bd4994af9b526356bc5860e968c7fd213d9cfbdd5d37691d44f6175532f9ecfe

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Size

121KB
MD5

b1331de1f06acee423dcb568555d7390
SHA1

88270bf9135f36bc5cb51978a3e7031c8e26dfe8
SHA256

bd4994af9b526356bc5860e968c7fd213d9cfbdd5d37691d44f6175532f9ecfe
SHA512

2718f3db0e25fe5e5ecd59bf6cee57bc2b3152b8d24513f4ef9d26522550d26ffc72ae6dbca92065abf27483ecd97f748e0cc60df1594f31699a738107aacf02
SSDEEP

3072:NviwFZZSTKW2nfUiBLRi8t4rqCHjZIDWZnHcHvR6ijwhwDCRM2O7AJnD5tvv:R+qBLRi80GW3VJRM2Oarvv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hejoiedd.exe

Malware Dropper & Backdoor - Berbew 51 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000a0000000122ec-5.dat	family_berbew
behavioral1/memory/2212-6-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x000c000000016103-25.dat	family_berbew
behavioral1/memory/2996-27-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2212-13-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/files/0x00070000000164a9-33.dat	family_berbew
behavioral1/memory/2996-35-0x0000000000450000-0x0000000000497000-memory.dmp	family_berbew
behavioral1/memory/2700-43-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000700000001663f-53.dat	family_berbew
behavioral1/memory/2500-54-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0007000000016d65-60.dat	family_berbew
behavioral1/memory/2500-62-0x0000000000310000-0x0000000000357000-memory.dmp	family_berbew
behavioral1/memory/2580-68-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d71-74.dat	family_berbew
behavioral1/memory/2496-81-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016dde-87.dat	family_berbew
behavioral1/memory/3032-94-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016eb9-100.dat	family_berbew
behavioral1/memory/3032-102-0x0000000000290000-0x00000000002D7000-memory.dmp	family_berbew
behavioral1/files/0x0006000000017477-113.dat	family_berbew
behavioral1/memory/2828-114-0x00000000003B0000-0x00000000003F7000-memory.dmp	family_berbew
behavioral1/memory/2984-121-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000017495-127.dat	family_berbew
behavioral1/memory/2984-129-0x00000000002C0000-0x0000000000307000-memory.dmp	family_berbew
behavioral1/files/0x0014000000018669-140.dat	family_berbew
behavioral1/memory/1320-146-0x00000000002D0000-0x0000000000317000-memory.dmp	family_berbew
behavioral1/files/0x0005000000018686-153.dat	family_berbew
behavioral1/memory/2800-160-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x00050000000186f1-166.dat	family_berbew
behavioral1/memory/1620-178-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0005000000018739-185.dat	family_berbew
behavioral1/memory/848-186-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0035000000015f71-192.dat	family_berbew
behavioral1/memory/848-198-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/memory/2032-200-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2212-205-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1188-206-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2996-207-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2700-208-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2500-209-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2580-210-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2496-211-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/3032-212-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2828-213-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2984-214-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1320-215-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/300-216-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2800-217-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1620-218-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/848-219-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 15 IoCs

pid	Process
1188	Gacpdbej.exe
2996	Ggpimica.exe
2700	Ghoegl32.exe
2500	Hmlnoc32.exe
2580	Hgdbhi32.exe
2496	Hlakpp32.exe
3032	Hejoiedd.exe
2828	Hlcgeo32.exe
2984	Hellne32.exe
1320	Hpapln32.exe
300	Henidd32.exe
2800	Hhmepp32.exe
1620	Iaeiieeb.exe
848	Ihoafpmp.exe
2032	Iagfoe32.exe

Loads dropped DLL 34 IoCs

pid	Process
2212	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
2212	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
1188	Gacpdbej.exe
1188	Gacpdbej.exe
2996	Ggpimica.exe
2996	Ggpimica.exe
2700	Ghoegl32.exe
2700	Ghoegl32.exe
2500	Hmlnoc32.exe
2500	Hmlnoc32.exe
2580	Hgdbhi32.exe
2580	Hgdbhi32.exe
2496	Hlakpp32.exe
2496	Hlakpp32.exe
3032	Hejoiedd.exe
3032	Hejoiedd.exe
2828	Hlcgeo32.exe
2828	Hlcgeo32.exe
2984	Hellne32.exe
2984	Hellne32.exe
1320	Hpapln32.exe
1320	Hpapln32.exe
300	Henidd32.exe
300	Henidd32.exe
2800	Hhmepp32.exe
2800	Hhmepp32.exe
1620	Iaeiieeb.exe
1620	Iaeiieeb.exe
848	Ihoafpmp.exe
848	Ihoafpmp.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hpapln32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Njgcpp32.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hlakpp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1852	2032	WerFault.exe	42

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1188	2212	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 1188	2212	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 1188	2212	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 1188	2212	b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe	28
PID 1188 wrote to memory of 2996	1188	Gacpdbej.exe	29
PID 1188 wrote to memory of 2996	1188	Gacpdbej.exe	29
PID 1188 wrote to memory of 2996	1188	Gacpdbej.exe	29
PID 1188 wrote to memory of 2996	1188	Gacpdbej.exe	29
PID 2996 wrote to memory of 2700	2996	Ggpimica.exe	30
PID 2996 wrote to memory of 2700	2996	Ggpimica.exe	30
PID 2996 wrote to memory of 2700	2996	Ggpimica.exe	30
PID 2996 wrote to memory of 2700	2996	Ggpimica.exe	30
PID 2700 wrote to memory of 2500	2700	Ghoegl32.exe	31
PID 2700 wrote to memory of 2500	2700	Ghoegl32.exe	31
PID 2700 wrote to memory of 2500	2700	Ghoegl32.exe	31
PID 2700 wrote to memory of 2500	2700	Ghoegl32.exe	31
PID 2500 wrote to memory of 2580	2500	Hmlnoc32.exe	32
PID 2500 wrote to memory of 2580	2500	Hmlnoc32.exe	32
PID 2500 wrote to memory of 2580	2500	Hmlnoc32.exe	32
PID 2500 wrote to memory of 2580	2500	Hmlnoc32.exe	32
PID 2580 wrote to memory of 2496	2580	Hgdbhi32.exe	33
PID 2580 wrote to memory of 2496	2580	Hgdbhi32.exe	33
PID 2580 wrote to memory of 2496	2580	Hgdbhi32.exe	33
PID 2580 wrote to memory of 2496	2580	Hgdbhi32.exe	33
PID 2496 wrote to memory of 3032	2496	Hlakpp32.exe	34
PID 2496 wrote to memory of 3032	2496	Hlakpp32.exe	34
PID 2496 wrote to memory of 3032	2496	Hlakpp32.exe	34
PID 2496 wrote to memory of 3032	2496	Hlakpp32.exe	34
PID 3032 wrote to memory of 2828	3032	Hejoiedd.exe	35
PID 3032 wrote to memory of 2828	3032	Hejoiedd.exe	35
PID 3032 wrote to memory of 2828	3032	Hejoiedd.exe	35
PID 3032 wrote to memory of 2828	3032	Hejoiedd.exe	35
PID 2828 wrote to memory of 2984	2828	Hlcgeo32.exe	36
PID 2828 wrote to memory of 2984	2828	Hlcgeo32.exe	36
PID 2828 wrote to memory of 2984	2828	Hlcgeo32.exe	36
PID 2828 wrote to memory of 2984	2828	Hlcgeo32.exe	36
PID 2984 wrote to memory of 1320	2984	Hellne32.exe	37
PID 2984 wrote to memory of 1320	2984	Hellne32.exe	37
PID 2984 wrote to memory of 1320	2984	Hellne32.exe	37
PID 2984 wrote to memory of 1320	2984	Hellne32.exe	37
PID 1320 wrote to memory of 300	1320	Hpapln32.exe	38
PID 1320 wrote to memory of 300	1320	Hpapln32.exe	38
PID 1320 wrote to memory of 300	1320	Hpapln32.exe	38
PID 1320 wrote to memory of 300	1320	Hpapln32.exe	38
PID 300 wrote to memory of 2800	300	Henidd32.exe	39
PID 300 wrote to memory of 2800	300	Henidd32.exe	39
PID 300 wrote to memory of 2800	300	Henidd32.exe	39
PID 300 wrote to memory of 2800	300	Henidd32.exe	39
PID 2800 wrote to memory of 1620	2800	Hhmepp32.exe	40
PID 2800 wrote to memory of 1620	2800	Hhmepp32.exe	40
PID 2800 wrote to memory of 1620	2800	Hhmepp32.exe	40
PID 2800 wrote to memory of 1620	2800	Hhmepp32.exe	40
PID 1620 wrote to memory of 848	1620	Iaeiieeb.exe	41
PID 1620 wrote to memory of 848	1620	Iaeiieeb.exe	41
PID 1620 wrote to memory of 848	1620	Iaeiieeb.exe	41
PID 1620 wrote to memory of 848	1620	Iaeiieeb.exe	41
PID 848 wrote to memory of 2032	848	Ihoafpmp.exe	42
PID 848 wrote to memory of 2032	848	Ihoafpmp.exe	42
PID 848 wrote to memory of 2032	848	Ihoafpmp.exe	42
PID 848 wrote to memory of 2032	848	Ihoafpmp.exe	42
PID 2032 wrote to memory of 1852	2032	Iagfoe32.exe	43
PID 2032 wrote to memory of 1852	2032	Iagfoe32.exe	43
PID 2032 wrote to memory of 1852	2032	Iagfoe32.exe	43
PID 2032 wrote to memory of 1852	2032	Iagfoe32.exe	43

C:\Users\Admin\AppData\Local\Temp\b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b1331de1f06acee423dcb568555d7390_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\Gacpdbej.exe
  C:\Windows\system32\Gacpdbej.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\Ggpimica.exe
    C:\Windows\system32\Ggpimica.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\Ghoegl32.exe
      C:\Windows\system32\Ghoegl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cnkajfop.dll

Filesize
7KB

MD5
fab4fdf4776d7954ac204742c3a99738

SHA1
46c6a5bbaabaaaea9f975673873fe7a0586154e8

SHA256
e9032032cf7be79e7f5b3e7892876b6b9a19c9e28b7cca754ed4f3e7604b1ed1

SHA512
bd850a69c879ce34cf03cfe8b683d41927f8908b385f3f9a7b98d840dc66b13002403d960f301647240cb91d2f43db1a8d86e289011cba67f1d44459f48f4309

Download Submit
C:\Windows\SysWOW64\Ggpimica.exe

Filesize
121KB

MD5
3cd0c128a4352a75409770ba864a7d1c

SHA1
2c0a690686c8f025998de92560e946668936e11c

SHA256
8325ce939e20ba4257de96810fc002f649be8768aeb9e67b2ad3fae1c0f7891c

SHA512
17bdc47539005426f70e81f9655adf6e653cd2c026c89211925bdf35107db9de7178d3abac9da630b3f7d7cf482a78b6c4d4d366052e05903273c0a305beec1a

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
121KB

MD5
436e0c1f379868b323224eb4212311f2

SHA1
f56a38fea1cef34ef09a473748e12ecb0703ad60

SHA256
60ef6bc4ebf0416f4b6b38dcf3679f5f7e589437d8cb6e842f47ceb67050dbb2

SHA512
aaf8c058ef8d4ace0f1b3a717b640cbbd19aa615f689fb75fe40fc527cf1d12e2bf9c04d07fa2030111c72adc166db1896c69222b00c7740cb86407b9e9e6799

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
121KB

MD5
2a2bb2fbb07d7833907548a1df4515c8

SHA1
51b0a954f59340491217530d18100c5c15a07a6a

SHA256
df90c23344d300d7bd27c8f038a2bb2eab4d02fa56d2a1b02b7d9bb051f54706

SHA512
239e703ef9f7067f90941989983c413cf0986a4a3655d5191d9953c43251fdee39e7c099321dfbd93f6aae4c6dc17276317dfa98e6d533fb9de905d80a605ffe

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
121KB

MD5
97e1382a254810c7bed377b036c13f75

SHA1
4fa7987ab1b94b2a64004391571598c6b6e217e1

SHA256
dfe269d4233cc25d8d414c626a828b4c18f70b8cdcb1e1c7c5fc095e678890da

SHA512
3b3849e7e6c52b170f8cfce47646579d9bc4ac08526c95e507b1a3d19d4bf4a19d50272be7f483a9f91281d59561c9b6b3d058a504c2c5b9c9f09c0a5b9dbfa1

Download Submit
\Windows\SysWOW64\Ghoegl32.exe

Filesize
121KB

MD5
2870990c04b14cb00a943ac72e31cab2

SHA1
908d55c7bba41c36fcea1cbe0bc086788f24f96b

SHA256
d3be3dfd0367339db62a3b88e1b9c002bd6046f9e3d5b3486ecc1b47b790559b

SHA512
b1d4448c261b42e2841024267336d9d152cad205bdda06e91fa7a183bb962cfdeb398c4405b83c87df8166c1d7638164eeeb0e1821c28edcbe9df3c2664ae8a5

Download Submit
\Windows\SysWOW64\Hejoiedd.exe

Filesize
121KB

MD5
24bc914690632c79911b174bdaf3802e

SHA1
eaec0f45a887b1f5b1225478683ceab356c4b047

SHA256
2f4ebe4f2b8e0ab73cfea75142b08d2d8b1a581c9381d8bb6a60d1e551fa354c

SHA512
6f74d697f377bc93cdf2f6d055892ee5ca467c9990c3176ecfe3ea1fa3c5a096ffc34f83dea661f0381377185ad652d7ec76c432d06e839edc75127602c7a9c1

Download Submit
\Windows\SysWOW64\Hellne32.exe

Filesize
121KB

MD5
df773dd9a124ea664296f0a1a4682126

SHA1
4bd3cd274a6783024cc8dedbb31aa0906cf78f71

SHA256
43fb2af4e77274d201a0622125d6c053cd7885b2f748a81d08b88c793155d3bb

SHA512
5b5a3705304b51a4e5c047902c17ecfdbe64e20920afb00fee74884d40adaa890920ae133f965545ac422c2ca5465173dc3e82879744c0059c0875f8b60580d3

Download Submit
\Windows\SysWOW64\Henidd32.exe

Filesize
121KB

MD5
e0c7d13ed1b4cc53025d6d55e9df5186

SHA1
58020860133a00c04e01f8bffff20c5b635fe94c

SHA256
241e87b23960640c1d805786e5ea5915cecf754609399587ff1d8be70a954d7c

SHA512
886cf9450df702bb4034d31b665dc7431336cc3c1d4658e3d18521689e6edcdf5948efa4c1dbe5c02ea8a4aa7314420401fdc01ab8b067cffb641f84087d568d

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe

Filesize
121KB

MD5
364b0415eec56e0bf2f56c4d6557a3fc

SHA1
6ecc7dd3e3dcd466aab9d56f7f253a861d8bd6a9

SHA256
a2ac747223a533095edc166afecc03524f8bf743d2c27cbbcbff7dffb8e957a1

SHA512
a79bdf38e3be16bd7e2d4837a5eb2b5c818c7f32bc0ac451f2b21e9c2dba87b383f4b8277d4cdc4eb59b3196873d0b8b5f1c2d463fc315b1419d3e185629246c

Download Submit
\Windows\SysWOW64\Hhmepp32.exe

Filesize
121KB

MD5
859cf4dde0a526b9bbb867d14f4fd581

SHA1
19655d24e92f56a68f92df634868c1592c4fcb48

SHA256
76e664d6e0a4fa2bb174f01bab865a3c4d3e275519557a0774cdac18df62103a

SHA512
b646cf2fcdbf78017fe694bd4d59797b86ccea3c185d89b2ce7bb420d95b7741504c903ba72f030b4ddf691f1e456904516b4118a965ebc1b2a795386edbd761

Download Submit
\Windows\SysWOW64\Hlakpp32.exe

Filesize
121KB

MD5
b5bc7b032994f28bcdd199ba0c85a6a1

SHA1
617fa607531f4e29753760a1900177df14db6915

SHA256
44c0bc0a09df1453f27f10d162acd88c491149e393575fb461da4fc216920fbf

SHA512
0ef6f2aac54f030e92c576cb618202a71b7ccb3ac81a980ae365cfd88ef1a9c1420c067954531c9888c39eec08d108de548236e9b43e7ce63f7ff858307a58a2

Download Submit
\Windows\SysWOW64\Hlcgeo32.exe

Filesize
121KB

MD5
99b2664e44b57a163f51df5dd0015d6d

SHA1
61635edda8b462f9f6090c1347fbbd3e71fc4867

SHA256
911fc38366160e5b3362461c1aedca6ab9dfffcfcd8ec7a8ce13dc1de8f9e170

SHA512
7e5bd88b46dfa75be4655f61009ba4d9f50200cc6a71cee251cf94ac8b765a237e443f0eb6ef6ecb8006113e11b17e9fb57073025ed5b35ae9612665117b0c40

Download Submit
\Windows\SysWOW64\Hpapln32.exe

Filesize
121KB

MD5
e08788e55e6019855d26cd01e5172a50

SHA1
ac64af9d4ee0033ddbf94458ad3d1016dff10070

SHA256
7c8dca74208c8a87df2a8d104a9ec923a3686da2e7d87bf831da6f4ad2941f45

SHA512
ba47d64be6a2cf6692b4b65a20dbd9275e00aeffd31ccf7bd8ab82eabc2d80df0821016357b6093d8a2b96ca7053fae4c614ec48046a3681fe0d4e935e953438

Download Submit
\Windows\SysWOW64\Iaeiieeb.exe

Filesize
121KB

MD5
51a1d0aee5db5acd24c4ecf599f68269

SHA1
ec37ad4a80925596074cfeaa3a2511cf73c4ff3a

SHA256
f3f09a7e84c8ab4f76836841fff1b42799c8f04f3aaab338ecec9085be1cf685

SHA512
a7454be05d1700be474ab1b7febdf69d9f2353901220dfa307ae9f086863744ca6facae972f0473975477061a6ea420031eff8a5f4b1687c648aa05da0ad3610

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
121KB

MD5
4d3b28a8f30bb0e81081bc05833afe16

SHA1
c62ed7ca68c74bf77b2fbc3b4686e80223d772f5

SHA256
c7aed65cef7759d69083d04bdb60a9d9d2048d3409c08d4f3724960e66e7e39b

SHA512
549b3822df79cbb7304d2177e7000f17245c86af8723a0c67c8978b9a27a47a83ca50a4fc575235008f9f399fab4f466766d7415318a37cb6f2eb65d2b2c556d

Download Submit
memory/300-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/848-198-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/848-186-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/848-219-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1188-206-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1188-26-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1320-146-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/1320-215-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1620-178-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1620-218-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2032-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2212-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2212-6-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2212-205-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2212-13-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2496-81-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2496-211-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2500-62-0x0000000000310000-0x0000000000357000-memory.dmp

Filesize
284KB

Download
memory/2500-54-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2500-209-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2580-210-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2580-68-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2700-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2700-43-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2800-217-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2800-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2828-114-0x00000000003B0000-0x00000000003F7000-memory.dmp

Filesize
284KB

Download
memory/2828-213-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2984-129-0x00000000002C0000-0x0000000000307000-memory.dmp

Filesize
284KB

Download
memory/2984-121-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2984-214-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2996-207-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2996-27-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2996-35-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/3032-212-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3032-94-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3032-102-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads