHA512
8e7fe79356a99810fdf74740d768c37535e2d08ccc522354a11806467561b10370716b0a30883744ed0fa7618daf6fb9a92f84e266a6e6959d29465cb577f1b9

Download Submit
C:\Windows\SysWOW64\Hpapln32.exe

Filesize
187KB

MD5
e198b3f4071e67007eca00ffe48e0263

SHA1
70e1407570bf300e5478c791d0d5fde4c6fb9ea5

SHA256
1aa25fee5dc6010435741b9dbaf7f0dbe540d66b66f31f56813f57523edda56d

SHA512
2b23f44e1b3af744d205ca5e3ad253c5c41fd819daceeaa6c9a59a982f786a57a583b241500f6d6bd985d796b6895a7d51ccccdd16bb65fc1a983b86e54b2e60

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
187KB

MD5
2a75eb76e695d9fe59c1e068931c1e02

SHA1
5e6dd6c2467d8a89a62688c978fde475f1971fd5

SHA256
a6295798efa756bac4c3bd9ce57ac8c49faecad53dcf3fd4fae9bd93dac1e955

SHA512
2ed6dadf754b69568de1b7d03fde006dcf9e146dc15c633e35c401c7d8eadbbf6e941680fb069c4be994bb29a69bb0fdafd19a9fbdfcb89affc148a2d9ac57bc

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
187KB

MD5
83a4ee6ee704534ab437a4b9a24b9887

SHA1
58402014aabcc552ab1fb91d3a5a7c8aad14678a

SHA256
c68864baad3161f8d1c4a8f125068d7ff6b469f007697c8bb53759d2217d3c8e

SHA512
48577e8b6c52c20e9fec578d52f449b9da62182f2039009ec0183428e425743128f35fb912974bbfcd8259906796882c941b661118977d4ac7fa5524644ab9ea

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
187KB

MD5
188ccc5bb5353b05aa27b36cb6222fca

SHA1
b85f8d51a432b3319b782456cf318ce6be7ae23b

SHA256
f3b769905617be160a9168a9dcbc8d0c794788eefef59f4b4b22ceeffe601257

SHA512
bc7a584308d838d75fc3db0c010fd6472aa436c6a9df85e2c0a10ac61bf85f004a1f32af62978a368e856b8bfc83692b9fb4336299b9fdb340aefc0b330df980

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
187KB

MD5
91d8451873b1c24f8b13a38d2e30c207

SHA1
a084c9ebd803a4813a67cc82bcf841165320694b

SHA256
6527db0578fb95030756ad0565e46a343d0d7911a192c8aaee1ffdcdd0dd739c

SHA512
aad0479f852e637a545ce50280f908096c3bfd38912a5206303f61a57b30022c69c95ebf898deb9facf9ccb3105152f764c80ddfd11d6142d489a4ccae41c14d

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
187KB

MD5
47e1f3c81a43827b5350955cbe68e4c2

SHA1
e6d5c9dae941ea597098e068083c09e1cf1768f3

SHA256
295fc6df490e18a9cc8b22b8fee2f0d8e26fb78cf3a8e362f640e0f9df612ecb

SHA512
74b2485e19d88900558c6dd623b7a9b45b7ef79373abc5cff4be6c952b11c2b21be15eafaf65cc065d58946b6a2f158afa0f15542f4075fb1aff03d24e9307d6

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
187KB

MD5
7c921383ffc98120ccff9c5fd25b0a70

SHA1
1fc58b8c9ba0f0c0d2de98382ec3f019ab7d1ad0

SHA256
15e486cea4466fcfabb1c47bebfc714155525da233f3adf60514787b4af24b07

SHA512
fc929d2ef2c3fdbee108e5fc3b96436dc4544fca01d6cb037c80aee9731317729fdf88e94643a4421027520a2a655c0128db782dc5a2c9bed4501c9f0e5bc4a5

Download Submit
\Windows\SysWOW64\Gbnccfpb.exe

Filesize
187KB

MD5
eb43ec28b58cff9101d9c3aecdb72417

SHA1
4c3312a1ebfb4317bf6c52e48e7aa1163f3ed626

SHA256
f6ff9c8398cd7785803726c44cbaa159b7c92dcc8419ff7ec75fc9bb749bef4a

SHA512
c2da8620156bb20583ec100db9bf5ca424f04f28aad2ce106b2d3991afb0b0a70b05d4cb7dec6f0505531bf0873c0271f33764ea9914e2720ddd1199eb8dc943

Download Submit
\Windows\SysWOW64\Hcifgjgc.exe

Filesize
187KB

MD5
8a9401257687688e7dec6557b417a41b

SHA1
e64459c571b883194183c84218bb3c813e58a2cd

SHA256
863b572e6767d78b83f8c677f7999b5bb5ac98384e09d87c8a1a13d744c838da

SHA512
9b43063cc7aefb14b41ac853d98181d0663dc0d95e90bb374203e0bd6c2b20428c08c0e6ce4b6026e7411a2d0adce32f026b5b0174e964cfa84022031cc106eb

Download Submit
memory/348-305-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/348-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/348-304-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/348-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/404-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/404-274-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/404-276-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/404-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/532-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/532-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/532-217-0x0000000001FB0000-0x0000000001FEF000-memory.dmp

Filesize
252KB

Download
memory/532-218-0x0000000001FB0000-0x0000000001FEF000-memory.dmp

Filesize
252KB

Download
memory/620-143-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/620-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-148-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/772-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/772-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/772-294-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/772-293-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/836-255-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/836-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-247-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/836-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1076-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1076-261-0x0000000000350000-0x000000000038F000-memory.dmp

Filesize
252KB

Download
memory/1124-240-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1124-235-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1188-330-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1188-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-283-0x0000000001F70000-0x0000000001FAF000-memory.dmp

Filesize
252KB

Download
memory/1524-282-0x0000000001F70000-0x0000000001FAF000-memory.dmp

Filesize
252KB

Download
memory/1524-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1572-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1608-175-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1608-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1608-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-202-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1880-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-6-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2212-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-13-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2228-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2228-189-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2228-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-331-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-316-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2452-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-315-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2452-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-326-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2456-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-327-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2624-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2624-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-85-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-88-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2700-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2828-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2828-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2828-120-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2840-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-79-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2856-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-226-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2856-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-234-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2964-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2964-107-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2964-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads