1cc5d9e09dc08309a0aa6e466348517d137e1aa234892a6dbae00d2e8350d2d4

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
Size

121KB
MD5

449068408a075dcedd54fb207042b560
SHA1

13388611d98477b82bfdccebc69bd3f3a148b09e
SHA256

1cc5d9e09dc08309a0aa6e466348517d137e1aa234892a6dbae00d2e8350d2d4
SHA512

7f38e588b20205abdc6734d8348f9fbafb837e5b1863f41ae34cc641e0b71fe3abf59653407f7aca368a818f56251687d742499f9cf99b0229891d1a10c812b3
SSDEEP

3072:9t6NgezMG84rv3ML0NviNHrhO7AJnD5tvv:qND7rvZviNHNOarvv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Gobgcg32.exeGhmiam32.exeGkkemh32.exeHlakpp32.exeHggomh32.exe449068408a075dcedd54fb207042b560_NeikiAnalytics.exeGmgdddmq.exeHlfdkoin.exeIeqeidnl.exeHgdbhi32.exeHnagjbdf.exeGangic32.exeHcplhi32.exeHkkalk32.exeGaemjbcg.exeGlfhll32.exeHpocfncj.exeHgilchkf.exeGhoegl32.exeHahjpbad.exeHhmepp32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmgdddmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gangic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral1/memory/3068-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
\Windows\SysWOW64\Gangic32.exe	family_berbew
behavioral1/memory/3068-6-0x0000000000260000-0x00000000002A7000-memory.dmp	family_berbew
behavioral1/memory/2140-14-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1796-27-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gobgcg32.exe	family_berbew
C:\Windows\SysWOW64\Glfhll32.exe	family_berbew
behavioral1/memory/2792-40-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gmgdddmq.exe	family_berbew
behavioral1/memory/2660-53-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
\Windows\SysWOW64\Ghmiam32.exe	family_berbew
behavioral1/memory/2708-71-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Gkkemh32.exe	family_berbew
behavioral1/memory/2544-79-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
\Windows\SysWOW64\Gaemjbcg.exe	family_berbew
behavioral1/memory/2544-91-0x00000000002D0000-0x0000000000317000-memory.dmp	family_berbew
\Windows\SysWOW64\Ghoegl32.exe	family_berbew
behavioral1/memory/2840-105-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
\Windows\SysWOW64\Hahjpbad.exe	family_berbew
behavioral1/memory/3000-118-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
\Windows\SysWOW64\Hgdbhi32.exe	family_berbew
behavioral1/memory/1948-131-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
\Windows\SysWOW64\Hlakpp32.exe	family_berbew
behavioral1/memory/1064-144-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hggomh32.exe	family_berbew
behavioral1/memory/1260-157-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
\Windows\SysWOW64\Hnagjbdf.exe	family_berbew
behavioral1/memory/1260-165-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
\Windows\SysWOW64\Hpocfncj.exe	family_berbew
behavioral1/memory/2292-183-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
\Windows\SysWOW64\Hgilchkf.exe	family_berbew
behavioral1/memory/2292-191-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/memory/1728-201-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
\Windows\SysWOW64\Hlfdkoin.exe	family_berbew
behavioral1/memory/2932-211-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2932-218-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hcplhi32.exe	family_berbew
behavioral1/memory/2500-226-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2500-227-0x00000000002E0000-0x0000000000327000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hhmepp32.exe	family_berbew
behavioral1/memory/2404-233-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2500-232-0x00000000002E0000-0x0000000000327000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Hkkalk32.exe	family_berbew
behavioral1/memory/1788-248-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2404-247-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ieqeidnl.exe	family_berbew
behavioral1/memory/1788-254-0x0000000000290000-0x00000000002D7000-memory.dmp	family_berbew
behavioral1/memory/2404-246-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/memory/1400-255-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Iagfoe32.exe	family_berbew
behavioral1/memory/1996-266-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/3068-267-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2140-268-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1796-269-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2792-270-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2660-271-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2544-272-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2584-273-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2840-274-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/3000-275-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1948-276-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1064-277-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1260-278-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2492-279-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 21 IoCs

Processes:

Gangic32.exeGobgcg32.exeGlfhll32.exeGmgdddmq.exeGhmiam32.exeGkkemh32.exeGaemjbcg.exeGhoegl32.exeHahjpbad.exeHgdbhi32.exeHlakpp32.exeHggomh32.exeHnagjbdf.exeHpocfncj.exeHgilchkf.exeHlfdkoin.exeHcplhi32.exeHhmepp32.exeHkkalk32.exeIeqeidnl.exeIagfoe32.exe

pid	process
2140	Gangic32.exe
1796	Gobgcg32.exe
2792	Glfhll32.exe
2660	Gmgdddmq.exe
2708	Ghmiam32.exe
2544	Gkkemh32.exe
2584	Gaemjbcg.exe
2840	Ghoegl32.exe
3000	Hahjpbad.exe
1948	Hgdbhi32.exe
1064	Hlakpp32.exe
1260	Hggomh32.exe
2492	Hnagjbdf.exe
2292	Hpocfncj.exe
1728	Hgilchkf.exe
2932	Hlfdkoin.exe
2500	Hcplhi32.exe
2404	Hhmepp32.exe
1788	Hkkalk32.exe
1400	Ieqeidnl.exe
1996	Iagfoe32.exe

Loads dropped DLL 46 IoCs

Processes:

449068408a075dcedd54fb207042b560_NeikiAnalytics.exeGangic32.exeGobgcg32.exeGlfhll32.exeGmgdddmq.exeGhmiam32.exeGkkemh32.exeGaemjbcg.exeGhoegl32.exeHahjpbad.exeHgdbhi32.exeHlakpp32.exeHggomh32.exeHnagjbdf.exeHpocfncj.exeHgilchkf.exeHlfdkoin.exeHcplhi32.exeHhmepp32.exeHkkalk32.exeIeqeidnl.exeWerFault.exe

pid	process
3068	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
3068	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
2140	Gangic32.exe
2140	Gangic32.exe
1796	Gobgcg32.exe
1796	Gobgcg32.exe
2792	Glfhll32.exe
2792	Glfhll32.exe
2660	Gmgdddmq.exe
2660	Gmgdddmq.exe
2708	Ghmiam32.exe
2708	Ghmiam32.exe
2544	Gkkemh32.exe
2544	Gkkemh32.exe
2584	Gaemjbcg.exe
2584	Gaemjbcg.exe
2840	Ghoegl32.exe
2840	Ghoegl32.exe
3000	Hahjpbad.exe
3000	Hahjpbad.exe
1948	Hgdbhi32.exe
1948	Hgdbhi32.exe
1064	Hlakpp32.exe
1064	Hlakpp32.exe
1260	Hggomh32.exe
1260	Hggomh32.exe
2492	Hnagjbdf.exe
2492	Hnagjbdf.exe
2292	Hpocfncj.exe
2292	Hpocfncj.exe
1728	Hgilchkf.exe
1728	Hgilchkf.exe
2932	Hlfdkoin.exe
2932	Hlfdkoin.exe
2500	Hcplhi32.exe
2500	Hcplhi32.exe
2404	Hhmepp32.exe
2404	Hhmepp32.exe
1788	Hkkalk32.exe
1788	Hkkalk32.exe
1400	Ieqeidnl.exe
1400	Ieqeidnl.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe

Drops file in System32 directory 63 IoCs

Processes:

Glfhll32.exeGmgdddmq.exeGaemjbcg.exeGhoegl32.exeHcplhi32.exeHkkalk32.exeGangic32.exeHahjpbad.exeHhmepp32.exeHpocfncj.exeHlfdkoin.exeGhmiam32.exeHgdbhi32.exeHnagjbdf.exe449068408a075dcedd54fb207042b560_NeikiAnalytics.exeHggomh32.exeHlakpp32.exeGkkemh32.exeGobgcg32.exeHgilchkf.exeIeqeidnl.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Gmgdddmq.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gmgdddmq.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Gobgcg32.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Febhomkh.dll	Glfhll32.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Chhpdp32.dll	Gangic32.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Gangic32.exe	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gmgdddmq.exe	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Mncnkh32.dll	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkkemh32.exe
File opened for modification	C:\Windows\SysWOW64\Gangic32.exe	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gmgdddmq.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hlakpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Gobgcg32.exe	Gangic32.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gobgcg32.exe
File opened for modification	C:\Windows\SysWOW64\Glfhll32.exe	Gobgcg32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hkkalk32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hgilchkf.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

912 1996 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
912	1996	WerFault.exe	Iagfoe32.exe

Modifies registry class 64 IoCs

Processes:

Gobgcg32.exeGhmiam32.exeGkkemh32.exeHggomh32.exeHgilchkf.exeHkkalk32.exe449068408a075dcedd54fb207042b560_NeikiAnalytics.exeHhmepp32.exeHnagjbdf.exeHlfdkoin.exeIeqeidnl.exeGmgdddmq.exeHgdbhi32.exeHlakpp32.exeGhoegl32.exeHpocfncj.exeGlfhll32.exeGaemjbcg.exeHahjpbad.exeHcplhi32.exeGangic32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gobgcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gangic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll"	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gmgdddmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll"	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gangic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3068 wrote to memory of 2140	3068	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe	Gangic32.exe
PID 3068 wrote to memory of 2140	3068	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe	Gangic32.exe
PID 3068 wrote to memory of 2140	3068	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe	Gangic32.exe
PID 3068 wrote to memory of 2140	3068	449068408a075dcedd54fb207042b560_NeikiAnalytics.exe	Gangic32.exe
PID 2140 wrote to memory of 1796	2140	Gangic32.exe	Gobgcg32.exe
PID 2140 wrote to memory of 1796	2140	Gangic32.exe	Gobgcg32.exe
PID 2140 wrote to memory of 1796	2140	Gangic32.exe	Gobgcg32.exe
PID 2140 wrote to memory of 1796	2140	Gangic32.exe	Gobgcg32.exe
PID 1796 wrote to memory of 2792	1796	Gobgcg32.exe	Glfhll32.exe
PID 1796 wrote to memory of 2792	1796	Gobgcg32.exe	Glfhll32.exe
PID 1796 wrote to memory of 2792	1796	Gobgcg32.exe	Glfhll32.exe
PID 1796 wrote to memory of 2792	1796	Gobgcg32.exe	Glfhll32.exe
PID 2792 wrote to memory of 2660	2792	Glfhll32.exe	Gmgdddmq.exe
PID 2792 wrote to memory of 2660	2792	Glfhll32.exe	Gmgdddmq.exe
PID 2792 wrote to memory of 2660	2792	Glfhll32.exe	Gmgdddmq.exe
PID 2792 wrote to memory of 2660	2792	Glfhll32.exe	Gmgdddmq.exe
PID 2660 wrote to memory of 2708	2660	Gmgdddmq.exe	Ghmiam32.exe
PID 2660 wrote to memory of 2708	2660	Gmgdddmq.exe	Ghmiam32.exe
PID 2660 wrote to memory of 2708	2660	Gmgdddmq.exe	Ghmiam32.exe
PID 2660 wrote to memory of 2708	2660	Gmgdddmq.exe	Ghmiam32.exe
PID 2708 wrote to memory of 2544	2708	Ghmiam32.exe	Gkkemh32.exe
PID 2708 wrote to memory of 2544	2708	Ghmiam32.exe	Gkkemh32.exe
PID 2708 wrote to memory of 2544	2708	Ghmiam32.exe	Gkkemh32.exe
PID 2708 wrote to memory of 2544	2708	Ghmiam32.exe	Gkkemh32.exe
PID 2544 wrote to memory of 2584	2544	Gkkemh32.exe	Gaemjbcg.exe
PID 2544 wrote to memory of 2584	2544	Gkkemh32.exe	Gaemjbcg.exe
PID 2544 wrote to memory of 2584	2544	Gkkemh32.exe	Gaemjbcg.exe
PID 2544 wrote to memory of 2584	2544	Gkkemh32.exe	Gaemjbcg.exe
PID 2584 wrote to memory of 2840	2584	Gaemjbcg.exe	Ghoegl32.exe
PID 2584 wrote to memory of 2840	2584	Gaemjbcg.exe	Ghoegl32.exe
PID 2584 wrote to memory of 2840	2584	Gaemjbcg.exe	Ghoegl32.exe
PID 2584 wrote to memory of 2840	2584	Gaemjbcg.exe	Ghoegl32.exe
PID 2840 wrote to memory of 3000	2840	Ghoegl32.exe	Hahjpbad.exe
PID 2840 wrote to memory of 3000	2840	Ghoegl32.exe	Hahjpbad.exe
PID 2840 wrote to memory of 3000	2840	Ghoegl32.exe	Hahjpbad.exe
PID 2840 wrote to memory of 3000	2840	Ghoegl32.exe	Hahjpbad.exe
PID 3000 wrote to memory of 1948	3000	Hahjpbad.exe	Hgdbhi32.exe
PID 3000 wrote to memory of 1948	3000	Hahjpbad.exe	Hgdbhi32.exe
PID 3000 wrote to memory of 1948	3000	Hahjpbad.exe	Hgdbhi32.exe
PID 3000 wrote to memory of 1948	3000	Hahjpbad.exe	Hgdbhi32.exe
PID 1948 wrote to memory of 1064	1948	Hgdbhi32.exe	Hlakpp32.exe
PID 1948 wrote to memory of 1064	1948	Hgdbhi32.exe	Hlakpp32.exe
PID 1948 wrote to memory of 1064	1948	Hgdbhi32.exe	Hlakpp32.exe
PID 1948 wrote to memory of 1064	1948	Hgdbhi32.exe	Hlakpp32.exe
PID 1064 wrote to memory of 1260	1064	Hlakpp32.exe	Hggomh32.exe
PID 1064 wrote to memory of 1260	1064	Hlakpp32.exe	Hggomh32.exe
PID 1064 wrote to memory of 1260	1064	Hlakpp32.exe	Hggomh32.exe
PID 1064 wrote to memory of 1260	1064	Hlakpp32.exe	Hggomh32.exe
PID 1260 wrote to memory of 2492	1260	Hggomh32.exe	Hnagjbdf.exe
PID 1260 wrote to memory of 2492	1260	Hggomh32.exe	Hnagjbdf.exe
PID 1260 wrote to memory of 2492	1260	Hggomh32.exe	Hnagjbdf.exe
PID 1260 wrote to memory of 2492	1260	Hggomh32.exe	Hnagjbdf.exe
PID 2492 wrote to memory of 2292	2492	Hnagjbdf.exe	Hpocfncj.exe
PID 2492 wrote to memory of 2292	2492	Hnagjbdf.exe	Hpocfncj.exe
PID 2492 wrote to memory of 2292	2492	Hnagjbdf.exe	Hpocfncj.exe
PID 2492 wrote to memory of 2292	2492	Hnagjbdf.exe	Hpocfncj.exe
PID 2292 wrote to memory of 1728	2292	Hpocfncj.exe	Hgilchkf.exe
PID 2292 wrote to memory of 1728	2292	Hpocfncj.exe	Hgilchkf.exe
PID 2292 wrote to memory of 1728	2292	Hpocfncj.exe	Hgilchkf.exe
PID 2292 wrote to memory of 1728	2292	Hpocfncj.exe	Hgilchkf.exe
PID 1728 wrote to memory of 2932	1728	Hgilchkf.exe	Hlfdkoin.exe
PID 1728 wrote to memory of 2932	1728	Hgilchkf.exe	Hlfdkoin.exe
PID 1728 wrote to memory of 2932	1728	Hgilchkf.exe	Hlfdkoin.exe
PID 1728 wrote to memory of 2932	1728	Hgilchkf.exe	Hlfdkoin.exe

C:\Users\Admin\AppData\Local\Temp\449068408a075dcedd54fb207042b560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\449068408a075dcedd54fb207042b560_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\Gangic32.exe
C:\Windows\system32\Gangic32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\Gobgcg32.exe
C:\Windows\system32\Gobgcg32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\Glfhll32.exe
C:\Windows\system32\Glfhll32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\Gmgdddmq.exe
C:\Windows\system32\Gmgdddmq.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\Ghmiam32.exe
C:\Windows\system32\Ghmiam32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\Gkkemh32.exe
C:\Windows\system32\Gkkemh32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\system32\Gaemjbcg.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\Ghoegl32.exe
C:\Windows\system32\Ghoegl32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\Hgdbhi32.exe
C:\Windows\system32\Hgdbhi32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\Hlakpp32.exe
C:\Windows\system32\Hlakpp32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\Hnagjbdf.exe
C:\Windows\system32\Hnagjbdf.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\Hpocfncj.exe
C:\Windows\system32\Hpocfncj.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\Hgilchkf.exe
C:\Windows\system32\Hgilchkf.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\Hlfdkoin.exe
C:\Windows\system32\Hlfdkoin.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2932

C:\Windows\SysWOW64\Hcplhi32.exe
C:\Windows\system32\Hcplhi32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2500

C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2404

C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\system32\Hkkalk32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1788

C:\Windows\SysWOW64\Ieqeidnl.exe
C:\Windows\system32\Ieqeidnl.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1400

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
22⤵
- Executes dropped EXE
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 140
23⤵
- Loads dropped DLL
- Program crash
PID:912

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gkkemh32.exe
Filesize
121KB

MD5
52bb732a20dce84ecd17bad691fc662a

SHA1
ec28a209fa63b30bbb3489d051cf8368d2d8fca6

SHA256
8e854bccb0b5e9b90519bbdbbafca9a51d3c5ae9816df4880b6b73783b7a47a3

SHA512
6746511ea9307a851705a6cdd76dedd27932a5b2985dd182071a3d057efd50aedba4eacf93bc85ea71e671fd3816b49b8199af04c5cebb20f755d2c446df05b5

Download Submit
C:\Windows\SysWOW64\Glfhll32.exe
Filesize
121KB

MD5
1116436e10ef2c3c62793029480240bf

SHA1
eadbb38feb7df1ed959668f693f8e759672d688d

SHA256
cb0adaa851282448014dfe4be91b805e0b9510ad1bde90bb829b3f1fd7b008e1

SHA512
3359c139f00c933e9db355a4f83de96d0f297b4be55b7360dc88250a37cec8e12227f3c5ba879b3276265c4ef6ccb3e1d06919a092e31a43dd860636ac8733fa

Download Submit
C:\Windows\SysWOW64\Gmgdddmq.exe
Filesize
121KB

MD5
29feaf87d9aeccd2c0622475e453622d

SHA1
597df9422110b81d0d60cb2db77231c4cf42c974

SHA256
f37f3e7122aa01cde13b05907dea54b33e64cb734d5f65b164f9e9ba4d13b48a

SHA512
6a23ca7401f7540df820fbcdca68fa8288a994faf4609a3822f212887d59d947cbe388ac16574fad077abd13b4e35f60a12d1490e64ec2bd70b82ac255371f6b

Download Submit
C:\Windows\SysWOW64\Gobgcg32.exe
Filesize
121KB

MD5
feabf5f31ecb534da13f34e70b3dbbb7

SHA1
b98ced0be41519c8357f68e293fd61404c7f7798

SHA256
40c6958e2c9cccd219525643da52cdfc9ec88cf9c3c83615c8ccb140e1f31477

SHA512
61475f90d65c829e3a6eee9ea9f482e4fed1096a4b253a2301be4f5f0bc37363faa3ede285daa22ad3b94d22b0738fa72df2e601343430333fb50f4e1ba655cf

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe
Filesize
121KB

MD5
1d5c8ee30eab6723ff2dbdf4937331b3

SHA1
763c93aee4914bb3513a02c4a45a752698fa5390

SHA256
07b272c3895d86bfaa7951c7ac92f6d82a1240260cd7338e34e5ed18ec38de7b

SHA512
bd0d3236d54d82f5d9d891eee59bf30b1583929145647ebc47382224a2e8a7444592bed494212a017133eb7addcb896245ee553bca8cc00d2f8fb4b9bcf01535

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe
Filesize
121KB

MD5
5c4f31a86974712b609f55de32a8c00a

SHA1
2a032b32053ff30fb96e10bac4d6274eab772293

SHA256
f11f0ac7e8c6724fe621898dbc0022c4353a09c2db61881033fe2df43c0c973d

SHA512
29d059b56dfbd32f367a9a8ec0af64b5c6f8d5618407016d2290857f875f973db54dbdaa7489da01bf2fb99e720ca5db071aa80f789c690575118bbf2bc27acb

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe
Filesize
121KB

MD5
6c63d2f6a3dbba4e8b03c950d32e9c55

SHA1
9db97668d2698c93d0525f3eed71492f53f55e95

SHA256
38e0390e05bc0293fc7aa73837e6b47f6b23c642f691a70a2074e116519fe539

SHA512
c3a236857e8b185058a0b04ef651cec57ada2589e298b9bd4e32e04c0bbc1cafc064ec5b04b1abc5c0270c98d91eb26d1ead93c0918e47f7870c2616d06f4e74

Download Submit
C:\Windows\SysWOW64\Hkkalk32.exe
Filesize
121KB

MD5
c80dfa6dcbd588f89eeaae4f9700edee

SHA1
ca0b782b0e7600273a0bea723e8f6539dfc71e64

SHA256
488a7fb0ff8cc4cc3d8f5ca6cbba5a3e995500dc4c4211f91bf75fa71a003b66

SHA512
d774a535d55d9d3be579c074d5f297bbef56940ba6d10c5faec2cb08dbb258a5dfea4c8eaf416a4f0db594f36b2ba26ea25bed09747c31c0b51ebfa9b543ecc0

Download Submit
C:\Windows\SysWOW64\Hnempl32.dll
Filesize
7KB

MD5
20da6a0ce42c12db0c24b29eb5dba6d6

SHA1
9b0e491ae0e3ccd4450031a882aca4633e66cb91

SHA256
3785228c13979d9fd37f2ed0ad29855fa416c5bb728ed9ca3e264be7b46bbd8e

SHA512
0808456b49a4eedf7a543549bbe73d45f41f3416a85031614a6e2b0ff4b4d7796ba70df98a63c520577632d9024fb68d9279659b0264300ad022c285ade16606

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
121KB

MD5
9a67d90df2008e6c1a7dde961d2b44f9

SHA1
8f59f1dbf615f904c9b7162672ab0b049115266f

SHA256
a8d8def54c998d9ca9697b9259f5d0d2cafd4ad3e98d3e6a7963feb6b82abc1e

SHA512
0ed20b56f3443794dff3dfe90391dc6104afb1979a7a11525329a5ea3bb864d03e674c5d5d316d765110ead24b8f89f206f4fe1e2cade9e81cf27d318c365258

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe
Filesize
121KB

MD5
91f422798478f9059468b4243b39fe1a

SHA1
ec9199c936e8986afdef179e400eceff99a5d3b7

SHA256
39de800d3b12cf701131e8d1e6645141cc1967dcb250cb8a56654475cfc9537f

SHA512
e20d40aff466de5dad6cfaffe35a6174fc5c5a259a040692424106ac0d82499eaa60b129d2eb04d9a0c214574972d98d72208a6255d80cf407473f501862ddbb

Download Submit
\Windows\SysWOW64\Gaemjbcg.exe
Filesize
121KB

MD5
2c9d9da045fa7addafabd8458c83b01f

SHA1
f135561322a46eaefff7a2d7da5f6d548867b1e3

SHA256
a9e53fcbef59d07836e1f6d9f466c470dc6625da3148142434ab753075496cfc

SHA512
21fc989fd6e3d909e16257fb828fede68254ae74e6b9150cbcc874dd181fc192bd0f44dbcccd829e86c52592dc39f13de5dd9b189e4152d7b34d34d959cef20e

Download Submit
\Windows\SysWOW64\Gangic32.exe
Filesize
121KB

MD5
7292e60322b541c9acd734440488a076

SHA1
f8426584b6cf54c8879d8440e3c1368b039d97ab

SHA256
416a90acdd02515dd29cac395e7f9a1e8e8aff308cc8e4dc1062e1e5ff9af78d

SHA512
89775f99d30cd888d134eaa86f7daf2a88e7c0602cccc0ae7cf142a7521306d0f0325447762526cc8364911c5254877aab5f04693cbdf053f72ee3ba7b5978dd

Download Submit
\Windows\SysWOW64\Ghmiam32.exe
Filesize
121KB

MD5
e999cb97caf971ad87c57ec5b7e8c8cb

SHA1
a1822b3b6864e749d695738d8656a6b238ab679c

SHA256
cbe1022aee453667ae96848da74817c7219da882a8bc66f318fa35046d00ee2f

SHA512
e6464b43010af693fb60868a5acd7f99c75c4692c40e896aa559c4937c817cae3c11a0c2031b86473b14ee91ddfa5adfb500a80c051a2a8f718c3acf8f7eb06a

Download Submit
\Windows\SysWOW64\Ghoegl32.exe
Filesize
121KB

MD5
fc460964eb0aeb89d14fc96ae2977e93

SHA1
d968024a6d746a83ee3fe3af9612ad7484207889

SHA256
9132ed6cb018cb2928966fc502219fcd39daa2d60de2a4619a5926c830e100ee

SHA512
90c15ba5c7024387b59e77928bef16da03ab7fdd45ececbf8204543dc214b3aa34d0d989f585d7ec7a34e7b5a6ddd3e1dafd9f0ffeca3a3ea7ec04fdc79e5fbb

Download Submit
\Windows\SysWOW64\Hahjpbad.exe
Filesize
121KB

MD5
b4b4b41eec26adcc0c4611e3481a81ee

SHA1
0ccfe9edaef93f8bc1502038e8ac70fdc8ec50a9

SHA256
fb694f35d960a2baf29ca725166e2fc97482c34fd641f389e452ce6d51f2fb3b

SHA512
6e58fb326e56d4c1d5de41e0ab85841eb3eef6312ca85d84b94ea1b0b594462fca6848ca5d514605743bca4068e07d499a0d2bbc8a0e387ce2929add4645dfdb

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe
Filesize
121KB

MD5
4a0d63ab9da3e9d9dc76bea45858a3ba

SHA1
5ec0dc45ef422476134467ccd6fb8bf8eabf9870

SHA256
3222073e958d8537649b8c3eab8689985c46a3b2377d97e19d5853e70acbf5b9

SHA512
1cf0f4b6ded690ecbc28816b4e7f312a4559fc730f7f6799a3ed6973055212dc5ec7941f2b2213678b831c646cb5ba4fb70b8ddf122beb49f9a3ab5b416b8952

Download Submit
\Windows\SysWOW64\Hgilchkf.exe
Filesize
121KB

MD5
dc6c57473b9dabd136fa295ea82ec623

SHA1
2b9103a2d1d5118c51c62dbaa77f8c88dbb68b0e

SHA256
0b539c5db0f4edc8bf98291888cd126f7e167ca62baf8a9083744f7eb7488aab

SHA512
be83753b61000ec99ca97ee6e49fd8fb3140ab6317971095cb02ef112b60e13e9ce98c9bbeb537cba706c35646989e801a95c492470707824e70713d3e3fb3b6

Download Submit
\Windows\SysWOW64\Hlakpp32.exe
Filesize
121KB

MD5
05aa75c6d4db8f9dd775b2e66dbb597b

SHA1
8a51541de70ee0dfed83e3d36aa02cfd30f1c83c

SHA256
a44c78e4dd7aec5e953c8daad71a5d2c742934a03474261dbd2ac20c99ae9166

SHA512
45f5850a7c876154af45f015d5be1bca9695d4992052d453d061a2fbbe721a4c7dfb9151e8cdcb5fa25507693d8ba225dcd73fb04544540f8e9d827095b10e03

Download Submit
\Windows\SysWOW64\Hlfdkoin.exe
Filesize
121KB

MD5
279fe5089bea9b6d6997560ea6bdd139

SHA1
adfce4c275cc5a35f883565eb82f08ad1840b7bb

SHA256
bf8c34f37973fe8c51d260b2c06c0732d9ffa6751eed31ee0c908cb2a30bf9b5

SHA512
5204904b64cd8b9465a749a81a0e8ce344b082fc6f953034eb2d2415ba737bd059f8e42280c35cc46ac9af048df235edfbacc1c349b2b5dcd21ca51e45cf4776

Download Submit
\Windows\SysWOW64\Hnagjbdf.exe
Filesize
121KB

MD5
bfc742594d82d33471acf1c72bee7f7e

SHA1
0f2e970de2c38595806fd5b66cc0951ba2306e8e

SHA256
c94520a3726b695f811a026bb9d83127ea35b1ac31bb3d3d33801566e9385b43

SHA512
b3fbc14facf34b8ec35260ed590292cab8b580446fc2a8be14f813fbf5cf924e70c1d40ae18d47a874709d7bb3b8446888074583e1861c3dc653aff8f3cbed6b

Download Submit
\Windows\SysWOW64\Hpocfncj.exe
Filesize
121KB

MD5
789ff58639090cd0c5a47a9cabae8275

SHA1
ae0e784d960c4aeb9ff03cbb927da8362a7ed332

SHA256
b3258ffb42d468e6e5cc754cd1f78a32ba7df6b3cf0c086d65b66299bcbe8747

SHA512
8a43f64231bc1b86f64f8f11d191c4c61c9a48622cf45df695fe4bcedead3d9d36eb907c0e68a37cfbabc426fbe357bf99794862452d1a06b01b2a5feec6a983

Download Submit
memory/1064-144-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1064-277-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1260-157-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1260-165-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/1260-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1400-265-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/1400-264-0x0000000000450000-0x0000000000497000-memory.dmp

Filesize
284KB

Download
memory/1400-285-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1400-255-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1728-201-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1728-281-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1728-210-0x0000000000280000-0x00000000002C7000-memory.dmp

Filesize
284KB

Download
memory/1788-254-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/1788-248-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1788-250-0x0000000000290000-0x00000000002D7000-memory.dmp

Filesize
284KB

Download
memory/1796-27-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1796-269-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1948-131-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1948-276-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1996-266-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2140-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2140-26-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2140-14-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2292-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2292-191-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2292-183-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2404-233-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2404-284-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2404-247-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2404-246-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2492-279-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2500-283-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2500-232-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/2500-227-0x00000000002E0000-0x0000000000327000-memory.dmp

Filesize
284KB

Download
memory/2500-226-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2544-91-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2544-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2544-272-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2584-273-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2660-53-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2660-271-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2708-71-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2792-270-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2792-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2840-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2840-105-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2932-282-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2932-211-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2932-218-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/3000-275-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3000-118-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3068-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3068-267-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3068-6-0x0000000000260000-0x00000000002A7000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads